Managed security service market is today at its own demand and growing steadily and sharply. But before jumping into this market, service providers and consumers both should delve deeper to understand the multi direction of this market and to address that this article explains different aspects of this market and its future.

The challenges facing your organization today are innumerable. As your enterprise expands, so do your requirements for global information exchange amongst employees, suppliers, partners and customers. Fortunately, the technologies required to enable this real-time information exchange are readily available. Wide scale adoption of private network technologies and the public Internet as information exchange vehicles have led to a situation in which access to business-critical information and applications is but a click away.

However, as this information becomes more broadly distributed, threats to the confidentiality, integrity and availability of this information increase exponentially. Information is one of your most important assets. Your organization must be prepared to mount a proactive defense against threats from both external and internal environments.

Unfortunately, for most organizations keeping pace with the rapidly changing IT security landscape and proactively defending against newly exploited weaknesses is a daunting task. Additionally, constant changes in regulatory and industry mandated compliance programs leave many organizations confused about their requirements for data protection.

Outsourcing Managed Security Services—Is it wise?

As computer attack patterns shift and threats to networks change and grow almost daily, it is critical that organizations achieve reliable information security. Investment decisions about information security are best considered in the context of managing business risk. Risks can be accepted, mitigated, avoided, or transferred. Many global businesses have the driving imperative to improve the degree to which they protect the confidentiality, integrity and availability of information systems, applications and data within their business. As such, these companies find that it is increasingly difficult to manage the continuing need to keep up with evolving technologies and the threats resulting, in addition to traditional duties of controlling the cost required to manage their enterprise IT security. Additional complexity comes from the need to maintain IT governance, regulatory compliance and the need for IT to better enable the business to grow and remain flexible to survive in today’s hyper competitive marketplace. Therefore they have to seek external support in order to get total protection delivered by experts in a manner as to reduce operating expenses over time.

Real time protection of enterprise network requires specialized skills that have to be always available but applied only on demand. Enterprises face numerous difficulties with continual monitoring of their networks. First, hiring skilled security experts is a huge challenge. Second, the sporadic nature of security events, when contained to a single enterprise, causes an inability on part of the enterprise to retain such highly skilled experts. Lastly, the investments required to maintain or enhance the skill sets of the IT security experts on pay roll can be prohibitive.

With increase in cost of owning an integrated solution and maintaining the same, large corporate in India are opening up to the option of outsourcing the solution to service providers. Services like hosted secured email security solution, managed authentication solution, compliance etc. are now gearing up in the market. With e-governance taking priority in the coming years, compliance services are expected to take importance. Outsourcing selected managed security services (MSS) by forming a partnership with a Managed Security Service Provider (MSSP) is often a good solution for transferring information security responsibility and operations. Although the organization still owns information security risk and business risk, contracting with an MSSP allows it to share risk management and mitigation approaches.

Quite a few organizations still use outdated security devices at their own peril. With the entry of managed security in the Indian Market, organizations are made to realize that they need to upgrade to the latest devices. This is a required move as the vendors providing Managed Security will always keep their focus on what is required to prevent security breaches in today's environment instead of focusing on managing devices which are outdated and inadequate to prevent security breaches. Often some vendors undertake management of outdated devices in the India Market and this is something which hurts both the parties when a security breach occurs. With the increase of cost of owning an integrated solution and at the same time maintaining the same, enterprises in India are opening up to the option of outsourcing the solution itself to the service providers. Services like hosted secured email security solution, managed authentication solution etc are now gearing up in the market.

Security Outsourcing is akin to handing over the keys to the kingdom to third parties. Companies without high security concerns should consider security outsourcing to trusted third parties to take advantage of shared costs, 24x7 coverage and higher expertise they offer. Additionally while outsourcing, companies should keep a tight control on change management, study daily reports and audit their service provider. With globalisation and mobility, SMB and Enterprises are facing much the same issues. Security outsourcing is extending beyond the confines of mere technology to a more strategic business decision.
Another factor pushing the trend is the need for greater vendor accountability. With MSS, there's no accountability gap, MSPs are responsible for the infrastructure as well as the application. Buyers get a definite, single point of accountability for performance. Compliance monitoring is important for security infrastructure and critical information assets, which enables an organization to quickly identify and prevent any security threat, thus ensuring uninterrupted business activity, enhancing the overall productivity, performance and return on investment.

Experts also say that an organization needs to understand the level of information security risk in outsourcing any managed security service. The costs to procure, operate, and manage provider service delivery, including review for compliance with the Service Level Agreement (SLA) and the overall contract, should not exceed the anticipated benefits. MSS provides an integrated approach towards security. It allows the organization to have a single view of all its security issues and make it easier to locate faults instantly and take immediate corrective measures. MSS delivers real-time threat analysis, helping organizations establish compliance, minimize business impact and reduce overall security risk at an acceptable cost in the face of emerging threats providing continuous protection against vulnerabilities and external threats.

Factors driving MSS

Chandrasekhar Balasubramanian, Country Manager, Infrastructure Management Services, IBM India/South Asia

In the present times when overall budgets are being squeezed, the focus of any organisation shifts to the better management of costs and on their core business. Organizations are finding it cheaper to go for MSS, saving money, gaining efficiency while paying based on security needs and usage. Another factor pushing the trend is the need for greater vendor accountability. With MSS, there's no accountability gap, MSSPs are responsible for the infrastructure as well as the application. Buyers get a definite, single point of accountability for performance.

Compliance monitoring is important for security infrastructure and critical information assets, which enables an organization to quickly identify and prevent any security threat, thus ensuring uninterrupted business activity, enhancing the overall productivity, performance and return on investment. Chandrasekhar Balasubramanian, Country Manager, Infrastructure Management Services, IBM India/South Asia, said, “In today’s complex business environment, there is a need to streamline security business processes in order to maximize investments. MSS offerings are designed to help clients enhance their information security posture, lower their total cost of ownership and demonstrate compliance monitoring and managing security operations, regardless of device type or vendor. As the industry faces stringent compliance norms and security policies, more and more organizations are going for deploying Managed Security Solutions for their IT set-up.” Experts say that CIO needs to ensure that the security partner will help enhance productivity of the organization, make it compliant to meet today’s business requirements without compromising data/information of the organization. Infrastructure is also a major challenge, especially connectivity.

S. R. Kannan, Business Development Head, Managed Security Services, Tata Communications Ltd

Essentially, MSS was conceptualized to help businesses improve their security posture by monitoring their infrastructure in real time against threats. Clearly, protecting information is now a high-profile business priority, which makes meeting regulatory requirements an important component of a risk management program. A growing number of organizations are discovering that outsourcing security monitoring to a capable vendor enables them to better protect their information assets, reduce their vulnerability to threats and free IT to focus on core business issues.

How big is Staffing issue?

Experts believe that lack of ability to attract and retain talent is a BIG driver for outsourcing security management. Even BIG organizations are finding it increasingly difficult to retain security experts as they are not able to keep such experts engaged over time as well as not able to pay the compensation demanded by these experts. What companies truly need is real-time security monitoring and management options at a fraction of the cost which in-house solutions cannot offer. S. R. Kannan, Business Development Head, Managed Security Services, Tata Communications Ltd., said,
“At Tata Communications we have an ISO 27001 certified & ITIL compliant Security Services Operations Center (SSOC) that is a global operation center and a single point of contact for all customer support needs for 24x7x365 support.”

Lucius Lobo, Director, Security Services, Tech Mahindra Ltd

Lucius Lobo, Director, Security Services, Tech Mahindra Ltd, said, “staffing is one of the two big issues, as organization find it difficult to recruit and retain talented security professionals. The other one is cost. Security operations needs sufficient CAPEX for tools and infrastructure, and OPEX for staffing 24 by 7 operations.”

Kaushik Thakkar, Vice Chairman, Syntensia AB also believes that, finding out the right security experts can be one of the concerns driving enterprises towards MSSP. As qualified and experienced security experts are hard to find, the enterprises have little choice but to hire a lesser experienced professional, invest time and money to train him. However the entire cycle has to be repeated again when this employee quit the organization.

Kaushik Thakkar, Vice Chairman, Syntensia AB

Commenting on this issue, Amuleek Bijral, Country Manager, India & SAARC, RSA, The Security Division of EMC, also said, “Staffing is an issue to drive an organization towards MSS because of the several reasons. Firstly, Since MSS is a niche expertise so it becomes difficult to find the right kind of person to handle it and secondly the experts on MSS are rare therefore the cost of hiring them is very high. Because of these reasons the companies prefer to outsource the service by which they also get a team of experts.”

MSSP—What to look for?

Choosing the right managed security services provider (MSSP) to help manage IT risk is critical. When evaluating an MSSP, companies should consider not only experience and the ability to execute, but also long-term stability, vision, and breadth of expertise and support. With constantly evolving technologies and attack techniques making security a moving target, organizations are exposed to new risks nearly every day. Archana J., Business Head, India Projects, e4e Business Solutions, said, “By partnering with a vendor that offers powerful technology along with, proven processes, accurate threat intelligence and experienced professionals, organizations can improve their protection significantly while meeting complex compliance demands and maximizing their IT investments.”

Amuleek Bijral, Country Manager, India & SAARC, RSA, The Security Division of EMC

By getting in front of security risks with early detection and blocking, these services reduce the risk of compromise. It is imperative for organizations to look for MSSP vendors which provide a solution that is both scalable and affordable to help them realize significant benefits in business: By providing reasonable pricing over time, the services will help manage security budgets predictably in a fast-changing threat landscape. With these cost-effective, real-time services, organizations will be able to achieve compliance and reduce risks in the face of today’s ever-changing security threats.

Lucius Lobo, Tech Mahindra believes that trustworthiness, financial stability, security focus and expertise, level of attrition, quality of infrastructure (tools and datacenter), cost, staff quality and skills, and range of security services are the major points, one should always look before selecting as MSSP. IT services companies normally favor clubbing security operation with IT operations which may result in lower security coverage and skills and a failure to comply segregate duties.

Archana J., Business Head, India Projects, e4e Business Solutions

It’s important for an MSSP to look beyond the obvious IT budget the client has, and help them find ways to avoid productivity loss, security breaches and workflow inefficiencies.
Kaushik Thakkar, Syntensia AB, firmly believes that an ideal MSS offering should bundle everything into a single subscription fee, including comprehensive security features, automatic updates, patches, and 24X7 technical support, thus enabling organizations to eliminate upfront costs, providing a predictable cost structure, ensuring quality of service, and the freedom to re-evaluate the solution decision at any time.

Supporting the criticality of selection of proper MSSP, Amuleek Bijral, RSA, said, “Security is a very sensitive for any organization and it’s a difficult decision to outsource it to an outsider. However, when the decision is taken to outsource security, the responsibility should be given to an expert with credible experience in the field and not to any generic MSS. It is also critical that an organization specify its security requirements and require candidate MSSPs to demonstrate their ability to meet them, both as part of evaluation and selection and while providing ongoing services.”

Commenting on the MSSP selection, Chandrasekhar Balasubramanian, IBM said, “Through its MSS, IBM ISS offers a comprehensive range of services for various IBM and third-party security technologies including firewalls, intrusion detection and prevention systems, unified threat management (UTM), security event and log management, vulnerability management, e-mail, data and Web security. Managed Security Services complement the IBM ISS product line—a multi-layered security solution designed to provide preemptive protection from network- and host-based attacks before they impact business assets. As security increasingly becomes a crucial need for organizations of all sizes across industries, IBM is firmly committed to continuing to innovate and enhance its security portfolio to help keep customers ahead of the latest threats.”

Market Size

The market for managed security services is rising in India and is the next big trend in IT services. Today, corporate and businesses across verticals like Telecom, BFSI and retail are deploying IT enabled business solutions in order to increase their productivity and updating themselves with the rapidly changing IT industry trends. There has been an enormous increase in the use of Internet across. With the advent of Net Banking especially in Tier 1 cities, information security is turning out to be a major business concern for all enterprises. The increase in the online e-commerce transactions, greater access to the Internet and increase in the number of data thefts are driving enterprises towards adopting managed security solutions. Archana J., e4e Business Solutions, said, “The adoption of managed security services has increased significantly over the past one year and we can assume that the market size in India should cross $400Mn over the next year.”

Chandrasekhar Balasubramanian, IBM said, “The domestic market for managed security services is ramping up at a rapid pace. Apart from large corporate, government and SMEs are also embracing it in a large scale. Security spending continues to be a top priority among many organizations today.” IDC estimates that worldwide will grow to $65B by 2010. IDC further estimates that the Security Services market will grow to $32.6B in 2010 and the Security Hardware market will grow to $13.6B in 2010.

According to Kaushik Thakkar, managed security services is one of the fastest growing markets in India and worldwide. According to a report by Frost & Sullivan, the MSS market in India has seen a CAGR of more than 80% between 2005 and 2007. MSS business in the country crossed $50 million in 2007 as compared to $27.4 million in 2006. SMB presented a huge pool of opportunity for the managed service market in 2006 and is expected to grow 25% annually through 2009.

The total Information Security market in Asia Pacific was said to be worth $420 million in 2006, and APRG predicts it will grow to nearly $1.1 billion by 2012. According Amuleek Bijral, Indian enterprises are in the process of either establishing or reinforcing their network security architecture. IT budgets, with a focus on developing an effective IT security management processes are becoming increasingly substantial. As per PWC, managed security services (outsourced to third parties) have been growing at over 50 percent a year for last two years. IDC estimates that the managed security services segment is likely to grow by 50 percent every year till 2006 and continue to witness substantial growth till 2012.

How matured is Indian market?

The Indian Industry has reached the level where organizations should adopt the MSS model as it will help them in improving their security posture & reducing their operational expenditure. As infrastructures in India continue to expand due to the growing business requirements, focusing on managing security has become a challenge, especially with business being conducted from multiple offices located across various locations. To secure such an infrastructure, centralized management which can cater to decentralized requirements as well has become a must. Therefore this makes the current scenario an ideal time to switch from an in-house model to an outsourced model - managed security. The managed security model helps organizations focus on their key business with the comfort that security is being controlled by the experts.

With IT becoming the backbone of most businesses, it is of utmost importance to secure the environment and protect the infrastructure from any breach and threats. According to industry studies, in-house IT departments spend approximately 80 per cent of their time and budgets on keeping their operations up and running. Yet, up to 40 per cent of today's outages results from human errors and the in-house staff spend 25-50 per cent of their time identifying and resolving problems. According to Archana J., e4e Business Solutions, India is a growing economy and even during these hard times is expected to grow at 7% - 8% and the domestic market is evolving very fast. Not just the large corporate but the mid size organizations as well are adopting managed security services in a large scale today.

Lucius Lobo, Tech Mahindra Ltd, believes that security outsourcing in the Indian Market is in its early stages but has potential for quick growth. Few of the large Indian companies already have their security operation run as a managed service. One of the key accelerators for managed security services are Managed Security Service Providers and these are increasingly services provided by Telecom companies and large SI’s. Telecoms are yet to launch formal security ICT services in India. “The most common issue hampering the growth of MSS has more to do with education of SMB about the many benefits and cost saving. In many cases SMB owners lack the knowledge of online threats and expertise to effectively prevent them, which works as an opportunity for managed security service providers. An organization opting for MSS can save as much as 75% compared to companies handling security on their own,” said, Kaushik Thakkar, Syntensia AB.

Amuleek Bijral believes that china and India represent the fastest growing and most important emerging markets, and significant opportunities are available for consulting and services organizations that understand the dynamics of the India and China enterprise technology markets and the evolving nature of IT Security issues in India and China.

According to a PWC report, MSS have been growing at over 50 percent a year for the last two years. IDC estimates that the MSS segment is likely to grow close to 50 percent till 2012. Then there’s this report by Frost & Sullivan which says the MSS market in India has seen a CAGR of more than 80 percent between 2005 and 2007. The MSS business in the country crossed $50 million in 2007 as compared to $27.4 million in 2006.

Where is it heading?

Experts feel that in the near future, MSS is expected to become more complex but at the same time more adaptable as per the customer’s need, be it in India or anywhere else in the world. Along with major verticals such as BFSI, e4e foresees the ITeS/ BPO, telecom, manufacturing and pharmaceutical sectors also looking to managed security services. IBM feels that the MSS market will continue to grow rapidly in the future. Industry participants are becoming increasingly defined by their ability to meet the growing expectations and goals of a monolithic end-to-end offering that integrates initial consulting services (which may include policy development), appliance and product identification and installation, and finally monitoring and management. Organizations are looking to address the compliance mandates by using a unique set of products and services to create a customized, ongoing compliance objectives administration framework. There is no doubt that the market for managed security services is rising in India and will prove to be the next big trend in IT services.

Tata Communication believes that the market is expected to grow at a rapid rate for next 3 years with companies increasingly looking for both ‘in the cloud’ services and ‘CPE based’ services to address their Information Security problems. Ensuring security requires more than deploying a set of devices and point solutions. MSSPs can provide a suite of Managed Services which are best positioned to support the information security needs of today’s enterprises. On the other hand, Tech Mahindra believes that to be successful in the Indian market, the service provider needs to keep prices low. At the moment, there is not sufficient volume to justify the low price. Additional companies do not spend on 24x7 security or differentiate between security and IT operations, and therefore are not able to convince themselves of the need to spend more even on a shared services basis.

RSA strongly believes that Security Information Event Management (SIEM), SecureID, Advanced security analysis, global intelligence correlation etc. is some of the upcoming and new emerging services in MSS. SIEM is a service which monitors, logs and analysis data for an organization. It helps identify any anomaly in the system and then raise an alarm for immediate corrective action to be taken.

Conclusion

As managed security services market is gradually picking up, similarly the demand of trusted MSSps are also on rise. Issues like tight budget, lack of adequate skilled staffs, lack of proper infrastructure etc. are obviously accelerating the growth of this industry. In future, experts feel that India will play major role as per as managed security service market is concerned.

—By: ‘InfoSecurity’ Bureau.