MSSP M&A

"The continued process of consolidation going on within the industry is not just limited to the same types of providers anymore," says Loren Rudd, a research analyst at Frost and Sullivan, an international business consulting firm. "Now you are seeing more cross-provider type consolidations and acquisitions. I think in that sense there is a new type of consolidation in the industry."

There have been several recent announcements that corroborate Rudd's view, most notably the $1.3 billion dollar acquisition of Internet Security Systems (ISS) by IBM. Big Blue is picking up ISS to help fold better security offerings into its overall IT service business. Such recent mega-deals indicate that security services are all grown up now, Rudd says.

"I think when it is taken in the context of other indicators, like the relative distribution channels being used within the industry and the gradually declining growth rates of the industry itself, it appears the MSSP industry has matured more quickly than many of us analysts might have expected," he says.

In the beginning
To really understand how far along the MSSP market has matured, it is important to understand where it came from, says Grant Geyer, vice president of global managed security services, Symantec.

"In the early days, up until about 2003, managed security services [were] purchased by security practitioners and the IT organization to help protect organizations from security risks, both internally and externally," he says.

But at that time the uptake of these services was not widespread. Also, much of these service purchases were often driven for technology reasons rather than strategic ones — many organizations that couldn't afford their own security solutions simply hired a provider to bring in the exact technology that they needed. After that, the rise of some very high-profile worms and big cases of expensive downtime at larger organizations thrust security services into the limelight, he explains. At the same time, many organizations with little to no in-house security expertise were seeking managed security services for compliance reasons.

"During the early part of the compliance buying we sometimes saw our customers purchasing MSS for the wrong reasons," he says. "A lot of times they were purchasing managed security services for a check-the-box solution to show they were compliant. A lot of times we saw organizations trying to buy the lowest cost MSS out there because they really didn't care about the quality of the service."

In today's environment, however, things have come full circle, he adds. With disclosure laws bringing more high-profile data loss incidents into public view, companies are being forced to buy for strategic reasons.

"The bottom line is that the details matter now to customers of managed security service," he says. "We see a significant amount of managed security services occurring in the large enterprise because they need to protect themselves from internal threats, external threats and threats on the internet they don't know about."

Changing the focus
As services solutions have matured, so have clients' buying preferences.
According to Geyer and many others in the industry, MSSP customers are no longer content to simply shop for service providers that offer technology they can't afford to buy outright. Instead, they are seeking expertise and information to help them navigate the risks at play and to run their businesses most effectively.

As more businesses ask for security services that help them meet overarching business concerns, service providers are moving from a service approach to a philosophy geared more toward risk management.

"When we started with MSS in the late nineties this was a purely technology-centric type of market," says Bart Vansevenant, director of product management at Cybertrust, Herndon, Va. "We were talking with operational people with a lot of techie-talk about firewalls and IDS. Whereas today if we go to an account and talk security, the conversation is much more about how we secure their business and how we can limit or manage risk."

He says the only way to really handle that last piece is by talking to the client.

"We allow our clients to give that criticality report of each asset. If you then put it all together, how that works is you have the threat information collected in real time by the MSSP, you have the vulnerability information collected monthly or quarterly, and then you have the criticality information."

At that point, the service provider can give timely action and advice based on both the technology and the risks at hand. This type of prioritization is exactly what customers are looking for from providers at the end of the day, says Scott Magrath director of product marketing, managed security services group, VeriSign.

He agrees that customers expect more strategic advice from managed services. In fact, it is coming to the point where he and his colleagues see more clamoring for consulting advice to be paired with the services for more comprehensive help.

"We see a lot more times where the customer is leveraging us for both consulting and managed services because they're thinking about it as being seamless. It is about more than getting smart people to help them solve problems."

MATCH GAME:
Consolidation