[ISN] Shakeout Threatens Managed Security Clients

From: InfoSec News (isnat_private)
Date: Tue Aug 28 2001 - 02:55:38 PDT

    By Brian Ploskina 
    Interactive Week
    August 27, 2001 
    Rapid consolidation in the managed security business can have costly
    results for corporations that entrust the safety of their most
    valuable information to companies in danger of disappearing tomorrow.
    "The economics suggest that only a few major players will survive,"
    said a recent report by investment bank Pacific Crest, which estimates
    there are more than 50 managed security providers now in the market.
    The consolidation is picking up steam.
    Pilot Network Services and Salinas Group both went out of business in
    the spring, with no contingency plan for their customers and no help
    in moving them to other providers, customers and employees said.
    Former executives of the companies could not be reached for comment.
    More favorable recent transactions include Guardent acquiring
    DefendNet Solutions in the spring, OneSecure selling its customers to
    Riptech, and Electronic Data Systems absorbing the assets of Fiderus.
    "I would expect this trend to continue," said John Schneller, senior
    research analyst of CIBC World Markets, the global marketing arm of
    the Canadian Imperial Bank of Commerce. "This is a business where
    scale is tremendously important and valuations are down. That's the
    state of consolidation."
    Venture capital pouring into the market for managed security service
    providers hit $322 million in the fourth quarter of 2000, but only
    $212 million in the second quarter this year, according to CIBC
    Managed security service providers are hired to monitor and manage a
    variety of network components, such as antivirus software, firewalls,
    intrusion detection systems, and Web and e-commerce servers. The
    market this year for MSSPs is $630 million, according to The Yankee
    Some businesses look to managed security as a cheaper way to secure
    their operations, paying a monthly fee to a provider instead of
    dishing out hundreds of thousands of dollars up-front for hardware and
    software and hiring their own people to run it.
    However, if the provider that's hired suddenly goes out of business,
    the company has to pick up the pieces of the broken security operation
    and either piece it back together itself or find someone else to do it
    - which could take days, weeks or months, depending on the complexity
    of the systems. Experts advise companies to choose providers
    That doesn't make the customers left behind by converging forces feel
    any better. During Pilot's breakdown, one I-manager found out the real
    meaning of the phrase "out of service."
    "The senior executives at Pilot had completely disappeared," said the
    vice president of information services of a West Coast health care
    provider, speaking on the condition he and his company not be
    When Pilot went out of business, the health care provider went
    scrambling for other resources. Employees using the virtual private
    network (VPN) system to connect from outside the company were
    disconnected for up to four days. It would have been worse had the
    company not already had a backup ISP under contract.
    About three weeks elapsed from the time Pilot warned customers it
    would go out of business to when it actually went kaput, the customer
    There was apparently no such warning from the Salinas Group, a New
    York MSSP. According to a former company engineer, who asked not to be
    identified, Salinas had billed several customers for an entire year of
    service just a couple of weeks before it went out of business in
    E-mails retrieved and displayed at www.salinasgroup.org, a site run by
    former employees, show executives were already planning the Web site
    for a new company they were building, Averweb, before they closed
    Officials from the former Salinas could not be located. Calls and
    e-mails to Averweb were not returned.
    Whether behind closed doors or out in the open, executives of MSSPs
    are searching for dollars that will keep them in business.
    At a CIBC security and privacy conference, Jeff Payne, president and
    CEO of venture-backed Cigital, stood up in front of a packed gathering
    of peers and investors and said flat out he was looking hard for
    But his hand is only one of many reaching out for a little cash, and
    very few are going to get it, according to experts. "We're tracking
    maybe 25 or 30 serious companies in the marketplace, and only four or
    five of them will be survivors," said Ed McPherson, a director of
    Pricewaterhouse Coopers. Other professionals in the market back up his
    When one considers that Internet Security Systems and Symantec both
    run profitable public software companies that can fund their
    respective MSSP businesses for years to come, that leaves maybe three
    open slots for private companies to make it through the funding
    gauntlet. "Most of the venture-backed companies will not make it,"
    McPherson said.
    The private MSSP companies typically got their start as security
    consulting businesses, offering professional advice until customers
    began asking for those consultants to host the operation as well, said
    Ram Shanmugam, principal of Greylock, which has funded MSSPs. In a
    security industry teeming with venture capital, those companies jumped
    at the chance to expand.
    That was what Al Decker did as former CEO of Fiderus, until he
    realized the money was about to run out. "Over the course of 14
    months, we had acquired about 60 customers," Decker remembered. With
    cash reserves drying up and an IPO out of reach, Decker opted to be
    absorbed by EDS. "The time was right, the economy was nipping at our
    tails," he said.
    McPherson said this model seems to be a trend in the nascent MSSP
    market. As a company comes out of the "embryonic" stage, just
    beginning to become viable, it either fails or fades. "The question is
    whether someone buys you or you just [go out of business]," McPherson
    said. "And there's only going to be a very few that make it out of the
    As for private companies that are strong enough to survive the
    increasingly poor economic conditions, frequently mentioned candidates
    include Counterpane Internet Security, Guardent and TruSecure. Those
    companies that do make it will have nearly $2 billion in revenue to
    split among them by 2005, according to The Yankee Group.
    "There is still money flowing into this space," CIBC World Markets'
    Schneller said. "But it won't be indiscriminate. [Investors] will be
    very highly critical."
    Greylock's Shanmugam has seen several technological opportunities
    opening up, especially in VPNs. So far, companies such as eTunnels,
    Fiberlink Communications, Imperito Networks, OpenReach and SmartPipes
    offer these kinds of services. Shanmugam also points to secure data
    storage and managed extranet services as underserved markets in
    managed security.
    As for the I-manager of the West Coast health care provider burned by
    the Pilot shutdown, he said the best way to gamble on managed security
    is to spread out the bets. "A sole provider at this point, given that
    experience, seems to be too risky," he said.