Industry experts are predicting a year of growth in the security market as demand picks up. Cath Everett reports
The information security market is driven by an ever-growing number of compliance issues and a constantly changing threat landscape, which has helped it weather the recession better than most.
Unlike areas such as networking, desktops and other infrastructure technology, where organisations are taking an "if it ain't broke, don't fix it" attitude, security is considered relatively recession-proof.
Ed Callacher, divisional manager for networking and security at distributor Bell Micro, says: "The market has not got away scot-free, but it has weathered the storm quite well. As is the case in a lot of markets, it is taking longer to close deals and longer to sign off budgets, but as the sector is often driven by compliance and emerging threats, it is not something businesses can just stop doing."
Compliance considerations include the Data Protection Act, the Payment Card Industry's Data Security Standard, and the government's Code of Connection, which enables local authorities to securely use and access the Government Secure Connect Extranet wide area network.
The high number of well-publicised data security breaches over recent years has also pushed the information security issue higher up the boardroom agenda as senior management starts to better understand the potential damage to reputation caused by such incidents.
More for less
"The perception in the wider market at the user level is so high that people are still spending money on security, even in a recession. Many are trying to make the most of what they have but will maintain and upgrade where necessary, or they are buying new and want their products to do more," Callacher says.
A typical offering in the latter "more for less" category would include unified threat management devices, which combine a range of technologies such as anti-virus, anti-spam and content filtering software in one appliance. This means you can tick multiple boxes with one product, Callacher says.
This trend towards consolidation is also borne out in a survey by Vanson Bourne in June last year on behalf of network security vendor Fortinet. It indicated that 90% of the 600 mid-sized to large organisations questioned expected to undertake a network consolidation project over the next 12 months to simplify management and reduce operating costs.
Barry Desmond, business development director at distributor VADition, says: "About 85% of security budgets relate to operational expenditure, so that means only 15% goes on keeping pace with accelerated tactics and tools. And therein lies the paradox. There is a growing attack surface, but people are spending most of their budget on just keeping the lights on."
As a result, he believes that in this "last bastion of manual intensive labour", the key is to "automate, consolidate and innovate".
"You have to add value and go out with an attack on opex. The resellers that are doing that are growing with us," Desmond says, intimating that the company has doubled its security-related revenues in the past few years.
Driven by regulations
Security reseller Pentura has also had a better year than might have been expected. At the start of the organisation's financial year in April, it had prepared for difficult times by looking at its costs and putting a plan in place to try to cope should the worst happen.
"The year got off to a slow start in April/May, but from then it has gone from strength to strength," says Steve Smith, managing director of Pentura. "The security market is quite insulated from recession and many of our customers are highly regulated so they have no choice but to be audited and fix problems."
While organisations have undoubtedly been more cautious about signing big deals and currently require more signatories than was previously the case, smaller deals have been closing easily, he says.
Smith acknowledges that customers want more for less, which means it has "been battered on margins a bit", but says requests for improved discounting from vendors have paid off, which has helped somewhat, as has an increasing move to higher-margin service wraparounds.
As a result, Pentura has just recruited five staff and set up a professional services division to complement its more traditional technical implementation business.
"We have always done risk assessment and penetration testing, but we have now added government-based CLAS consulting to it. Over the next 12 to 24 months, we see our consultancy services business growing as organisations have lost a lot of internal staff and are increasingly seeing the value of using specialists to get a different view on things," Smith says.
While the firm's professional services business currently accounts for 8%-10% of gross profits, this figure is expected to increase to between 25% and 30% over the next few years.
But such a move also reflects the commoditisation of the security market at the low end in established areas such as anti-virus and anti-spam software.
David Hobson, managing director of security consultancy Global Secure Systems, says: "There is downward pressure on product margins from licence vendors looking for a renewal. The market likes working with them as they get cheap deals, but the vendors have to be careful as people will end up not investing in their sales people or providing a proper support structure."
Some resellers are reinforcing the situation by agreeing to operate purely on a rebate rather than a margin model in these commodity areas. This means that if they generate £100,000 of business, for example, they will obtain a rebate of 5%.
But Hobson warns that there are too many people out there with too little expertise, which is potentially devaluing the market.
Another way that channel partners are trying to deal with falling margins is to expand into new areas such as networking and storage. Bell Micro's Callacher says the distributor currently does 50%-60% of its business through security specialists and the rest through generalists, some of which are traditional box-shifters and others that are more services-based.
But over the next year or so he expects to see a shift of between 10% and 15% away from specialists and towards services-based generalists. "As security threats are becoming more sophisticated, customers are starting to rely more on how people set up storage solutions (SharePoint and the like), which is not what they have traditionally looked at when thinking about their security posture," Callacher says.
The distributor recently merged its security and networking divisions together to exploit cross-selling opportunities more effectively as the "technology is very interlinked" and because networking sales have remained flat.
"When business times are tough, it focuses the mind on what you have to do to make money. The market is also becoming more aware and people are starting to understand that different products are increasingly reliant on each other and so they need to be familiar with more things," Callacher says.
This would appear to suggest that the security market is starting to polarise more markedly between dedicated security consultancies that cater to the more sophisticated requirements of large, often highly regulated companies, as well as the top end of the mid-market, and technical implementation-focused generalists that are increasingly handling security as simply one element of a bigger technology puzzle at the lower end.
One organisation that has chosen to focus on the professional services side of the equation is ITC Global Security. It currently generates 60%-70% of its revenues from consultancy and acting as a specialised security sub-contractor in larger enterprise outsourcing deals.
Tom Millar, managing director of ITC Global Security, indicates that sales rose by about 59% last year and are expected to show similar growth rates this year due to two key factors, both of which reflect customers' desire to cut costs in a recessionary climate.
He says on the one hand, many organisations are starting to realise that despite having spent large sums of money on information security products in the past, they still have a poor understanding of what security vulnerabilities they have and what potential threats they face.
As a result, they are increasingly interested in adopting a risk-based approach to information security management, something that has been talked about for some time but has up until now generated little action. "But people now need to understand what their threat profile is and what risks they face as a direct result of the financial collapse," says Millar.
The second factor is widespread headcount freezes or even the axing of security-related personnel - although the function has not been hit as badly as others - which has also led to new opportunities. It is this situation in particular that benefits companies like ITC Global Security, Millar says.
As a result, it is seeing rising interest in three key areas: the purchase of modular outsourcing services; managed services; and technology such as security information and event management (SIEM).
SIEM tools plug into existing network infrastructure and report on trends, patterns and security events across the enterprise via a graphical dashboard and managed services, and are key to providing more "visibility" into what is occurring on a day-to-day basis.
But it is in the managed services space that Millar expects to see the most growth over the coming years. While this area accounts for about 30% of the firm's revenue today, he expects it to grow to more like 50% or 60% over the next 24 months.
VADition's Desmond is equally enthusiastic about the prospects for the sector. Therefore, from December, the distributor intends to offer its partners white label security monitoring and management services to resell. These will include providing customers with performance analyses, threat mitigation reports and monthly updates.
"Our partners will sell the boxes and make money on the upfront installation of the product as well as annuity-based revenues, but we will do the back-end monitoring and management. So ABC VAR will provide the veneer to the customer and answer support calls during the working day, but we will do it out of hours," Desmond says.
Data loss prevention
Pentura's Smith believes data leak prevention (DLP) will be another big growth area over the next 12 to 18 months. "We have seen some success with it this year, but it has moved higher up people's agendas due to the multiple data loss scandals recently. I think we will see more progression, so we believe that next year will be big for DLP," he says.
As many customers do not know where to begin in tackling the issue, the firm has set up a data risk service. This entails undertaking data discovery to establish where information resides in the organisation and where it should be, classifying data into meaningful categories, and introducing a DLP tool to make it easier to enforce related information security policies.
Bell Micro's Callacher agrees that pent-up demand relating to DLP is likely to be unleashed in the next financial year. He indicates that such activity involves securing corporate information in three key formats: data in use, which includes establishing who should have access to what information; data in motion, which covers any information, including e‑mail traffic, that is crossing either internal or public networks; and static data, which includes information stored in databases and other systems.
"The Ponemon Institute says 88% of data breaches come from inside the workplace as a result of genuine mistakes rather than maliciousness by staff, as well as broken processes and procedures. But people are starting to value data more so there will be a strong market for data loss prevention products and services next year to help people minimise risk," Callacher says.
What this all means in terms of future growth is that the outlook for the sector is likely to remain relatively positive over the year ahead.
"I think 'green shoots' is a good description. Customers are saying that things are livening up and I do not see much doom and gloom in this space. There will be plenty of headroom for a while to come as security is a constantly moving target. I cannot see that ever really changing," concludes Pentura's Smith.
This was first published in February 2010