Shakeout Threatens Managed Security Clients

[InfoSec News <isn () c4i org>]

http://www.zdnet.com/intweek/stories/news/0,4164,2807738,00.html

By Brian Ploskina 
Interactive Week
August 27, 2001 

Rapid consolidation in the managed security business can have costly
results for corporations that entrust the safety of their most
valuable information to companies in danger of disappearing tomorrow.

"The economics suggest that only a few major players will survive,"
said a recent report by investment bank Pacific Crest, which estimates
there are more than 50 managed security providers now in the market.

The consolidation is picking up steam.

Pilot Network Services and Salinas Group both went out of business in
the spring, with no contingency plan for their customers and no help
in moving them to other providers, customers and employees said.
Former executives of the companies could not be reached for comment.

More favorable recent transactions include Guardent acquiring
DefendNet Solutions in the spring, OneSecure selling its customers to
Riptech, and Electronic Data Systems absorbing the assets of Fiderus.

"I would expect this trend to continue," said John Schneller, senior
research analyst of CIBC World Markets, the global marketing arm of
the Canadian Imperial Bank of Commerce. "This is a business where
scale is tremendously important and valuations are down. That's the
state of consolidation."

Venture capital pouring into the market for managed security service
providers hit $322 million in the fourth quarter of 2000, but only
$212 million in the second quarter this year, according to CIBC
research.

Managed security service providers are hired to monitor and manage a
variety of network components, such as antivirus software, firewalls,
intrusion detection systems, and Web and e-commerce servers. The
market this year for MSSPs is $630 million, according to The Yankee
Group.

Some businesses look to managed security as a cheaper way to secure
their operations, paying a monthly fee to a provider instead of
dishing out hundreds of thousands of dollars up-front for hardware and
software and hiring their own people to run it.

However, if the provider that's hired suddenly goes out of business,
the company has to pick up the pieces of the broken security operation
and either piece it back together itself or find someone else to do it
- which could take days, weeks or months, depending on the complexity
the of systems. Experts advise companies to choose providers
carefully.

That doesn't make the customers left behind by converging forces feel
any better. During Pilot's breakdown, one I-manager found out the real
meaning of the phrase "out of service."

"The senior executives at Pilot had completely disappeared," said the
vice president of information services of a West Coast health care
provider, speaking on the condition he and his company not be
identified.

When Pilot went out of business, the health care provider went
scrambling for other resources. Employees using the virtual private
network (VPN) system to connect from outside the company were
disconnected for up to four days. It would have been worse had the
company not already had a backup ISP under contract.

About three weeks elapsed from the time Pilot warned customers it
would go out of business to when it actually went kaput, the customer
said.

There was apparently no such warning from the Salinas Group, a New
York MSSP. According to a former company engineer, who asked not to be
identified, Salinas had billed several customers for an entire year of
service just a couple of weeks before it went out of business in
April.

E-mails retrieved and displayed at www.salinasgroup.org, a site run by
former employees, show executives were already planning the Web site
for a new company they were building, Averweb, before they closed
Salinas.

Officials from the former Salinas could not be located. Calls and
e-mails to Averweb were not returned.

Whether behind closed doors or out in the open, executives of MSSPs
are searching for dollars that will keep them in business.

At a CIBC security and privacy conference, Jeff Payne, president and
CEO of venture-backed Cigital, stood up in front of a packed gathering
of peers and investors and said flat out he was looking hard for
money.

But his hand is only one of many reaching out for a little cash, and
very few are going to get it, according to experts. "We're tracking
maybe 25 or 30 serious companies in the marketplace, and only four or
five them will be survivors," said Ed McPherson, a director of
Pricewaterhouse Coopers. Other professionals in the market back up his
estimate.

When one considers that Internet Security Systems and Symantec both
run profitable public software companies that can fund their
respective MSSP businesses for years to come, that leaves maybe three
open slots for private companies to make it through the funding
gauntlet. "Most of the venture-backed companies will not make it,"
McPherson said.

The private MSSP companies typically got their start as security
consulting businesses, offering professional advice until customers
began asking for those consultants to host the operation as well, said
Ram Shanmugam, principal of Greylock, which has funded MSSPs. In a
security industry teeming with venture capital, those companies jumped
at the chance to expand.

That was what Al Decker did as former CEO of Fiderus, until he
realized the money was about to run out. "Over the course of 14
months, we had acquired about 60 customers," Decker remembered. With
cash reserves drying up and an IPO out of reach, Decker opted to be
absorbed by EDS. "The time was right, the economy was nipping at our
tails," he said.

McPherson said this model seems to be a trend in the nascent MSSP
market. As a company comes out of the "embryonic" stage, just
beginning to become viable, it either fails or fades. "The question is
whether someone buys you or you just [go out of business]," McPherson
said. "And there's only going to be a very few that make it out of the
pack."

As for private companies that are strong enough to survive the
increasingly poor economic conditions, frequently mentioned candidates
include Counterpane Internet Security, Guardent and TruSecure. Those
companies that do make it will have nearly $2 billion in revenue to
split among them by 2005, according to The Yankee Group.

"There is still money flowing into this space," CIBC World Market's
Schneller said. "But it won't be indiscriminate. [Investors] will be
very highly critical."

Greylock's Shanmugam has seen several technological opportunities
opening up, especially in VPNs. So far, companies such as eTunnels,
Fiberlink Communications, Imperito Networks, OpenReach and SmartPipes
offer these kinds of services. Shanmugam also points to secure data
storage and managed extranet services as underserved markets in
managed security.

As for the I-manager of the West Coast health care provider burned by
the Pilot shutdown, he said the best way to gamble on managed security
is to spread out the bets. "A sole provider at this point, given that
experience, seems to be too risky," he said.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.