For those participants and investors in the managed security services (MSS) space, the last two years has seemed more like two lifetimes.
Eighteen to twenty-four months ago, one would have been hard-pressed to find anything hotter within Internet security than managed security services.
The argument was simple. Security is much too complicated and time-consuming for organizations to constantly monitor and manage their own security infrastructures. Security products (i.e. firewalls, intrusion detection systems) alone are not adequate enough to handle the increasing threat environment. Where else in security could a business model be constructed with such high margins and recurring revenue? These arguments did not fall on deaf ears in the financial community, as it seems every start-up that even had MSS in their business plan received funding.
Fast forward to the beginning of 2002 and a different story was being told. MSS was being lumped in with those other three-letter abbreviations (PKI, SSO) as over-hyped and disappearing functions. The carnage resulted in reorganizations (e.g. OneSecure, Mitoses), forced partnering (e.g. Televises, Para-Protect), and outright disasters (e.g. Pilot, Salinas Group).
Today, there is evidence that the MSS space is coming back into consciousness. Fueling this view is Symantec's endorsement of the space through its acquisition of Riptech and SecurityFocus, and solid second quarter 2002 monitoring revenue (up 22 per cent sequentially) from Internet Security Systems (ISS). So, is MSS really back or are these examples just outliers, highlighted because Symantec and ISS are visible companies?
The negative sentiment around the MSS space in 2001 and early 2002 originated from too many entrants and too high expectations. In reality, even in the best of environments this space could not support all the new entrants. It also did not help that many of these new participants underestimated how difficult (and costly) it was to develop a scalable monitoring solution. The result is that all the bad stories (i.e. bankruptcies, closings, botched implementations, etc.) overwhelmed the good stories. This discouraging news trickled down to the prospective customer, providing a hint of skepticism when dealing with the pure-play MSS vendors.
The Thriving Players
In truth, the outlook for the market is not as challenged as perceived. According to the IT research firm, In-Stat, worldwide revenue for MSS is expected to grow from approximately $1.2 billion in 2001 to $4.9 billion in 2006, a compound annual growth rate of 32 per cent. Even in today's tough tech environment, several privately-held firms are thriving, with growth rates and profit margins the envy of most technology companies. How are these firms standing out from the pack? We think there are some common characteristics.
Don't bite off more than you can chew
One of the biggest problems many start-up MSS firms have had in the last two years was focus. They were seduced by the vast market opportunity, and underestimated the importance of execution. As a result, instead of investing monies in the technologies and processes required to offer a workable solution, more money was spent on marketing and trying to develop a brand. The problem with this strategy is that as more companies employ it, the more costly it becomes to be heard. Some of the more successful (and profitable) MSS firms are also some of the most stealthy. The Virginia, U.S.-based NetSec has spent almost all its effort in developing a workable solution, and let word-of-mouth spread the news. The result has been probably the most impressive reference list in the space, including one project where it is monitoring approximately 1,000 network devices.
Even though MSS is a service, the tools required to provide that service are key. For example, to perform 24x7 monitoring of a system requires the ability to make sense of a constant barrage of data logs. The better the tools (i.e. correlation engines, etc.), the more efficient the monitoring. This allows the MSS to handle larger networks and derive more revenue per employee. Although there are third-party products for MSS firms to use, including offerings from e-Security and netForensics, many successful players have their own proprietary technology. One of the principal reasons Symantec wanted Riptech was to get access to a monitoring technology that could scale to large networks.
When a corporation decides to outsource their security management and monitoring they are essentially handing over the keys to the kingdom. As a result it is a challenge for many privately-held MSS firms with their limited track records to penetrate large enterprises. One way trust can be earned is through consulting engagements. Those MSS firms that have mature consulting practices have been more successful at eventually winning outsourced management and monitoring business. The most prevalent example of this in the U.S. is Massachusetts-based Guardent Inc. Guardent was founded as a MSS firm in early 2000, and for the first year almost all revenue was from high-end consulting contracts. After proving its worth, the company gradually began providing these customers with MSS solutions as well. Currently, Guardent is arguably the largest privately held MSS firm in the industry. Monitoring revenue grew 1,000 per cent in the past year to approximately $1 million per month, and is expected to grow 300 per cent in 2003.
Future MSS Landscape
Even with some of the ferreting out of many MSS participants in the last eighteen months as well as the more promising prospects on the demand side, we expect to see more consolidation. In fact we see three distinct phases. The first phase, which is happening now, consists mostly of fire sales. A once promising MSS firm has seen its cash dry up, prospects go dim, and has to find a partner to keep afloat. The second phase of consolidation will consist of the larger privately-held firms being more selective, and buying smaller MSS firms that have less burn and provide a complement to an existing service portfolio. Finally, the larger firms will combine themselves to create enough size to be attractive to the public markets.
When it has all stabilized, we believe the managed security service space will be one of the hottest areas in all of security. Like many start-from-scratch segments, it has had its share of growing pains. However, we believe the pain is subsiding. Darwinian forces have made the landscape less confusing for customers, and have matured the existing vendors. There has never been much doubt about the economic benefits of outsourcing non-core 24x7 functions like security management and monitoring. With the increasing maturity of the industry, doubts about relying on pure-play MSS firms to perform this task are becoming fewer as well.
Sean Jackson, CFA, is vice president of Avondale Partners, LLC, an investment bank.