Telcos as security companies
The idea of a telecommunications company acting as a security provider is nothing new. For years, telephone companies and Internet service providers have used their existing relationships with businesses to spread security services onto the network connectivity that's their bread and butter. Gene McLean, CSO of Telus, the $7 billion Canadian telecom company, says security services have always been part of his company's offerings; they've just never really been marketed. "When we're dealing with big clients or government contracts, then we put on our security consulting hat," McLean says simply. "We look at it as a differentiator."
Typically, telecom companies sell virtual private networks (VPNs) and take over such rote tasks as managing firewalls, intrusion detection systems or other customer premises equipment. This frees up business customers to keep lean staffs or focus on more strategic operations. While standalone managed security service providers (MSSPs) have the same capabilities and, arguably, deeper security expertise, telecom companies have one gigantic advantage: They are already on the payroll.
"Telcos don't find themselves in the position of having to market the way that pure-plays do," says Loren Rudd, an industry analyst at Frost & Sullivan, a research and consulting company. "The pure-plays have to evangelize on almost every sale that they make. It's easy for the enterprises who are migrating to managed security services to call up their telco [and add a feature] like you were adding a cable channel to your TV."
That's basically what Dan Antion of American Nuclear Insurers did when he chose to outsource security to AT&T, which had been his phone and Internet vendor for seven years. "It just seemed to make sense," says Antion, VP of information services at the Glastonbury-based underwriter for the nuclear power industry. "We'd been through a lot of projects with them."
Given the middling need for marketing, it shouldn't be surprising that few people noticed when the telecom companies overtook most of the pure-plays in terms of market share for security services. According to Frost & Sullivan, three of the eight largest MSSPs in North America are telecom companies: AT&T, Sprint and Verizon. Three more are IT services companies--Getronics, IBM and VeriSign--that have gotten big in the MSSP space mostly by eating up smaller pure-plays (most notably IBM's purchase of Internet Security Systems earlier this year). Until recently, Cybertrust and Symantec were the last two large MSSPs with an information security focus. Symantec, though, is positioning itself more as a purveyor of "infrastructure software," and the pending purchase by Verizon of Cybertrust further narrows the field.
The market is still fragmented, though, with plenty of room for competition. Frost & Sullivan estimates that these large companies combined have only 40 percent of the MSSP market--a market it expects to grow about 20 percent a year through 2010. "I personally think that, if implemented correctly, telcos are a good match for the managed security market," Rudd says. "The growth trajectory of MSSPs has proven itself in recent years. It's not speculative for a telco to get involved."
Telecom companies have reach and resources in their favor, of course. But "it's not just economies of scale" that give them an advantage, Gartner's Pescatore says. "It's that the carriers have access to information that the individual enterprise doesn't."
That's the information that AT&T CSO Amoroso sees through his window on the Internet in northern New Jersey. And that's the information that he's hoping to use to move AT&T's security business from one focused on simply managing customers' security equipment, to one that's truly cleaning up the pipes and plumbing of the Internet. "It's like the blind men and the elephant," Amoroso says, referencing the folktale of the blind men who each, upon feeling a different part of an elephant, draw vastly different conclusions about the creature before them. "When you sit as one node on the network, you don't have context. The service provider sits right smack in the middle of the context and has a vantage point that nobody else can have." His favorite example is that AT&T security analysts knew about the 2003 Slammer worm before it hit, because of strange traffic going to port 1434.
"I've looked at this traffic," Amoroso continues, "and realized that there's just a gold mine of security information."












