Managed security in 2008

Given the increasing complexity of enterprise security, it's getting harder and harder for companies to ignore options for outsourcing security management.

Jon Oltsik
Jon Oltsik is a senior analyst at the Enterprise Strategy Group. He is not an employee of CNET.

In the late 1990s, we all predicted big things around managed services. As we close 2007, we are all predicting big things for Software as a Service (SaaS). What's old is new again, but this time we may be right.

Case in point, managed security. A few years ago, enterprise security professionals were too proud and too paranoid to even think about outsourcing security management. As Bob Dylan sang, "the times, they are a changin'." According to a recent ESG Research survey, 50 percent of large organizations (i.e., more than 1,000 employees) are either "interested" or "very interested" in outsourcing some portion of their security management tasks.

Why the change of heart? Security is getting too complicated and one mistake could result in hundreds of millions of dollars in damages. Just ask my Massachusetts neighbor TJX. Aside from this, large organizations have grown comfortable with outsourcing operational tasks and business processes. If my organization is in an industry such as retail, financial services, or health care, why on earth should I focus valuable IT resources on security management when outside experts can do this better, faster, and cheaper than I can?

What does user demand for managed security services mean for the industry?

1. Established security management players like CSC, Symantec, and Unisys have an opportunity to really scale the business. Looking forward, ESG believes that managed security services could soon be as important to Symantec as desktop security and backup. This may mean some additional investment in data center space, global expansion, personnel, and training in the short term.

2. Cisco Systems is just getting started with managed services but this is right down Broadway for IBM and Hewlett-Packard. Little wonder why IBM has been actively acquiring security firms like ISS and announcing big risk-management initiatives. IBM and HP can also add managed security to current IT outsourcing contracts.

3. With the right investments in infrastructure, marketing, and sales, managed security presents a lot of global upside for offshore system integrators such as Infosys, Satyam, Tata, and Wipro. Security could help these guys back into other enterprise IT business opportunities.

4. This is exactly why BT bought Counterpane and Verizon Communications gobbled up Cybertrust. Juniper is also working with a number of carriers. Again, security services may be a Trojan Horse (pardon the term) to sell more managed network, WAN, and hosted services.

5. Product vendors need services air cover. Leaders like ArcSight, CA, and EMC/RSA need to establish their own managed security services, work with third-party carriers, or team up with service specialists like EDS.

All of this impending competition is good news for large organizations as it forces service excellence and price competition. If I were the chief information-security officer at an enterprise company, I'd make a New Year's resolution to begin assessing managed security options and ROI benefits in 2008.