ready now: middle market shift to network security-as-a ... · commissioned by p fiq netwrks 6...

©COPYRIGHT 2017 451 RESEARCH. ALL RIGHTS RESERVED.

Ready Now: Middle Market Shift to Network Security-as-a-Service M A R C H 20 1 7

B L AC K & W H I T E PA P E R

CO M M I SS I O N E D BY

2COMMISSIONED BY O PĀQ N E T W O R K S

About 451 Research451 Research is a preeminent information technology research and advisory company. With a core focus on technology innovation and market disruption, we provide essential insight for leaders of the digital economy. More than 100 analysts and consultants deliver that insight via syndicated research, advisory services and live events to over 1,000 client organizations in North America, Europe and around the world. Founded in 2000 and headquartered in New York, 451 Research is a division of The 451 Group.

© 2017 451 Research, LLC and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publi-cation, in whole or in part, in any form without prior written permission is forbidden. The terms of use regarding distribution, both internally and externally, shall be governed by the terms laid out in your Service Agreement with 451 Research and/or its Affiliates. The information contained herein has been obtained from sources be-lieved to be reliable. 451 Research disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although 451 Research may discuss legal issues related to the information technology business, 451 Research does not provide legal advice or services and their research should not be construed or used as such.

451 Research shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

About this paperA Black & White paper is a study based on primary research survey data that assesses the market dynamics of a key enterprise technology segment through the lens of the “on the ground” experience and opinions of real practitioners — what they are doing, and why they are doing it.

NEW YORK1411 Broadway New York, NY 10018 +1 212 505 3030

SAN FRANCISCO140 Geary Street San Francisco, CA 94108 +1 415 989 1555

LONDONPaxton House 30, Artillery Lane London, E1 7LS, UK +44 (0) 207 426 1050

BOSTON75-101 Federal Street Boston, MA 02110 +1 617 598 7200


B L AC K & W H I T E PA P E R | R E A DY N OW: M I D D L E M A R K E T S H I F T TO N E T WO R K S EC U R I T Y-A S-A-S E RV I C E

IntroductionWe recently conducted a custom survey of just over 300 executives, IT managers and tech practi-tioners to find out how current infrastructure challenges, near- term spending plans and the availabil-ity of new network security-as-a-service offerings could help steer organizations closer to their goals.

Security technology, and in particular traditional protection at the network perimeter, remain on pace for reinvention as cloud-based services. This shift is accelerating to keep up with business transfor-mation and the inherent dangers of pervasive interconnectivity, which include a relentless attack environment and security skills shortages.

In addition to the challenges presented by IT security’s extensive functional fragmentation, prod-uct-centric segmentation dominates marketing and influences demand at the industry level. Recent-ly, however, customer-driven requirements for simplification, deeper interoperability and services in-tegration has fomented emerging demand for converged, cloud-based service alternatives to many types of premises-based security.

New services target not only long-standing requirements to secure data assets and users but also to serve new requirements for flexibility, visibility and the needs of the distributed enterprise. A range of operating challenges associated with network security appliances, even for companies of material size and in-house expertise, presents a rich target of opportunity for improvement. And financially, for customers, innovators and investors, global market demand for unified threat management (UTM) devices is at the multibillion-dollar annual level.

This paper examines both the difficult challenges and new opportunities that small and medi-um-sized businesses face with respect to network security. Our hypothesis approaching this topic was that SMBs have been relatively underserved by security technology, in terms of simplicity, value and products’ ability to enhance agility, performance and risk management.

Key Findings � Respondents indicate clear interest in adopting network security-as-a-service as a means to sim-

plify and centralize security management and reduce costs. Top priority use cases for cloud-based security point to the significant risks incurred by commonplace perimeter security bypass from remote users. (See Making A Change pp. 6-7)

� Visibility and control over the distributed environment is generally characterized as moderate to low. (See Challenge – Low Visibility and Control, p.11)

� Security function work encompasses significant amounts of non-value-added activities, which may be reduced, in part, by shifts to network security-as-a-service. (See Challenge – Work Coordi-nation, pp. 13-14)

� A high majority of respondents indicate near-term timing priority for network security-as-a-service adoption. (See Urgency, p. 15)



Goals & Implied Technology DependenceFigure 1: SMBs Have Diverse GoalsAllocate 100 points among the following organizational goals.

Source: 451 Research

As most executives and corporate managers will tell you, revenue is every employee’s business. And so even though the top organizational goal reflected in our survey is to increase revenue, the overall balance of priorities was just as striking. We view the spread, top to bottom, as indicative of the diverse operating demands and characteristics of SMBs, such as high relative value ascribed to fungible business and IT skills, automation and the benefits available from the shift to software-as-a-service.

Notably, in our survey the goal to speed up innovation (No. 5) scored nearly as strongly as reduce risk/strengthen security (No. 4). Security automation innovation is increasingly focused on the user interface and user experience, reflecting the reality of scarce expert skillsets. In the SMB space and in all strata, there is a strong likelihood that IT and security generalists will have to provide the bulk of human eyes-on assistance and judgment, in coordination with automated platforms.

Regarding how our surveyed organizations view new technology, an 80% majority view themselves as willing make the nec-essary changes to evolve and succeed. And we believe our survey indicates that high interest in security-as-a-service, spending inclination and urgency are converging to perhaps significantly change the market outlook for network security management.

26% 18% 17% 14% 12% 14%2,001-2,500 Employees

27% 16% 17% 14% 12% 14%1,001-2,000 Employees

25% 17% 17% 14% 12% 14%501-1,000 Employees

Mean Allocation of 100 Points Among Categories

Increase revenue

Lower costs

Improve product or service quality

Speed up innovation

Improve agility

Reduce risk / strengthen security protection



Figure 2: Technology Adoption

Which of the following best describes your organization’s approach to NEW technology adoption?


Given relatively strong perceptions of either early adoption or pragmatic prioritization of new technology, it is unsurprising that 80% of respondents indicated a preference for something other than on-premises solutions for managing security, with a substantial 72% choosing security-as-a-service. Software-as-a-service is now as essential to building strong IT and support processes as it is to serving front-office sales efforts and building a digital presence and bridge to customers.

Physical presence is also a requirement, and represents a particular scale challenge for SMBs. In our survey, 70% of respon-dents operate between four and eight branch offices, and 10% operate eight or more, with significant implications for IT security and compliance, as we illustrate later in this paper.

Figure 3: Primary Security PreferencesPlease indicate your preferred primary solution for managing security.


41%

39%

19%

1%

We are early adopters on the leading edge

We are pragmatic, but will act sooner rather than later

We are conservative and takea wait and see approach

We are skeptical and usually late to the game

72%

9%

19%

Security-as-a-service

MSSP

On-premises



Making a ChangeFigure 4: Appetite for Cloud-Based Security Would you invest in a cloud-based security service from a network security-as-a-service vendor that simplifies and centralizes security

management and reduces costs?


We asked our survey respondents whether they would invest in a cloud-based security service from a network securi-ty-as-a-service vendor that simplifies and centralizes security management and reduces costs. Results indicate an over-whelming interest, with roughly 90% in favor. Two-thirds of respondents were favorably disposed to managed or co-man-aged offerings, while respondents in the financial services vertical in particular were notably more inclined to favor a managed approach, at 52% of respondents vs. 37% overall.

We also asked respondents to rate various value propositions; the top choice was ‘simplifies security manage-ment and reduces complexity,’ followed by ‘centralizes security management’ and then ‘tightens security control and enhances visibility.’

37%

30%

18%

5%4%

3% 1% 2%Yes — for the purpose of managing security

Yes — for the purpose of co-managing security in your environment with a vendor

Yes — for the purpose of monitoring your network environment

Yes — because I don’t want to manageon-prem security products

No — we are happy with our current security products and services

No — we don’t see this as a current need

No — we are locked into existing security investments

No — I believe it wouldn’t offer enough protection



Figure 5: Top Cloud-Based Security CapabilitiesOn a scale of 1-10, how important to your organization are the following potential cloud-based security services/capabilities?

Frequency Where Functions Were Rated 8 or Higher (on 1-10 scale)


In terms of security functions that were cited as important potential cloud-based service offerings, data loss prevention (DLP), encryption and network access control (NAC) ranked highest, topping threat management (which is the top priority for additional capability in current environments – see Figure 9). We believe this data supports the view that security man-agers and buyers are increasingly aware that cloud-based services can enable aggressive deployment of advanced technologies that directly address the requirements and challenges of distributed enterprises. In terms of use cases, threat management was most often cited as No. 1 (37% of respondents) or No. 2 (27%), followed by branch-office enable-ment and optimization, with significant declines after the top two choices.

68%

72%

73%

75%

77%

77%

80%

URL filtering

SSL decryption

Application access control

Threat management

Encryption

NAC

Data loss prevention



Figure 6: Top Cloud-Based Security Use CasesPrioritize use cases in order of importance to your organization.


37%

25%

13%

9%8%

5%

27%

17%

12% 12%

14%

12%

0%

5%

10%

15%

20%

25%

30%

35%

40%

Threatmanagement

Branch officeenablement andoptimization

MPLSdisplacement

MSSPdisplacement

On-demandsecurity

SecuringSaaS apps

#1 Rank #2 Rank



IT and Network Security SpendingOur survey indicated that respondents spend $461,000 annually on average for IT security, and $178,000 for network security. Results were highly sensitive to, but not strictly linear with, the number of employees, as shown in Figure 7.

Figure 7: IT Security and Network Security Spending by Company Size

METRIC 501-1,000 EMPLOYEES 1,001-2,000 EMPLOYEES 2,001-2,500 EMPLOYEES

Average total spend on IT security by companies surveyed

$328k $471k $666k

Average spend on network security by companies surveyed

$131k $182k $249k

Average increase in network security spending over next 12 months

10.40% 11.40% 10.90%


Respondents indicated, by a more than five-to-one margin, plans to increase network security spending in the coming year. The average increase was 10-11%, with some notable variation, including nearly 40% who indicated growth plans of 10-20%. Clearly, network is a growth area for security investment, despite the fact that the market is widely considered universally pen-etrated, and on-premises security appliances – particularly those suited to SMB deployment – represent a neglected area of innovation for some time, in our view.

Figure 8: Network Security Spending Outlook For your network security solutions, do you expect your organization to increase its spending, decrease its spending, or will spending on each of

these services stay about the same over the next 12 months?


16%

18%

21%

22%

8%

7%

–2%

–1%

–2%

–2%

–1%

-5% 0% 5% 10% 15% 20% 25%

Remain the same

Increase > 20%

Decrease > 20%

Increase 16–20%

Decrease 16–20%

Increase 11–15%

Decrease 11–15%

Increase 6–10%

Decrease 6–10%

Increase 10–5%

Decrease 10–5%



We also wanted to find out what areas of overall security spending represented near-term priorities. Respondents cited 2.3 categories on average, with threat management most often cited – by a 61% majority. NAC placed second, while data/appli-cation control ranked third.

Strong interest in threat management underscores its evolution to the level of layered suite that combines methods and functions for detection, prevention and enforcement. NAC, cited by 48% of respondents, has improved as an effective means to address the proliferation of personal devices on corporate networks. And application/data controls, which offer CASB-like visibility (and potential restriction or enforcement) regarding what employees access directly over the internet, was cited by 47% of respondents.

Meanwhile, we believe that the interest shown in endpoint technologies (cited by 44% of respondents) could reflect recent innovation around signatureless detection and automated response. In general, security managers remain burdened with project lists and priorities that require a significant array of skillsets to operate and manage, let alone acquire and implement.

Figure 9: Targeted Functional Improvements – Percent of RespondentsWhat additional security capabilities are you considering?


1%

32%

44%

47%

48%

61%

Other

Web security

Endpoint security

Data/Application control

Network access control

Threat management



Challenge – Low Visibility and ControlFigure 10: Levels of Security Visibility and ControlRate the level of security visibility and control you feel you have over your distributed network assets:

DATA CENTER

PUBLIC CLOUD

BRANCH OFFICES

REMOTE USERS

MOBILE DEVICES

THIRD PARTIES IOT

High/Complete 57% 39% 36% 34% 31% 30% 34%

Moderate/Incomplete 41% 44% 53% 49% 56% 52% 49%

Little 2% 14% 9% 16% 12% 17% 12%

None 0% 3% 2% 1% 1% 1% 5%

100% 100% 100% 100% 100% 100% 100%


We asked survey respondents to rate security visibility and control across seven asset categories and environments, from the datacenter to the cloud to branch offices. Not surprisingly, the datacenter ranked highest in visibility and control; however, less than 60% of respondents indicated ‘high/complete’ visibility/control for datacenter. Overall, and especially given the fairly weak datacenter rating, these results point to a dismal network security environment for distributed enterprises. Look-ing at the overall tally of ‘moderate’ to ‘none’ visibility/control ratings, we observe that third parties, mobile devices, remote users and IoT all ranked from 65-70% of respondents. Such lack of distinction between mobile devices and remote users vs. third parties and IoT is striking, as is the good showing – in relative terms – by public cloud, which scored the second-highest percentage of respondents giving it the ‘high/complete’ rating.

Figure 11: Barriers to Improved SecurityWhat are the barriers that you feel are preventing you from improving visibility and security control over your distributed network assets?


11%

32%

42%

52%

62%

Unaware of effectiveMSSP offering

Lack of time

Personnel/expertise

Lack of budget

Legacy IT



The Big PictureHere is a high-level recap of our findings thus far. As a group, our survey respondents:

� Indicate that 35-40% of IT spending is devoted to network security

� Operate at low levels of visibility and control across most of the IT environment, constrained by a number factors, including legacy IT

� Plan to grow network security spending by twice their overall rate of IT spending, in order to gain new capabilities

� Would clearly prefer security-as-a-service offerings.

The challenges of scalability, visibility and control are well known in legacy distributed IT environments, and these chal-lenges are not confined to security functions. Even the essential question of knowing what assets are attached to the net-work, and the detailed attributes of such assets, is a significant issue in legacy IT. As traditional networks evolve to feature software-defined functions, these problems of scale, visibility and control – including policy – are much easier to address.

For many, if not most, small and medium-sized businesses, gateway firewalls and UTM appliances in the headquarters and branch locations represent the bulk of current network-based defenses. However, bypass of network protections is common, whether in the branch or anywhere a mobile device is accessing the internet directly. For SMBs, security bypass presents significant risks, not least of which is the likelihood that directly accessed web content will likely introduce mal-ware – first onto the mobile devices of remote users and then eventually onto the enterprise network. Today malware still represents the top overall challenge associated with security; it’s not hard to see the potential business risks associated with ransomware, for example, among SMBs.

Figure 12: Enterprise Security PrioritiesWhat do you consider your top internal information security pain point within your organization for the previous 90 days?

Source: 451 Research Voice of the Enterprise Workloads and Key Projects: Information Security, July 2016

Malicious Software

Data Loss/Theft

User Behavior

Staffing Information Security

5.7%

6.3%

7.2%

7.6%

8.4%

9.0%

17.9%

Org Politics/Lack of Attention

Accurate, Timely Event Monitoring

Application Security



Challenge – Work CoordinationFigure 13: Security Staffing LevelsHow many FTEs do you have focused on security?

What percent of security FTEs are:


Some of the biggest challenges associated with IT security relate to simply executing the tasks and activities inherent in the work that individuals do. Low levels of automation and product interoperability and high levels of manual intensity are addressed in virtually every new product and service, but the security skills shortage remains a real issue. Our survey results show that security work is substantially dependent on non-full-time professionals, with over 40% of security full-time equivalent (FTE) work reflecting some combination of in-house staff with multiple responsibilities, managed service providers or contractors. We believe this represents far less-than-optimal coordination, with a mix of in-house and external resources (with the latter at 25% of FTEs). Our survey found a fairly broad range of FTE resource counts, with 84% of respon-dents claiming 2 to 5 FTEs, while nearly 40% of respondents utilize 5 or more.

0%

2%

10%

18%

29%

27%

5%

2%

7%

0

1

2

3

4

5

6

7

> 8

10.9%

14.1%

17.4%

57.6%

MSSP

Contractor

Partial FTE

Full-time professionals



We also asked respondents to estimate their resource hours devoted to spending, procuring, implementing and managing network security. A huge majority – 82% – estimated 20-60 hours per week for these activities, which companies could see (as we do) as adding no value relative to the direct execution of security objectives (e.g., monitor, analyze, respond, investigate, remediate).

Ultimately, automation will be pervasive across most security functions. Until then we do not expect to hear much, at least not with great authority, about how to right-size security staffing. In the meantime, companies have to retain the strong skills in which they have invested, and push to match people with their highest-value use cases.

Figure 14: Network Security WorkloadHow many hours a week are your in-house resources spending procuring, implementing and managing network security products

and services?


2%

7%

42%

40%

9%

> 80

61–80

41–60

21–40

< 20



UrgencyFigure 15: Vendor Delivery Time FramesWhat is your timing for a network security-as-a-service solution from a trusted vendor?


We hoped to get a sense of urgency or general timing from those who would adopt a network security-as-a-service solution. The data strongly supports the view that such a change is highly sought, and quickly so. More than 85% of respondents indicate the timing is ‘important’ (within 12 months) or ‘critical’ (within three months). And the remainder of study respondents would consider the switch within two years’ time.

We also asked about specific important priorities, and found branch-office enablement and threat management again topping priorities.

Figure 16: Deployment Time FramesPlease indicate timing of need or plan for implementation.


0%

0%

13%

19%

Already using a network security-as-a-service provider

Unimportant: > 2 years

Considering (relativelyimportant: 1-2 years)

Important: 4-12 months

Critical: < 3 months

68%

Next 12 months Next 6 months

36%

39%

40%

42%

40%

52%

55%

66%

74%

74%

74%

76%

84%

85%

Securing SaaS applications

MPLS displacement

MSSP displacement

Backhaul offload

On-demand security

Threat management

Branch office enablement



Estimating Total US Addressable MarketsFigure 17: Total Security and Network Security TAM

METRIC

BANKING AND FINANCIAL SERVICES

RETAIL AND WHOLESALE

ENERGY & UTILITIES

HEALTHCARE PROVIDERS LEGAL OTHER TOTAL

Survey N 61 60 60 50 50 20 301

Average total spend on IT security

$529 $453 $508 $420 $395 $398 $461

Vertical Rank 1 4 2 3 5 6

Average spend on network security

$203 $168 $188 $171 $159 $154 $177


12 month increase in network security spending

12.9% 9.7% 13.1% 7.7% 10.8% 9.4% 10.9%



We estimated 2016 total addressable markets (TAMs) for IT security and network security of $5.9bn and $2.3bn, respec-tively, for our survey scope of US-based enterprises with 500-2,500 employees. Looking forward, our survey data implies a five-year projected compound annual growth rate of 8.9% for network security, and a 4.4% CAGR for IT security.

These TAM estimates highlight the importance of network security within the overall scope of the security mission, con-suming nearly 40% of IT security spending. IT security spending overall remains on a long-term upward trend; however, operational pressures (to reduce vendor counts, for example) could pinch and delay spending in 2017. For network security, spiky demand relating to product cycles should give way to steadier optimism relating to cloud and software-defined fea-ture and architecture advantages, especially those that enable companies’ digital transformation initiatives.



Respondents ProfileOur survey documented the challenges, required resources and complexity associated with SMBs’ execution of the IT secu-rity function, with emphasis on securing assets and users connected over wide-area networks. We focused on companies with an overall employee count ranging from 500 to 2,500, and we estimated 2016-2021 addressable market opportunities for IT security and network security for that segment of US businesses.

Figure 18: Respondent ProfilesWhat is the primary industry of your business?

* primarily media, pharmaceutical, and medical technology

What is your title?


7%

17%

16%

20%

20%

20%

Other*

Legal

Healthcare Providers

Energy & Utilities

Retail and Wholesale

Banking and Financial Services

34%

11%

30%

36%

Senior Executive

CISO

VP/Director

IT Manager/Practitioner



Conclusions � Key reasons to consider a network security-as-a-service offering are control, visibility and cost savings. Funda-mental security considerations should drive strategy and choices regarding network security. Nevertheless, high up-front costs, as well as complexity and questionable effectiveness, have become significant issues with respect to SMB on-premises security deployments. Cloud-based services offer potentially significant advantages, in terms of simplicity and access to better methods to secure distributed businesses, and may prove to be less expensive, by several definitions, than traditional on-premises network security.

� Most respondents are spending 35-40% of their IT security budget on network security. However, visibility and control is rated less than ‘high or complete’ for substantial amounts of the IT environment. On-premises threat management suite deployment has become a relatively expensive and complex project involving architectural choices that can impact operations – for example, by imposing latency effects on application data traffic. While respondents indi-cate significant interest in a range of new network-based and other security capabilities, we believe that project returns and success rates are likely to be low with predominantly on-premises security deployments going forward.

� Security execution is substantially dependent on non-full-time professionals. Our SMB respondents augment full-time professional work with part-time in-house assignments, contractors and MSSPs. Less-than-optimal coordination is a likely result. There are also real pressures related to skills shortages and retaining talent. New network security-as-a-ser-vice options should help alleviate these significant operating pressures related to staffing.

� Cloud-based access and protections can be optimized for centralized visibility and unified policy provisioning and enforcement over a wide area. As an attack surface, the cloud represents the opposite of what attackers hope to encounter. At scale, cloud-based IT is more easily configured correctly, monitored and updated than on-premises IT in-frastructure, including security. Cloud-based services enable aggressive deployment of advanced security technologies, such as software-defined perimeters, dynamic isolation techniques and behavior-based analytics that directly address the requirements and challenges of distributed enterprises.

� The cloud is the network – at least that’s the way the business now views it. As simplification becomes a top security operations priority in 2017, IT organizations of all sizes should drive toward attainable, singular abstractions that can improve flexibility and business results over the long term. Network security-as-a-service offerings are on a path toward providing single network abstractions – similar to how business process owners perceive the situation – and the means to implement unified security policy across diverse enforcement infrastructure and endpoints.

ready now: middle market shift to network security-as-a ... · commissioned by p fiq netwrks 6...

Documents