FAC/Equities and META Group concur that security is a top priority for most Global 2000 CIOs, but skilled security personnel are still scarce, and solutions remain complex and difficult to integrate. META Group notes that many vendors, hoping to address growing demand, have announced managed security service (MSS) offerings. However, according to META Group, trust, maturity of offerings, and overall market maturity will remain issues until 2003.

META Group suggests customers realize that the low maturity level of this market requires greater vendor due diligence than normal, and current economic conditions suggest seeking managed security service providers with 18 months of funding. FAC/Equities and META Group think those guidelines bode well for emerging MSS leaders, including publicly held ISS, and privately held Aventail, Counterpane, Qualys, Riptech and Ubizen.

Information security awareness is at an all-time high. META Group research indicates information security ranks as a top priority among Global 2000 (G2000) CIOs, as trade and business press covering security continue to drive awareness at all levels (e.g., other executives and end users). While organizations are beginning to realize the importance of information security, META Group notes that many are struggling with complex and immature product solutions.

In addition, META Group thinks that, despite current economic conditions, qualified information security personnel will remain in short supply until 2004. Although a similar scenario in any other IT domain normally drives a booming outsourcing market, META Group notes that outsourcing security is a relatively new concept that faces several obstacles to acceptance and maturation.

Nonetheless, both FAC/Equities and META Group note that there has been a massive proliferation of security services vendors (and those that hope to sell to them) during the past 12 months. META Group expects this proliferation to continue, but vendors will be sharply culled by funding limits, acquisition, and channel limits (2002). In addition, both FAC/Equities and META Group expect consolidation in this space, first by vendors attempting multifunction aggregation (2002-03), and then by resellers through channel aggregation (2003-04).

According to META Group, security services can be broken into three segments: security planning (assessment, architecture, etc.), security integration, and managed security services.

META Group notes that security planning and integration services (i.e., consulting) have been commonly used by many of the G2000. META Group thinks that most of the new security services investment is in MSS, as vendors hope to capture subscription revenue from small and medium-sized enterprises, as well as from G2000 organizations looking to outsource certain security operation center (SOC) functions. META Group notes that recent announcements suggest that nearly every information security product and services vendor is either becoming a managed security service provider (MSSP) or targeting MSSPs with specific sales efforts.

Although a few MSS offerings (certain managed firewall and virtual private network [VPN] services) are second generation, according to META Group, most MSSPs are very new - notably those providing scanning and intrusion detection/monitoring/response services. META Group expects to see maturity first in the managed VPN and firewall arenas (2002), although a viable business model is proving elusive. MSS-based vulnerability scanning will mature next (2003), followed by intrusion detection (2003-04), security monitoring and response (2004), and authentication/administration (2004-05).

Barriers to adoption and maturation

According to META Group, with the exception of managed firewall and VPN services, MSSs (e.g., intrusion detection, monitoring, scanning, authorization management, administration) are immature, most being less than a year old. META Group thinks this immaturity is found at all levels, with technology and marketing most apparent, but process immaturity and lack of appropriate skill sets are the more troubling - albeit less obvious - issues.

META Group thinks customer-vendor trust (a factor that had inhibited the creation of an MSSP market and can be an issue for any service provider) remains a significant hurdle in selling MSSs. First, many organizations are reluctant to consider outsourcing security; MSSPs have no preexisting relationship with potential customers and little or no track record in the market. META Group thinks this factor, coupled with the culture clash between corporate entities and many hacker-staffed security services firms, results in trust proving to be a significant barrier.

Finally, META Group thinks there is often a thorough lack of focus from security service vendors, as most security service firms are willing to apply their talent in almost any fashion, making them little more than security body shops. In addition, many lack sufficient funding to build leveraged services, and grasp at any business that comes their way. META Group thinks focused providers (e.g., Counterpane, Qualys) are able to position themselves as best of breed for a particular security function (such as monitoring, scanning); however, even among the focused providers funding is still an issue, because it takes time to build the necessary relationships to succeed in this market.

Channels and market evolution

Initially, META Group expects MSSPs to be successful in the G2000 with a direct sales model (MSSPs will use indirect channels for smaller companies). Longer term, META Group expects most companies to buy MSSs through indirect sales (often Internet service providers [ISPs] or other xSPs), with MSSPs fielding a small direct sales force targeting the largest companies.

In addition to vendor reduction through problems with funding, execution and focus, META Group expects significant aggregation in this space. The initial consolidation effort will be to aggregate multiple security functions within one provider. META Group expects this to fail because of infrastructure realities - that is, most enterprises do not wholly own the infrastructure they depend on - often confounding security outsourcing efforts. In addition, META Group expects infrastructure providers (ISPs and Web-hosting companies, in particular) to become channel aggregation points for multiple MSSPs; we believe this will be a successful model, largely for relationship and trust reasons.

FAC/Equities and META Group concur that G2000 organizations should recognize the limits of the existing vendors and offerings and realize that outsourcing any security function involves, at a minimum, an audit of the MSSP's people, process and technology to ensure a good fit; at a maximum, it may involve the customer carefully defining the MSSP's process, customer interfaces and service-level agreements.

META Group notes that Global 2000 organizations need solid information security policies and practices. META Group thinks outsourcing components of information security should be evaluated as a solution, but the business must always retain responsibility - thus underlining the importance of understanding business and regulatory implications of outsourcing security.

META Group thinks users examining managed security services should seek providers with focus and realize multiple providers may be warranted, depending on the breadth of function outsourced. Both FAC/Equities and META Group believe user organizations should also realize the maturity level of this market requires greater vendor due diligence than normal, and current economic conditions suggest seeking managed security service providers with 18 months of funding.

This story was excerpted from META FACts, a newsletter published by META Group and FAC/Equities, a division of First Albany. Matt Barzowskas is a vice president with FAC/Equities. He can be reached at matt_barzowskas@fac.com or (617) 228-3512.