STATE OF THE MSSP SPACE
For every CIO who thinks outsourcing core security operations is blasphemous, there's another who's doing it right now, or is on the verge. As a result, the MSSP space is growing rapidly, according to Forrester Research, with sales estimated at $3 billion this year. The dominant players in this market--IBM ISS, Symantec, and VeriSign--have well-developed and mature managed security businesses supported by vast talent pools.
But Tier 1 Internet service providers are vying for a slice of this business, and enterprises are interested. In our poll, when we asked about preferred provider type, nearly 20% of companies with 1,000 or more employees said they'd be open to using an ISP for security, versus 15% for smaller firms. Large companies were most likely to prefer a pure-play security vendor, with 40% going that route. For small and medium-sized enterprises, the No. 1 choice is a provider that offers not only a wide range of services, but also a deep base of expertise. As a result, the top technology companies with MSSP divisions, like IBM with ISS, own the advantage.
The cutthroat competition and tight margins that bedevil ISPs mean they're always on the lookout for growth opportunities, and professional services is a perennial source of high margins. ISPs were largely unsuccessful at growing their MSSP businesses organically, so they shifted to an "if you can't beat em', buy 'em" approach. The ensuing acquisition spree kicked off a large consolidation of pure-play MSSPs, with the largest deal being Verizon Business Solutions' recent acquisition of Cybertrust.
While consolidation isn't generally well-received by IT, in this case, it bodes well because it means that companies like Verizon, AT&T, and Sprint Nextel have the potential to build industry-leading security suites into their network clouds. Assuming these ISPs avoid infecting their pure-play security acquisitions with the poor service and lethargic organizational culture that has kept their other service plays down, in the not-too-distant future, IT will be able to subscribe à la carte to an enterprise-class managed firewall service, intrusion-detection or -prevention system, or managed e-mail with its Internet circuit. This would be a boon for SMEs as well as distributed companies stressed over securing remote offices.
For now, IBM leads in its service suite, while SecureWorks and Solutionary are top pure-play providers. We spoke with Val Rahmani, general manager of IBM's ISS business, at the company's recent security summit in Boston. Rahmani sees ISPs as a key distribution channel for the company's Unified Threat Management offering.
"However good you are, you can't be looking at as much as we are looking at," says Rahmani, adding that the IBM service is popular with ISPs that want to offer security services as an incremental value add for customers without a big investment in infosec experts. "We don't want to get into the telecom business, why should they want to get into the security business?"
FIGHTING THE SKEPTICS
Ten years ago, the majority of CIOs summarily dismissed the idea of outsourcing any security-related function. Two years ago, when we reviewed 24 MSSPs, the idea was gaining traction thanks to an increase in zero-day attacks and media scrutiny of breaches. Today, based on our poll and discussions with IT pros and MSSPs, the predominant feeling is still a level of mistrust, but there's growing acceptance that the threat landscape is complex enough that calling in professionals may be the responsible course.
Still, there are limits to what can be outsourced. Some of the most egregious hacks in recent memory were inside jobs, and considering the difficulty of securing and monitoring access to globally distributed data, no independent, third-party watchdog can ensure that employees or contractors don't walk out the door with the data equivalent of gold bars falling out of their pockets.
When faced with battling back inside and outside threats, IT must take a holistic and comprehensive approach that may include outside vendors, but also takes advantage of the latest content inspection and behavioral technologies, like data-loss prevention and network-behavioral analysis tools. One option for those unsure of outsourcing is to use an MSSP in the same way finance departments use third-party auditors to verify the accuracy of their books--as an independent authority for proving security standards to management. In fact, according to our poll, one of the most popular ways providers are being employed is in a vulnerability-assessment capacity. The best way to discover gaping holes is to hire a professional hacker.
We're also seeing a rise in customization to battle the perception that IT is losing control. When we last reviewed MSSPs, a sticking point was that providers often forced their policies and procedures onto customers, with few options. Today, long-term success as an MSSP requires close customer collaboration, tailoring of services, and quick reaction to issues. The MSSPs we spoke with are looking to meet the concerns of IT head on by stressing versatility in their deployment scenarios and service models.
"We realized early that customers don't want to lose control, so we've developed all managed service solutions in a collaborative way," says Verizon's Bailey. "The tools and portals that customers see are the same tools that Verizon engineers see."
Still, for organizations with significant intellectual property, the trust issue might be a hurdle too high for MSSPs to leap. Our poll indicates that the No. 1 concern for all organizations considering outsourcing is possible loss or compromise of critical data. IBM ISS's Rahmani says customers are looking for comprehensive coverage while keeping sensitive info in-house. "In most cases, we're not getting their client data," she says. "We're generating alerts against the environment to say, for example, 'It's 2 a.m. on a Saturday and you told us no one should be using Unix on a Saturday.'"
(click image for larger view)