One of the things that has amused me to no end in this business is the number of times I have encountered product vendors who emphatically do not want to be characterized as being “a security vendor.” I understand the rationale, as far as it goes: vendors of infrastructure and application technologies do not want to be boxed into the same pigeonhole with antivirus, network security point products, etc. Unfortunately, this has also cloaked a tendency to disregard security far too often when focusing on the primary values of a business offering. The price we have paid for this as an industry is a tendency to duct tape security over the failings of the technology we depend on, which has given us this very strange world in which we have vulnerable products whose vendors don’t want to be tainted with a security label.
Today, vendors are increasingly recognizing what we saw in our study last year of Security as a Service: businesses are feeling their limits in trying to keep up with an architecture of security products that must be constantly adapted to a threat landscape in continuous flux. To do so effectively requires expertise that is rarely a primary focus of most. This has heightened the priority given to security services – and this priority has now been escalated among product vendors who would rather not be categorized as “security vendors,” signaled most recently this morning with Dell’s announcement of its intention to acquire SecureWorks.
The acquisition of security services is hardly new. There was a substantial aspect of this to IBM’s acquisition of ISS in 2006, as well as to HP’s of EDS in 2008 (recently bolstered by the addition of ArcSight). But Dell’s move signals a new phase in security services acquisition. Of course it gives Dell a competitive response in these areas to IBM and HP – two of Dell’s most significant competitors, particularly in the data center. But security services are SecureWorks’ primary focus. Obviously, SecureWorks will not go toe-to-toe across the board with IBM Global Technology Services or the former EDS under HP. But with a recognized name in managed security services, Dell hopes to use SecureWorks as an edge, particularly where security is a primary concern – and definitely among SMBs, where a Dell-SecureWorks relationship has already been in play for some months now. From Dell’s perspective, the move is canny as it gives Dell a way to sidestep some of the entanglements of the security products space while still providing a way to bolster its offerings around solution-oriented sales. SecureWorks’ MSSP business often entails the management of on-premises technology supplemented by security consulting, both of which are much needed and may be particularly valued in the SMB space, where security expertise is often dear.
Some see the deal as giving Dell an opportunity to press further into cloud security or hosted security technologies. Today, this perception may be a bit off. Although there is something of a continuum between MSSPs and hosted security technology vendors, today SecureWorks is known primarily as an MSSP – but that doesn’t necessarily mean I would count SecureWorks out of Dell’s cloud strategy altogether. Dell’s acquisition of Boomi, for example, gives customers a way to integrate data and resources across disparate cloud services. Clearly, security needs to be a significant part of that (so keep an eye on the likes of Symplified et al). For the moment, I would read into this aspect of the SecureWorks deal a way to give Dell a resource of security expertise for shaping its cloud-based services integration strategy, with a view toward expanding the range of security services to be integrated into its cloud strategy down the road. This, however, could give pause to SecureWorks customers and prospects. Security professionals are typically leery any time an established leader is acquired. For the foreseeable future, Dell will need to allow SecureWorks to maintain the edge for which it has been recognized up to now, in order to capitalize on the opportunity it seeks with this deal.
“Not a security vendor,” eh? Because it places a primary focus on security services, Dell’s acquisition of SecureWorks will give some of those who have clung to this misplaced belief a reason to re-evaluate whether or not they really are not in the business of securing their products – and, more importantly, their customers. The position becomes even less tenable with every step vendors take farther into the world of IT-as-a-service, given the central importance of security concerns. The deal should thus be watched for what it may indicate about where infrastructure vendors seek to place their bets on delivering a more secure approach to IT and IT services, and to the value associated with security expertise.