Surf’s up for managed security at earthwave

Sholto Macpherson

It may be a bad time to be an investment banker, but an economic downturn is good news for those in the managed services business, said Carlo Minassian, founder and CEO of managed security provider, earthwave.

The security company is seeing a strong demand for its services from customers wanting to save money. The standard line in managed services is a 10 to 60 percent drop in costs, depending on what is outsourced. Downsizing companies can only mean good times for MSPs.

After eight years in the game, earthwave counts itself in the top three for managed security services in Australia, with 200 customers and more than 3000 security devices under management.

Its competitors on tenders are the tier-one global service providers, which may be much larger in absolute terms, but sometimes have fairly limited local presence. One US company has more than 15,000 security devices under management, but only 1200 of those in the Asia Pacific.

“On a global scale we don’t compete, we are five times smaller [than] our next biggest competitor. But Asia Pacific is not an area of focus for global providers,” said Minassian.

This is changing, however. The global providers are lowering prices to increase market share by using economies of scale and outsourced support to Asian countries.

“This has been a big challenge in our space. At least two of my biggest competitors have opened operations in the past two years in India. They are driving the prices down, it is putting pressure on our profits and our overall revenue.”

Offshoring to India may lower costs for his competitors, but it also locks them out of important parts of the market. Keeping the support, infrastructure and data local forms the centrepiece of earthwave’s differentiation strategy, and Minassian said it works well.

Australian customers deal with an Australian company so “they [can] talk to an Australian on the other end of the phone line and not a junior offshore, sitting in a call centre in India [who] doesn’t know or understand their network and has difficulty communicating”.

To earthwave’s enormous benefit, government is particularly sensitive to the idea of information travelling offshore. Minassian said that earthwave’s Australian certification and presence form a large part of winning business.

The Defence Signals Directorate (also an earthwave customer) annually certifies the company, the data centre and security operations centre is certified by ASIO, and the data centre in North Ryde is certified to the ISO27001 standard.

Government and enterprise customers take comfort in knowing that customer configurations, logs and security events are stored in Australian industry-certified locations in the country, said Minassian.

“Every one of our competitors [sends data offshore] and because of that they are seen as a risk. Their customer is dealing with someone in the world that they can’t meet, they can’t see their face, they have difficulty communicating with them, and they can’t walk into their office and pick up their configurations and logs – it’s sitting somewhere else in the world.

“How do they know the level of security [where their data is stored?] Is it certified? How can they enforce that?” asked Minassian.

Earthwave is prepared to set aside the home-team advantage and go overseas, but only if a “big brother” helps pay for it. Minassian said he has had enquiries from partners or carriers in New Zealand, Singapore, Hong Kong and Thailand, but nothing concrete has emerged.

His preferred destinations are further afield – Europe, UK and the US, where there is a much higher acceptance of managed security and outsourcing in general. The low cost of labour in Asia encourages companies to keep services in-house rather than pay someone else for them.

The biggest problem is the same that faces US global providers operating in Australia. Governments the world over (and many enterprises) much prefer their data to stay within national boundaries, which would mean building local data centres to win government contracts.

Having taken the best part of a decade to build earthwave to where it is today, Minassian is keenly aware of the amount of capital required, even without the added difficulty of doing it all again in a foreign country.

“This is the reason we don’t go – many of them expect you to deliver the service and have everything reside in the country. This is becoming less and less of a barrier, especially for commercial organisations which have a global presence and understand the global service delivery model, whereas governments don’t.”

Luckily, there are plenty of opportunities at home. In a big win at the start of the year, earthwave launched a network for more than 50 independent schools called ISONet.

Two of the 11 carriers who responded to the tender were pushing earthwave, but the Association of Independent Schools NSW told the carriers it wanted to deal with earthwave directly.

The managed security specialist was hired to keep the network safe from internal and external threats, but also to keep an eye on the four carriers signed to deliver the network.

The schools “wanted to make sure that each carrier was delivering what was promised. We became in effect a watchdog of the carriers,” said Minassian.

This reprised earthwave’s role with the Parliament of NSW, a reference site where the company again held the carriers to their SLAs. The need to monitor the carriers is good business practice, said Minassian, and is necessary not just because telecommunications is a tough industry where oversubscribing lines and resources is part of the business model.

“The other problem with the carriers is that a lot of them are very big and they’ve got too much work, they’ve got too many customers and they are overwhelmed. The issue is managing all the different customers’ expectations and the services they are sold.”

As the carriers have grown, so has their internal bureaucracy, which makes it difficult to co-ordinate and deliver services to customers as promised.

Integrators such as earthwave depend on tight relationships with the carriers’ internal teams and engineers to ensure that customer issues which occur daily are resolved promptly. The close partnerships give the company an insider’s view of how dysfunctional large corporations can become.

“We have seen the complexity and the miscommunication as a result of their size. We did one small project recently with a carrier and they had three project managers in the room, three project managers just to do this simple job.

And you think, how many managers do you need to do this?

“The project involved a few elements including network, desktop and Internet, and for each of those areas they had a different project manager. They all turned up to the meeting and typically they all go away promising big and no-one comes back with the goods.”

Given the likelihood of poor service from a carrier it makes sense to employ a third party to monitor performance against SLAs.

But sometimes it is a hard sell convincing people to pay for it. Carriers throw in network and security management at a very low price or at cost to win a network, which means customers are less likely to value those services.

“I have found that the customers who have had bad experiences in the past are very specific about having that segregation [between network provision and managed security]. They know exactly what they want and how they want it done this time round because they were burned in the last three contracts they signed.”

The reality is that carriers in Australia focus on carriage and resell the services of a managed security provider to secure the perimeter and inside network, look for fraud, insider threats, and so on.

Smaller customers may get by with the basic security services that carriers provide in-house, but bigger customers will always specify for managed security providers in their tenders.

Watching over schoolchildren using the ISONet requires a different mindset.

“Education is a case of massive insider threat and insider attack as opposed to external threat. Our focus is really combating attacks from the inside rather than people on the outside trying to attack [the] Education [Department].”

Young computer minds aren’t just keeping earthwave busy defending its network. Minassian said every quarter he receives calls from up to five state police agencies alerting him about illegal activity on the network.

The most common is using hotmail accounts to perpetrate eBay fraud, where a buyer accepts payment, but never sends the product advertised to the auction winner.

Unfortunately for the victims, there’s not much earthwave can do about it.

“That communication is completely legitimate as far as network traffic is concerned. It’s not a threat, it’s not an attack, it’s someone using a legit hotmail account to do a legit eBay transaction. We don’t stop that. And the whole thing is encrypted so you can’t even look inside the data.”

With the success of the ISONet behind it, expanding into the education market would seem a logical step. However, Minassian said there is not the same opportunity among public, Catholic and private schools, which already have their own individual service providers and contracts.

ISONet, with its inward-looking security monitoring, has proven a good template for the company’s latest project.

In late October, earthwave announced another major contract to deliver Internet services to 720 McDonald’s restaurants in Australia. The MSP is providing security through its “Clean Pipes” service to the wi-fi hotspots used by McDonald’s 1.45 million customers.

The McDonald’s CIO said that earthwave’s fulfilment of Australian laws and American compliancy standards, such as Sarbannes-Oxley, were also significant factors in the successful bid.

The wins vindicate a bare-bones model for IT delivery which outsourced everything except the service for sale.

Minassian had built up a range of IT skills and subcontracted for seven years as an IT architect.

When he decided to start his own company, he evaluated the market and looked at five or six areas for a new business: an applications service provider, an infrastructure provider in hosting, or a network company.

“I decided to focus on security because it was my passion and it required the least amount of investment to get off the ground.”

The business plan was to build a wholesale business that provided only the security service and outsourced all sales to the channel.

“We only hired operational people and decided to outsource anything that is non-core to the company’s services, which included things such as call management, the data centre, salespeople, legal, accounting, finance.”

The plan worked.

Earthwave now has six elite partners, who rebadge the company’s services and do all design and deployment themselves and generate 70 percent of revenue; six premier partners, who sell and market the services but don’t do deployment, and bring in 25 percent revenue; and 30-40 associate partners, who are essentially opportunity finders.