Symantec said it believes that its customers are ready to begin outsourcing more of their security operations on the online model, mirroring the shift that has transformed the manner in which companies use other types of business applications such as SFA (sales force automation) software.
Officials with Symantec, based in Cupertino, Calif., said the company will introduce multiple hosted security software services at some point in the next few months.
While the company won't yet detail what types of applications it will launch under the online model, the initial offerings will likely be focused on infrastructure-oriented technologies, according to Jeff Hausman, senior director of product management for Symantec's Security Response and Managed Security Services business units.
"We've seen the evolution of the model and we know there are certain types of customers who don't have the desire to deploy traditional software products," Hausman said. "If you look at our existing portfolio of software and services, the vision is for us to take all the applicable technologies and enable them in the software-as-a-service model; our vision is to allow customers to consume the technology in any manner they want."
When Symantec Chief Executive John Thompson outlined the company's latest corporate vision in early 2006, he said the longtime anti-virus market leader will increasingly focus on providing the security and availability technologies necessary for organizations to keep their infrastructures up and running. Hausman said the firm's initial SAAS plans will support that strategy.
Much as hosted business applications provider Salesforce.com sowed the seeds for its current success in the enterprise SFA space by initially targeting its online services at midmarket customers, Symantec believes that its initial opportunity with SAAS will come from SMBs (small and midsize businesses), the company said. However, the company expects that enterprises will soon follow.
"We certainly see the opportunity starting with the midmarket in the same way as other areas where software services have been successful, and there's already a sweet spot with some companies that didn't have access to some of these products in a traditional format," Hausman said. "But obviously the concept and the benefits it provides are applicable to many types of customers."
Proponents of the hosted applications model boast major benefits in terms of lowered overhead IT costs and increased budget flexibility due to moving from perpetual software licenses to subscription-based pricing. In addition to those rewards, Symantec contends that it will also be able to provide improved protection for IT assets via its ability to distribute software updates immediately to SAAS customers, and to detect anomalies in network traffic long before companies that secure their own operations could.
Symantec is already providing online applications services, in the sense that businesses rely on the company to provide them with a constant stream of automated security software updates. Symantec has also dabbled in the hosted applications arena through a partnership between its managed services division and security SAAS pioneer Qualys, based in Redwood Shores, Calif.
Under the partnership, announced in March 2006, Symantec offers Qualys on-demand security software to its managed services customers for systems vulnerability scanning and threat assessment. Executives at privately held Qualys contend that demand for security SAAS is growing rapidly and expect the company to raise its $18.5 million 2005 revenues by just under $10 million in 2006.
Driven by factors such as the increasing complexity of IT threats and the need to comply with federal regulations that relate to security, such as the Sarbanes-Oxley Act, security software services are poised for rapid growth in the immediate future, said Philippe Courtot, chief executive of Qualys.
"The barriers [to adoption of security SAAS] are rapidly falling down and in many cases we are now seeing purchasing companies eliminate solutions which are not delivered as a service," Courtot said. "The main barrier still can come from established IT teams that do not want to relinquish the control they erroneously believe they have if they install a security product; we still have to do a better job at educating the market that a SAAS solution lets them fully run or control the application while removing the hurdle of deploying and managing the infrastructure."
A look at Qualys' customer list shows several major enterprises that have already transitioned to security software services, including ABN AMRO Bank, DuPont, Levi Strauss and Nissan Motor.
Symantec executives admit that the work of transitioning the company's existing software products into services and moving the firm from revenues built around perpetual licenses to much shorter engagements won't be easy, or achieved overnight. But company officials said they believe the company is well-positioned to make the shift, based on its current business.
"There are obviously challenges, but Symantec among the traditional security software players is uniquely positioned because of the infrastructure we already have to deliver virus definitions and managed services," Hausman said. "As with any major business transition, we don't think this will all play out in some big bang—it will take time to move the technology and business over, but we have the DNA that others don't have, and feel we're well-positioned to realize the opportunity."
Industry watchers agreed with the theory that demand for security software services will likely come first from the midmarket, but that adoption will likely move into enterprises as the hosted applications become more mature.
According to a recent study of SMBs conducted by Forrester Research, companies with under 1,000 users ranked hosted security applications as their top interest in moving to SAAS products. Some 44 percent of the companies polled by Forrester said they are actively using or interested in adopting security software services today.
The areas of the security software market where Symantec and its rivals should find the most demand for their SAAS offerings will be those that have become more commoditized, as was the case with contact management tools in the SFA business, according to Liz Herbert, analyst with Forrester.
"There does seem to be a general trend across [SAAS] where adoption starts with smaller companies and then moves upstream," Herbert said. "And like most other areas, more commoditized pieces of security will likely take off as hosted services first; for something like desktop security, where the process used is very similar between companies, there will be the best fit, while for more specialized security applications there won't be as much interest."
Editor's Note: This story originally included incorrect earnings estimates for Qualys for the year 2005, when the company had revenue of $18.5 million. The originally reported figure of $9.1 million in revenue is correct for Qualys' fiscal 2004. The company expects to report $28 million in revenues for fiscal 2006.