Managed security services (MSS) are all the rage in the security channel and for good reason. As margins on security products continue to diminish and customers have less time to focus on security activities, being able to provide a monthly solution that alleviates the pressure on your customers is a good thing, right?
For the most part it is. Customers are increasingly receptive to outsourcing some facets of security, like email scanning and firewall/IPS monitoring. But does that mean you should run headlong into the wild, wooly world of managed security services (MSS)? The answer is probably yes, but before pulling the trigger consider the following issues.
- Infrastructure -- How are you going to offer these services? At a minimum, you'll need devices to put on the customer site, and a central console to aggregate the data and manage it. If you expect any kind of volume, you are looking at an enterprise-class deployment, and that costs big dollars. It's a good investment, but it's still a big check you'll need to write.
- Volumes -- The only constant in the technology world is more -- more traffic, bigger pipes, exponentially-growing volumes of email. It seems that the gauge for everything in security goes to 11 nowadays. Services
Requires Membership to View
To gain access to this and all member only content, please provide the following information:
By submitting your registration information to SearchSecurityChannel.com you agree to receive email communications from the TechTarget network of sites, and/or third party content providers that have relationships with TechTarget, based on your topic interests and activity, including updates on new content, event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile, unsubscribing via email or by contacting us here
- Your use of SearchSecurityChannel.com is governed by our Terms of Use
- We designed our Privacy Policy to provide you with important disclosures about how we collect and use your registration and other information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.
- If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States.
- are interesting to customers because they make "more" someone else's problem. Between Q3 and Q4 2006, for example, email volumes grew significantly due to a wave of image spam. Companies that had their own gateways were forced to invest in more technology to deal with the volume. Customers that used a service were none the worse for wear.
Of course, what's good for the customer can be bad for the service provider. It's not like you can go back to the customer and ask for more money in the middle of the contract. Moreover, these markets are so competitive that you'll have no pricing power. So as volumes increase, you will need to keep pace.
- Always on -- It's a 24/7 world out there. When you sell the customer a product, you do the install and wish them well. Well, not really, but you don't get a call at 3 a.m. when something is amiss -- unless you sell them a service.
You'll also need to field a 24/7 support capability, which is a pretty significant investment. You could probably get someone else to do off-hour support, but that will impact your profit margin on delivering the service. - Liability -- Another advantage of selling products without services is that the VAR isn't liable for much of anything. If the product wreaks havoc, the manufacturer gets tagged, not you. But if you sell a service, it's your neck on the line. So make sure you have counsel that specializes in technology managed services agreements to create contract vehicles for you. Getting sued is a pretty bad time to figure out your contract has more holes than Swiss cheese.
There are a lot of reasons why offering managed services to customers is a good business move -- tighter relationships, monthly annuities and providing a lot of value to customers top the list -- but I hope this discussion has given you a greater appreciation for the risks of getting into the business, as well.
Entering MSS is a significant investment, and one that should be analyzed carefully. A less risky play would be to OEM a provider's services. This will get you out of the infrastructure and 24/7 support business. Many of the independent MSS players offer a private label option, which may make more sense for your situation. It's certainly something to consider.
About the author
Mike Rothman is president and principal analyst of Security Incite, an industry analyst firm in Atlanta, and the author of The Pragmatic CSO: 12 Steps to Being a Security Master. Get more information about the Pragmatic CSO at http://www.pragmaticcso.com, read his blog at http://blog.securityincite.com, or reach him via e-mail at mike.rothman (at) securityincite (dot) com.
This was first published in June 2007