How the transition to Everything as a Service upended cybersecurity software models


With regard to the evolving stratification of security services, it is worth spending some time considering how recurring software-based service models have fundamentally upended network and cyber security businesses across the board. One look at Cisco, and its flagging momentum in all things hardware these past quarters, seems to paint a dire picture of an ever-increasing tensile load for the bare metal manufacturing juggernaut. In opposition to Cisco’s woes is the generally upward trending market share of SaaS-based security vendors en masse.

With the dual luxuries of hindsight and perspective, the predictability of most economic endeavors can also be seen in the security market. For example, as modern economies mature, they migrate from products to services. If we nudge down into the weeds a smidgen, we find a pattern that even a nearsighted soothsayer can see: products generally follow the tried-and-true one-time expense path, whilst services favor a pay-as-you-go affair that is normally tied to monthly recurring revenue (MRR) models. These models have a predictable financial influence upon capital expenses and operating expenses.

Just as the dotcom bubble effectively demonstrated the evaporative efficacy of sustainable, zero-fee pay-as-you-go business models, so too has the modern push toward “cloud-based,” virtualized everything proven the ability to drain operating revenue via small (or not so small) yet sustainable cash flow leakage. Ah, the pendulum of extremes! Is there a middle ground? Maybe.

Network and cyber security services are currently rushing toward the profit-quagmire of commoditization, where maintaining net-profit margins proves challenging (at best). Given the stark contrast between the single-purchase nature of bare metal and the continuous nature of pay-go/MRR XaaS/virtualization, it seems safe to predict that software-defined security services, of all flavors, will fill the gap between the implementation extremes of the market. It is fair to say that at some point in the recent past “shrink wrap” became unacceptable and monthly, always-up-to-date services became the norm.

The crazy thing about this is that regardless of which solution one chooses to follow, all that software-defined greatness resides ultimately on silicon, which itself is mounted on resin with copper and tin, and is further bolted into metal chassis which are ultimately stacked in racks that are located in the water- and power-consuming epics of information we refer to as data centers. This is happening all around the world and is not likely to go anywhere in the near future.

The equilibrium within our newfound XaaS economy between all flavors of virtualization and those one-time-expense silicon (purported/alleged) holdovers is a precarious dance. Too few box makers and the XaaS industry will quickly discover a lack of real-world bare metal resource options from which to vend the various MRR services that form the fastest growing revenue in the security space.

If the metamorphosis is well underway, what can we expect to see? We will likely observe the old-guard marquees grinding through difficult transitions using their copious reserves of momentum. Uncompetitive brands will be squeezed out of the market. And software-defined solutions will become the norm. Curiously, it is precisely because of software-defined solutions that the hardware scene will not be all doom and gloom: agile and fast hardware vendors with flexible software-defined integration capabilities, optimized to facilitate XaaS, virtualization and service offload of all sorts, will surely thrive.

This tug of war is not economically inconsequential to those businesses consuming information services, and there are substantive implications for network and cybersecurity. Unlike networking and application support, security services involve a foe much more belligerent than unhappy customers. Our foe creates an unceasingly new landscape that demands navigation and obstacle avoidance, reinventing itself every moment of every day. The ability to arrest the onslaught of rapidly evolving, Internet-scale nefarious exploitation mandates a robust ecosystem of security tools and methodologies. The solution will be delivered by a combinatory, synergistic, and very flexible system of hardware and software, one that can be reinvented with the flexibility and speed of software-defined security.

For those professionals and executives charged with fulfilling this duty, it is no small task to unfurl a map in gale force winds – before the ink has dried.

This article is published as part of the IDG Contributor Network.