Security managers are caught in a double bind. IT security is an increasingly complex area, with constantly evolving threats, increased remote and web-based access, wireless networking and growing volumes of security logs and real-time alerts to wade through.
Simultaneously, it is becoming business-critical, as organisations rely more on communications and e-business, and legislation makes directors personally liable for security breaches.
Strapped for resources, often short of expertise and increasingly accustomed to outsourcing, IT managers are anxious to offload their security management onto a trusted third party.
Analyst Gartner Dataquest predicts managed security services (MSS) will be the fastest-growing service type across all vertical markets in western Europe, growing from $547.8m in 2003 to $1.2bn in 2006 (a compound annual growth rate of 19.3 per cent).
Meanwhile, In-Stat/MDR believes MSS worldwide will have almost quadrupled to $4.9bn between 2001 and 2006.
Organisations of all sizes are farming out security management. "SMEs are a prime target for outsourcing as most have no IT security expert or even an IT manager," says David Ellis, director of e-security at security distributor Unipalm.
"With many having broadband installed, they are effectively opening up their company to the outside world, so the risk of attack is higher than ever."
Even corporates are struggling, as connections multiply to branch offices, mobile users and teleworkers.
Corporates are more likely to be selective in what they outsource, with firewalls, virtual private networks (VPNs) and remote access among the most popular areas.
Of security vendor Symantec's 500 MSS customers, the top five sectors are business services (19 per cent), financial services (13 per cent), high-tech (11 per cent), manufacturing (nine per cent) and healthcare (eight per cent).
MSS is no longer just about managing products, but about providing any security function.
The list includes: managing firewalls, VPNs, anti-virus, intrusion detection systems (IDS) and authentication; penetration and vulnerability testing; activity monitoring; patch management; security policies and consultancy. The best-sellers are firewall and anti-virus.
An MSS provider may supply and configure the hardware and software, or manage existing installations.
Management is usually remote but can take place on-site. Multivendor approaches are common, and even the security vendors that provide MSS do not always manage their own products.
Resellers could provide MSS using their own staff and resources as equipment prices fall.
"Traditional solutions have not been attractive because a firewall and VPN device cost large sums of money, creating a return on investment lag of several years," says Harry Gostling, UK country manager at internet security appliance vendor SonicWall.
"But the latest firewalls are equipped with integrated security management capabilities, and for just £5,000 a reseller can acquire a comprehensive security management system for up to 25 firewalls, which scales to support a rapidly growing customer base."
But vendors and distributors that offer MSS for resale are quick to point out the drawbacks of the DIY route.
"It can require a pretty sizeable investment," says Ellis. "Not only is the infrastructure an expensive up-front cost, but you need adequate staffing to monitor and deliver on service level agreements [SLAs]."
Instead, there is a growing queue of security vendors (including Symantec, McAfee, Internet Security Systems and VeriSign), distributors (such as Unipalm and e92plus) and service companies (including Via Net.Works and Trend Communications) trying to persuade channel companies to resell their MSS.
"Resellers that want to offer complete solutions to customers are working with MSS providers to add the management layer on top of the hardware systems sale," says Richard Chapman, channel sales director at managed service provider Via Net.Works UK.
"Resellers benefit as they don't have to invest in resources to provide 24-hour monitoring and support, and they gain an ongoing revenue stream."
MSS suppliers need the channel. "Through their understanding of customers' needs, resellers can provide an important link between the end-user and MSS provider to ensure the solution is correctly specified, designed, implemented and maintained," adds Chapman.
"Network and systems integrators have the best profile of knowledge and customer contact to resell MSS."
Distributors and vendors may offer everything from consultancy and security testing to full management services and technical support. They can be pitched at many levels.
Kathryn Harding, professional services manager at Unipalm, says: "There are three options: providing services, directly or through partnership, to resellers that are unable to provide them themselves; a 'white label' service for those that wish to be seen as a security service provider; and providing the tools for resellers to offer the services themselves."
Resellers can pick and mix to achieve the right balance. "We can offer flexible resource sharing, allowing resellers to take on some of the management responsibility and increase their margins," says Mukesh Gupta, managing director of security distributor e92plus.
"Some are equipped to provide nine-to-five monitoring, leaving a specialist like us to handle out-of-hours cover. Specialists can also provide European coverage."
The white label approach can be particularly effective, either permanently or as a bridge while the reseller sets up its own MSS operation.
"White label is very attractive to resellers, who understand their customers want a single supplier," says Gupta. "Some specialist distributors can support this, and even offer out-of-the-box marketing campaigns to help get the ball rolling."
Most suppliers are cagey about precise margins, but concede they are higher than pure product sales or simple connectivity.
Chapman says margins are "double-digit", while Phil Robins, channel and partnership director at Symantec, says resellers can make 25 per cent on services.
Gupta says managed anti-virus is becoming a commodity, but firewall monitoring offers better margins, particularly where there is a white label option, and VPN and IDS offer the best margins because they are the most labour-intensive.
Sales support, consultancy, training and implementation offer extra value-add opportunities.
The critical nature of security makes trust a key issue in this market. Resellers must work hard to achieve trusted status, but once achieved, it can be a lever for obtaining repeat and further business.
"The main benefit to resellers is the prospect of repeat business," says Phil Watts, channel and sales director at security vendor Trend Micro.
"Managed services are a key platform on which you can build your reputation as a reseller and grow your business. The amount of repeat business rests entirely on the achievements of the reseller."
Ironically, the very imperfection of IT security (only the bravest MSS provider would guarantee 100 per cent uptime and impenetrability) enhances opportunities.
"Security is not done once, it should be a continuous process," says Stuart Muirhead, sales and marketing manager at network support specialist Trend Communications (no relation to Trend Micro).
"Users change the system and the nature of the threat keeps changing. It can be worms, then viruses."
Upselling is common. "For many companies, taking on MSS is a significant step," says Robins. "They may choose the most basic level of service initially and then upgrade."
At best, MSS can seem like an endless sales cycle. "You review a customer's security, provide recommendations, sell products or services to fulfil the recommendations, manage the process and then start again," says Harding.
"A single service such as a vulnerability scan is only a snapshot. The reseller can make recommendations to reduce the risks, either by providing a consultancy service to tighten up the existing security policy or by selling products to further increase security.
"For example, if a WLAN access point has been added to the network, a firewall is needed to control access."
Insurance companies are taking an increasing interest in security and disaster recovery provisions.
"It's a two-way deal. Insurers offer a lower premium to organisations that take security from a preferred supplier, so the reseller benefits from repeat business and third-party endorsement," says Jeremy White, consultancy manager in the security practice at solutions company LogicaCMG.
Creaking security kit may provide further opportunities. "The reseller can carry out an audit to establish areas of poor functionality or risk, and then advise and implement the best way of upgrading and managing these," says White.
In some respects, MSS sales are straightforward, says Robins. "The reseller sells the service, but the supplier establishes the SLA directly with the customer and carries out the service. The reseller makes margin on the sale."
But he warns that the positioning of an MSS sale is very different from a product sale.
Resellers need to know which other aspects of the business are already outsourced, the overall infrastructure, and what other products are being monitored and managed.
"One of the key values a reseller can bring is the ability to assess the business and determine the right level of service," says Phil Goff, technical director at security distributor Allasso.
"This can only be achieved after the reseller has dealt with the customer for some time, when it has a close understanding of the business."
And despite the demand for MSS, selling it is no pushover. "Outsourcing security management is a strategic decision, so the reseller needs patience and understanding," says Dermot Greally, MSS business development manager at vendor Internet Security Systems.
Customers are more savvy and contract renewals are not automatic. "Originally, customers wanted to get rid of the problem: fit, forget and we'll see you in a year for the renewal," he says.
"But boards of directors are now asking what value we can demonstrate throughout the contract. Don't assume that because you've won the contract you can't lose it."
The sales and account management process has changed, too, and the need to manage the relationship with the customer on a daily basis should not be underestimated.
"You may be required to show up to a number of meetings with no financial return other than retaining the current revenue stream," says Greally.
On the plus side, regular customer contact, especially with senior directors, increases the chance of further sales.
Commoditisation is already driving down margins in areas such as firewall and anti-virus management, and Greally warns that in future, the bigger systems integrators may bring down prices by consolidating MSS with unrelated services.
He says managed IDS is the most lucrative market, but is also more expensive and riskier to develop and deliver.
As products mature, management may become simple enough for user organisations to take it on themselves, so the market for basic device management services may decline.
This will make it even more important to keep margins up and educate customers about the benefits of MSS, argues Greally.
"Many still aren't fully aware of the benefits of outsourcing security," he says. "Unless vendors and resellers take part in the education process, we shall continue to see erosion of margins, which does neither the reseller nor the customer any favours in the long term."
- Demand for MSS is growing among corporates and SMEs.
- Better and cheaper management products mean resellers could do it themselves. But distributors, vendors and service providers are queuing up to offer MSS for resale, promising extra reach and reduced risk for the reseller.
- Anti-virus and firewall services are more commoditised, but virtual private networks and intrusion detection offer high margins.
- Upselling and repeat business are common as threats and networks grow. But customers are demanding more, and MSS needs careful account management and effective reporting.
CASE STUDY: VISTORM
Managed services specialist Vistorm has been providing managed security services since 1999 and now manages 470 devices for 150 companies in 65 countries.
About 80 per cent of the business is firewall management, 10 per cent intrusion detection and 10 per cent authentication (much of it for remote users and satellite offices), mostly run remotely from Vistorm's UK headquarters.
"Our typical customer is a large-ish, UK-headquartered company, probably with other sites around the world, connected by a VPN," says Rhodri Davies, Vistorm's head of R&D.
"The lower you go down the market, the less money there is to be made and you need a different sales strategy."
Vistorm's sales lever is its experience. "We use just about every feature of a product like a firewall, so we really know our way around it," says Davies.
"A user company will only use a fraction of those features. It would be a nightmare if we didn't have in-depth networking and security expertise. It's not something you could do thoroughly from day one."
Monitoring can be a major overhead, especially for intrusion detection, which is difficult to automate and requires 24-hour interpretation by Vistorm staff.
Equally important is the need to show that customers are getting something for their money. Vistorm developed a multicustomer reporting system, delivered via a web portal.
"In a perfect world, the customer sits there and sees nothing except a cheque going out at the end of the month," says Davies. "They need reports to justify this to the board."
Margins are highest on intrusion detection and authentication, which are both relatively new, while the economies of scale on Vistorm's larger firewall business offset the lower margins there. The most lucrative customers are those that provide an open brief.
"We like people to come to us with a business problem, not detailed technical instructions, because we can add more value," says Davies.
"Security opens doors for other managed services and enables us to build closer relationships, so there is some pull-through of extra business."
Allasso (0870) 366 8511
e92plus (0870) 200 9292
Internet Security Systems (0800) 085 2976
LogicaCMG (020) 7637 9111
McAfee (01753) 217 500
SonicWall (01344) 668 090
Symantec (020) 7616 5600
Trend Communications (01628) 524 977
Trend Micro (01628) 400 500
Unipalm (01638) 569 600
VeriSign (0041) 22 548 0000
Via Net.Works (0845) 330 4975
Vistorm (01925) 665 500