EMA Webinar Transcript:
Security as a Service: Transforming the Landscape of
Security Management
Webinar Date:
7/8/10
Featured Speakers:
Scott Crawford
Raleigh Gould
Abstract:
Dramatic increases in vulnerabilities and threats coupled with growing compliance
requirements have made security into one of the most challenging domains of IT
management. How can enterprises and small-to medium-sized businesses (SMBs) make
the most of limited resources—particularly in a difficult economy—without sacrificing
strategic business priorities? How can enterprises deliver security management at scale,
on demand? How can the SMB access enterprise-class expertise when they face the same
level of threat as larger organizations but have far fewer resources?
For many, the answers to these questions are increasingly found in security services. Four
times more organizations plan to expand their use of Managed Security Services in the
next 12 months than those who expect their use to decrease. 57% of those who use hosted
security technology delivered as Software-as-a-Service (SaaS) expect their use of
Security SaaS to grow in the coming year. SMBs in particular expect a significant
increase in their use of Security SaaS by 5-to-1 over large enterprises.
Join EMA Managing Research Director Scott Crawford to hear more about these findings
and:
Explore other key findings from one of the most in-depth studies of security
services to date, based on data from more than 200 organizations of all sizes
worldwide
Learn how organizations charting new territory in services such as Security SaaS
see opportunity to transform the way today’s customers approach security
management and stake an early claim on security leadership for cloud computing
as well
Page 1 of 18
2010 Enterprise Management Associates, Inc. All Rights Reserved. www.enterprisemanagement.com
Introduction:
Welcome, and thank you for joining us today for Security as a Service, Transforming the
Landscape of Security Management. My name is Raleigh Gould and I will be your moderator for
today’s event. Our featured speaker is Scott Crawford, Managing Research Director at Enterprise
Management Associates. Scott has over twenty years of experience as an IT professional. He is
the former head of Information Security for the Comprehensive Nuclear Test Ban Treaty
Organization, International Data Center in Vienna, Austria; and has served in both the public and
private sectors with organizations such as the University Corporation for Atmospheric Research,
and Emerson.
Before I hand it over to Scott, I did want to mention that he will be concluding today’s
presentation with a Q & A session, while he will be deferring your questions to the conclusion of
the event, we do encourage you to log your questions at any time, using the Q & A functionality
located in the right hand column of your screen. If you’re in full slide view, simply look for the
floating tool bar, you’ll see a question mark icon, click on that and you can log your questions
that way. Also, I wanted all attendees to know that you will be receiving an on-demand version of
today’s webinar, as well as a PDF of Scott’s presentation. I’ll be sending that email out either
tomorrow, or early next week. And now I’d like to go ahead and turn things over to Scott. Scott?
Scott Crawford
Thank you very much, Raleigh, and welcome everyone to today’s presentation. We’re going to
take a look at the findings of EMA’s 2010 survey into what we term, generally, security as a
service, with an emphasis primarily on managed security services and what we term security
SaaS, so our hosted security services, offered by a third party. The trend of adoption of security
services, particularly by a hosted security service, is something that has attracted increasing
attention over the last few years.
We wanted to dig a little bit deeper on this and find out what are some of the issues that are
motivating customers to consider third party services, particularly as this is an area that has been
very sensitive when it comes to outsourcing in the past. A lot of organizations have been very
reluctant to turn to third party providers for security management, but that does seem to be
changing in recent years, and our study was intended to dig a little bit deeper on that and find out
some of the drivers and factors that are motivating this transition.
So we’ll be taking a look at some of the highlights from this year’s study, including some of the
key factors driving what we term managed security services, and security SaaS with the summary
definition that I offered a moment ago, basically hosted security technology offered by a third
party, delivered as a service. Now, that’s a lot of loaded terminology there, as a lot of people have
probably picked up on right away. We want to make some differentiation here between – in a
general sense, security in the cloud, for example, considering that SaaS may be considered by
some as a form of cloud delivery, at least, anyway.
We’re not taking a look here particularly at issues such as virtualized appliances offered as part of
portfolio services, or the infrastructure of the service provider, per se; nor are we looking at things
that would generally be available in any kind of SaaS offering such as basic and access control
for user accounting, for that matter. We’re looking at hosted services that are intended primarily
to deliver security technology, security functionality, and for that we’re using security SaaS as a
general term, which might be available to change over time as concepts around hosted and
(inaudible) computer services continue to mature.
We’re going to look at some of the IT and security budget and trends affecting these movements,
as well as the security management challenges that factor into services adoption. We’ll certainly
be taking a look at the primary benefits of respondents indicated as the reasons why they are
turning to security services and some of the common factors that lead to success of service
offerings. For services not in use, or use is declining by respondents, we probed those respondents
to try and get some insight into the reasons why, to give both vendors and customers an idea of
what the issues are, and things they want to be aware of before they consider services adoption
more seriously.
We’ll also take an overview look at some of the issues around service level agreements - this is an
area where traditionally performance has not been so amenable to management as it has been in
say, network performance and availability management, for example. But we see this changing as
well, too. And a view toward the future; what is really motivating the move toward hosted
services in particular, and what does it portend for the future of IT?
With that, I’d like to take a moment to thank the sponsors of this research, HP and Qualys, who
supported our survey of more than 200 practicing IT and security professionals worldwide. About
that survey, we originally approached a field of more than 1000 working professionals in both IT
and the business side of the house, globally. We qualified an initial group of 233 respondents
based on their knowledge of IT security operations, from either a management or an operational
and practical level. This field was further narrowed to 150 based on the use of either managed
security services, or a security SaaS, third party hosted security technology.
This group of 150 answered a number of in depth questions that we posed to them, about the
drivers and the factors behind services adoption, such as budget and security management
challenges I mentioned earlier. Those using services spoke to the value of the advantages of using
a services approach. The most significant benefits that they saw, aspects of service agreements as
indicated earlier, and as I mentioned, non-users and former users provided insights into concerns.
Because we qualified service users on whether or not they were using either managed security
services or hosted technology, those not using the other did provide some insight into why they
weren’t considering these options, or if they had used them in the past or were reducing their use,
the reasons why. We felt this would be very valuable to vendors and practitioners alike.
So demographics, the group of 150, a large segment of course in financial services which is fully
to be expected given the sensitivity of that segment to security issues, as well as distribution
across a number of other industries including manufacturing, which is somewhat surprising, but if
you think about it, if you look at areas such as supply chain integration, and the extent to which
these types of organizations already work with third party suppliers and providers in integrations
of IT beyond the enterprise boundary, that is not so surprising anymore, and this group did
provide some very interesting insight in those areas.
We looked primarily to decision makers, and in particular there was about a 15-15-15% split
between senior level executives, senior level management, IT related executives such as a CIO,
and the CISO, the Chief Information Security Officer, as well as IT management at both the
director and manager level for insight into the adoption of services. The reason for this is that the
decision to go with security services is often a multi-faceted one. Sometimes it has to do with
operations, sometimes it has to do with available resources, available technology management
resources, as well as personnel, and budget issues and making sure that security management
programs align with the key values of the business. So with this in mind, we really targeted those
who were more the decision makers in making the decision to acquire security services for their
insight on the motivations for why they’re pulling the trigger in those cases.
Some of the useful breakdowns of demographics for survey analysis in this case, there were two
main areas that provided a lot of interesting insights for this study, most interesting was in terms
of breakdown based on organization size. We had 37% of all respondents of 150 using services,
representing the largest global enterprises; enterprises of 20,000 employees or more. The reason
for this will become evident when we start talking about security budgets here shortly, but the
primary reasons are, talk about having to do more with less – security teams in these
organizations are sometimes remarkably small. They really need automation, and they really need
the tools to enable them to manage really broad scale programs, and we’ll talk about this in a little
bit more detail shortly.
Again, nearly another third represented organizations of fewer than 2500 employees, and I really
wanted to get a good look at what the factors driving the small to mid-sized business are in the
adoption of security services. As far as the global distribution, most respondents were located
within North America, however a quarter of them were outside North America; although, 60% of
respondent organizations had a presence outside of North America, or were global businesses in
their own right. So what are some of the factors that come into play here? Well, not too surprising
considering the distribution of respondents as far as annual IT budget, these numbers are pretty
much within expected boundaries, although there are some interesting data points that came out
of looking at the differences between organization size, IT budget, and total revenues for the
organization.
One of the things, in comparing somewhat of an apple to orange comparison in this case, are
things that seem to indicate the way that IT budgets and IT security budgets are squeezed really at
both ends of the spectrum. For example, while 41% of respondents reported revenues in the
billion or more, per year, only 18% of them reported an IT budget of approximately 10% of
revenues or larger. So, broadly, this may mean that the largest organizations tend to have, may
have smaller overall IT budgets, and therefore really place a higher value on the tools of
automation for extending limited people, and technical resources, as far as possible across the
enterprise.
On the other hand, it was interesting to note that while 51% of the respondents reported IT
budgets up to $25 million, only a third of the respondents reported revenue over $20 million. So
that there’s this constant pressure back and forth to do more with IT, make more of an investment
in IT and IT security, and at the same time to do more with less. Services begin to enter into
trying to strike a balance within organizations between these two pressures.
In particular we noted something of the squeeze, if you will, among smaller to mid-sized
organizations; if you look at the distribution of budget across the board for both large and small to
mid-sized organizations, as depicted on this chart, a fairly even sort of bell chart distribution for
the largest enterprises, but for small and mid-sized enterprises, there’s a definite concentration,
almost a feeling if you will, a majority, at around 15%. Most small to mid-sized organizations, as
a practical matter, simply cannot spend more than that on their security measure priorities. Now, I
have to put an asterisk next to any comment about looking at IT security budget as a percentage
of overall IT budget, because different organizations have different priorities.
Some organizations will necessarily have to spend more on security, if they are in financial
services, even if they are a small organization; whereas other organizations may not have the
same requirements or regulatory compliance, for example. But overall, we do see this spike
among the small to mid-sized business that does suggest that regardless of the need, they’re very
limited in what they can do resource-wise, and are looking for alternatives because they often
times face the same sort of security challenge that larger organizations and larger enterprises do.
Furthermore, the attackers are aware of this. It’s not unknown for attackers to target smaller
organizations, particularly websites for smaller organizations, because they are aware that these
organizations simply do not have the resources to manage the security of these sites to the extent
that a larger enterprise does in a lot of cases.
In taking a look at budget factors, there’s another interesting data point that came out of the study.
One is that, looking at this chart here, bear in mind that data for this chart was collected in the
first quarter of this year, and at that time there was increased optimism about potential recovery
of the economy so you are seeing this breakdown of – those who had increased their IT budget
from last year to this year was about the same as the total of those who both decreased their
budgets, or their budgets have stayed the same, roughly.
Today I think that shift might be a little bit more in the direction of greater balance between
increased and decreased budgets, given questions about economic uncertainty and potential for a
double dip recession that many are discussing today. But regardless, we saw that at the time of
the survey about a quarter of our respondents reported that their IT budgets had decreased from
last year to this year; which compare that to security budgets, and the number of those decreasing
the budget drops by half, so security spending remains a priority for all organizations, even in
times of economic stress, and it is not an area that they are willing to cut as extensively as other
aspects of IT budget, simply because a lot of organizations feel that they can’t. Here again, new
alternatives, new resources, needed for managing some very daunting problems.
So, what are those problems as seen by our survey respondents? Well, first of all, by far the
majority of respondents see the difficulty of threats, exerting control over today’s threats,
becoming much more challenging than in the past, they see attacks becoming, at the same time,
more sophisticated and yet still persistent in terms of, if you will, common everyday or simple
attacks, that leverage social engineering, that continue to target individuals and the behavior of
individuals to be successful; like phishing, for example.
We see a lot of attacks against the browser itself, and browser functionality as well as against web
applications, because web applications tend to be unique, and they tend to be developed and
managed by the organization, or contractors to the organization, and following up with
vulnerability and risk management in these cases can be very challenging. The attackers are
certainly aware of this. These are just a few examples of how threats are becoming more difficult
to control, how attackers are becoming – have become focused on tangible gains, and in some
cases, become a lot more sophisticated in the techniques that they use to exploit the organization,
and there’s obviously a great deal of concern about that among survey respondents.
But the next three areas have to do with resources and resource availability in a general sense;
difficult economy, restricted budgets, controlled operational costs, resource drains due to
compliance, and audit demands which in itself is kind of an oxymoron in some cases, because
compliance is intended, in a lot of cases, to foster better IT security, but the approach too many
organizations take, it seems, is they see compliance as the ceiling and not the floor, and they see
that requirements of compliance moreover, exacting demands that may or may not have an
impact on security overall.
When we take a look at the top three security issues that have concerned respondents the most
over the previous year, interesting to see the breakdown between North America and the rest of
the world, because two things that really stand out about North American respondents, first of all
is the emphasis on data privacy, that since the data itself has become a significant target of attack
and this has become a priority for North American organizations. Any line with vulnerabilities
and vulnerability management, has a way to access sensitive data, unfortunately, and one of the
things that is gratifying about this study is we are beginning to see more awareness of the fact
that attacks on web servers and web applications are becoming a much more sensitive issue
among organizations.
But does this mean that they are able to manage their web application vulnerabilities
successfully? There are still very significant challenges in managing web security. Twenty seven
percent of large enterprises with more than 2500 personnel, and twenty four percent of
organizations of 2500 or less, claim they still do not have enough resources to manage web
application security, and yet, particularly among small to mid-sized businesses, two-thirds of
these organizations still say that web application security assessment is done manually, either in-
house or by a third party. There’s a lot more opportunity to take advantage of the tools of
automation that can make these processes a lot more effective, and help foster more effective
security management processes generally for applications, and services are becoming a way to
deal with some of these most serious concerns of security management.
Access to security expertise is another factor that has plagued a lot of organizations. We see that
many respondents feel that they are somewhat understaffed in terms of IT security staffing, and
that’s not terribly unusual. But we definitely see the majority of small to mid-sized businesses
that are understaffed. There is something hidden in this data point about the large enterprise,
though; I alluded to it earlier. In talking with some of the customers that we interviewed for this
research, I’m looking at particularly the largest global organizations. It may surprise some to
know just how small the security management team is for some of the world’s largest
organizations. In one case, we looked at an organization that had an IP network that could be
subnetted into more than 56,000 subnets, that was aspects of vulnerability management in terms of
exposure to public networks, as managed by roughly a dozen people, not all of them devoted to
the task fulltime.
So these are organizations that really do need the tools of automation in order to cover their
responsibilities more effectively. In the small to mid-sized businesses, of course, it’s not terribly
surprising that resources are not only limited, but those responsible for IT may not just be
generalists, they may be the business themselves, if you go to the smallest organization. The
primary responsibility of those who are handling IT and IT security is not in IT or security, it’s
the primary responsibility for the business, and obviously these are primary targets for security
services because they simply need resources to augment capability with the level of skill
necessary to measure up against today’s level of vulnerabilities and threats.
Taking a look at managed security services, in looking at 223 respondents who were qualified
based on their knowledge of IT and IT security operations in their organization, 42% of them said
that they used managed security services today, so we use this as a gauge of penetration of
managed security services in the market as a whole. Among current users of managed security
services we see that the distribution of services is really quite broad. Almost anything we could
have mentioned or suggested as a managed security service, there’s a fair amount of interest and
as this graph indicates, increasing use.
At the far left, the lighter blue, if you see that in color, is substantially increasing use, reported or
at least perceived by respondents. Use increasing somewhat, and use may not mean just new
contracts with new service providers, but may be the volume of security events, messages, or data
under management is increasing. So again, the distribution of managed security services is quite
broad across the spectrum, so that’s good news for managed security services providers, but it also
indicates increased level of willingness from organizations to outsource a lot more aspects of
security than they would have in the past. It’s going to be really easy to misconstrue this research
in view of the fact that the security services are just being generally outsourced. Anything is open
to outsourcing. We’ll talk about this a bit more in detail a little bit later on in this webcast, but
there are areas that organizations do have reservations about outsourcing. There’s aspects of
outsourcing that do concern them greatly. We’ll come back to there here in a bit.
Regardless, overall respondents to the survey among current managed security service users do
expect their use to increase over the next 12 months. Overall, 37% expect managed security
services to increase somewhat, with another 9% expecting significant increase in managed
security services use, and the reason this is happening; cost factors are on a par with being the top
issue of outsourcing managed security services, but they’re also on a par with being able to
demonstrate positive performance to organizational management in terms of security program
management.
Outsourcing security management to a third party that has dedicated expertise for which security
isn’t itself the primary business of the organization, does have its advantages. For the typical
customer, security is often a cost center. It’s something that they have to do, it’s not necessarily
an area of organizational expertise. For the service provider, security is a profit center. It is their
business, it is what they choose to excel in, and as a result it does tend to attract expertise in
security management; and for these reasons, the third party service provider does become an
attractive alternative for demonstrating more effective security management. If the terms of
contract, the terms of agreement, can be defined well enough to satisfy the organization that this
is actually the case, and we’ll talk about service under management a little bit further on. We’ll
talk about some of the issues that customers have around defining types of agreements.
One of the things that is interesting about this chart, though, is that considering the long standing
reluctance to outsource security management to third parties, confidence in the provider for
managing sensitive access or functionality is actually one of the primary motivations for adopting
security services. It’s probably the number 2, after the top 3 categories in this survey. 42% of
respondents saying that they have confidence in their provider for managing that sensitive access.
This is something of a sea change considering that in the past so many organizations were
reluctant to outsource sensitive functionality, because of the potential impact on the organization.
It hasn’t gone away, but the perception of it seems to be changing.
Because of the extent of the security services that are being outsourced, and because of the value
of turning to a third party provider for whom security is their primary business, the majority of
respondents do tend to see their use of managed security services as more strategic than tactical.
In other words, they see managed security services as a way to define their security strategy, to
expand their capability in security management, or to assure a more secure environment overall;
as opposed to tactical measures, just to fill operational gaps, meet existing obligations, or specific
compliance obligations, per se. This again may be something of a sea change in terms of the
positive view that organizations have to turning to third parties in security management. Does this
mean that organizations are abdicating their primary responsibilities before assuring their own
security obligations? Not necessarily.
When we asked respondents about the nature of services that they’re outsourcing, and the nature
of alternatives of what they’re – the nature of what they want to outsource to a provider, they
tended overall to see – well, we gave them these general categories, they tended overall to see
their outsourcing as more higher level, tactical if you will; in other words, they’re looking to
outsource the more highly skilled functions that may be difficult to find the right personnel to fill.
It can be very difficult to find truly qualified security expertise, and this is one area where the
third party service provider really does stand out. Not necessarily for low level simple, repetitive
tasks, although 38% of organizations do see – get outsourcing for low level tactical operations
such as log parsing and so on, as having value in itself. But the majority do not outsource
strategy itself, although 38% of respondents do look to third-party service providers to outsource
strategy planning, and in some cases even program management.
This definitely has appeal to the small to mid-sized businesses, for example. It does not have the
resources to feel it can credibly manage its own security priorities and does turn to a third party
service provider for those needs. So what about, push back, if you will, against the security
services. Part of the issues that have caused survey respondents to curtail or decline their adoption
or use of security services, or not to adopt any security services. The top issue, not very
surprisingly, because it comes up in so many areas of security management, and that’s –
particularly when turning to third-parties, and that’s concerns regarding data security or data
privacy.
There may be some concern about what the third-party or service provider will do with sensitive
information, and in some cases those issues have yet to be truly or effectively resolved. It comes
up in parallel areas, such as cloud computing, for example, quite often. However, the other
leading factor at the top of the list here in terms of security management, cost will increase or not
be reduced. That trend, leads in general to disappointment with the value proposition demand
security services, which could have to do with a number of factors. On one hand it may be the
way the enterprise positions the service, but then on the other hand, it may be the customers
expectation of the value to be received. A lot of times customers do not fully anticipate of
services adoption, nor do they fully appreciate the full value that they are getting from their
security services, because they don’t truly understand the total cost of what it is they seek to
outsource, and therefore, they don’t have a real effective handle on the different and the
advantage to be gained from outsourcing in those cases.
So, both customers as well as vendors could do a better job of being aware of what both the
impact and the benefit of adoption, services adoption will be, but I hasten to emphasize that these
data points come from 66 respondents out of the entire study, so this is still a minority of those
involved, respondents in the study who were qualified with a knowledge of security operations in
their organization. Regardless, it’s a fairly significant number, and these are data points that
should not be overlooked, particularly by managed security services providers.
Moving on to a discussion of security SaaS, third party hosted security technologies and services,
very similar level of penetration here. Among all those survey respondents who were qualified
based on their knowledge of security management, security operations in their organization, 43%
of them (inaudible 0:28:40) security SaaS third-party hosted security servi
