MANAGING A SECURITY SHIFT

Telcos are evolving into managed security service providers, but face an uphill battle to become leading MSSPs

By Joan Engebretson

With traditional voice and data revenues under pressure, telcos are pinning many of their hopes for growth on value-added business services — and telco executives often point to managed security services as one of the most promising of such offerings. Increasingly, enterprise customers are turning over management of firewalls, intrusion protection and other security functions to service providers, who often are in a better position to provide 24-hour monitoring and maintenance.

In the managed security services market, telcos face a wide range of non-traditional competitors — including systems integrators such as IBM and EDS and pure play managed security service providers (MSSPs) such as Counterpane and Symantec. According to research from Gartner, managed security service revenues for all providers combined climbed from $936 million in 2004 to around $1 billion in 2005 and are expected to increase again for 2006 and 2007.

But telcos' efforts in this market to date essentially amount to picking the proverbial low-hanging fruit. The telcos have been most successful at selling managed services to existing customers that buy network connectivity and other services. As Loren Rudd, industry analyst for Frost & Sullivan, put it, “The telcos have a large installed base and can leverage their existing clientele. They don't find themselves in the position of a pure play where they're evangelizing and selling the business model to new prospects; they're not cold calling.”

According to TheInfoPro (TIP), a research firm that conducts in-depth one-on-one interviews with large enterprise users — such as Fortune 1000 firms — telco leaders AT&T and Verizon each have only about 1% of the MSSP market. Optimists, however, may see opportunity in the fact that the market is still a highly fragmented one with no dominant player. Phil Lerner, managing director of information security for TIP, which has been conducting its research in six-month intervals since the early 2000s, noted the service provider market shares can change substantially from one study period to the next. And in the most recent study, completed earlier this year, even the market leader — Symantec — had only a 10% share.

Because their infrastructure and scale gives them a cost advantage, telcos have competed largely on cost, Rudd said. “Telcos are one of the major forces within the industry that are driving price competitiveness,” he said, adding that as MSSPs begin to focus more on the small and medium-sized business market, price will become increasingly important.

Sophisticated users of managed security services sometimes find that telcos come up short, however. “Telcos have limited capabilities in terms of the specific brands and models of equipment they will manage on behalf of the customer,” said Kelly Kavanagh, a Gartner analyst. “They're also limited in their ability to correlate security event data across devices and present it to the customer, and in their ability to provide expertise in terms of what the information they're gleaning from the devices means. Customers clearly recognize this, and the telcos recognize that they have a credibility gap to overcome.”

Kavanagh pointed to AT&T as the telco that has done the best job of understanding and addressing the needs of managed security service customers. “AT&T gets it the most in terms of its offerings and approach to the market,” he said. “They also have a very credible security public face in Ed Amoroso. He speaks a lot at conferences and is a smart guy.

“Also, AT&T has really put together a team of folks who are dedicated to managed security services as a business, not just as an adjunct to other communications or outsourcing services that AT&T offers. The company has taken the managed security business and treated it like a business as opposed to a hobby that they do for their biggest customers.”

Verizon's greatest successes in the managed security services business have come from the MCI side of the company. Prior to the merger of the two telcos, MCI had bolstered its managed security services capabilities by acquiring pure play MSSP NetSec in February 2005. But the success of that acquisition still remains to be determined. “MCI took a smart approach in terms of maintaining the NetSec brand,” Kavanagh said. “But actually integrating NetSec into MCI was bumpier than I think they wanted. By the time they started to get it smoothed out, and everyone realized who was responsible for what, then Verizon bought MCI.”

After a merger of that sort, Kavanagh joked that “the organization has to lie on the couch and digest its Thanksgiving dinner,” to which he attributes the fact that currently “we're not hearing much about MCI, NetSec or Verizon.”

The only other telcos besides AT&T and Verizon that Gartner numbers among the major MSSPs are Orange, which is strongest with global customers, and Sprint. Although some other telcos — including Broadwing, Global Crossing and Level 3 — offer managed security services, they are not included in what Gartner refers to as the “magic quandrant” of MSSPs, either because they have fewer than 200 customers or because their offerings lack the breadth of the major players. Should any of the telcos decide to become more aggressive on the managed security front, one route would be to acquire one of the pure plays. However, Kavanagh pointed out, there has not been much acquisition activity in the market recently because prospective buyers and sellers have had difficulty agreeing on a price.

The future growth prospects of the telcos as largely dependent on the popularity of what Kavanagh calls “in the cloud” or network-based security services, where the telcos' network infrastructure will provide a competitive advantage. To succeed there, however, the telcos must overcome entrenched interest groups within customer organizations. As Kavanagh put it, “There are groups within the enterprise that have a job description that includes evaluating, selecting and running security devices. They like to open the closet and see blinking lights and have an equipment bake-off.”

To gain more ground in the managed security services market, telcos also may need to obtain more cutting-edge expertise. “This year one of the things I've seen that seems fairly significant is that big providers are beginning to offer managed [security event management] services,” Frost & Sullivan's Rudd said, adding that such services involve correlating data from a range of devices on the network.

Rudd also sees increased opportunities in the MSSP market as a result of new regulation in certain industries aimed at protecting consumer data. For business in such industries, he said, “managed security service providers are not only a convenient way to provide themselves with round the clock network management, they're also an endorsement of their due diligence — something tangible they can take to a regulatory entity.