I don't know what it is, but lately everyone I am speaking to is talking SaaS, outsourcing and MSSPs. Just today I was reading Neil Roiter's column on the latest acquisition by Perimeter eSecurity. The MSSP acquisition kings have now bought Edgeos, a vulnerability scanning service. I don't really know alot about them, but it seems their vulnerability service does not utilize a distributed or local server at the customers location. I am not sure how they deal with things like firewalls and such that would result in very different results from an internal scan, but that isn't the point here. The fact is that MSSP service providers, whether it be large carriers line Verizon or ATT or dedicated security MSSPs like Perimeter or SecureWorks or smaller MSSPs like ProtectPoint here in Florida, are finding fertile ground. I will talk more at the end of the article about what kind of MSSP will likely be your MSSP in the future.

Why are they seeing such success and who are they seeing this success with? My experience with this goes back to my days at Interliant, one of the early ASPs and managed security provider. At one time (late 90's, early 2000) we were probably the largest Checkpoint firewall provider in the eastern US. We managed a bunch of firewalls and that passed for MSSP back than. Still does for a lot of folks today. One of the critical lessons I learned at Interliant was that people will not outsource everything. You can break down what most any organization does into three categories. There are non-critical, non-core activities, critical, but non-core activities and core and critical activities. A company is never going to outsource core, critical activities. Outsourcing non-critical, non-core activities are a no brainer. Showing companies that outsourcing critical, non-core activities is the key to success of the service provider market. These are activities that are critical and therefore must have services for the organization, but they are not core to the organizations functionality and they probably don't have deep expertise in that area. Analysis will show that it is better business to outsource this non-core but critical functionality.

Security is squarely in the sweet spot here. Most organizations acknowledge that security whether for compliance or other business reasons is critical to the business function. However, it is not the core expertise of these companies. Therefore outsourcing it is a smart business move. For the most part, companies do not have the in house expertise to run their own security. Part of the blame lies with security vendors, we make our products to damn hard. Part of the problem is the complexity of the problem to be solved. Security is hard. Another part of the problem is in house security just does not, for the most part, get its fair share of the resources in order to do the job. In any event, I think outsourcing security is not just a fad and is here to stay. It will continue to grow in the years to come.

Just a couple of other things though. Finance is an exception here. Security is a core function in finance, as the security of your money and information is core to a financial institutions function. However, at the mid-size level and below, financial institutions do outsource security. I have seen several MSSPs who specialize in this vertical. Lastly, I think the real battle will be who do you get your managed security from. Do you get from a general purpose network vendor, like Verizon, ATT or IBM or HP? Do you get it separate from your network, from a security expert like Perimeter or SecureWorks? That is where the real battle is going to be over the coming months.