Security as a service: how are the patterns of risk and reward changing?
Security as a service can provide cost savings and accelerated implementation cycles, just as software as a service (SaaS) can, writes John Pescatore, vice-president and distinguished analyst at Gartner. However, the "as a service" approach can fail if applied under the wrong circumstances using a poor implementation methodology. Security as a service offerings must be built on highly reliable and highly secure platforms, and must use open and/or standard interfaces and data definitions. Service providers can offer the model to better compete or to complement their service offerings, but security as a service is not a good match for many security applications.
Security service offerings vary primarily by how much investment (in capital expense and ongoing staffing) the business is required to make versus the amount of customisation and control of the service the organisation has. Gartner predicts security as a service will see a compound annual growth rate of more than 30% from 2007 through 2012.
Security as a service offerings already provide significant revenue in distributed denial-of-service protection, message security, remote vulnerability assessment, secure web gateway and security intelligence services.
The model has features that will restrain or accelerate its adoption. First, there is no permanent organisation-owned equipment or software, so failure of a security as a service provider will mean total disruption of service. Second, security as a service is a one-to-many model: organisations that need high levels of customisation will not find it attractive, and they can also lose control over their security applications. Third, security as a service requires high-availability and high-speed connectivity to the provider. This can be a significant cost that may reduce savings, unless the security as a service provider is also the bandwidth provider. Finally, the model may result in "hidden lock-in" where the security as a service offering does not provide open interfaces to data that may be retained at the provider's facility.
However, the model avoids capital expense or large, single-fiscal-year software expense hits, but it must be priced aggressively to show direct cost savings over other delivery models. The security as a service trend will drive corporate pressure to use security as a service, just as the outsourcing trend has driven security outsourcing. The predictable revenue stream from security as a service will drive financial analysts to assign higher multiples to vendors with security as a service revenue streams than to those that are pure hardware or software vendors.