- BT and IBM are consolidating their security capabilities in response to customers’ demand for more coherence.
- The FUD factor has been somewhat toned down as customers focus on securing their business processes.
The past week brought two significant organizational announcements in the managed security service provider (MSSP) market. BT Global Services is finally bringing its diverse security capabilities under one hat (i.e., BT Assure), and IBM is following suit, bringing its far-flung security expertise into a single division (i.e., IBM Security Systems, reporting into the Software Middleware Group).
The past five years have seen the gradual ascendance of ‘security’ from its arcane egghead roots to becoming a risk-focused, business-critical capability that has gotten the attention of shareholders and, therefore, company boards and C-level execs. In that five-year period, service providers from both the telecom and IT solution realms have been acquiring smaller security companies with point expertise and stitching them together, then using their expensive professional services teams as the glue to provide the comprehensive security that customers seek. However, the trend has often met with internal resistance from entrenched divisions in the service providers themselves, leading to internal fragmentation of security capabilities and responsibilities. This phase is now fading out as security comes into its own.
More than any other market, the security market has used fear, uncertainty and doubt (FUD) to stoke its market fires, with daily bulletins about new strains of virus and new hacking attacks on the unwary. Enterprises and legislators have responded with standards and best practices which executives can integrate into their business processes using governance, risk and compliance (GRC) procedures. The outcome has changed the dialog between enterprise customers and security service providers, with the focus now on securing business processes and providing measurable outcomes. This has helped to reduce the security FUD and forced MSSPs to provide more standardized and coherent security services, leading to the organizational changes we are witnessing now. So, what changes can the enterprise customer expect?
The next challenge is immediately visible: cloud computing! There are currently no security standards (apart from PCI DSS) that directly address cloud security, making it difficult for enterprise buyers to formulate security requirements in cloud-related RFPs. So, what can service providers do? One possibility is to develop vertical industry solutions with leading companies in a specific vertical, as is happening in utilities and the public sector, and then use their adoption as a proof of concept for others in the vertical. Another option is to continue working in best practice forums such as the Cloud Security Alliance to improve the dialog with customers. Our research into cloud adoption indicates that carriers could improve their cloud service market position with a better-integrated security message, because today, they are at the back of the queue when enterprises go looking for cloud services.