Service providers are looking to capitalize on the growing appetite for managed security, broadening and deepening their portfolios through a flurry of mergers and acquisitions. Perimeter eSecurity has been particularly aggressive, snapping up vulnerability management provider Edgeos this week, the second company it's bought this year.
A number of factors are driving the managed security service provider (MSSP) market. As the vendors and their technologies mature, companies are more willing to trust at least portions of their security operations -- and, in some cases, even their sensitive data -- to respected outsiders. Pricing is attractive to small organizations with limited budgets, and larger enterprises stretched thin in a tough economy. Compliance pressures, notably PCI DSS, are also forcing a lot of companies, often smaller ones with little security experience, to add protections they once considered marginal and too expensive.
Perimeter bought email archiving compliance provider Secure Electronic Communication Compliance Archival System (SECCAS) in January. Last summer they bought secure messaging services vendor USA.NET, following a half-dozen other acquisitions since 2004, adding customers and technologies to its growing package of some 50 different services. They plan to make about one acquisition a quarter.
"They have really increased their presence in the market," said Kelly Kavanagh, an analyst at Stamford, Conn.-based Gartner Inc. and lead author of the 2007 Magic Quadrant report on MSSPs, in which Perimeter was parked in the "Visionary" corner. "They have the ability to deliver services via customer premises equipment or via cloud-based services, and package a wide range of services targeted towards buyers that don't have a lot of security expertise."
"Generally speaking, instead of trying to integrate a third party in, we go out and buy the third party, and make them a much tighter, intertwined solution than you would get if you tried to partner with two independents," said Doug Howard, Perimeter's chief strategy officer and CEO of USA.NET.
Perimeter's existing vulnerability service was appliance-based, similar to the successful Qualys model, which puts leased boxes inside the customer network. Edgeos offers theirs as a true SaaS model, allowing scheduled or on-demand scans anywhere in the customer network. The approach is a lot cheaper for Perimeter to deploy, and offers better central management and automation than their old service.
Edgeos' model was to "white label" their service, so other providers could label it as their own for customers. This opens up additional sales opportunities for Perimeter.
The MSSP market has undergone something of a metamorphosis in the last couple of years, as providers move to one-stop shopping for security services through acquisitions, mergers and partnerships. For example, SecureWorks merged with Lurqh, and Solutionary merged with VigilantMinds. Ambiron Trustwave acquired SecurePipe.
In addition to pure-play providers, the giant telcos are stepping up their play. AT&T, which has a long history of offering strong home-grown services; BT, with acquisitions of Counterpane Internet Security and INS; and Verizon, which bought Cybertrust, have all dramatically stepped up their plays in the market.
Howard of Perimeter thinks the big telcos aren't in it for the long run. They have to show heavy growth and a reasonable margin, and that's not likely in the MSSP market, he said.
"It's good PR, but at the end of the day, with limited capital and limited budget, where are you going to put a buck?" Howard said.
Gartner's Kavanagh, however, said that these giants have some advantages. They could easily tap into their customer base, made up of people who buy bandwidth from them, he said.
"They have some real structural advantages in being able to deliver services in a cloud-based model, because they are provisioning the bandwidth," Kavanagh said. "On the other hand, security expertise, whether developed internally or through acquisitions of pureplays like Cybertrust, will enable them to sell outside their core markets."
Even as we see consolidation in the MSSP market, specialists continue to emerge in hot security technologies, so we see, for example, application security providers like WhiteHat Security and Veracode.
"Services tend to follow adoption of technology by leading-edge enterprises," Kavanagh said. "Once they have some experience with the technology and understand what it takes to run it, they have a greater comfort level turning it over to somebody who can do it cheaper, and maybe with greater expertise."