
Use Caution When Choosing A Managed Security Vendor




Even if the managed security market grows as fast as some analysts forecast, it can't support the number of startups that have jumped into the market in the past two years. IT advisory firm Gartner predicts 60% of managed security service providers (MSSPs) will fail or be acquired. The collapse of once-promising companies such as Pilot Network Services Inc. and Salinas Group sounds like the rumblings of a shakeout beginning in an emerging market.

That's a scary notion for a manager considering handing over the keys to the network to a managed security provider. Once a company depends on a security firm to manage firewalls, intrusion detection, or other functions, it faces both a risk and an expense to switch if the vendor suddenly closes up shop. "There are going to be a lot of companies in this space that don't have the cash or business model to survive it alone during the economic downturn," Gartner security analyst John Pescatore says. "Many of these companies are billing $100,000 a month while burning $1 million to $2 million in salaries."

Pilot was a pioneer in the managed security business. But in late April, it laid off all employees except those needed to help shift customers to other vendors. Choosing a managed security provider is a gamble, but managers can do a few things to put the odds in their favor.

Pescatore says he looks for four factors in a managed security company. First, he favors companies with a national client base across which to spread costs. At best, regional companies will be acquired, as DefendNet Solutions Inc. was by Guardent Inc. At worst, they'll be next in the list of failed MSSPs.

Second, make sure the company is well-funded--somewhere in the neighborhood of $25 million dedicated to the MSSP business if it's not yet generating cash. Third, choose a provider that augments off-the-shelf monitoring tools with technology developed in-house. Off-the-shelf packages such as Micromuse NetCool or Hewlett-Packard OpenView can't handle the demands of monitoring thousands of devices from a variety of vendors without significant integration, Pescatore says. However, an MSSP that develops everything in-house also is unlikely to be successful because of the high cost involved.

Finally, look at the MSSP's personnel mix. In addition to managed services, Pescatore says, companies need consulting services such as security audits, penetration testing, security architecture, and implementation assistance. That makes it more likely the provider will have the skills a customer needs and the diverse revenue it takes to survive.

Picking a managed security company is similar to choosing any other key IT vendor, except that a security services buyer can't afford downtime if the vendor fails.

Despite that pressure, a growing number of E-business executives are like Dave Stringham, who hired Relera Inc., a partner with managed security provider Riptech Inc., to protect the elective surgery health-care marketplace iEnhance Inc., where he's director of business development. Security is an around-the-clock job, and Stringham says iEnhance is better off with someone else on that clock. "I don't want to wear a beeper at night," he says. "I'm not into that."
