Unable to keep up with security holes, attacks and government regulations, enterprises will turn to outside firms for 90% of their security by 2010, according to Yankee Group. Security companies marketing themselves as vulnerability managers will thrive in this environment.
A new report from the Boston-based research firm noted that more businesses have made security a priority to meet growing threats and comply with laws like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and Sarbanes-Oxley Act. Enterprises are swallowing some of their return-on-investment concerns and setting aside more cash for outside help, unconvinced they can handle the daunting task on their own.
As this happens, vendors who sell vulnerability scanning devices will do well simply by marketing their products as "vulnerability management services," said Matthew Kovar, security solutions and services vice president for Yankee Group.
"Organizations have used these legislated requirements to kick off security risk programs known in the early generations as vulnerability-management initiatives," said Kovar, the report's author. "This directive has been a marketing coup for companies that have taken vulnerability-scanning services and called them 'vulnerability-management services.' Managed security service providers (MSSPs) are merely naming the services to align with what executives are trying to do. It was pure happenstance that the product name matched enterprise need, which will be profitable for those managed security service providers that offer these robust risk-management services."
The report was a year in the making and is based on feedback from enterprises across a range of industries, Kovar said. He focused on mid- to large-sized companies and his research included roundtable discussions. "We also spoke to a lot of service providers, talking to them as providers as well as those in need of security solutions," Kovar said.
Those in the financial, telecommunications and health care industries are especially concerned about security, Kovar said. But, he added, "The concern isn't limited to those areas. No industry out there is telling us they don't want outside help. Everyone is looking at spending more for security. In health care, for example, it's all about protecting their intellectual property."
In the past, enterprises focused on buying affordable security devices with a specific focus, making it hard for MSSPs to thrive. But with attackers exploiting software vulnerabilities with increased speed and a host of security-driven laws making it onto the books in the last couple of years, times have changed. "The need for superior security value has turned the landscape around," Kovar said. "The whole has become greater than the individual parts." Instead of purchasing the lowest-cost devices, companies see a bigger need for integrated, faster, more responsive solutions, he added.
Based on his research, Kovar said companies like TruSecure and Symantec are the early leaders in security risk management. Close on their heels are Unisys, Netsec, Solutionary, ISS and RedSiren. The third group of niche player challengers includes AT&T, VeriSign (which acquired MSSP Guardent), Counterpane, Ubizen and Qualys. The report noted that this last group is starting to add vulnerability scanning, threat and vulnerability alerts and life-cycle management to service delivery platforms and will challenge the market leaders by the end of this year.
In the end, Kovar said, "Those who don't understand how to integrate vulnerability management into their portfolios or understand how to tune devices and systems to accept good traffic and block the bad will continue to struggle."
The report, available to Yankee Group clients, predicts managed security service revenue will grow from $1.5 billion in 2002 to $3.7 billion in 2008. This includes both professional services and managed services, which totaled $1.1 billion and $540 million, respectively, in 2002, and will grow to $2.2 billion and $1.1 billion by 2008.