Security’s ongoing movement from a technology-dominated discipline to one that falls under the bailiwick of a company’s CEO, CFO and COO is good news for Solutionary, a managed security service provider that views security as part of an overall business problem, rather than a gee-whiz technology. The Omaha, Nebraska-based company has an array of offerings, including assessment, managed services, professional services and security monitoring.
Solutionary bases its managed services offering on ActiveGuard, the company’s proprietary security software. The solution continuously monitors and checks networks for changes and vulnerabilities, examines messages for irregularities and implements countermeasures. The company, which was founded in July 2000, is part of a growing market; by 2005, the managed security services business is expected to reach US$2.5 billion, compared with $1.5 billion in 2002, according to The Yankee Group.
Recently, Earle Humphreys, senior vice president of channel partners and marketing at Solutionary, described to E-Commerce Times the managed security services market, the role of the indirect channel and the transformation security is undergoing in the corporate world.
ECT: So how would you describe Solutionary?
Humphreys: Solutionary is what is known in the industry as a full-service managed security services provider. What does that mean? That means that people out-task or outsource functions of their security to us — electronic security I’m talking about — and that we monitor or manage it for them. We do it through three basic groups of services.
There is what I’ll call prevention, which the industry would call vulnerability management. I’ll give you an analogy like ADT. In this group of services, unlike ADT, what we do is not only tell you that you left a window open, we tell you when we think a thief’s going to come by and how to fix and lock the window. If you don’t lock it, we come by again and again and again, and keep hounding you.
The second group of services are detection services-detection-response. These are services where we’re monitoring or managing the environment and here, like the ADT example, we actually will tell you when you’re under attack, when we think you’re going to be under attack, something we think is suspicious that we see and, “Oh by the way, if you let us, we’ll block the attack.” It’s ADT but with teeth.
The third group of services, which have absolute play over all of them, are what you’d call consulting services or program services. These are things our clients need like forensics — if there’s an incident there has to be a very detailed investigation and that has certain rules and regulations, criminal prosecution. We do incident responses, which is not only preventing but, in some cases, counter-attacking. We also do policy. A lot of our clients [ask], “What policies will make me in compliance? What policies keep my CEO from wearing an orange suit?” We do consulting. We’re not a consulting company. We do consulting at the behest and request of our clients, hence the name “full-service.”
ECT: And what are the advantages of a company outsourcing these functions rather than doing them internally?
Humphreys: It depends on who you are. The first assertion I’ll make, which is positive not just for our company but the whole industry, if we couldn’t do it cheaper than they could and more effectively, we’d all be bankrupt. I guarantee you that any MSP is cheaper than the client.
But that’s actually not the big driver. The big driver today is what I call too much information. There is so much information that even large companies have problems actually doing something with all the data. Why have a security policy and monitoring and all that if you can’t action it? It doesn’t make a lot of sense, does it?
What we provide is not only the technology and the people and the tools to prevent, protect and respond, but also [help answer], “What do I do with that?” With what the industry would call SIM — security information management — we will create a trouble ticket to go to their trouble desk if that’s how they fix and patch. We might tell the compliance officer, “These are the patches or these are the fixes they promised you. Here’s what they’ve done.” To the senior executives or CIO, it would be graphs showing how the threat level has improved, or not improved, what the general health looks like.
Why is this important?
First of all, so you can do something about it, or else why do it? Number two, security should not have a soft benefit. I submit a security purchase, whether it’s hardware or services, should be no different than a fork-lift or toilet paper. I’m dead serious. This is not Star Wars. You need the information to make decisions about what to action; you can’t do everything in security. It also allows risk management. The way to think about it is it’s an insurance policy. If I add it up then say, “Ok, you’re going to have $1 million of expenses this year in lost revenue,” well, if the insurance policy costs $1 million, unless there are other mitigating circumstances, maybe you don’t want to buy that. You have to make those trade-offs.
Security, in my opinion, has finally gone from the cute little spike-haired techies to mainstream. Now it’s risk management, it’s compliance with a lot of regulations and internal policies. That’s something we do, and we have a platform that stretches all the various events involved from vulnerability to actual incidents.
The third bullet is nobody can do it all. You cannot be 7/24 without huge expense. We can because we’re spreading it over a number of clients. My postulate, backed up by facts is, a, we have better expertise; b, we can allow you to action it, and c, quite frankly, we can do it more cost-effectively.
ECT: As you say, that’s an edge for all quality companies that provide outsourced managed security services: How does Solutionary differentiate itself from its competitors?
Humphreys: First of all, there are a bunch of them that are product vendors like ISS or Symantec. I don’t know if you saw [comments recently] from the CEO of Symantec, but — these are his figures, not mine — 2 percent of his $2.3 billion business is consulting and managed services. Now, how much mindshare do you think that gets?
We don’t sell product. We’re pretty agnostic. The second group is tool vendors. They have great tools. A: You have to have the staff, the skills and the money to execute them. They’re not as cost-effective.
The third group is pure plays. What separates us? First of all, we are very business-oriented. We use technology as an enabler, but our focus is solving business problems not trying to wow you with our technology. The second thing — the technical thing — we don’t filter events. Many of our competitors in the industry started by filtering events. Think of it like a funnel, where you start out and get smaller and smaller. You’re looking at all these events and you throw out the ones that aren’t meaningful and you grab the ones that are. We don’t do it that way. Why? Because an event that’s not meaningful today could be tomorrow. We hold every single event and always analyze it, and then we come back. The first time, you get a pass. The second time we get suspicious. The third time we pop you up to look at you. That’s called a slow attack in business. Our technology allows us to catch that. Others don’t.
We also have a very unique way of processing the information. Our hierarchy allows us to process at many levels: Local, on your site; companywide, regional. We’re only processing the data we need to on certain levels so, quite candidly, a lot more data quicker. This allows us to see the threats, the vulnerabilities, faster.
And lastly, one of the differentiators that is starting to be important in our DNA is operations. Solutionary was not a company started by a group of techies who thought this would be cool and they built some technology, then ran out and marketed it. Actually, we were founded by a group of people who were in data processing for the financial industry — very successful, sold the business, and said, “Gee, I’m too young to retire and clip coupons. What do I want to do?” They realized they were in the security business and our CTO — Mike Hrabik — built it for CIOs by CIOs. He understood what was missing. Our company built the system and went out and got clients before they ever even started to look at hiring a sales force or marketing, so they proved it. That stems from the fact they ran 20,000 people in 12 centers, so they were very operational-oriented.
ECT: Doesn’t the fact that Solutionary has a relationship with both Visa and MasterCard also differentiate you?
Humphreys: Other people do, too, but this is how we’re different. We had a relationship with Visa, like about 10 other people. One of our core industries is banking and acquiring banks. We said we wanted to do the Visa authorizations for some of the larger merchants — in Visa’s language that’s tier one and tier two merchants and payment processes. Our bank said to us, “We’ve got all these tier three merchants.” Visa did a very clever thing. It said to the acquiring banks, of which there are 48 — these are the ones that actually issue the cards: “You have to do this for tier one and tier two. By the way, for tier three — that’s merchants with under 500,000 transactions a year — we recommend it, but that’s up to you. Oh, by the way, should there be an incident, you’re held liable for non-compliance.”
We looked at it and said, “That’s not going to work.” One, Sammy’s Cigar Shop usually is not online except for transactions. Number two, I can see us saying to Sammy’s Cigar Shop, “Are you up-to-date with all your cryptology?” I can’t repeat the words I’d hear. Tier three merchants do not have the skill-set to do this.
Now what? Well, as we explain to the bank, this is risk management. Notice I didn’t say, “technology.” If they have 150,000 tier three merchants, which some of these banks do and more, at the cheapest price you can get, it costs $15 million to do them once a year. An incident is about $2 million; this is not my number. It’s a number I’ve seen from Visa and other sources. What bank spends $15 million unless it knows the aggregate of the incident is going to exceed $15 million? What you do is take the tier three merchants and put them in various buckets: This merchant is online — higher risk. This merchant takes sensitive customer data — high risk. You take that information and using statistics — something banks are familiar with, plus risk management plus security expertise — which we have — and you can actually profile your clients and decide who to scan.
Banks say, “I’ve got all these regulations where I’ve got to keep track of all these assessments and be able to produce them.” I guess you take a strong vault and pile them up. We worked with a partner and came up with a solution that manages all that for them. Again, a business problem with a business solution.
Other than compliance with a regulation that would send your CEO to jail, why would you pay one nickel more for security? This is a business problem. Deal with it. I’m seeing more C-level people involved in this decision. I’m seeing security falling under a compliance officer.
ECT: How does the channel fit with Solutionary’s model and approach?
Humphreys: We target a couple of channels. We like security resellers because they sell a lot of security. They’re not necessarily expert on security management, but they have good relationships. They sell equipment. We don’t. They do other things for clients. We don’t. It becomes a good marriage.
We also work a lot with security consulting firms. They go in and do the heavy lifting, then we go in and leave behind our services. We also rifle-shot into selected markets like consultants that are big in banking. We work, for example, with several SAP implementers to do SAP application security. We’re also working with one asset vendor to add our technology to their asset-management program.
We don’t change their business model. We make sure our service is a feature that fits very nicely.
ECT: What sort of challenges will Solutionary and the industry in general face going forward?
Humphreys: I’ll go from macro to micro. First of all, the industry doesn’t clearly articulate its business proposition, a value proposition. I can do it cheaper. I can do it better. [Instead], they say, “Wow, look at how many log lines I can do.”
At the end of the day, I submit to you that application security will be the rage in a couple of years. If the industry is not doing more in the applications area — and that includes vendors, too — but certainly my industry, the MSP industry, then I think we’ll not be as relevant. Also, and this is a very hard one for my peers to accept, I’m not talking about Moore’s Law, but if you do not scale and if you do not find a way of improving the ROI of your clients every year, then you have a problem. In other words, prices must come down over time. There’s volume. If they don’t, despite the fact everyone thinks the offshore people won’t be big in security, that’s nonsense.
To that point, what makes us special is our relationship with Siemens. Siemens has 400,000 people and they did a make versus buy [comparison] with our technology against ISS, Symantec, everybody, a couple of years ago, we won. Siemens is adopting our technology internally. The other thing that’s important is Siemens is our global partner. So rather than a small company or a young company like Solutionary having to tackle the world, even though a lot of our clients are global, we have a father son-like relationship with Siemens, where they’re coming up in Asia and they’re already in Europe. We do North America. It’s the same platform. Siemens licenses it from us.
If we don’t provide good ROI, improving it over time, we probably will not keep our clients. That’s how we approach the world. At the end of the day, it’s the tangible benefit for the cost.
ECT: What about technological advances?
Humphreys: Obviously more threat-stopping, but including legal counter-attacks. You could make a hacker regret [attacking] if you could legally counter-attack. I think what you’re also going to see is more threat-modeling with cost-effective solutions. What’s that mean? It’s one thing to say to clients, “We model threats and these are the threats you face. Goodbye. Have a nice day.” The client says, “I can’t do all that.” “Well, goodbye. I told you.”
Or what you could do is model a threat and then look at the topology and say, “What is the smartest, most cost-effective way for them to protect themselves?” It might be reconfiguring portions of the network, not necessarily patch the world.
We build really state-of-the-art vulnerability threat data that can be customized on a client’s site. We add our German co-developer Siemen’s enhanced event data — where we’re monitoring to see if someone’s actually attacking you. Think of it as one thin management platform. What’s important with that is you don’t need just us to manage it. You can hook up things we don’t manage. It’s very open. It will all fit into our information management system. We think that’s very powerful for our clients. In other words, we’re not saying to them, “Use our SIM. It’s us or the highway.”
The other thing we’re doing is really moving ahead on what we call local scanner; the industry calls it host-based scanning. Most attacks come from the inside, right? They don’t come from the outside. We have the technology, now we’re deploying it, where you can do more inside vulnerability management — inspect the packet, inspect deeper into the devices — on the inside using local scanner.
We’re teaching our people to stop talking technology and to speak in business. We have a product our techies would call EV3. That means nothing to anybody, including me. It is vulnerability management. We told them, “Quit selling EV3. If you want to sell EVP, sell it as HIPPA compliance.”
We have developed authoring and solutions strictly for certain markets. Take the credit union market. If you look at credit unions, even the larger ones, they don’t have the IT staff. One of the things we came up with is peer benchmarking, which allows them to compare their IT profile against peers in their industry. Again, we’re trying to give them tools so they can say, “What shall I spend it on? How much?” Instead of, “Here’s a new technology. Buy it.”
The challenge is if the industry doesn’t articulate the message, we’ve got a problem. In ours, it’s called grow fast or die. We compete against big players so we’ve got to stay agile. If you don’t keep up with the technology and the business needs — that second one is more important to me — then I think if you miss a turn, you can be dead.
ECT: Do you see any verticals starting to adopt managed security service solutions because of regulations?
Humphreys: Manufacturers. There’s just the GLB and stocks driving them. Here’s something that’s driving them that we’re starting to see: A huge player, like a GM, says to its smaller suppliers, “You’re not hooking up to my network unless I know you’re secure.” That leads to the big manufacturers demanding certain standards and to be shown them.
Today, you want to do everything through electronic transactions. If you’re dirty and you’re not pure, I can’t let you into my system. Just the nature of electronic commerce will end up driving a lot of security between suppliers and clients.
ECT: Distribution immediately came to mind.
Humphreys: Exactly. Back to the regulations, while there are hundreds of regulations out there, they’re not overly helpful. It’s like, “Do good and avoid evil.” The regulations need to get a lot more tangible.
ECT: Have you seen any shining examples of industries or companies adopting managed security service solutions?
Humphreys: I have seen some very growing insurance companies who I think approached this very well. They have regulatory experts by regulation. More importantly, they do make versus buy. They treat it just like they would buy anything else so they get the best price and the best technology and they’re not too proud to outsource something. Some of the larger banks actually go both ways. I’ve seen some very good RFPs but sometimes they get hung up if they have an [internal] staff. I would say it’s more strategic to a larger bank, and they have much more sophisticated staffs.
In the larger market, you’d be shocked at some of the large companies — I’m talking $3 billion and up — where we go in to talk about the technology and they don’t even have a policy. So it really varies.
Manufacturers are catching up, and they approach it very scientifically, as you’d imagine. It’s like making another widget. They’re not enamored with the technology. They just want to know, “Can I do it better than you? Prove to me you can do it.”
ECT: What is your background? You have lived in Germany and Asia. Now you’ve been in Omaha for about a year.
Humphreys: I was an executive at Tandem Computers, which was in fault-tolerance. I was then recruited to Compaq. Compaq ended up buying Tandem within a couple of weeks. I was recruited away to Cabletron. My whole life has been in service. I’m an IE by profession. I ran large consulting groups in these companies. I had 500 engineers in 20 countries, all billing out at least $300,000 a year. What I didn’t like about consulting was every time I wanted to grow revenue, I had to add bodies. It’s not cost-effective for my clients.
Managed services have always had my interest. It’s doing what you should do with technology: Leverage it to drive up quality and down costs. To me, managed services — whether it’s network management, which I was involved in, system management, which I was involved in — were always the Holy Grail.
I sold a unit at Cabletron, and decided I was going to pour sand in my navel. [Solutionary founder and CEO] Steve Idelman asked me to come and do marketing for sales at this growing company. I owed him a favor, or believe me, I wouldn’t have done it. I was very shocked to see the DNA, if you will, of Solutionary, which fascinated me. A, it was privately funded and could be as long as the founders wanted it to be. B, it had a real operational background, so I knew we could get our costs down. C, I looked at the technology.