IT and Business Insights for SMB Solution Providers

Managed Security: It's an Easy Sell

Supplementing core server and desktop management offerings with an add-on service such as managed security is a great way for MSPs to boost profit margins. Here's your guide. By Alan R. Frank

Service is where the margins are. That's one reason managed services, with its recurring monthly revenues, is particularly in vogue. And a small but rapidly growing niche within the SMB managed services space--managed security services--is attracting a lot of attention from VARs and integrators in search of not just profits, but more predictable, closer, and long-lasting relationships with their customers.

The case for managed security services "is pretty compelling," says Jerrett Miller, channel sales manager for Omaha, Neb.-based managed security services provider (MSSP) Solutionary Inc. "In addition to the revenue, it's a way to develop trust, and there's a stickiness that happens with partners that bring managed services to their customer base."

Research firm Gartner Inc. put the North American SMB market for managed security services at slightly more than $346 million for 2007, and predicts it will reach $561 million by 2010.

The stronghold for managed security has been in the enterprise market, but it's beginning to filter down to smaller markets. "We do an extensive North American SMB survey," says Adam Hils, principal research analyst for Gartner. According to the firm's most recent survey, conducted in the fourth quarter of 2007, about 43 percent of U.S. SMBs are employing some form of managed security services. That's a big jump from the year prior, notes Hils, when "the number was about half that."

Hils cautions that this doesn't mean SMBs have completely outsourced their security. "It means that they've deployed at least one managed security service."

Particularly among companies that don't have an in-house IT or security staff, "there's still a degree of hesitation and trepidation on behalf of the small and medium business market [about security technologies]," according to Jason Hilling, business line executive for enterprise services at IBM Internet Security Services Inc. (IBM ISS), a wholly owned subsidiary of IBM Corp., headquartered in Armonk, N.Y. That's so, he says, "simply because some of these technologies are still foreign to them."

Lack of awareness can make some SMBs reticent about investing in security hardware. But even when companies see the need, Hilling says, "there's often the issue of, "Who in my organization is going to sit down and monitor that thing on a 24/7 basis?" or, "I don't have the time to go out and train on how to use that technology.'' So when VARs and integrators can offer a managed services solution around those security technologies, reasons Hilling, they can help their SMB customers get over their hesitation about using the devices.

"There's clearly a trend for more SMBs at least considering MSSPs," says Thomas Raschke, senior analyst for Forrester Research. "The primary reason is to save money. At the same time, they want to guarantee the security of the company or ideally improve it," by getting in some external experts to manage their network. "These MSSPs usually have better equipment, better knowledge, and a broader reach, and they're set up to monitor 24/7/365."

Forrester's Enterprise and SMB Security Survey, conducted in the third quarter of 2007, asked North American and European respondents which managed or outsourced security services they were currently using. Managed and/or monitored firewalls topped the list, followed by email/Web content filtering. The survey found enterprise and SMB priorities generally closely matched, with some divergence in the managed firewall and vulnerability assessment categories.

"A lot of VARs are very strong, technically, and are used to doing the traditional VAR business model," says Dal Gemmell, product marketing manager at Trend Micro Inc., in Cupertino, Calif. "It's a challenge transitioning your company from a traditional VAR to a managed service provider business model. How do they move their business from one-time or untraceable service revenues to a more predictable business?"

It was a desire to help VARs and integrators meet that challenge that moved Trend Micro to partner with Amy Luby and her Omaha, Neb.-area MSSP firm Mobitech to develop the Worry-Free Managed Security Services Webinar and Playbook. In 24 pages, the book discusses the managed services model and various factors for success, including management, marketing, staffing, contracts, processes, and tools. Published as a PDF e-book, the playbook is available from Trend Micro at (registration required).

The playbook stresses that solution providers seeking to move their companies to a managed services business model need to do some soul searching to honestly assess the strengths and weaknesses of their staff, executives, and companies as a whole. If you come up short in any management, technical, sales, or systems area, these will need to be addressed with training, hiring additional talent, outsourcing, or other means.

Do you and your staff have strong security expertise? If so, that's a solid starting point for offering managed security services. If not, reselling the services of an MSSP might be a better way to go. Can you make the massive investment needed to build and staff a 24/7 security operations center (SOC)? If not, that's another argument for partnering with, and reselling the services of, a larger MSSP.

There are a variety of MSSP offerings, but broadly speaking, they can be categorized in two ways. The first is monitoring and responding to alerts from security hardware (such as firewalls, intrusion detection and prevention systems [IDS/IPS], and unified threat management [UTM]) and from software (for anti-virus and anti-spyware). The second is process-oriented filtering of Web traffic or email (for viruses, spam, spyware, and phishing). Some MSSPs, such as IBM ISS and Perimeter eSecurity, headquartered in Milford, Conn., offer all of these services, while others specialize in either monitoring or filtering.

Monitoring in particular can be tough to downsize in a way that makes it financially palatable to SMBs. That's because highly skilled security experts and 24-hour SOCs represent expensive investments. And, since each maker of security hardware typically has its own proprietary log formats, the result can be a security Tower of Babel if you plan to monitor environments comprising hardware from multiple vendors. Some MSSPs simplify the process by standardizing on one vendor's security hardware. Others differentiate themselves by the wide variety of products they support, and have developed the technology to parse each different log format.

San Diego-based Iomega Corp.'s OfficeScreen service is targeted at the SMB market. There are two core offerings, according to Dan Williamson, the company's vice president of managed services: Managed IPSec VPN and managed email security powered by Postini. The managed VPN service is "a turnkey deal," says Williamson, which is based on Juniper Networks hardware. Iomega owns and provides the hardware. End customers pay monthly for the service. The email filtering and scanning offering is hosted at Postini. "We offer the full enterprise product, not a stripped-down version," says Williamson. Despite that, the offering still scales down to fairly small clients--20 seats and up. It's been productized as an SKU, distributed through Tech Data.

Perimeter eSecurity offers a range of services. "We've got 50 services today, all integrated in one [customer-facing] portal that can be white-labeled or co-branded with the partner," says Clark Easterling, vice president of marketing. Available services run the gamut from managed firewall, IDS/IPS, and VPN, to email filtering and scanning, Web content filtering, and host anti-virus/anti-spyware and host intrusion prevention.

Perimeter will manage customers' on premise firewalls and other security equipment, but its specialty is security "in the cloud," where the firewall and other security devices are located in one of Perimeter's three data centers. Riding on the popularity of the SaaS acronym, Perimeter calls its approach "Security as a Service."

IBM ISS also operates some security services in the cloud, says Hilling. Most of those cases are where the firewall and/or other security equipment can be located at an ISP's or telco's point of presence. IBM ISS supports a wide variety of security vendors' equipment, according to Hilling, with "more than half" being non-IBM ISS gear.

SecureWorks Inc.'s customer base is "equally split between small, medium, and enterprise business clients," says Andy Szymendera, director of channel operations. The Atlanta-based company has about 2,000 clients, served by SOCs located in Atlanta, Chicago, and Myrtle Beach, S.C. VARs can partner with SecureWorks to resell its monitoring offerings. According to Szymendera, "[Partners] are able to take the security service and scale it down into all client sizes."

Solutionary's business is monitoring. The company fields two SOCs--one in Omaha and another in Pittsburgh. According to Miller, partners can work with Solutionary in four possible ways: referrals, reselling, cobranding, or white-labeling.

McAfee Inc., based in Santa Clara, Calif., offers its Partner Security Services Program to those who want to provide McAfee's Total Protection solution to clients. The Advanced version of Total Protection adds hosted email scanning and filtering to the basic suite of anti-virus, anti-spyware, desktop firewall, and Site Advisor, which provides Web surfers with Web site safety ratings. For end customers, McAfee provides SecurityCenter, a hosted security management console. For partners, the company hosts its Partner Security Dashboard--a reseller portal that allows reseller partners to manage individual customers' SecurityCenters, send customers reports, and create cobranded McAfee product trials.

Trend Micro offers Worry Free Client Server Security for SMB, which provides anti-virus, anti-spyware, and desktop firewall protection for network clients and servers. The product adds email filtering for Microsoft Exchange Server. For partners, Trend Micro makes available its hosted portal, Worry Free Remote Manager, which allows them to monitor multiple customers' installations using one interface.

Fiberlink Communications Corp., in Blue Bell, Pa., offers hosted, managed VPN services for secure remote access for mobile workers, as well as the Extend360 endpoint mobility and security platform. The firm works with reseller partners to bring these services to end customers. Englewood, Colo.-based MX Logic Inc. is a managed email and Web security service provider. The company's marketing assistance program provides resellers with such sales tools as training, lead generation, and cold-calling.

It can be tough to develop a managed security offering with a price tag that's attractive to smaller businesses, says Drew Savage, global alliance manager for MSSPs and carriers at security equipment maker Fortinet, in Sunnyvale, Calif. But he says he has the answer: "We go to market with unified threat management." UTM, he says, is the key to developing a managed security offering that can be priced for SMBs. Instead of single-function point products, he notes, Fortinet handles multiple functions--including firewall, IDS/IPS, VPN, anti-virus, anti-spam, and Web content filtering--with a single solution. That, he says, "allows MSSPs to create an entire portfolio of security services off of one vendor," as opposed to dealing with numerous vendors. "It lets MSSPs hit the operational efficiencies on provisioning, design, deployment, and support," he maintains.

As many have said, the easiest sale to make is with an existing, satisfied customer. Managed services is about doing more, and more frequently, with key accounts. It can be much more profitable than a steady stream of one-shot or infrequent-engagement customers. As such, building a managed services practice, including managed security, can help reduce customer churn.

Managed security is all about trust. Clients need faith in you and your organization if they're going to trust you with their security. That said, if you can establish a managed security engagement with a client, it's a great way to deepen that trust relationship, as you become not only the company's security adviser, but part of its team.

ALAN R. FRANK is a networking consultant and freelance writer who covers networking and communications technologies.

About the Author

ChannelPro SMB Magazine

Get an edge on the competition

With each issue packed full of powerful news, reviews, analysis, and advice targeting IT channel professionals, ChannelPro-SMB will help you cultivate your SMB customers and run your business more profitably.