Symantec's push to double its services revenue to $1 billion a year by 2010 includes a restructuring of its services offerings. The company said Wednesday the plan includes Symantec Operational Services and Symantec Residency Services, the former following an offsite outsourcing model while the latter embeds Symantec personnel at customer locations.
Symantec hopes to grow its services offerings in a number of directions atop this basic model. The company currently offers both operational and on-site data-protection services as well as on-site antivirus services. Operational data-protection services include backup and recovery as well as remote monitoring and alerts, and are governed by service-level agreements negotiated between Symantec and its customers. Symantec plans to offer an operations-based version of its antivirus service, but hasn't set a timeline for delivery.
Other Symantec services will follow, including one that expands antivirus protection into a more comprehensive threat-management service to fight spyware and other menaces, as well as a messaging service that manages, archives, searches, and secures e-mail and other electronic correspondence.
Symantec has offered managed security services for years and partners with Accenture to provide consulting and implementation services that help clients better secure their security operations centers and application development and meet their compliance requirements. As part of its Security 2.0 rollout in October, Symantec also partners with VeriSign to deliver identity-protection services. Some of Symantec's services are delivered with the help of offshore locations, and the company says it's evaluating the efficiency of this model with the hope of increasing its use of offshore resources.
The on-site version is fee-based, depending on the scope of work a Symantec employee or employees do at a customer site. This work can include management of an on-site backup and recovery system, assessments of data-protection capabilities, and the execution of emergency responses when necessary. Residency-based antivirus services likewise occur at the client site and include the logging and analysis of malware trends, customized reporting, and overall project management.
What sets security services apart from other services used primarily to augment an IT staff or cut costs, as with outsourced call centers, is what's at stake. Failure at security affects customers and internal operations and can lead to problems with regulatory compliance. The failure of a Web site can cost millions in lost business, but a hack into a Web site can cost revenue, lead to additional government fines, and damage a company's image.
Symantec's services operation includes 3,300 employees worldwide, 1,000 of whom are consultants, and is the company's fastest-growing business. "There's a tremendous appetite for increased services of many varieties as IT management functions become more complex," says Jeff Russakow, VP of Symantec global services product management.
One concern that typically arises whenever an IT vendor offers products and services is that the vendor will use one side of its business to sell the other side. Russakow says Symantec is capable of delivering its services into IT environments populated by a range of vendors' products, although he anticipates that these environments will over time continue to standardize and consolidate to a smaller number of vendors. Symantec has spent years and invested tens of millions of dollars broadening its product lines, so it's likely that the company will position itself as the vendor of choice in a number of areas.
Employee-benefits provider Cigna first started using Symantec's security services three years ago, when the volume of worms and viruses reached unmanageable proportions. "Out of our own frustration, we talked to Symantec about the value of having someone on-site, embedded in our operations," says Craig Shumard, Cigna's chief information security officer.
Shumard acknowledges that not everyone at Cigna was comfortable bringing an outsider into the fold to deal with security, or confident that a Symantec security pro could augment Cigna's antivirus efforts. "Now we're looking to get another person in here," he says. In addition to being an expert on Symantec's antivirus product, the Symantec security pro now has a better understanding of Cigna's IT environment and can better recommend security products that are a good fit for Cigna.
A sales coup for Symantec to be sure, but there's also something to be said about Cigna's satisfaction with Symantec's services. The benefits provider is looking to add a Symantec staffer to manage its anti-spam appliances. Overall, adding staffers from Symantec doesn't increase Cigna's security costs, Shumard says, since any additional fees paid to Symantec are recovered by internal efficiencies. And he doesn't have to worry about employee turnover at that position. Although the same Symantec employee has been with Cigna for the full three years of the contract, any replacement would hypothetically have the same level of knowledge of Symantec's products.
Of course, Cigna has been more aggressive than the average company about outsourcing. The company also outsources the provisioning of its corporate IDs and passwords to a services vendor and, for the past two years, has been using Symantec's managed services to monitor and report on its intrusion-detection and prevention systems. Shumard spends 25% of his IT security budget on services, although he doesn't expect this to grow dramatically anytime soon.
But this doesn't mean IT executives and managers can sign a big services contract and shift into autopilot. Managing service-provider relationships is real work, including the negotiation of service-level agreements and constant assessment of the service provider's performance. Although Symantec, just like security service providers Qualys and IBM, which this week announced a data-governance consulting service, wants to expand its business with its clients, this doesn't mean Shumard has to bite. "The relationship with the vendor doesn't override their competency," he says.
Competence shouldn't be a problem for Symantec as it looks to double its services business over the next four years. The real question will be how much security work clients and prospective clients are willing to hand over. Security services will grow as long as they save their clients time and money, allowing these organizations to more quickly react to security threats.