In the late 1990s, we all predicted big things around managed services. As we close 2007, we are all predicting big things for Software as a Service (SaaS). What's old is new again but this time we may be right.
Case in point, managed security. A few years ago, enterprise security professionals were too proud and too paranoid to even think about outsourcing security management. As Bob Dylan sang, "the times, they are a changin'." According to a recent ESG Research survey 50 percent of large organizations (i.e. more than 1,000 employees) are either "interested" or "very interested" in outsourcing some portion of their security management tasks.
Why the change of heart? Security is getting too complicated and one mistake could result in hundreds of millions of dollars in damages. Just ask my Massachusetts neighbor TJX. Aside from this, large organizations have grown comfortable with outsourcing operational tasks and business processes. If my organization is in an industry such as retail, financial services, or health care, why on earth should I focus valuable IT resources on security management when outside experts can do this better, faster, and cheaper than I can?
What does user demand for managed security services mean for the industry?
1. Established security management players like CSC, Symantec, and Unisys have an opportunity to really scale the business. Looking forward, ESG believes that managed security services could soon be as important to Symantec as desktop security and backup. This may mean some additional investment in data center space, global expansion, personnel, and training in the short term.
2. Cisco Systems is just getting started with managed services but this is right down Broadway for IBM and Hewlett-Packard. Little wonder why IBM has been actively acquiring security firms like ISS and announcing big risk-management initiatives. IBM and HP can also add managed security to current IT outsourcing contracts.
3. With the right investments in infrastructure, marketing, and sales, managed security presents a lot of global upside for offshore system integrators such as Infosys, Satyam, Tata, and Wipro. Security could help these guys back into other enterprise IT business opportunities.
4. This is exactly why BT bought Counterpane and Verizon Communications gobbled up Cybertrust. Juniper is also working with a number of carriers as well. Again, security services may be a Trojan Horse (pardon the term) to sell more managed network, WAN and hosted services.
5. Product vendors need services air cover. Leaders like ArcSight, CA, and EMC/RSA need to establish their own managed security services, work with third-party carriers, or team up with service specialists like EDS.
All of this impending competition is good news for large organizations as it forces service excellence and price competition. If I were the chief information-security officer at an enterprise company, I'd make a New Year's resolution to begin assessing managed security options and ROI benefits in 2008.
Over the past few years, the security industry has been a hotbed of M&A activity. The big guys swallow the small guys and independent technologies become part of integrated suites or anchor products. We saw this with identity management, e-mail security, SSL VPNs, security event management, etc.
My prediction is that we will soon see a repeat of this cycle and this time the buyout activity will center on database security tools.
Why database security? To quote the famous bank robber Willie Sutton, "because that's where the money is." Databases contain loads of private, confidential, and regulated data that needs better protection than it has today. What's more, databases are complex pieces of software that are becoming more and more exposed to the Internet through flaky Web applications. Finally, existing security tools look at network connections and database servers but not the database itself. Databases need their own customized security safeguards.
There are a whole bunch of database security companies out there, including Application Security , Guardium, Imperva, IP Locks, Lumigent, etc. These guys do everything from vulnerability scanning to auditing and each is a venture-backed start-up. If you add up all of their cumulative revenue, it is probably less than $100 million--yet these firms are attractive takeover targets. For whom? How about IBM. Armonk has tons of database, security, and compliance tools but nothing for database security and compliance.
The same scenario applies to CA. Old database management experts BMC and Quest Software would also benefit from a database security play. EMC's RSA division has security event management and database encryption products so database security and auditing would round out its offerings rather nicely. You can never count out others like Hewlett-Packard, Microsoft, Oracle or Symantec either.
Before the year ends, I see a lot of buying and selling. Database security adds a lot of value to a lot of existing products and vendors. Remember, you read it here first.
- prev
- 1
- next
