Information security awareness is at an all-time high. META Group research indicates information security ranks as a top priority among Global 2000 CIOs. Trade and business press covering security continue to drive awareness among both executives and end users.
Although a similar scenario in any other IT domain normally drives a boom outsourcing market, outsourcing security is a relatively new concept that faces several obstacles to acceptance and maturation. Nonetheless, there has been a massive proliferation of security services vendors (and those that hope to sell to them) during the past 12 months. We expect this proliferation to continue, but vendors over the next year will be sharply culled by funding limits, acquisition, and channel limits. Over the next three years, we expect consolidation in this space, first by vendors attempting multifunction aggregation, then by resellers through channel aggregation.
Security services can be broken into three segments: security planning (including assessment and architecture), integration (i.e., consulting), and managed security services (outsourcing). Security planning and consulting have been commonly used by many of the Global 2000 for a few years. Most of the new security services investment is in outsourcing, hoping to capture subscription revenue from small and medium businesses, as well as larger corporations that want to outsource specific security operation center functions.
Indeed, recent announcements suggest that nearly every information security product and services vendor is either becoming a managed security service provider (MSSP) or is targeting MSSPs with specific sales efforts. Although a few offerings (certain managed firewall and virtual private network [VPN] services) are second generation, most MSSPs are very new -- notably those providing scanning for system vulnerability or intrusion detection, monitoring, and response services. We expect to see maturity first in the managed VPN and firewall arenas, though a viable business model is proving elusive. MSS-based vulnerability scanning will mature next (2003), followed by intrusion detection (2003/04), security monitoring and response (2004), and authentication and administration (2004/05).
Barriers to Adoption and Maturation
Managed firewall and VPN services excepted, managed security services (intrusion detection, monitoring, scanning, authorization management, and administration) are immature, most being less than a year old. This immaturity is found at all levels, with technology and marketing most apparent, but process immaturity and lack of appropriate skill sets less obvious, but more troubling.
We find customer-vendor trust (a factor that had inhibited the creation of an MSSP market and can be an issue for any service provider) remains a significant hurdle in selling managed security services. First, many organizations are reluctant to consider outsourcing security. Usually, MSSPs have no pre-existing relationship with potential customers and little or no track record in the market. Coupled with the culture clash between corporate entities and many hacker-staffed security services firms, trust is proving to be a significant barrier.
Finally, there is often a thorough lack of focus from security service vendors. Most security service firms are willing to apply their talent in almost any fashion, making them little more than a security body shop. Many lack sufficient funding to build leveraged services and grasp at any business that comes their way. Focused providers such as Counterpane and Qualys are able to position themselves as best of breed for a particular security function (e.g., monitoring or scanning). However, even among the focused providers, funding is still an issue, because it takes time to build the necessary relationships to succeed in this market.
Channels and Market Evolution
Initially we expect MSSPs to be successful selling to larger corporations with a direct sales model (they will use indirect channels for smaller companies). Longer term, we expect most companies to buy security services through indirect sales (often Internet or other service providers), with MSSPs fielding a small direct sales force targeting the largest companies.
In addition to vendor reduction through problems with funding, execution, and focus, we expect significant aggregation in this space. The initial attempt will be to aggregate multiple security functions within one provider. We expect this to fail because of infrastructure realities -- that is, most enterprises do not wholly own the infrastructure they depend on, which often confounds security outsourcing efforts. In addition, we expect infrastructure providers (prominently ISPs and Web hosting companies) to become channel aggregation points for multiple MSSPs; we believe this will be a successful model, largely for relationship and trust reasons.
Businesses should recognize the limits of the existing vendors and offerings, and realize that outsourcing any security function involves, at a minimum, an audit of the MSSP's people, process, and technology to ensure a good fit; at a maximum, it may involve the customer carefully defining the MSSP's process, customer interfaces, and service-level agreements.
Business Impact: Any company relying on IT needs solid information security policies and practices. Outsourcing components of information security should be evaluated as a solution, but the business must always retain responsibility -- thus underlining the importance of understanding business and regulatory implications of outsourcing security.
Bottom Line: Users examining managed security services should seek providers with focus and realize that multiple providers may be warranted, depending on the breadth of function outsourced. User organizations should also realize the maturity level of this market requires greater vendor due diligence than normal, and current economic conditions suggest seeking managed security service providers with 18 months of funding.
Chris King is an analyst for META Group, an IT consulting firm based in Stamford, Conn.