By Chris King
Information security awareness is at an all-time high. META Group research indicates information security ranks as a top priority among Global 2000 CIOs. Trade and business press covering security continue to drive awareness among both executives and end users.
While organizations are beginning to realize the importance of information security, products to address the issue remain complex and immature. In addition, qualified information security personnel, despite current economic conditions, will remain in short supply at least until 2004.
Although a similar scenario in any other IT domain normally drives a booming outsourcing market, outsourcing security is a relatively new concept that faces several obstacles to acceptance and maturation. Nonetheless, there has been a massive proliferation of security services vendors (and those that hope to sell to them) during the past 12 months. We expect this proliferation to continue, but vendors over the next year will be sharply culled by funding limits, acquisition, and channel limits. Over the next three years, we expect consolidation in this space, first by vendors attempting multifunction aggregation, then by resellers through channel aggregation.
Security services can be broken into three segments: security planning (including assessment and architecture), integration (i.e., consulting), and managed security services (outsourcing). Security planning and consulting have been commonly used by many of the Global 2000 for a few years. Most of the new security services investment is in outsourcing, hoping to capture subscription revenue from small and medium businesses, as well as larger corporations that want to outsource specific security operation center functions.
Indeed, recent announcements suggest that nearly every information security product and services vendor is either becoming a managed security service provider (MSSP) or is targeting MSSPs with specific sales efforts. Although a few offerings (certain managed firewall and virtual private network [VPN] services) are second generation, most MSSPs are very new — notably those providing scanning for system vulnerability or intrusion detection, monitoring, and response services. We expect to see maturity first in the managed VPN and firewall arenas, though a viable business model is proving elusive. MSS-based vulnerability scanning will mature next (2003), followed by intrusion detection (2003/04), security monitoring and response (2004), and authentication and administration (2004/05).
Barriers to Adoption and Maturation
Managed firewall and VPN services excepted, managed security services (intrusion detection, monitoring, scanning, authorization management, and administration) are immature, most being less than a year old. This immaturity is found at all levels: it is most apparent in technology and marketing, while process immaturity and the lack of appropriate skill sets are less obvious but more troubling.
We find customer-vendor trust (a factor that had inhibited the creation of an MSSP market and can be an issue for any service provider) remains a significant hurdle in selling managed security services. First, many organizations are reluctant to consider outsourcing security. Usually, MSSPs have no pre-existing relationship with potential customers and little or no track record in the market. Coupled with the culture clash between corporate entities and many hacker-staffed security services firms, trust is proving to be a significant barrier.
Finally, there is often a thorough lack of focus from security service vendors. Most security service firms are willing to apply their talent in almost any fashion, making them little more than a security body shop. Many lack sufficient funding to build leveraged services and grasp at any business that comes their way. Focused providers such as Counterpane and Qualys are able to position themselves as best of breed for a particular security function (e.g., monitoring or scanning). However, even among the focused providers, funding is still an issue, because it takes time to build the necessary relationships to succeed in this market.
Channels and Market Evolution
Initially we expect MSSPs to be successful selling to larger corporations with a direct sales model (they will use indirect channels for smaller companies). Longer term, we expect most companies to buy security services through indirect sales (often Internet or other service providers), with MSSPs fielding a small direct sales force targeting the largest companies.
In addition to vendor reduction through problems with funding, execution, and focus, we expect significant aggregation in this space. The initial attempt will be to aggregate multiple security functions within one provider. We expect this to fail because of infrastructure realities — that is, most enterprises do not wholly own the infrastructure they depend on, which often confounds security outsourcing efforts. In addition, we expect infrastructure providers (prominently ISPs and Web hosting companies) to become channel aggregation points for multiple MSSPs; we believe this will be a successful model, largely for relationship and trust reasons.
Businesses should recognize the limits of the existing vendors and offerings, and realize that outsourcing any security function involves, at a minimum, an audit of the MSSP’s people, process, and technology to ensure a good fit; at a maximum, it may involve the customer carefully defining the MSSP’s process, customer interfaces, and service-level agreements.
Business Impact: Any company relying on IT needs solid information security policies and practices. Outsourcing components of information security should be evaluated as a solution, but the business must always retain responsibility — thus underlining the importance of understanding business and regulatory implications of outsourcing security.
Bottom Line: Users examining managed security services should seek providers with focus and realize that multiple providers may be warranted, depending on the breadth of function outsourced. User organizations should also realize the maturity level of this market requires greater vendor due diligence than normal, and current economic conditions suggest seeking managed security service providers with 18 months of funding.
Chris King is an analyst for META Group, an IT consulting firm based in Stamford, Conn.