Some industry participants complain about increased competition as a factor depressing their security sales. However, let’s take a quick look at a typical large European country as a “market”, for example Germany or the UK. This reveals that there will be, on average, ten firms providing Managed Security Services (MSS), with the biggest firm holding about a 20% market share. There will also be around 30 firms providing various Security Consulting services, and we’ll perhaps find that the biggest of them has a market share of 10%. This would mean HHI indexes of competitive intensity of 526 and 135 respectively.
Glancing back at our economics textbooks, we find that this is not an overly competitive market to be selling security services in, even if we accept that defining the actual ‘market’ may be the trickiest part of this type of analysis.
Then there is another way: proving security ROI. Of course, ROI is a valid financial tool. In the security industry, however, every vendor seems to have one, each slightly different from other vendors’, and each ‘proving’ that buying that vendor’s product or service makes the best economic sense. For example, I’m sure we’ve all seen the statistics stating that having someone else manage your company’s firewalls yields a 400% ROI over one year when compared to managing them in house.
Whenever we are confronted with such figures, there are several things we need to ask: How many firewalls do these figures refer to? How many different technologies? Were these devices located in one company office, or distributed on a country or continental level? What service levels do the costs refer to? How many clients participated in the survey, how many vendors?
Many ROI calculations adopt a simplistic and/or simplified view of the underlying costs. They also tend to disregard ‘communications’ costs, human and skills costs, and the costs of dealing with process or operational exceptions and with network upgrades. One must always seek to understand the assumptions of any ROI model. As a final note, an IDC study in 2003 found that 83% of companies do not track ROI for their security investments. Things are likely to have changed, but caution and scrutiny should still be applied to ROI models.