Security Services

Calibrating Managed Security Services for SMB: A VISOR Business Model Approach

Summary

The five-variable VISOR Business Model is useful for service providers to help assess the viability of a new service for a particular market. In emerging managed services markets, the search for viable business models that clarify service configuration and value-add is particularly important to customers as they evaluate these services. This document shows how the VISOR Model can be applied by managed service providers that are considering a managed security services offering to small and medium-sized businesses (SMBs). Specific Internet-based managed security services are described, including intrusion prevention, intrusion detection, firewalls, distributed denial-of-service (DDoS) protection, VPNs, endpoint protection, and security messaging services (such as antivirus, antispam, content filtering, and email encryption).

Challenge

SMB executives must maintain day-to-day security operations while focusing on the strategic requirements of information protection, financial planning, and strategic direction for their companies. They must balance corporate security requirements with business imperatives such as regulatory and compliance issues, detection of and defense from external and internal attacks, and reduction of their company's risk profile. Add to these the demands for increasing security efficiently with fewer staff and shrinking budgets.
The lack of experienced, well-trained IT staff and security specialists is among the greatest challenges facing SMBs. Outsourcing security services allows them to focus their internal personnel on strategic initiatives rather than operational ones, leaving security to the dedicated professionals.
This situation presents managed service providers with a significant opportunity, one that requires careful crafting of a business strategy to target the most profitable SMB markets with services and service bundles that are appropriately designed, packaged, delivered, supported, and priced.

Solution

Created by the Institute for Communication Technology and Management in the Marshall School of Business at the University of Southern California, the VISOR Business Model provides managed service providers with a methodology to understand what their strategy should be in providing a profitable service. If a service is not profitable, the methodology allows the service provider to adjust any component of the model, such as the service platform or organizing model, to deliver the product or service more attractively to the customer and thereby enhance the value proposition. VISOR can help managed service providers guide their business strategy and marketing plan for each service offering or bundle.
For example, in 2000, when Webvan started its home delivery grocery business, the value proposition for home delivery of groceries (as revealed in consumer surveys and secondary data analyses) was that consumers would accept a charge of $5 per delivery. To be able to execute its home deliveries, however, Webvan had to spend $1 billion on the service platform, which in practical terms translated to more than $5 per delivery. Webvan's failure to adjust its business model was directly responsible for the company's eventual failure.
In new market niches, business models help create a common language and framework, define the factors necessary for success, and are useful to help determine the viability of a new business offering. VISOR defines five variables that managed service providers can use to assess the viability of any service offering (see Figure 1):

• Value: The value proposition addresses why a customer will value an offering and pay a premium price for it. In general, companies that choose to outsource their network security services can take advantage of savings in capital and operational costs and the evolving new technologies that managed service providers can offer.

• Interface: The relative ease of use, simplicity, convenience, intuitive nature, and aesthetics of the user interface are important factors of an offering. In managed security services, the interface is typically a web portal with a graphical user interface that is managed by the end user.

• Service Platforms: These include IT infrastructure (including hardware and software) and architecture that enable delivery of managed security services. For example, the end-to-end connectivity provided over the Cisco IP Next-Generation Network (NGN) drives delivery and fulfillment of the services. Cisco managed security service offerings extend across the entire network and are fully integrated with applications.

• Organizing Model: This variable defines how a managed service provider or a set of partners will organize business processes, value chains, go-to-market strategies, channels, and partner relationships to effectively deliver products and services.

• Revenue: In a viable revenue model, the pricing of offerings, the delivery of services, and the investments in infrastructure should allow revenues to exceed costs and produce attractive profits.

Figure 1. The VISOR Framework

With managed security services, success depends on matching the value to customers with the provider's revenue model so that the value to customers justifies the provider's charge. The revenue model should be appropriate to both generate demand and turn a profit. For example, a high customer value proposition, as shown in Figure 2, can point to a high customer willingness to pay and therefore a high revenue stream using the VISOR model. Users may tolerate a lower interface experience or a lower quality services platform if demand is very high. If, on the other hand, the customer value proposition is low, customers may not tolerate a low interface experience, and the service platform and organizing model must be adjusted accordingly to provide the service at a cost that matches the market demand.

Figure 2. The VISOR Model for Managed Services with a High Customer Value Proposition

Establishing the Value Proposition for Managed Security Services

Do particular managed security services satisfy an unmet, latent customer demand? Or does a service provide an alternative way for customers to access an existing application or service? To understand why customer segments are interested in services or service bundles, it is necessary to understand their value proposition: what motivates a customer to pay a premium for a managed service.
Factors to consider in a value proposition for managed security services for SMBs include:

• Existing security technologies: Almost all organizations use firewall and antivirus software. Studies indicate that 84 percent of organizations use a VPN as a secure technology. This suggests that antivirus software and VPN technology are highly valued by companies of all sizes. So a managed security services bundle, at a minimum, should include these services.

• Greater security focus among SMBs: According to a 2006 CSI/FBI survey of U.S. companies, smaller companies spend more per employee on security solutions and security training than larger companies. Thus SMBs have more of a reason to consider managed security services to lower their capital and operational costs on security. A value proposition should provide evidence of how managed services can lead to lower costs.

• The degree of computer penetration per number of employees may indicate a high reliance on information technology and information networks and the need for advanced levels of protection.

• A greater number of remote workers, greater worker mobility, and a greater number of company sites can all contribute to a heightened need for network security services.

• The sensitivity of data in industries such as medicine, law, financial services, and defense, for example, may point to the need for a higher value proposition for managed security services.

• A propensity for outsourcing or for connecting electronically with vendors and partners is an indicator of companies that are likely to value managed security services.

• Other factors that contribute to higher value propositions include the increasing complexity of security threats, the lack of available expertise at SMBs, increased legal compliance guidelines and regulations for privacy and data protection, and the desire to avoid negative corporate publicity due to security breaches.

A higher penetration of computer and networking technologies in companies contributes to their propensity to attach a higher value proposition to managed security services. Figure 3 shows the results of a 2008 study by IDC that investigated the level of connectivity and hyperconnectivity in different industries per employee.

Figure 3. Connectivity and Hyperconnectivity by Industry

Source: IDC White Paper, 2008
Industries that show a high degree of computer and network connectivity such as financial services, high tech, government, and retail typically demonstrate a high propensity to outsource security services.
There are also factors within companies that may impede the adoption of managed bundled security services, despite otherwise strong value propositions. These include price, cultural aversion to outsourcing, and extremely high data confidentiality requirements that would preclude an external vendor handling security.

Why Cisco?

Managed security services that are built on the Cisco IP NGN accelerate time-to-market and revenue for managed service providers and support diverse integrated service bundles with service features tuned to the needs of SMBs. Companies that choose to outsource their network security services can take advantage of savings in capital and operational costs and the evolving new technologies that managed service providers can offer.
Different types of service bundles from Cisco let managed security service providers address the needs of diverse customers. A Basic Secure Access Services Bundle, for example, can provide protection from external threats from the Internet. The "last mile" WAN connection from the service provider's network operations center to the customer site is secured to provide integrated protection against DDoS attacks and other network exploits through a managed firewall and managed VPN service.
An Enhanced Secure Access Services Bundle can provide additional internal protection so that any endpoint, such as an employee's laptop, that becomes infected will not be able to infect the network. Intrusion Prevention and Detection Services bring 24-hour device monitoring and status reporting and protection for remote users.

For More Information

Contact your Cisco account representative to find out more about Cisco managed security service solutions and how to create a go-to-market strategy geared to SMBs based on the VISOR Business Model and other tools.
Cisco Secure Business Advisor Tool:
http://www.ciscowebtools.com/SPsecurebusinessadvisor/
Cisco Managed Security Services ROI Tools:
http://wwwin.cisco.com/sp/analysis_tools/index.shtml#security