Judging the health of an MSSP

Thinking of outsourcing some of your security needs to a managed security services provider (MSSP)? Of course you need to understand how to negotiate the contract and structure the business relationship (See Outsourcing security a good plan, but be careful out there). But with the downturn in the tech industry, you also have to worry about whether your MSSP will even be in business in a year or two.

"A year ago, we were tracking about 125 national and international MSSPs," says Michael Rasmussen, director of research in information security at Cambridge, Mass.-based Giga Information Group. That number is now down to approximately 75, as MSSPs have fallen victim to slumping demand and a shortage of funding from venture-capital firms and other investors.

Before turning over critical security functions to an MSSP, analysts say, look for several vital signs: If the MSSP isn't already profitable, does it have a realistic plan to reach profitability even if it can't get funding from squeamish investors? Does it have enough cash on hand to give it a one-year cushion if the business plan doesn't work out? Does the MSSP have a healthy customer base or reseller agreements with other companies that do?

MSSPs can be broken into two broad categories, says Gartner Inc. Analyst John Pescatore. Insourcers are usually hired by small to medium-size firms or government and put staff to work managing security systems on the customer's site. Outsourcers are usually hired by larger customers and manage those customers' security from the outsourcer's own remote operations center.

Insourcing poses less of a risk if the MSSP goes under, says Pescatore, because insourced security management is usually done by small, regional systems integrators who can easily be replaced. "The only risk," says Pescatore, "is if you allow the insourcer to lead you to some very obscure technologies," such as an open-source firewall you never heard of. If the insourcer disappears, warns Pescatore, "your firewall disappears" as well.

Financial viability is more important when MSSPs outsource security to their own facility, he says. Cash in the bank is the critical –maybe the most critical –thing to look for. "It's a pretty tough environment to be out raising capital," says Walter Pritchard, an associate analyst with investment bank Soundview Technology Group. "If they expect to break even a year from now, they have to have sufficient cash to get there" and a year's worth of cushion beyond that, he says. For most MSSPs, he says, that means $20-25 million in the bank.

"It's a business that requires a lot of resources," says Pritchard. "You have to build out some infrastructure, you have to have an operations center to run all the managed security monitoring from," he says.

Potential customers should also track an MSSP's financial performance on a quarter-to-quarter basis. That can be tricky, especially when scandals have shown how companies can manipulate earnings through accounting tricks. Pritchard recommends looking at operating income (the amount an MSSP earns before paying interest and taxes), rather than its net income, which can include special one-time charges or income (such as from the sale of assets) that can mask its true performance.

Pescatore recommends finding an MSSP that gets 70 to 80 percent of its revenue from managed security services and the rest from security consulting. That way the consulting revenue can help the MSSP survive if it loses several big managed services customers, and the MSSP can try to sell new consulting customers on its managed security services, as well. The ability to quickly find new customers and replace lost customers is especially crucial for MSSPs "whose whole business model is based on economies of scale," says Pescatore.

Tracking customer wins and losses is another useful indicator of an MSSP's health, as are whether its staff is growing or shrinking and whether the MSSP is enlarging or cutting back its operations center's space.

Pritchard also says survival prospects are best for larger players, such as IBM, AT&T and WorldCom, that have a lot of existing customers to whom they can sell security outsourcing. Next best is an MSSP that sells services through a larger partner. Web hosting firm Verio Inc., for example, resells managed security services from Riptech Inc. BellSouth sells services including managed firewall and VPN, intrusion detection and response provided by Internet Security Systems. "If nobody else is selling their services, we think that's a big risk," says Pescatore. On the flip side, he says, the more well-known the reseller, the better.

Analyst Laura Koetzle at Forrester Research Inc. expects many smaller MSSPs "to join forces or sell out to larger managed services providers like telecom carriers" or merge with security services companies so they can combine their lower-margin managed security services with "higher-margin incident response planning or forensics consulting engagements."

In the long run, says Rasmussen, an MSSP "is either going to go out of business, it's going to be acquired, or it's going to acquire somebody else," he says. The trick is to sign up with an MSSP who will survive long enough to acquire somebody else –and right now, cash in the bank is one of the best ways to tell the winners from the losers.