By Angela Sutherland
Although managed services are rapidly becoming a strategic option for IT savvy CIOs in the Middle East, end users are treading cautiously when it comes to handing over their organisation’s security reigns to a third party.
|~|Michael-J-Gallagher-web-2.jpg|~|An increasing variation in vulnerabilities and new technologies is driving companies to re-assess their IT security requirements. Mike Gallager, director of MSS at ISS EMEA. |~|Although managed services are rapidly becoming a strategic option for IT savvy CIOs in the Middle East, end users are treading cautiously when it comes to handing over their organisation’s security reigns to a third party.
“The demand for these services has not picked up in the Middle East, however, security awareness is increasing among organisation and this will automatically create demand for such services at a later stage,” says Jitendra Kapoor, business development manager for security business unit at OnLine Distribution. “There is a lot of scope for such services [as] businesses grow in leaps and bounds. Hiring the right [person] for the right job is a tedious and expensive task; hence professional companies that offer managed services can provide for the best balance of personnel required, offering the best person for the job at the right time,” Kapoor explains.
Cisco Systems believes the demand for managed security services (MSS) in the Middle East has been relatively slow. The networking giant says corporations want to manage their own security requirements. “Managed security services are not new and are not going to fully replace self-run security operations by internal teams. It is important to keep in mind that with respect to legal frameworks such as SOX or HIPPA, security can be outsourced but not the risk itself,” says Abderrafi Belfakih, manager of systems engineers at Cisco Systems.
“However, organisations are and will continue to use outsourcing contracts with MSSPs. A managed service is like hiring a pilot to fly your aircraft, however, you keep control of the flight plan,” he adds.
The UAE’s spending on IT services rose by 12.7% to US$308.5 million in 2004. Global research firm IDC says end users are moving away from the basics of implementation and support to customisation and outsourcing. As a result, IDC expects the region’s managed services market including security, to grow consistently at approximately 12% for the foreseeable future, eventually reaching more than US$535 million by 2009. It expects to see maturity first in the managed virtual private networks (VPNs) and firewall arenas.
Research firm Current Analysis says the threat protection market, which includes intrusion detection/prevention systems (IDS/IPS) and anti-virus (AV) products, among other technologies, remains vibrant and growing. Currently, these solutions remain in separate markets with a similar goal: to provide enterprise security against malicious code or behaviour.
However, the markets are beginning to blur. Vendors are looking towards providing integrated security solutions that can accomplish the tasks of both IDS/IPS and AV systems. The largest trend in both these markets is to enable protection from unknown attacks. This is usually accomplished through a combination of behavioural techniques in addition to traditional signature-based approaches. More generally, the market is demanding proactive approaches to security as opposed to traditional reactive solutions. Behaviour-based techniques are also helping to combat spam and phishing threats, which are of growing concern to corporate users.
Managed services vendors are providing discreet outsourced IT functions or a cluster of processes, consolidating execution and supervision of those activities on a turnkey approach by using contingent workers. A managed service provider saves money for its clients and provides expertise in areas of IT that are rapidly changing, but whose internal mastery is not vital to clients. The concept of managed security services is a growing discipline for a number of reasons, according to the Kelly IT Resources report. To begin with, there is a rapid rise in the number of organisations that provide services.
As these companies acquire more corporate clients, they establish economies of scale that allow them to provide services at an extremely cost-competitive price. They also develop an expertise in a particular IT realm, which enables them to deliver more informed and increasingly reliable performance, the report states.
“There is an increasing awareness of data as lifeblood of a company and managed services are a great model for companies that do not have the IT resources to provide network security internally. Companies with adequate in-house resources and budget will tend to keep their security services internal. Today, most outsourcing models are geared towards large enterprises. Infonetics Research indicates smaller companies are most likely to subscribe to managed security services,” says Shahnawaz Sheikh, regional sales manager for SonicWall MEA.
Cisco’s Belfakih says managed services allows enterprises to focus on their core business and not worry about security issues, breaches, viruses and interruptions to their businesses processes. By outsourcing the security services, corporations can rely on experts to guarantee operations and world-class capabilities. In addition, corporations can redirect their workforce from the security management to focus on customer generating revenues and enhancing customer satisfaction by reducing and controlling operating costs. Mike Gallager, MSS director at Internet Security Services (ISS) EMEA, shares Belfakih’s sentiments.
He believes an increasing variation in vulnerabilities and new technologies is driving companies to re-assess their IT security. Faced with increasing workload in maintaining security and meeting compliance regulations, enterprises are turning to managed services as a viable alternative. “The use of managed services is forecast to grow strongly in the coming years and will probably account for 30% of all IT security spending. Global manage services are growing in the range of 10% to 15% annually,” says Gallager. “Various hybrid models involving sharing of security workloads will also contribute to the total MSS market share within the security marketplace.”
However, enterprises need quality strategic and practical guidance about how to work with these emerging companies to maximise their own information security. This includes well-defined practices to evaluate, select, contract with, manage and terminate relationships with managed security providers. Managed services will continue to evolve to provide managed protection services as a results orientated service rather than just an outsourcing of labour and expertise.
The general perception among enterprises is that data is safer when it is close to the source. This perception can give a false sense of security in that attacks often involve data being redirected from within the company's network to the malicious source. In this case there is no respect for country boundaries. Providing adequate protection has to be the priority for service providers. “In a managed environment, device log files are frequently moved to international SOC locations and not company data. Security is achieved by providing access to servers, applications and desktop system for authorised users only, not by viewing application data or company information. Further to this, any managed services provider must provide absolute integrity and secrecy to its clients. Even the slightest compromise can prove to be disastrous to the parties concerned,” he adds.
While service providers are trying to convince enterprises to trust them or their local partners with security elements of their IT management, CIOs are realising that by handing over part of the responsibility to an experienced third party they can focus better on their core competencies. As the Abu Dhabi Islamic Bank has found, that outsourcing has enabled it to lower the total-cost-of-ownership (TCO) of its systems, allowing the bank to rest assured its network is maintained with the latest technologies.
“When we started investigating the possibilities of managed services back in 2003, we were not convinced by the prospects available at the time — we concluded the market was not mature enough at that time. There was only one vendor (Datafort) that was ready in the region at that time and we did not want to risk it,” says Adel Ahmed Al Zarouni, the senior vice president of IT at the Abu Dhabi Islamic Bank. “However, two years on, managed services is providing the bank with a systematic approach to handling our IT requirements, and many other organisations are starting to understand the potential of this option. I believe this is a trend that will gain momentum in the Middle East,” he adds.
Applications consulting and customisation was the largest single IT services segment in the UAE in 2004, according to Philip van Heerden, analyst at IDC. "However, the real barometer of maturity is the outsourcing segment," says van Heerden. "Outsourcing was the sweet spot last year in terms of growth. To take advantage of this, providers will need to re-invent themselves almost continuously, demonstrating clear specialisations that appeal to potential clients. While larger firms may aim to be one-stop shops, smaller firms will be better off finding a niche in which they can excel."
Managed security services can be more beneficial to smaller organisations. These businesses can capitalise on a service provider’s experience, economies of scale and technology. They will also benefit from building predictability into their IT budget as they can account for security services and maintenance as part of a regular monthly cost. Furthermore, as part of the service, they will benefit from increased security, access to security expertise and the latest security technologies, reduced costs and improved efficiency in their network.
“Outsourcing is the number one topic these days. Everyone is looking to outsourcing as a major way to grow their business and increase the value of their business. It is the best way to have sustainable, recurring revenues,” says Sameer Khoory, IT manager for e-TQM College. “We believe the most popular outsourced security services will be those that provide a total security service covering both hardware and dynamically updated services [because] this combination provides a constantly renewed level of protection against all the latest internet threats,” notes Khoory. ||**||