Though the new business model has been some time in preparation (Safeboot has just finished its first six-month...
trial), the timing couldn't have been better. Security software vendors are quietly expecting a bonanza amid the furore over HM Revenue & Customs' 25 million misplaced child benefit records.
Yet the extent of data security laxity in the UK appears to be so great that one has to wonder, should the UK's public sector collectively pull its socks up?
Even so, this will not have Britain's data security problems fixed over night. Safeboot's service cannot grow too quickly without eating its own babies.
"You can't have that [service model roll-out] when you've got resellers because of the way the licence gets paid," says Churet.
Resellers get paid a margin on the sale of capital deals, while a software service is rented. A change in the sales model might require a change in the constituency of Safeboot's sales channel and that is not something that can be rushed.
Accordingly, Safeboot is implementing only modest plans for expansion. It has approved the model after completing a trial with 2E2, a systems integrator and provider of other software services. Churet says he'll sign another four or five software service partners and handle about 15 per cent of its licence sales through them in 2008.
Ironically, the aspect of the model that makes it difficult to implement is the one that should make it most attractive to customers. Renting the software also hands responsibility for hardware and maintenance to the supplier and allows the customer to avoid paying huge amounts from its capital budget on data security.
This has been the pitch used to sell the software service model since it was first posited in the late 90s (then known as the ASP - application service provider model). The big opportunities were always thought to be in the mid-market, among firms that could not afford to hire the specialists to handle data security internally.
Eldar Turvey, CEO of ScanSafe, which claims in 2004 to have been the first firm to supply Web traffic scanning as a service, says he started out intending to supply the mid-market, but found larger companies more open to the idea. Customers were not ready to trust outsiders to manage their software and the networks supplying mid-sized firms were not good enough.
Now the model is proven, it is growing quickly. Scansafe boasts a 180 per cent revenue increase on last year. "A record", apparently, but Turvey refuses to divulge the numbers with the explanation that his company is registered in the tax haven of Delaware.
Yet the benefits of transparency may yet become apparent to firms like ScanSafe. Tariq Saied, managing director of Redstone Managed Solutions, which has agreed to launch Safeboot's second software service trial, says that while the mid-market is now ready for the software service model, the public sector has quite suddenly become the most interesting market. It's adherence to the principle of transparency forces it to deal more forcefully with problems that the private sector prefer to keep hush-hush.
As, Saied says: "The other big area is in government - especially with what's going on recently with lost records."
Even before the HMRC gaff, things were already looking up for security software vendors. Safeboot had seen the trend like everyone else when it launched the trial of its software service last year. Likewise, Redstone launched an email scanning service in November. Security behemoth Checkpoint, meanwhile, resurrected the same mid-market sales pitch in the summer with the launch of a software service for its sales channel partners.
The HMRC, meanwhile, confessed to at least six other serious data losses before the House of Commons Treasury Select Committee in December. Richard Thomas, the information commissioner, told the same committee that several government departments had admitted privately to similar blunders.
The year ended with the government promising to give the information commissioner the power to make data security spot checks on public sector (but not private sector) organisations, while the commissioner is demanding more power to prosecute firms that don't do enough to protect their data. The FSA has been rattling its sabre over data security as well.
Yet the expectation that someone can wave a magic wand and solve the UK's data security must be tempered.
"People high up in government departments are asking what they need to do so they aren't the next ones," says Mike Howse, managing director of Protegrity, a UK database encryption firm. "But government is huge. Until a proper audit is done then they are not in a position to put a proper [data security] solution in place. Not enough attention has been paid to this. They need to smarten their act up."