The US-based National Aeronautics and Space Administration (NASA) is the stuff of dreams, using technology to boldly go where no man or woman has gone before and may never go again. But even NASA, with its relatively unlimited budget, could not block 2003’s SQL Slammer worm, which tore through PCs on the internet all around the world in minutes.
Although NASA’s firewalls were able to block most of the malicious traffic, the speed of Slammer’s spread made it clear that firewalls, massive expertise and a fast response on-site are not enough, NASA IT security officer Michael Castegna told US publication GCN at the time.
NASA decided to augment its own skills with an outside service from Patchlink, dubbed Patchlink Update. NASA uses the service to ensure best practice patch management of some 80,000 networked PCs at a time when security threats are getting ever more serious and expensive to deflect or contain.
In this country, Neil Campbell, Australian national security practice manager at Dimension Data, offers security products from various vendors -- including RSA Security, McAfee, Cisco, Nokia and Check Point -- and a diverse bunch of security services. DiData has transformed itself from a traditional products-and-services business to managed services provider and consultancy over the past few years. “Growth has been in consulting and core products in services and managed services,” he says. “And also in taking business away from competitors.”
Dimension Data’s Australian security business has grown from 30 to 50 staff and become a $30 million business here in that time, targeting mainly enterprises and verticals such as financial services, government, healthcare and utilities.
Taking a more rigorous approach to more rigorous needs has been key to DiData’s success, Campbell believes.
The integrator has worked hard at hiring and training the right staff -- a challenging task made easier by DiData’s substantial size and resource base.
“Full service provision” is the key, Campbell says. Of course, few if any Australian resellers can expect to retain the resources DiData has. But that does not mean they are out of the game, he says. “What a customer wants in a market like this is value,” Campbell says.
“I don’t think the answer is about picking the right vendors or selling the right products, frankly. I think it’s about showing them you understand the risks and helping them devise a plan to address those risks.”
Meanwhile, the increasing need for regulatory compliance is raising the stakes for security services in new and complex ways. That is an area Campbell believes is one of the main security service-related opportunities for coming years.
[Caption: DiData's Campbell: Answer might not involve selling a product]
An example is a recent Dimension Data review of IT security at the Parliament of NSW, spearheaded by Campbell.
The state parliament needed to comply with information security management standard ISO 17799 and get a complete picture of its technology and how it could secure information around its law-making and government activities.
The parliament needed to ensure its security was scalable and highly secure. Campbell says DiData conducted a gap analysis of security management and compared that with ISO 17799. Then it provided a road map showing how parliament could achieve compliance, including detailed recommendations on specific problems and guidelines on the document preparation required to support the final information management system. An extensive study of parliament’s users and the way they interacted with that information was also done, Campbell says.
Resellers should examine the ways customers do things and the answer might not involve selling them a product, he points out. That is the lesson DiData has learnt in the past few years and it is one every hopeful security services provider can adopt, he says.
“Another thing is realising that managing the risks doesn’t mean removing them.”
It is not only massive government agencies that can benefit from network and desktop security services. Trevor Jacups, managing director at Sydney reseller Aleon Solutions, says his customers hail from a number of more prosaic verticals, including banking, finance, real estate and charity organisations.
[Caption: UnixPac's Piotrowski: Success is about knowing the right vendors]
“The budget for IT departments in relation to security four years ago was significantly less than it is now,” he says. Aleon started offering security services four years ago and has seen ongoing growth. Security services have become a much more important and lucrative part of the reseller’s business. “In full year 2004, we grew about 300 percent by turnover and by full year 2005 we doubled,” Jacups says.
Aleon’s team has swelled to 14 in recent years and the reseller expects to field 20 by next June. Jacups says users are more aware of security issues now and fear what could happen to their businesses.
Meanwhile, costs keep increasing as the threats get more complex and diverse. “What we’ve actually found is that a lot of people buy a security product and then they don’t spend a great deal of time maintaining it,” he says. “What we’re offering is we actually install the product, rather than just sell it.” People often buy security products, Jacups says, then don’t know how to get the optimum value from them. Aleon’s practice sends engineers in regularly to ensure a security setup is performing its best. The reseller’s staff talk to support customers over the phone every week and meetings are scheduled every three months, he says.
“A few other people sell the product through the [customer’s] IT department. Some IT departments maintain very good standards and get very good life out of the products. But for those that don’t, in fact the product can become a burden,” he says.
Jacups says the market is becoming quite competitive. However, there could well be room for one or two more specialists prepared to invest. “There are a lot of people who sit on the fringe and have one trained engineer.” The biggest challenge is staying on top of security needs and solutions available. “Companies are not aware generally of where the next threat is going to come from and we do a lot of work in relation to disaster recovery and business continuity,” Jacups says.
Managed services is also booming -- dragging managed security along for the ride. According to a mid-year IDC study, managed services in the Asia-Pacific through 2004 earned US$13.3 billion in the enterprise market and US$63 million in the telecom market, excluding Japan. Value-added managed services are expected to grow some 15 percent in 2005. Managed security services are 2.6 percent of that total, IDC says.
Know your verticals
Tom Piotrowski, managing director at value-added distributor UnixPac, adds that success is about knowing the vendors and solutions used, not about having the right vendors or using high margin product. Good solutions will be easy to deploy and provide good information, he says. “So a lower margin appliance might be much simpler to deploy, maintain and manage. Consequently, there is a gain because the actual process of establishing the site for security is easier than deploying the higher margin software,” Piotrowski points out.
Scott McKinnel, country manager at Check Point, tends to agree. He says top resellers in the security space have built a dedicated security practice with specialist engineers and salespeople. Supporting one or two vendors in each space is better than being vendor-agnostic, he claims.
“Traditionally, those integrators who have been successful in selling managed security services have been those involved in large outsourcing agreements,” McKinnel says.
Market research firm IDC says web hosting, network and system security consulting are the most widely used IT services by SMBs.
Further, IT security adoption will intensify across industries in the Asia-Pacific outside Japan over the next five years, with investment in security solutions tipped to double or even more by 2008 across the region.
Dave Stevens, managing director at SecureTelecom and Brennan IT, says the managed services model is succeeding. His entire business was built around the promise of recurring revenue, he adds. This year, the sixth year of its operation, saw SecureTelecom grow 44 percent by turnover, and in 2004, the company increased revenue 86 percent. That is despite having “quite a battle” to get prices down.
“The last three years it has just taken off,” he says. “I don’t think we’ve got any unsecured creditors left, [except] maybe larger clients that have their own kit or their own firewalls...I think the first [investment] was a couple of $100,000 and in the first year or eight months, we probably put in another $500,000 or $600,000,” he says.
Latest capital budgets top $2 million, just to keep pace with various “bits and pieces”, Stevens says. Resellers can use a vendor’s tool and add Cisco or Juniper or Netscreen top line product. That is the right way, he says. The wrong way is to run the service on a Linux box and “some managed application you think will do the job”, he says. “That doesn’t work. You can do it with a Linux box, but it’s just the management time just to get a firmware upgrade rolled out to 200 clients,” Stevens advises.
Stevens also says resellers need to choose gear with care. He says the first firewalls they bought “just broke”. “They weren’t designed to run the firewall base we were running,” he says. So SecureTelecom bought the biggest Netscreen boxes out instead. “The sales went up. The salespeople started to believe in it. Our productivity improved,” Stevens says.
Stevens says the company is migrating lots of services from Windows to Linux. “We achieve great increases in stability with maintenance and those sorts of things,” he says. “[But] we tend to want a commercial product. We have written a few applications ourselves, but the development time on them is just not worthwhile.”
Managed services -- such as for internet protection, IDS or packet filtering, not so much anti-virus or anti-spam -- may offer higher than normal margins because of the added value. But it all balances out because one cannot buy an expensive box to do something properly and then pass that cost on direct to the customer.
“It’s not for everyone either. I imagine the ASX doesn’t outsource the true core of its security. Defence doesn’t outsource it. The banks don’t outsource it,” Stevens says.
David Blackman, channel director at security giant Symantec, adds that resellers should eye up opportunities to develop security services around a wider range of messaging threats. Some 61 percent of all email is now spam, and the rise of instant messaging (IM) means hackers will increasingly target that too. “Security means protecting the key business of companies,” Blackman says. “By going into email, people can find out anything they want about a company.”
[Caption: HP's Pestonji: Relying on the channel to get to SMBs]
Michael Ang, Asia-Pacific vice-president at Aventail, is also bullish on holistic security services. “People are starting to look at security services in terms of the full set of services...It’s not just about one particular product,” Ang says.
“They’re going to outsourcing companies and larger integrators.” Aventail is getting good results from local resellers like Loop Technology and ComNet Solutions, he says.
“[Loop] has a very large technical and sales team who understand the solution,” Ang says. “So I believe in specific relationships.”
Cyrus Pestonji, business development manager for HP services, says the vendor is doing well with channel partners such as OfficeMax. HP has various new security services -- including security reliability assessment, desktop security and backup offerings -- and related products that rely on the channel to get to SMBs.
“It suits channel partners used to talking to customers about value propositions and business issues, because really this is a business issue for SMBs,” he says. “We want to provide our channel partners with new solutions. If you look at the SMB market, there are over 300,000 businesses and there’s no way HP can get to that market cost-effectively.” Pestonji says many organisations are going online for business purposes but are unsure how to protect their customers. “Some have stopped their businesses because of viruses and spam going around,” he says.
Nick Verykios, marketing director at distributor Firewall Systems, is also hot on “beyond the box” offerings. “It’s no good having the best IPS or anti-virus system if the server blows up, someone steals it or water blows through the mains,” he says.
However, Verykios adds that it is no good selling a solution if it is not remotely managed by a specialist provider, because the security products themselves become obsolete the second they are turned on.
The channel certainly has a much clearer idea of what is needed to build a great security services practice today. But the question remains: how many will successfully use that knowledge to ride out the coming storm?