Managed Security Services Providers and the BPO / ITO Providers

If you follow the managed security services providers (MSSP), you will notice a significant shift in the definition of outsourcing. Usually most of the MSSPs are aiming to manage the customer premises equipment with sophisticated remote management, and central log correlation tools. The manpower required to execute this operation is different from the BPO providers or even Managed Service Providers, just a handful Security Operation Centers (SOCs) and a 24x7 full escalation engineering shift is good enough to kick start an MSSP operation.

The difficulty in managing customer owned security devices derives from multiple sources, but if you exclude the technological challenges (like development, capacity, infrastructure, tools) the main roadblock for the newcomers is “Trust”

Giving up security, the keys to the kingdom is not easy, especially to an operation center that is connected via cross-oceanic fiber cable. All early players in the market played the “local” hand to gain the trust of the potential clients. In a post 9/11 world, relying on the 3rd party for all information security operation required different assurances. Large corporations chose different paths:

1- Choosing their trusted telecom company to provide managed security services instead of their core BPO partner
2- Choosing , monitor-only services from BPOs and limiting the scope to view and alert type of passive access instead of full security operation management
3- Trusting on a local specialized MSSP instead of a low-cost overseas shop

If we look at the MSSP market today, the decision tree above is very visible in the developed markets for managed services. Telecoms are eager to acquire any MSSP that can bring them the services recurring services revenue, and higher services margins. In the last 2-3 years, BT, Verizon, France Telecom NTT, KPN they all acquired some sort of managed security services providers to compete in the global market. The other global/local telecom chose to develop their own services. (e.g. AT&T, DT) Either way telecoms see MSSP market as their own managed CPE market.

On the second category, a lot of large outsourcing contracts came with security monitoring that pushed BPO providers to build impressive monitoring / log correlation operation centers. But large corporations usually kept the internal security team intact to manage the security infrastructure.

The last category of specialized MSSPs grew significantly with the demand. The interesting part is that none of the global players were from the outsourcing world Verisign, Symantec, Integralis, ISS, SecureWorks, Perimeter, RedSiren, Counterpane, NetSec, CyberTrust, Ubizen etc, none of the specialists belonged to a BPO provider. Most the specialized MSSP companies listed were acquired by the telecoms by the way.

So the question lies in “what will happen next?” Will the telecoms finally figure out the magic of delivering services, or will they prove yet another failure in investment. It is very difficult for a telecom company deliver a highly customized service, on the other hand cookie-cutter, managed router, managed MPLS type of boxed solutions do not play well in managed security services..

Of course there are alternatives like IBM acquiring ISS, Microsoft acquiring FrontBridge, Google acquiring Postini, and finally Dell acquiring SilverTech. But with the exception of IBM, in-the-cloud on-demand managed security services form a different category than the outsourcing complete operation, or the managed CPE.

I see a lot of leverage where large scale managed services shops (MSPs) to engage specialized MSSPs to build a hybrid best of both worlds model. At the end of the day it is very difficult to draw a demarcation line for managed security. If the desktops and the servers are a part of grand information security plan, an MSP should play well with the information security management provider; trusted MSSPs will also bring security credibility to MSPs. On the other hand MSSPs will be able to tap 500+ large MSP operation centers, and they will be able to deliver direct end-user security support for the first time. Segregation of duties will automatically be delivered in the meantime.

Time will show, which path will dominate the market.
On personal behalf,
- yinal ozkan