Managed security services (MSS) are all the rage in the security channel and for good reason. As margins on security products continue to diminish and customers have less time to focus on security activities, being able to provide a monthly solution that alleviates the pressure on your customers is a good thing, right?
For the most part it is. Customers are increasingly receptive to outsourcing some facets of security, like email scanning and firewall/IPS monitoring. But does that mean you should run headlong into the wild, wooly world of managed security services (MSS)? The answer is probably yes, but before pulling the trigger consider the following issues.
- Infrastructure -- How are you going to offer these services? At a minimum, you'll need devices to put on the customer site, and a central console to aggregate the data and manage it. If you expect any kind of volume, you are looking at an enterprise-class deployment, and that costs big dollars. It's a good investment, but it's still a big check you'll need to write.
- Volumes -- The only constant in the technology world is more -- more traffic, bigger pipes, exponentially-growing volumes of email. It seems that the gauge for everything in security goes to 11 nowadays. Services are interesting to customers because they make "more" someone else's problem. Between Q3 and Q4 2006, for example, email volumes grew significantly due to a wave of image spam. Companies that had their own gateways were forced to invest in more technology to deal with the volume. Customers that used a service were none the worse for wear.
Of course, what's good for the customer can be bad for the service provider. It's not like you can go back to the customer and ask for more money in the middle of the contract. Moreover, these markets are so competitive that you'll have no pricing power. So as volumes increase, you will need to keep pace.
- Always on -- It's a 24/7 world out there. When you sell the customer a product, you do the install and wish them well. Well, not really, but you don't get a call at 3 a.m. when something is amiss -- unless you sell them a service.
You'll also need to field a 24/7 support capability, which is a pretty significant investment. You could probably get someone else to do off-hour support, but that will impact your profit margin on delivering the service.
- Liability -- Another advantage of selling products without services is that the VAR isn't liable for much of anything. If the product wreaks havoc, the manufacturer gets tagged, not you. But if you sell a service, it's your neck on the line. So make sure you have counsel that specializes in technology managed services agreements to create contract vehicles for you. Getting sued is a pretty bad time to figure out your contract has more holes than Swiss cheese.
There are a lot of reasons why offering managed services to customers is a good business move -- tighter relationships, monthly annuities and providing a lot of value to customers top the list -- but I hope this discussion has given you a greater appreciation for the risks of getting into the business, as well.
Entering MSS is a significant investment, and one that should be analyzed carefully. A less risky play would be to OEM a provider's services. This will get you out of the infrastructure and 24/7 support business. Many of the independent MSS players offer a private label option, which may make more sense for your situation. It's certainly something to consider.
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.
