Transcription
SaaS Industry SpotlightMay 2008“Security”-as-a-Service: Revolution or Evolution?www.tmcapital.comAn M&A International Inc. partner firm
Providing Tech M&A Advisory Services on a Global ScaleHitachi Consultinghas been acquired by:FUJITSU CONSULTINGhas acquired:has acquired:casetaIT ServicesSell-Side AdvisoryIntelligent Traffic SolutionsBuy-Side AdvisoryIT ServicesBuy-Side Advisoryhas been acquired by:has been acquired by:has been acquired by:2CromptonGreavesEnergy & Utility SolutionsSell-Side Advisorycedarhas merged with:CRESTONEI N T E R N AT I O N A LIT ServicesMerger AdvisoryInfrastructure Broadcast EquipmentSell-Side AdvisoryEnterprise SoftwareSell-Side AdvisoryHitachi Consultinghas acquired:iteration2IT ServicesBuy-Side Advisoryhas acquired:a Parsons Brinkerhoff CompanyIntelligent Traffic SolutionsBuy-Side Advisory
SaaS Industry SpotlightMay 2008“Security”-as-a-Service: Revolution or Evolution?T“Security”-as-a-Servicehe Software-as-a-Service (“SaaS”) delivery modelhas taken hold in various segments of the enterprisesoftware market, most notably in the CRM sector.Champions of the SaaS model, like Salesforce.com,have proven the viability of an “on-demand” solutionand demonstrated a compelling ROI to customers. Asdemonstrated in Figure 1., the markets have rewardedSaaS focused businesses with a premium valuationto those of traditional software vendors. With SaaScompanies in the spotlight and with high bandwidthpipes all but ubiquitous in the corporate environment, itseems logical that the SaaS model would be increasinglyprevalent in other segments of the enterprise market,such as security. SaaS oriented HR, ERP, and CRMvendors have allayed many of the initial concerns ofa hosted delivery model including data security andavailability, integration and customization, yet for certainsoftware sectors, the SaaS model may take a differentevolutionary path. The security market exemplifies asector in which traditional desktop deployments, hostedapplications, outsourced solutions and true multitenant SaaS are manifesting themselves in a variety ofcombinations to meet the unique needs of clients.Many of the generic attributes of the SaaS modelcan be applied to the security space, including lowerupfront capital expenditures and a reduction of ongoingmaintenance and support costs. There are also aFigure 1: Total Enterprise Value to Revenue Multiples7.0x6.5x6.0x5.75.65.5x5.0xCompeting pressures in the IT services space areproviding fertile ground for the growth of security-as-aservice opportunities. As general economic conditionsworsen, IT budgets are tightening. Forrester Researchdownwardly revised its IT services spending estimatestwice in the first quarter of 2008 due to the deterioratingmarket conditions. In spite of this spending pull back, thedemands for a secure IT environment have never beenhigher. The system intrusions at TJX Companies, whereover 45 million customer accounts were compromised,along with an increasing focus on compliance concernsand risk management, all highlight the increasing needfor secure IT environments. Security-as-a-serviceaddresses the heightened demand for best-of-breedsecurity solutions offered in an economical 5x2.0x1Q05Source: Capital IQ2Q053Q054Q051Q06On Demand Software2Q063Q064Q061Q07Traditional SoftwareIndex Companies:Traditional Software: ARBA, CA, EPIC, INTU, LWSN, MSFT, MSTER, ORCL, QADI, SAP, SPSSOn Demand Software: BBBB, CNQR, CYBS, TRAK, DRIV, KNXA, KNTA, LPSN, LOOP, N, OMTR, MOW, CRM, TLEO, ULTI,VOCS, WSTM2Q073Q074Q07
Industry Spotlight“Security”-as-a-Service: Revolution or Evolution?Figure 2: Security-as-a-Service Temperature CheckBetter Economics/ROIEver Changing Threat LandscapePerceptionLow Switching CostsIncrease In ThreatLevel and Pressure onIT Budgets “Networked” Threat MitigationEffectAvailabilityReduced Bandwidth CostsIncreased Audit ResultsSource: TM Capital Corp.StimuliInhibitorsShared Equipment(configuration andpolicies)Market Adoptionnumber of specific nuances to the security market thata SaaS delivery model can help address. For example,bandwidth costs for an enterprise can be substantiallyreduced by the remote removal of worms and viruses(that can consume bandwidth through their scanningactivities) and through the elimination of spam emaill,which accounts for upwards of 90% of email traffic.SaaS also allows for reporting and auditing functions tobe outsourced and can reduce security and regulatoryrelated storage costs. Switching costs are also negligiblewith little to no equipment requirements and minimalchanges to network architecture. The benefits of SaaSare enhanced in the SMB environment where costsavings and the level of security provided are magnifieddue to the shared security infrastructure model.Despite a market that seems primed for a SaaSrevolution, a full security-as-a-service model has beenslow to take hold. Commonly cited challenges toadoption include: the use of shared equipment whichmay limit configuration and policy options; availability;and financial stability of the vendor (given that manyproviders are relatively new firms). Even the perceptionof not having on-site security equipment can create anegative bias to the hosted model. While the economicsof a hosted security solution are compelling, those dollarsavings cannot overcome the potential cost of a securitybreach. This potential, which could result in irreversibledamage to reputation and customer confidence, not tomention sizable dollar costs, appears to be the primaryadoption inhibitor.Perhaps the most significant driver of the security-asa-service model is the rapid speed in which the threatenvironment changes. New threats emerge on a dailybasis, but the cycle to identify the correct risk mitigationproduct and to integrate the solution into an on-premisesecurity platform can be protracted. Solutions need tobe put in place nearly as fast as the threat is identified.Leveraging the most current security technologies in acost effective manner without latency is a key merit ofthe on-demand model. One additional important benefitof a hosted security model is the networked effect: oncea threat is detected, everyone benefits instantly.www.tmcapital.comVendor StabilityAs such, the security-as-a-service landscape appears tobe evolutionary, not revolutionary. Firms will graduallyadopt on-demand solutions on an application specificbasis rather than pursue an enterprise-wide hostedsecurity roll-out. Solutions that are likely to see moreimmediate adoption include those focused on securecontent management, especially in the email and antivirusdomains and remote vulnerability assessment. Longerterm we expect to see a more holistic approach to theon-demand security offering that would include remotevulnerability management and mitigation. We also expectto see security SaaS offerings touch tangential sectors.For example, Qualys recently released a SaaS suite- -
Industry Spotlight“Security”-as-a-Service: Revolution or Evolution?Cornering the Security SaaS Market: Focus on StorageLegacy security software vendors are generally playing ahead of the SaaS adoption curve and preparingthemselves for a potential market shift. However, there are nuances in strategy to capture market share.For example, both Symantec and EMC have storage-as-a-service offerings, but they are approaching themarket from different angles.Symantec entered the SaaS market in 2007 when it launched its Symantec Protection Network (SPN)and then followed up with its integrated online backup and online storage offerings earlier this year.Symantec plans to leverage the popularity of its Backup Exec solution, which is among the most popularon-site backup and restore offerings. The company hopes to upsell existing Backup Exec customers onSPN’s offsite data protection services. So as to counter claims that it may cannibalize its own on-siteoffering, Symantec also believes it can convince SPN customers to license Backup Exec for additionalon-site protection.Meanwhile, EMC may be looking outside of its core capabilities to entrench its storage-as-a-serviceoffering. In February 2008, news leaked that EMC was in discussions with SAP to help provide a newhosted version of SAP ERP’s offerings. As such, EMC storage solutions may ultimately tie to managedERP systems.The market is also seeing startups like Vembu and Asigra, which specialize in storage-as-a-service, emergeon the scene along with some altogether surprising competitors. For example, Amazon’s S3 storageservices are believed to be employed by several large managed service providers.Several years ago it would been very hard to imagine Symantec, EMC and Amazon all vying for the samecustomer. As evidenced by the storage market, we expect segments in the security-as-a-service marketto remain highly fluid in the coming years.Evolving Models: No Glass Slipper YetUnlike Salesforce.com, which has demonstrated theviability of a “pure-breed” SaaS model in the CRM sectoracross various industries, we believe that the marketwill see many “mutts” in the security arena. In the nearterm, a security environment will likely continue to be apatchwork of products managed by a variety of methodswith specific nuances by vertical application. Forexample, it is not uncommon for an enterprise to havescanning tools from Qualys, email and antispam filteringfrom MessageLabs and web filtering from Scansafe. Assuch, we believe that the SaaS focused security winnerswill either be a best-of-breed niche solution provider orthose that significantly address the needs of a particularvertical.that combines security with compliance. The productprovides a new policy compliance application next to itsvulnerability management and PCI applications. Despitethis progress, some security tools, like network accesscontrol (NAC) systems and endpoint-oriented products,may never be successfully provided via SaaS.Critics of remote security correctly point out that alarge number of enterprise attacks occur internally,either by disgruntled employees or by those that havegained internal system access. They argue that as longas the enterprise systems reside on premise, some sortof security solutions will also have to remain onsite. Tohelp address these types of concerns, different modelsfor security service delivery that incorporate elementsof an on-demand solution are also taking shape.In the large company universe, the co-managed solutionsmodel will likely become the predominant delivery- -
Industry Spotlight“Security”-as-a-Service: Revolution or Evolution?Figure 3: Security Service Delivery ModelsIn-SourcedOutsourcedOn-DemandOn-Site (nooutsourcing)In-SourcedManaged SEM(Security oachIn-HouseIn-HouseCo-ManagedCo-ManagedOn DemandLocationClientClientClient and VendorClient and VendorVendorStaffClientClientClient and VendorClient and VendorVendorPolicies, Processesand ProceduresClientClientClient and VendorVendorVendorTechnologyClientVairable, exisiting ornewVariable, existing ornewVendorVendorDescriptionAll internal resourcesVendor helps set upsystem24x7 monitor byvendorVendor managessecurity via its owntechnologyFull on demand security solution fromstaff to technologySource:TM Capital Corp.that makes the ROI calculation harder to compute onlyhurts SaaS vendors.model and be the precursor to further SaaS adoption.A full SaaS delivered security solution has the potentialto dominate the lower end of the SMB market, but midand large size clients will likely remain tied to portionsof their on-premise security strategy for some time. Asdemonstrated in Figure 3, co-managed players will leaveportions of their hardware at the client’s location, buthandle the bulk of delivery off-site. While this hybridsolution removes some of the cost efficiency of themulti-tenant SaaS model, efficiencies can be gained inareas where shared resources can be deployed.Security Market Health: Why Down Means Upfor SaaS ProvidersRegardless of the delivery model, security softwarevendors and service providers are susceptible to themarket environment. Preliminary guidance suggeststhat security software spending has slowed in thefirst quarter of 2008. To put it bluntly, Deutsche Bankreported, “spending growth expectations for the [first]quarter as well as the next twelve months were thelowest in the 5 year history of our [security softwarespending] survey.” As recently as the fourth quarter of2007, sequential security software market growth waspredicted to be 3.4% - now that growth estimate hasdropped to 0.7% (See Figure 4). The Deutsche Banksurvey also notes that nearly 60% of security vendorsare feeling the impact of a slowing economy and thatnew deployments and expansions are taking the hardesthit.Buried in the various models of delivery are variouspricing schemes, from subscription on the SaaS sideto traditional license and maintenance on the legacysoftware front. One of the attractive attributes of aSaaS model is the ability to pay based on usage; however,there are many flavors of per-use pricing. For example,Veracode offers its binary code analysis service on a pertest basis. Thus, their clients only pay for the tests thatthey run using the hosted testing engine (and do notpay for upgrades, etc.) Other more aggressive pricingmodels in the binary test market charge per lines ofcode scanning or charge per CPU. We believe thatsimplicity is the key in pricing schemes and anythingwww.tmcapital.com- -
Industry Spotlight“Security”-as-a-Service: Revolution or Evolution?Relevant Acquisitions by TechLeadersAs is the case in nearly all evolvingtechnology markets, mergers andacquisitions are playing an importantrole in defining and shaping the SaaSsecurity landscape. In the followingsection we explore some of thesecurity transactions completed bytech and communication bellwethersthat have implications for the SaaSdelivery model.Figure 4: Sequential Growth Expectationsfor Security 5%3.0%Google acquired Postini for 625million in July 2007. Postini’s revenueswere approximately 75 million at thetime of the deal, representing an 8.3xrevenue multiple. This high valuationresembled Cisco’s SaaS acquisition3.4%3.8%2.0%2.6%1.0%03Q .0%040.7%Source: Deutsche Bank 1Q 2008 IT Security SurveyFigure 5: Security Sector ti-spamGoogle acquires Postini3.6%3.0%4QWhile this data is grim, we do believethat there is a silver lining for thosevendors that are leveraging the SaaSdelivery model. The cost advantagesof the SaaS model, from both lowerupfront capital expenditures toreduced support costs, grow inimportance in a slackening economy.Ignoring security developments issimply not an option in many verticalsand thus, a SaaS alternative generally isthe lower cost alternative. SaaS playersare looking at the current marketdownturn as an opportunity to grabmarket share. Also favorable to SaaSoriented providers are the areas ofsecurity which are garnering the mostattention. For example, as illustratedin Figure 5. anti-virus protection, webfiltering and intrusion preventionare all seeing relative strength in themarket. These are all areas in whichcompelling SaaS products are 0%25%75%20%10%10%80%20%20%30%30%40%40%50%50%Seeing StrengthSource: Deutsche Bank 1Q 2008 IT Security Survey- -60%60%70%70%80%80%100%90%90% 100%Seeing Weakness
Industry Spotlight“Security”-as-a-Service: Revolution or Evolution?On the Front Lines: Conversation with Brian Ahern, CEO of Industrial DefenderTM Capital recently sat down with Brian Ahern, CEOof Industrial Defender, to discuss the future of a SaaSdelivered security solution. Recently recognized byFrost and Sullivan as the leader in cyber security forcritical infrastructure markets, Industrial Defender has developed a best-of-breed co-managed solutionto meet the needs of its clients today and serve as an introduction to on-demand offerings.“As a necessity, critical infrastructure players think about protecting their physical assets with on-premiseguards and fences, and this mentality extends to their IT networks,” said Ahern, “at this stage a completein-the-cloud solution is not viable.”Industrial Defender’s target market includes verticals such as power generation, utilities, energy,transportation and chemicals, or in other words, industries dominated by massive companies withsubstantial, mission critical systems.One only needs to remember the blackout that occurred in the Northeast portion of the U.S. andCanada in 2003 to understand why these verticals are labeled “critical”. The blackout affected anestimated 50 million people and caused outage-related financial losses of 6 billion.“Last year Industrial Defender launched the industry’s first comprehensive co-managed security servicewhich provides a complete monitoring and management program for the perimeter, network and hostenvironments,” said Ahern. “Today, this is the dominant solution in the market for real-time processcontrol.”Industrial Defender currently protects over 25 percent of the United Kingdom’s power generation,Europe’s longest metro line and over 10,000 miles of oil and gas pipeline in North America. IndustrialDefender’s significant progress demonstrates the evolutionary nature of the SaaS model and theimportance of vertical specialization in the security sector.“As the threat environment continues to increase and as government regulation and enforcementintensifies, we expect to see rapid adoption of co-managed services and growing interest in on-demandoptions,” concluded Ahern.of WebEx, which was completed at an 8.4x revenuemultiple earlier in the year. The high multiple was drivenby precedents such as the WebEx deal and by the factthat Postini was in a favorable position to pursue an IPOat the time of the transaction.a suite of security products to complement its Postiniacquisition which will be deployed via SaaS. Theseproducts provide email message filtering and messagesecurity that is comparable to those solutions employedat many large companies for a fraction of the cost. Googlebelieves that large enterprises have been reluctant to useGoogle Apps due to security and compliance reasons- preferring the traditional, desktop-based solutionsoffered by the likes of Microsoft and IBM. At the time ofthe acquisition Google was already licensing the Postinitechnology, but the acquisition helped to build a morecompelling security story for Google.Postini provided a number of on-demand productsincluding message security, archiving, encryption andcompliance solutions. The company touted over 35,000commercial clients accounting for over 10 millionusers globally. Like Google Apps, Postini’s serviceswere entirely hosted. More recently, Google launchedwww.tmcapital.com- -
Industry Spotlight“Security”-as-a-Service: Revolution or Evolution?Keeping Channel Partners Happy: Both Sides of the FenceChannel partners for those legacy security software and hardware vendors that are migrating towardsa SaaS model are worried. First, some vendors opt to sell their SaaS offerings directly to customers,cutting out the partner completely. For those vendors that say they would like their partners to helpbring their SaaS product to market, the role that they would play is different from historical norms.Some channel partners are being pushed into new territory, such as consulting, hosting and managedservices. Partners typically ad
Nov 10, 2017 · a hosted delivery model including data security and availability, integration and customization, yet for certain . control (NAC) systems and endpoint-oriented products, may never be successfully provided via SaaS. . Symantec also believes it can convince SPN customers
