Managed Services:  Enterprise Security

As part of the security manager’s arsenal of strategies to combat today’s complex enterprise challenges, outsourcing security operations is becoming a critical component in many cases. Times couldn’t be any tougher for SMEs and large enterprises to secure their organizations as they face shrinking IT budgets and historical levels of Internet threats spurred by motivated cybercriminals.

New Day for Outsourcing Security

A sea change is occurring in the way managed security services are offered, following the consolidation of the industry in recent years. Some pure-play managed security service providers (MSSP) still operate thriving businesses, but now the big guys have entered the space, including network service providers and traditional security management players. This brings more tools to more people in the way of affordable outsourced security bundles, so those who thought managed services were only offered in the form of custom services for the very large and wealthy are finding a broader list of technologies available under the managed umbrella for prices that accommodate everyone.

This industry consolidation has also lent itself to increased confidence in handing over management of security operations to an outside party. Customers feel more comfortable outsourcing their security operations to companies they’ve been doing business with for years, not to mention, companies with strong brand recognition. In the past, and still to some degree, customers have been reluctant to outsource security due to concerns about possible data breaches. More recently, however, customer concerns have shifted to the changing threat landscape that could potentially wreak havoc through data breaches and identity thefts.

Benefits and Types of Outsourcing

So why the attraction to outsourced security? The security service provider’s business model is designed to meet the current needs of enterprise customers. Primary benefits customers receive include:

-       Reduced cost of setting up and managing security by tapping SaaS providers or MSSPs versus paying for on-premise products and management costs

-       More effective, real-time security provided by security professionals that are backed by large networks of threat intelligence

-        Ability for customers to focus on core business

Outsourced security services are being offered by a growing number of companies, following some key acquisitions in recent years including: IBM’s acquisition of ISS; Verizon’s purchase of Cybertrust; BT’s acquisition of Counterpane Internet Security; and Symantec’s purchase of MessageLabs. Categories of security service providers include MSSPs (Integralis, Perimeter eSecurity, and SecureWorks); network service providers/ISPs (AT&T, BT, Verizon); IT outsourcing providers (CompuCom, EDS, HP and IBM); security management vendors (IBM ISS, Symantec, VeriSign); and software as a service (SaaS) players (CA, Symantec, Trend Micro). 

Technologies Galore

Being a security manager is no longer just about monitoring the company’s firewall technology. Now, security administrators are required to understand advanced security technologies such as spyware, IDS/IPS, anti-phishing, Web security, identity management, and compliance regulation issues.

Service providers are offering a slew of technologies, and they continue to broaden their portfolios. Technologies include threat protection (antivirus, anti-spam, antipharming/antiphishing), Web filtering, vulnerability scanning, authentication, unified threat management, e-mail archiving, encryption, firewall, VPN, intrusion detection and prevention (IDP), network monitoring and log review, penetration testing/compliance review, backup and storage, and business continuity.

Channel Challenges

Service providers face the challenge of marketing attractive outsourcing options that appeal to the low end of the market, customers typically served by channel partners including VARs (value-added resellers) and resellers. SMBs that already have threat protection infrastructure in place will be weighing the cost of maintaining security technology on their own, versus paying for outsourcing services. At times service providers are competing with channel partners. While most service providers offer channel partners incentives in the form of monthly revenue streams for referring customers to the providers’ services, VARs say the margins are minimal. Further, once that technology is outsourced, the VAR no longer has the opportunity to provide value-add to its clients.

Channel players also tell Synergy that SMBs are mostly interested in outsourcing their secure messaging (e.g. email security and Web security), as well as disaster recovery, storage, and back-up operations. VARs savvy in advanced technologies have no intention of passing up these kinds of business opportunities.

Summary

Companies are grappling with numerous issues including reduced IT budgets and limited security professionals. At the same time, the amount and sophistication level of Internet threats have never been so daunting to an administrator. Companies of all sizes need to conduct due diligence and consider the possibility of outsourcing all or part of their security operations as they look for new ways to strengthen network security in this new economy.