But security services is becoming a busy marketplace. IBM Corp spent $1.3bn in August on Internet Security Systems Inc, a security software firm that offers complimentary services such as testing and assessment.
In addition to the big global services firms, network and telecom firms area also targeting the security space as part of their service offerings. As we reported last week, BT Global Services paid an undisclosed amount for Counterpane Internet Security Inc, a private managed security services provider.
Security products leader Symantec Corp has been aggressively building its own services interests in order to compete with these big players, and wisely so, considering its recent sluggishness growth in security sales.
The company’s strategy, 10 by 10 by 10, is to hit $10bn in annual sales by 2010, with 10% of revenue, or $1bn, coming from its professional services division, according to Greg Hughes, Symantec’s executive vice president for worldwide services and support.
The company already makes more than $1bn a year from its product support business, technically the other part of its services operation. The professional services wing, which includes implementation services, outsourcing, and consulting, currently accounts for about 5% of Symantec’s $5bn in annual revenue according to Hughes – this week, Symantec posted $55m in services sales for its latest quarter, a 14% increase from last year.
The company plans to meet its target through annual organic growth of between 20% and 25%, with the rest coming from acquisitions and partnerships.
Symantec has built up its services business on a number of acquisitions over the years. In September 2004 it bought @stake, a security assessment and consulting vendor with what Hughes described as a top-notch US client base. It also purchased consultancy Liric Associates, which provides similar services in the UK and has a strong government presence.
Then in December 2004 came the huge $13.5bn takeover of storage software company Veritas Software Corp. Since the two companies had little in the way of common products in the first place, their services teams were completely different, Hughes said. But the same logic that drove Symantec’s decision to buy Veritas — to get in on the growth in compliance-driven storage management and storage security market — also guides a large part of Symantec’s services strategy today.
Symantec’s services now include Veritas’ domain of storage and data protection services and the Symantec stronghold in security services such as monitoring and management. On the outsourcing front, Hughes said the company handles a lot of what companies consider highly risky, but non-core areas such as data backup, a truly behind-the-scenes business process, in which there are not only compliance issues, but also major operational issues should something go awry.
Similar storage/security tie-ins can be found in services around data leakage, helping enterprises protect their vast chambers of data, often bound up in different systems or across different locations. Another Symantec specialty is branch risk, whereby an organization may be protected at its main branches but struggles to secure information at its peripheral sites, Hughes said.
The problem with most organizations is that they don’t have the in-house expertise to identify these constantly changing risks and evaluate their own vulnerability. Even companies that outsource their desktop and data center management to outside vendors often do their own security report cards and are far too lenient on themselves, Hughes said.
Symantec’s consultants will give companies an assessment of these and plenty of other risks. Clients can receive testing and vulnerability services, simulations and diagnostic advice, all the way to business continuity planning.
After the consulting and advisory stage, Symantec’s services team will handle the implementation and management of storage and security tools. Often this means working with outsourcers who are handling desktops or data center operations, or perhaps competing against these companies’ own security offerings for business.
If Symantec is chosen for a managed services role, Hughes said the engagements typically last three to five years. Consulting gigs are naturally shorter, but he noted that many advisory projects were becoming more comprehensive and thus longer.
It’s a tricky but potentially advantageous position that Symantec occupies in the security services marketplace. It is clearly larger than the specialized firms (in either expertise or geography) such as @stake or Liric once were.
But with some 1,000 employees in its services division, excluding the 2,000 workers dedicated to support, Symantec doesn’t have the manpower typically associated with a global services provider. IBM Global Services, for example, has more than 3,500 experts in its security services practice. Symantec will surely grow, and the current headcount isn’t necessarily an impediment if the company continues to target security- and storage-specific service areas.
But the market is consolidating in many ways. Storage vendors are getting into security and big outsourcers are taking on specialists. If it can scale in the next few years and fend off some of the coming competition, Symantec should be well positioned to hit its $1bn services target by 2010.
