It is surprising, says Internet Security Systems (ISS) CEO Tom Noonan, how things can turn full circle. “Originally we were a managed services provider because Internet Scanner [ISS’s first product] was not stable enough to package and ship to customers,” he says.
That was ten years ago. He and ISS co-founder Chris Klaus used to conduct security scans for clients at night and work on improving the product by day. It barely paid the rent, and, at one point, the company even ran out of money. It was only when Internet Scanner was finished and could be sold as a standalone product that sales took off – from a total of just $38,000 in 1994 to $243.3 million in 2002.
ISS has even grown at a respectable rate through the downturn in IT spending, in marked contrast to once fast-growing rivals such as Check Point Software and RSA Security. The secret, says Noonan, is booming demand for managed security services, now ISS’s fastest-growing business segment. This year, subscriptions to ISS’s managed security services will surpass licence revenues for the first time.
The reason? Security has become so complex – and expensive – that organisations are turning to selective outsourcing. “This is where things are changing very dramatically,” says Noonan.
Not every operator is benefiting. Managed security was identified back in 1999 by the venture capital community as a key sector that would boom even as the dot-com industry was going bust. During 2000 and 2001, some $1.7 billion was poured into managed security services companies. But today, very little remains to show for that investment.
There are a number of reasons why ISS, as well as other well-established security software and services suppliers, particularly Symantec, have been able to prosper in a market where supposedly more nimble start-ups have failed.
One is that customers feel more secure with mature companies. Major organisations are reluctant to entrust security to relative unknowns, however lavishly funded. Moreover, well-established suppliers could bring to bear a wider range of services, particularly in the event of a security breach being detected.
ISS and others have also been able to offer more comprehensive service level agreements – for example, giving guaranteed protection against specific threats. Many start-ups merely offered to manage firewalls or routers – a less enticing prospect for the customers and less profitable for the supplier.
“Telcos could manage a firewall for one-tenth of the price,” says Noonan. The managed security services survivors are now buoyant. They see growing demand for a bedrock of services, such as penetration testing and vulnerability assessment.
New services are also emerging. After the network of car maker General Motors was broken into via a loophole on a partner’s system, Noonan says that ISS benefited from an increased interest in third-party security assessment services – checking out an organisation’s security on behalf of its partners.