"Too many people are thinking of security instead of opportunity; they seem
more afraid of life than of death," said James F Byrnes. Over three decades
later, the American statesman's saying in a way reflects the debate facing the
CIO today: between keeping the enterprise's security systems locked within or
outsourcing to a third-party service provider, which provides the opportunity to
concentrate on core activities while improving efficiency and cost savings.
This conflict of interests between security and opportunity is getting
intensified with the vendors and service providers aggressively pushing their
managed security services (MSS) offerings. However, with the MSS offerings
gaining maturity and with the CIOs struggling to tackle the growing complexity
of security threats with budget and resource constraints, the opportunity
involved in outsourcing is not only becoming more acceptable but also
attractive.

With enterprises getting comfortable with the concept, MSS is emerging as one
of the fastest growing areas in the Indian security market. Gartner cites MSS as
one of the fastest-growing segments in the security marketplace. As per Frost &
Sullivan, the Indian MSS market in 2007 stood at around $46 mn. Akhilesh Tuteja,
executive director, KPMG, pegs the market growth in India in excess of 40%, and
it will maintain a 40-45% growth rate over the next 2-3 years. On the other hand,
the worldwide MSS market is projected to exceed $6 bn by 2011, as per Frost &
Sullivan.
Even while the overall momentum is in favor of growth in the MSS space, it
will take a lot more maturing and evolving before enterprises are able to make
complete peace with it. As a security expert points out, "After all, it's like
locking your door and then handing over the key to anyone." In a very literal
sense, this is what Managed Security Services is about. Though, in the
enterprise context, it's not just anyone that one gives the key to. It's
the trusted experts in whose hands the CIO places the information security
systems of the enterprise. Strategic deliberation on the need to outsource
(benefits vs risk), how much to outsource, and whom to outsource to will be
paramount to ensuring the success of the MSS model for the enterprises. On the
other hand, for the vendors and service providers, it's their ability to instill
confidence in their customers and how they evolve their service offerings that
will hold the key to their market success. This, in effect, will decide the
future face of the Indian security market, i.e., the shift from the product to the
services model.
Key Drivers
The mindset towards MSS saw a drastic shift in the Indian market in 2006 in
terms of psychological concerns. The verticals, mainly banks and government,
which once hesitated to outsource security services to a third party due to
psychological concerns and loss of control, were found making managed security
services a default choice in 2006 due to convenience and cost benefits.
The challenges being faced by enterprises today are a big driver for the MSS
market. According to Satish Syal, executive vice president, Managed Services,
NIIT Technologies, the major challenges that enterprises face in terms of
security management are high operational costs, having to monitor the changing
environment continuously within existing resources, scarcity of skilled
resources to handle threats, lack of understanding of best practices, and
complex organizational ecosystem. Mahesh Gupta, business development manager,
Network Security, Cisco India & SAARC, sums up operational challenges, skill
challenges, and complexity of the environment as the key factors driving MSS. IT
budget constraints and increased focus on compliance are the key drivers making
enterprises move to the outsourced MSS option.
The threats are becoming more complex with the increasing adoption of
web-enabled applications and are no longer direct. There is growing complexity
in terms of malware, application security, unrestricted information/content
flow, data leakage, identity theft, cyber crime, etc. Furthermore, the threats
have become blended, draining network resources. All this has opened up new
avenues for unknown threats and data vulnerabilities. Akhilesh Tuteja,
executive director, KPMG, points out that apart from key drivers like manpower
and staying updated, the other factor driving the market is the growing
integrated approach towards security. Enterprises have now started looking
at an integrated and unified view of security, and this is more easily done by a
third-party service provider.
According to Ajit Pathak, country manager, Sales Operations, SecureSynergy,
security is a moving target, meaning that it is physically impossible for any
organization to monitor, analyse threats, manage, and act upon them on a
24x7x365 basis. "The complexities of integrating security products and the
accountability assigned to security incidents are driving the demand for managed
security services which will bring better expertise and commitment into the
market," he adds.
There is also compliance and regulatory pressure driving enterprises to go
the MSS way. In such a scenario the need for expertise becomes imperative. For
Arun Gupta, Group CTO of Shoppers Stop, the primary growth driver for MSS has
been heightened awareness for security and compliance expectations from
regulators and customers. "As organizations understand the value of information
and its impact on revenue and credibility, they have been scouting for resources
from the market. Considering this is not yet a full-time activity within most
companies, the MSS players have filled in the gap to address the demand," he
explains.
Benefits on Offer
At a broader level, the managed security service providers (MSSPs), given
their IT infrastructure, are in a position to pass on their expertise to the
organization hiring their services in a cost-effective way. "MSS delivers
real-time threat analysis, helping organizations establish compliance, minimize
business impact and reduce overall security risk at an acceptable cost in the
face of emerging threats," says Amuleek Bijral, country manager, India & SAARC,
RSA, the Security Division of EMC.
From the cost angle, as Tuteja points out, if the enterprise is looking at
MSS as just a simple model for replacing the internal team and purely saving on
their salary, then that does not bring in the RoI. In fact, it might even be
more expensive. One needs to look at MSS from an overall perspective in terms of
the efficiency gained, savings on R&D and staff training for regular updating,
to name a few. He cites that if one actually monetizes everything then there can
be savings to the tune of 20-25%.
Although the organization still owns information security risk and business
risk, contracting with an MSSP allows it to share risk management and mitigation
approaches. MSS is also used by Indian organizations to access the latest
security technologies without the pain of getting them approved by the
management.
Even the Big to Benefit
While initially MSS was touted as the buzzword for small and medium
enterprises, it's no longer relegated to them alone. According to Prosenjeet
Banerjee, associate vice president, Global Security Services, HCL Technologies
Infrastructure Services Division, enterprises are turning to MSSPs to provide
most of their security solutions during the next five years and will outsource
almost 90% of their solutions by 2011.
Over the last two years, large enterprises have realized that outsourcing
security management makes as much sense for them as for an SMB. For an SMB,
building security from scratch can be overwhelming because of the initial
investment costs, while for large enterprises trying to adapt existing solutions
to ever-changing security concerns means huge maintenance costs. According to
Tuteja, while the business case for the SMBs is to build their security set-up
from scratch (which would otherwise be difficult internally), the business case
for the large enterprises is sustenance and maintenance. Unlike SMBs, while it
is easy for the large enterprises to build their security infrastructure, it is
difficult for them to maintain owing to its size and heterogeneity.
Large enterprises are increasingly looking at outsourcing or
sharing the responsibility of security with a specialist partner because it
gives them a single view of all their security issues, makes it easier to locate
faults, reduces costs and improves efficiency.
According to Syal, MSS makes sense for large enterprises as it enables them
to concentrate on their core business, helps them reduce on-board staff to
address security issues and, as a result, achieve RoSI (return on security
investment), and gives enterprises an unbiased outside view of their
organization's security status.
According to Lt Col HS Bedi, CMD, Tulip Telecom, MSS for large enterprises
has gained popularity because of the ability of a service provider to address
corporate information security in totality.
Vertical Inclinations
In terms of verticals, the market segments for MSS continue to be BFSI,
telcos, manufacturing, government and BPO. According to Lt Col Bedi, the
involvement of public money and strict security guidelines for ICT will propel
the MSS for the BFSI segment. On the other hand, ITeS players will have to work
with various compliance requirements of their customers.
Services on Offer
Most service providers offer one or more of the following services: device
management, patch management, preventive processes, 24x7 monitoring of security
events, security incident identification, real-time alerting, auditing,
compliance in network services, data center services, real-time network
monitoring, 24x7 incident prevention, log monitoring and analysis, network
boundary protection, vulnerability assessment and penetration testing,
information security risk assessments, threat and event analysis, vulnerability
scanning (internal and external), managed log retention, email and web scanning,
security consulting, etc.
The Outlook
According to Mahesh Gupta of Cisco, content security, application security,
and web security are going to be the major trends in the MSS space. Among
the emerging service areas in the MSS space are managed authentication, IDS/IPS
management, application security, SSL, managed WAN optimization, security
information event management (SIEM), SecureID, advanced security analysis,
global intelligence correlation, mobile security, managed incident response and
forensics, regulatory compliance, etc.
According to PJ Nath, executive president, Enterprise Solutions, Sify
Technologies, MSS is expected to see convergence of the product, product related
services, and even services disconnected from the product. The next 2-3 years
should see strong investments around managed security, storage security and
identity management, log analysis, biometrics, mobile data security, as well as
vulnerability management.
Increasingly, emerging MSS services are geared towards meeting the compliance
and regulatory requirements. According to Banerjee, as the industry faces
stringent compliance norms and security policies, more and more organizations
will go for deploying security solutions for their IT set-up.
The Catch
The overall growth for the MSSPs will rest on whether they can assure
clients on data security, address their regulatory mandates and exhibit
industry-led good practices of ISO 27001, ITSM, and process excellence. On the other
hand, the MSSP's infrastructure, SLA levels, security arrangements, service
offerings, past record and credibility are some of the aspects that the CIO will
need to factor in to ensure that the enterprise is not heading into another
security risk by outsourcing its security systems.
Shipra Malhotra
shipram@cybermedia.co.in