Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


After Years Of Struggle, SaaS Security Market Finally Catches Fire

Shifts in economy, threats make SaaS an easier choice, oldest providers say

Indeed, the demand for SaaS services appears to be driving both large security vendors and startups to launch new service offerings. In addition to Symantec, McAfee, RSA, and Trend Micro now all offer a wide range of SaaS services, including antivirus, antispam, encryption, archiving, backup, and Web security. Smaller service providers, such as Webroot and AppRiver, have also emerged to offer some or all of these capabilities, creating a dizzying array of offerings to choose from.

"At any given time, we're tracking about 50 players that are in our space in some way, and those are only the most serious contenders," Palmer says. "In addition to the larger players, there are many local competitors that do well in some geographies, particularly in the non-English-speaking countries."

The nature of SaaS service offerings is also changing, the executives say. Where once enterprises were willing to purchase services for a single problem -- say, email antivirus capabilities -- most enterprises today are looking for a provider that offers a variety of services with one throat to choke.

"[Enterprises] start out looking for some help with one problem, like email security, and then they add [instant messaging] security, archiving, and encryption fairly quickly," Palmer says. "They don't wait 12 months anymore before they're willing to outsource another security component. They trust SaaS enough now to move more quickly."

The economy has also caused enterprises to change their attitudes about SaaS, the executives say. Today's businesses are looking for ways to reduce capital expenditures, stretch security staff resources, and make costs more predictable -- all elements that work in SaaS's favor.

"Eighteen months ago, price would have been one of the lowest priorities for customers in evaluating SaaS offerings," Palmer says. "Now I'd say it's up at the top."

The threat also has changed, Tuvey says. "Twenty-three percent of the billion or so threats we blocked in 2008 were threats that were not picked up by traditional, signature-based, on-premises software tools," he says. "With so many zero-day threats out there, a cloud-based offerings is much more effective."

So with a skyrocketing market and a plethora of players, how can enterprises -- particularly small businesses, which generally don't have security skills on-staff -- choose the right provider? For many, the answer is to outsource that decision, too -- to a value-added reseller of SaaS services.

"I would say we do about 50 percent of our business through direct channels, and 50 percent indirect," Palmer says. "Interestingly, it's sort of the reverse of most other channel models -- the resellers come more into play in the large enterprise, where the need is for more commodity services, and we do more direct sales in small businesses, where there's a need to work more directly with the customer to deliver what they need."

ScanSafe's sells its services through many of the largest Internet service providers, including AT&T and Sprint. The company's market share in SaaS-based Web security services is "10 times our nearest competitor," Tuvey says, quoting from an IDC study. MessageLabs also claims huge market share, holding 60 percent of the email security market to Google/Postini's 20 percent and Microsoft's 10 percent, Palmer says.

But these discrete market segments may soon become obsolete, the executives concede, as each provider dips into the other's business. MessageLabs, which made its name in the email space, now does about 20 percent of its business in Web security, Palmer says. And ScanSafe, which cut its teeth on Web security, now offers a full range of email security services. Most of the companies that have built their businesses on premises-based security software now have SaaS offerings, as well.

But Tuvey says users should think twice before buying SaaS services from a vendor that comes from software roots. "Is there a successful company that can do both [SaaS and software]?" he wonders. "I think it will be difficult. SaaS and traditional software have very different customer support models. Software companies are concerned about cannibalizing their software sales. It's hard to do both. It will be interesting in the future to see how it evolves."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio


Recommended Reading:

2 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Is Zero Trust the Best Answer to the COVID-19 Lockdown?
Dan Blum, Cybersecurity & Risk Management Strategist,  5/20/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.
PUBLISHED: 2020-05-25
The Knock Knock plugin before 1.2.8 for Craft CMS allows malicious redirection.
PUBLISHED: 2020-05-25
EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.
PUBLISHED: 2020-05-25
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There is stored XSS in the Bulk Resize action.