Need Ca$h? Sell Managed Security Services!


Managed security services are not only in demand right now, by businesses large and small, they also represent a way to boost revenue immediately and establish profit margins of 70% or higher, according to a new study from Heavy Reading.

Heavy Reading Principal Analyst Jim Hodges worked with security vendor Radware Ltd. (Nasdaq: RDWR) to closely examine the costs and potential revenues of cloud-based distributed denial of service (DDoS) mitigation services and concluded such services would have "strong margins and excellent growth prospects" for communications service providers.

Two versions of the service -- an on-demand model targeting small to midsized businesses and a more sophisticated always-on model primarily aimed at enterprises -- generate positive cash flow in the first year and margins exceeding 70% by years four and five, Hodges reports in a white paper and on a webinar viewable here, both sponsored by Radware.

The demand side of the story is pretty clear: As DDoS attacks become larger and last longer, businesses of all sizes aren't able to combat them on their own, says Mike O'Malley, Radware's vice president of carrier strategy and business development.

"Enterprises are looking for help," he comments. "When you get to security it is a scary complex world out there."

Radware conducted a survey of its 10,000-plus enterprise customers and found that as attacks get more complex and last longer, IT infrastructure personnel "are not equipped to handle these morphing, multi-factor attacks," O'Malley says.

As an example, he cites a month-long attack against a large bank.

"The forensics of the attack showed that, for about the first ten days or so, there were low-level attacks from all different vectors -- encrypted attacks, different protocols, checking out different ports and addresses to try to infiltrate; basically the attackers threw everything against the wall," O'Malley says. They then used "real-time learning algorithms" to determine what worked in that phase of the attack and launched a second phase doing those things in combination, at a much larger scale.

"This type of attack can go on for up to months at a time," he says. "They overwhelm the resources of even the largest enterprises."

Radware's own survey of enterprises shows that about half still want to manage their own security, but that number is dropping, he adds. The same survey showed about one third of enterprises are specifically looking to their network service provider for assistance, and the number is higher (39%) in Europe.

Small businesses are also increasingly targeted by cyber attacks because they represent easy targets, he adds, citing car dealerships as an example. They rarely have much in the way of IT resources, but they are a repository of valuable information about consumers, including credit card and social security numbers.

"It's not about the size of the company, or where they are located; it's about the information they have that can be useful to the attacker," O'Malley says in an interview. He also points to Verizon's Data Breach Information Report, an annual review of breaches, which shows 60% of all attacks hit small businesses.

For his report, Hodges defined two types of service: an always-on service, which analyzes all incoming data streams with real-time analytics, and an on-demand service which does out-of-path monitoring of selected data streams. He then factored in the upfront capex required to start a cloud-based DDoS mitigation service, based on known commercial pricing, and the ongoing opex, including fully loaded salaries and software, needed to run both types of service.

"The study used conservative telco selling and SGA expenses, and also ramped revenues conservatively, including loyalty pricing," Heavy Reading's Hodges said in his webinar presentation. "The service costs are based on known pricing models, which I took and then reduced 20%."

Even so, the model showed a five-year net present value of $198 million for on-demand services and generates net cash -- revenues after costs are deducted -- of more than $317 million. The always-on service is more expensive to deploy but in Hodges' model, generates a five-year NPV of $239 million and net cash of almost $349 million (see below).

Hodges' model tracks the cost, revenue, net cash and NPV for an on-demand managed DDoS service over five years.
Hodges' model tracks the cost, revenue, net cash and NPV for an on-demand managed DDoS service over five years.

"It is clear that the economic and business rudiments of the DDoS service scenarios considered … represent a strong and sustainable business opportunity, with strong margins and excellent growth prospects for CSPs that embrace the economic fundaments of the cyber age and commit to cloud-based DDoS service delivery," Hodges concludes in the white paper.

Radware tries to make the case even stronger by offering CSPs three different ways to get into the managed security services business, O'Malley says. In addition to buying the needed hardware and software and running it themselves, CSPs can also white label a service that Radware delivers, or start off white labeling the service to get into business quickly and over time, assume control of the service.