Maturing VARs Offer New Outsourcing Option

Transcription

1 ANALYST BRIEF Maturing VARs Offer New Outsourcing Option VALUE- ADDED RESELLERS SHIFT TO OFFERING MANAGED SECURITY SERVICES Author Rob Ayoub Overview Security equipment vendors have found managed security service providers (MSSPs) to be a fast- growing channel. In fact, in today s market, it is increasingly difficult to distinguish between many value- added resellers (VARs) and MSSPs. The shift to service- centric security affects all participants in the security sales cycle. VARs have found that they can increase loyalty through managed security service (MSS) offerings and thus take advantage of monthly recurring revenue (MRR). Equipment vendors constantly seek ways to increase customer loyalty and sales; and end user organizations, particularly small and medium- sized businesses (SMBs), struggle to manage local security systems, and thus value the ability to outsource security (both products and management) to a trusted provider. However, as security purchases more and more become services fulfilled rather than physical products, organizations must carefully evaluate whether VARs can introduce innovation into the services model and deliver the same level of service as top- tier, dedicated MSSPs or, whether they are limited in their scope and can provide only basic security services

2 NSS Labs Findings The demand for MSSPs continues to grow. SMBs and small and medium- sized enterprises (SMEs) are seeking providers to meet their security needs within their budgets. Vendors are offering incentives to drive more partners to build out managed services, but these can create a potential conflict of interest for customers. Not all providers possess the infrastructure required to completely replace an organization s security. Vendor lock- in and other security challenges are possible when organizations contract out security services. NSS Labs Recommendations Evaluate the vendors and products that MSSPs use to deliver their services. Determine whether new vendors will be brought in by the MSSP to perform security functions, and perform independent research on these vendors to ensure interoperability with the current environment and to evaluate any new exposure or risks that they may introduce. Evaluate the staffing levels of the MSSP to ensure that response times and support will meet service targets. Evaluate the disaster recovery capabilities of the MSSP in order to understand its ability to adhere to service level agreements (SLAs) and to provide auditable reporting. Negotiate the costs and processes that will be followed on dissolution of a partnership with an MSSP. 2

3 Table of Contents Overview... 1 NSS Labs Findings... 2 NSS Labs Recommendations... 2 Analysis... 4 The Shift From VAR To MSSP... 4 Infrastructure Requirements... 5 Sales Enablement... 5 Technical Support Requirements... 5 Vendors Shape The Growth Of MSSPs... 5 Discounts... 5 Marketing Spend... 6 Improved Support... 6 Advantages For Customers... 6 Affordability... 6 More Comprehensive Security... 6 Reliance On A Trusted Partner... 6 Potential Customer Blind Spots... 7 Vendor Lock- In Through The MSSP... 7 A False Sense Of Security... 7 Incomplete Solutions... 7 Incomplete MSSP Infrastructure... 7 Reading List... 8 Contact Information

4 Analysis Security product vendors have found MSSPs to be a valuable channel. In fact, in today s market, it has become difficult to distinguish between traditional value- added resellers (VARs) and MSSPs. VARs have found that they can increase loyalty through MSSP offerings and also then take advantage of monthly recurring revenue (MRR) streams. End user organizations, particularly SMBs, are struggling to manage security, thus value the ability to outsource security to a trusted provider. A growing MSSP market will engender increased sales of equipment and services for vendors, and while this shift in the market potentially can improve the security of many SMBs, organizations that select a smaller MSSP must perform due diligence to ensure that the MSSP can provide the appropriate level of service. The Shift From VAR To MSSP The MSSP market is growing at a healthy rate; average pricing for managed services continues to fall, and organizations large and small are considering the value of outsourcing some components of their security. As cloud adoption grows, many organizations are considering a mix of on- premise, in- the- cloud, and hosted security offerings. Despite the increasing complexity of security, the growing list of cloud- based vendors and their offerings illustrates that organizations consider the outsourcing of security to be a viable solution. Many security vendors offer dedicated partner programs for MSSPs. These programs provide incentives ranging from increased discounts to increased marketing spend and increased support. In return, security vendors request that MSSP partners train staff on their specific platforms or that MSSP partners generate a certain amount of revenue. These programs, their incentives, and the growing trend of organizations looking to MSSPs for their security needs have changed the relationships between end users, their partners (for example, MSSPs), and security vendors. Some of the changes are positive; with smaller MSSPs entering the market, the competition for services is driving prices down, and smaller organizations are able to find security providers within their budget constraints. Often, a VAR that is shifting to the role of MSSP is already an organization s trusted provider. On the other hand, vendor incentives can create a potential conflict of interest for customers. Previously, the focus of traditional MSSPs was on the management of equipment that was chosen by the customer; MSSPs tended to be vendor agnostic and had expertise in diverse vendor technologies. However, as MSSPs move downstream, and as vendors offer more lucrative partner programs, some MSSPs may be less effective in an advisory role; they may not necessarily be offering services based on the best choice of equipment for an organization s security, but rather will be focused on selling equipment from the vendor with the best incentives. This will result in a more limited scope of choice, which may not lead to the best solution for the business need. Independent evaluation of the security products used in an MSSP s offerings by the potential customer is essential. Existing customers of an MSSP also need to remain aware of any change in security products used by the MSSP, or of the introduction of new technology, in order to assess fully the risk to its own operations. The shift from the role of VAR to the role of MSSP is not trivial. There are expectations associated with an MSSP with which the standard VAR does not have to contend. Although shifting to the role of MSSP is not advisable for all VARs, the trend is growing: NSS research indicates that percent of partners have registered as MSSPs for vendors providing specialized programs. This number is expected to grow over the next few years with some vendors indicating that up to 50 percent of their partners may provide a managed offering. 4

5 This does not include partners offering managed services that are separate from formal MSS programs, nor does it include MSSP partners using products from vendors that do not offer dedicated MSS programs. Infrastructure Requirements Any partner that is looking to becoming an MSSP must consider infrastructure requirements. These include having in place the equipment required for delivery of the service; staffing levels that are capable of supporting multiple customers and a 24x7 environment; and full disaster recovery. The MSSP partner should determine the nature of the services to be provided; the nature of the SLA with the customer; and the number of customers that it would be able to support. The customer should ask similar questions in order to assess the maturity of the MSSP. Regardless of budget size, every SMB wishes to ensure that its data will be protected and that it will have access to support. Sales Enablement Another challenge for a potential MSSP is sales enablement. The selling of solutions can be significantly different than the selling of point products; a new MSSP should have in place a sales team that can convey the value of holistic security solutions. Potential MSSP customers should evaluate the sales message of an MSSP in order to determine its maturity. Is a true solution being offered, i.e., one that evaluates the customer s current security needs, or is the MSSP still functioning similar to a VAR, with more focus on point products? A solution- oriented sales approach will consider multiple approaches to securing the business rather than merely providing a checklist of offerings. Technical Support Requirements Technical staffing challenges accompany the challenges of building out an MSSP infrastructure. It is not trivial to fully staff a 24x7x365 operation. And, once experienced personnel are hired, they will require continued training. Many vendors mandate minimum levels of training as part of their MSSP agreements (discussed below), but it is also important to mandate a minimum number of trained professionals. Potential MSSP customers should have the ability to evaluate individual members of a support team. Certifications and length of stay with an organization are solid indicators of the level of service provided by an MSSP. Vendors Shape The Growth Of MSSPs While MSSPs undoubtedly can offer significant benefits to SMEs and SMBs, vendor incentives in the form of deeper discounts and additional marketing development funds (MDF) have significant influence for newer MSSPs. This influence may provide the incentive for some VARs to move to MSSP roles, where they are able to provide security for customers that might otherwise have limited security choices. However, end users should still evaluate service providers to ensure that they are acting in their best interests, rather than those of their vendors. Discounts Partners currently receive discounts from vendors as part of the standard manufacturer/reseller relationship. When building out an MSSP, a VAR must still contend with the outlay costs of usually high performing and therefore costly equipment. Many vendors offer discounts and terms that are designed to ease the capital expenditure (CAPEX) required by MSSPs when they enter the MSS business. 5

6 Marketing Spend Another advantage for VARs looking to offer managed services is the ability to access additional marketing funds offered by vendors. All MSSP programs evaluated by NSS offered additional marketing support for those MSSP efforts. While such marketing funds are important for all providers, they are particularly so in a competitive region and can significantly influence a VAR s ability to sponsor tradeshows and other events. Improved Support VARs that function as MSSPs also have access to specialized support. MSSP deployments are complex, more often than not operating on equipment that is reserved for large organizations. Supporting the routing and other functions for a multi- tenant environment can impose more demands on the equipment than was originally anticipated. Ultimately, the more successful an MSSP is, the larger and the more specialized will be the equipment that can be sold. Therefore, it is prudent for the vendor to provide the best support possible to MSSP partners. Advantages For Customers When a VAR shifts to an MSSP, there are potential advantages for the over traditional VAR/reseller relationships. In fact, an MSSP can significantly change the relationship between a security vendor and its end customer because of the organizational depth the MSSP typically offers. The customer is no longer merely purchasing a product; it is relying on a third party to manage aspects of its security. This change in relationship can increase brand loyalty to the vendor in a way that is not possible with traditional resellers. Affordability Many of the MSSPs leading the market are known for their ability to manage multiple different devices on a 24x7x365 basis with alerting and mitigation capabilities. Such services can cost thousands of dollars per month. While this is reasonable for large enterprises, SMEs and SMBs typically have less equipment to manage and require fewer changes in security per month than do their large enterprise counterparts. This is an opportunity for an MSSP to offer services that could not otherwise be afforded, and many of the newer MSSPs targeting smaller markets are offering services for hundreds rather than thousands of dollars per month. More Comprehensive Security An MSSP that is capable only of catering to smaller organizations likely still offers better security than an organization could provide on its own. This is particularly true in the case of small retailers and healthcare organizations that are subject to increasing regulatory requirements. Many MSSPs offer a basic combination of Firewall, IPS, content filtering, and other controls that would be costly to purchase and manage separately. Reliance On A Trusted Partner Many organizations do not receive direct support from vendors. Vendors generally rely on their resellers and partners to provide support. An MSSP that targets smaller organizations can address a smaller subset of clients and can focus on providing quality service to these clients. This improves the relationships between end user organizations and vendors while also ensuring that equipment is deployed correctly. 6

7 Potential Customer Blind Spots In spite of smaller regional MSSPs having the ability to reach a new market of smaller organizations, the vendor push for increased participation in MSSP programs can cause problems for customers. There are questions that organizations need to ask before moving to an MSSP, even in the case of a trusted partner offering the service. Vendor Lock- In Through The MSSP Just as an organization should not lock in with a single MSSP, and thus find itself unable to move services or access its data, a vendor should not lock in with a specific MSSP. With vendors driving incentives for MSSPs, organizations should ask questions regarding the vendors that an MSSP supports. If an MSSP supports a single vendor for a specific service, organizations should consider the value of changing to this vendor. Are there differences in functionality, performance, or reporting that would reduce the organization s level of security? Performance metrics in particular should be examined to ensure that the new provider is able to provide the level of service that the organization requires, even if it is delivered in a managed form factor. A False Sense Of Security Once an organization has retained the services of an MSSP, it may settle into a false sense of security. Often, an organization that outsources the management of its existing security functions will focus on the continued effectiveness of the management/monitoring rather than on the effectiveness of the security itself. As VARs move into the MSSP business, and as they are entrusted with the security for SMBs and SMEs, there is a greater chance that these organizations will not have the security maturity to understand the limitations of the MSSP. This could lead to compromises in security, in spite of the organizations having outsourced to MSSPs. Incomplete Solutions An MSSP that is driven by a few key vendors is likely to be incomplete in its offerings, providing only a narrow set of services or offering only limited feature sets. Although some measure of security is being provided, if the MSSP does not support a wide range of vendors and solutions and if it does not educate users, smaller organizations may be unaware of complementary innovative solutions that could secure different parts of the enterprise. MSSPs should augment the existing security of an organization and should be driving security as business enablers, rather than merely providing a service. Incomplete MSSP Infrastructure Similar to the challenge above, a smaller VAR or MSSP may not have the infrastructure and personnel necessary to perform 24x7x365 operations. Staffing becomes critical for a smaller MSSP, and white- label services are emerging from larger MSSPs. Outsourcing services that already are outsourced may have consequences not yet understood, and it is critical that organizations of all sizes evaluate any provider they are considering. 7

8 Reading List The Enterprise Security Landscape Is Changing. NSS Labs security- landscape- changing Is Cloud Security Best Fit For Your Organization? NSS Labs security- best- fit- your- organization 8

9 Contact Information NSS Labs, Inc. 206 Wild Basin Rd Building A, Suite 200 Austin, TX USA +1 (512) This analyst brief was produced as part of NSS Labs independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analyst brief NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors. Please note that access to or use of this report is conditioned on the following: 1. The information in this report is subject to change by NSS Labs without notice. 2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON- INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader s expectations, requirements, needs, or specifications, or that they will operate without interruption. 5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. 6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners. 9