

4/27/2010
04:35 PM

Security Services Improve, But Bargains Few

Enterprises more focused on quality and functionality of services than on cost, experts say

The quality and functionality of third-party security services have improved in recent years, experts say. Unfortunately, the cost of those services hasn't.

Despite the budget pressures caused by a bad economy, most security services firms have not cut their subscription prices, experts say. Although market pressures have driven costs slightly lower than they were five years ago, current prices are more stable, says Jason Hilling, executive for management and service strategy at IBM.

"The costs are not going down significantly with the maturation and saturation of the market," Hilling says, "but companies are delivering more for the same cost." As more enterprises move to managed and cloud security services, providers are differentiating themselves through value-added services, Hilling says. For example, managed intrusion detection systems that served at 1 gigabit per second (Gbps) five years ago can now run at 10 Gbps for the same price today.

If you're looking to cut the costs of security services, then you should focus on contracts, say market experts. Firms locked into a long contract at a relatively high service price can benefit by renegotiating their contracts, says Khalid Kark, vice president of security and risk management for analyst firm Forrester Research.

"In the interest of getting a good deal, many firms would sign long-term contracts with [service providers]," Kark says. "Yet now they've found out that costs have come down more than expected five years ago."

While a multiyear contract may not have been a good deal in years past, the relative stability of today's security services pricing could mean a long-term deal now will help to cut future costs, says Kathy Jaques, chief marketing officer for managed security provider SecureWorks. A big advantage of long-term contracts is that clients get a predictable cost structure, she says.

"Partly because of the economy and partly because of how budget cycles work, predicting the cost has become very important for clients," Jaques says. "They are locking into contracts so they will know what the costs will be two to three years out."

Typically, the size of the company and the length of the contract are two major factors in service price. Depending on the client's needs, SecureWorks also rolls hardware prices into the cost of the service. "It depends on whether capital expenditures are easier to approve for the client or operational expenses are easier to approve," Jaques says.

Software-as-a-service models are another good way to cut costs and are often delivered at a single subscriber price. When e-mail security provider Postini was bought by Google in 2007, the company conducted a study of its pricing and decided to ditch the old model of contracts and volume discounts, says Adam Swidler, senior product marketing manager for Google's Postini service.

"We really changed the artificially high pricing to a realistic list price," Swidler says. "We put the price online so people could see it, and we enabled them to buy the service online, as well." Postini now has 50,000 companies -- about 18 million users -- using its service.

Forrester has estimated that managed security services will see significant growth in the next few years. The number of companies that outsource their e-mail security, for example, will likely jump to more than one-third in the next 12 months, up from 25 percent today. And while 13 percent of companies already outsource vulnerability management, another 19 percent are very interested in doing so in the next year, according to a Forrester report released last month.

Although enterprises are looking to save budget dollars, costs are not the main reason for their interest in managed security services, according to Forrester. Round-the-clock monitoring and better protection of IT assets are more important factors in the outsourcing decision, according to its survey of firms. Greater competency of security services' professionals ranks third, with cost reduction a close fourth.

"The services have all become comparable in the past few years," Kark says. "The value-added services are where they are differentiating themselves."

Google's Postini has also found that costs are not always the only reason companies consider its service. Many customers are attracted by Google's infrastructure, which all but the largest companies would have a problem creating, Swidler says. The availability of a third-party infrastructure frees a company's IT staff to work on other projects, he notes.

"The notion is that you can take the IT resources that were dedicated to the care and feeding of your IT systems and put them to work on other strategic projects," Swidler says.

During the past three years, security service prices have become much more affordable for small and midsize businesses because telecommunications firms and Internet service providers are rolling up security services into their connectivity packages. Companies interested in reducing costs can look to see if their local providers offer security as part of the service bundle.

"Telcos have really come up with some interesting models for cost reduction," Forrester's Kark says. "In the future, a lot of these services will be baked into the infrastructure."

IBM's Hilling agrees. "The telcos' bundling of security services will really drive the business for SMB in the next few years," he says.
