Why security services are an emerging sweet spot for telcos

Security, especially cybersecurity, is a growing challenge for all enterprises as they accelerate digitization of their networks, operations and relationships with customers. It is an issue for communications service providers (CSPs), too, but it is also one of their best opportunities to tap new revenue as providers of managed security services, as we explore in this excerpt from our benchmark report Mapping a path to telco revenue growth.

In the survey conducted for our recent Mapping the path to revenue growth, CSPs chose security as the most promising sector for new revenue growth with two thirds calling it a significant opportunity. Based on our research, we estimate that revenue for security services grew by almost 20% in 2020.

Telcos’ businesses are particularly susceptible to security breaches. They face prolonged attacks, in some cases from foreign governments, which can go unnoticed for long periods of time. CSPs are targeted because they operate critical national infrastructure and deliver connectivity to a country’s entire population.

But in implementing policies, strategies and technologies to thwart cyberattacks, they have developed capabilities they can sell.

Many CSPs offer managed security services to enterprises of all sizes. To perform this role, they need to employ large teams of cybersecurity experts and offer products and services that enable enterprises to anticipate, identify, prevent, detect and respond to attempted security breaches. It is not uncommon for a telco to employ 2,000 or more experts in its security operations centers (SOCs).

Acquiring security expertise

Most large CSPs have bought security companies to get into the managed security services business or to bolster their strategies. In some cases the operators have allowed the companies to retain their brands and continue operating with a degree of autonomy.

Orange, for example, made two major acquisitions – Secure Link and Secure Data – and both continue to operate as standalone businesses. But the telco also offers security services via its Orange Business Services subsidiary.

While Secure Link and Secure Data offer pure-play security services and serve a whole range of medium and large companies, Orange Business Services mainly offers security as part of larger managed telecoms infrastructure projects. Such projects increasingly focus on the transition to cloud-based technologies, adoption of edge computing and new vertical market use cases.

Growing the business

The cybersecurity market is growing by 8% per year according to Gartner, which gives it an approximate value of $150 billion in 2021. If CSPs could capture just 10% of the total market, it would be equivalent to almost 1% of total telecoms revenue.

CSPs are relatively small players in the security services market, which is dominated by global IT services companies such as IBM, Accenture and Atos, alongside specialist firms such as DXC Technology and Secureworks.

However, several Tier 1 operators are already generating significant revenue from security services, either through acquisitions or acquisitions plus organic growth.

They include AT&T, BT, Deutsche Telekom, NTT, Orange and Verizon which all provide a wide range of security services to large and medium enterprises. Based on the companies’ publicly reported financial data and our estimates, we believe each is generating at least $100 million in revenue, and some could be generating close to $1 billion.

Types of services

Traditionally, enterprises have taken a siloed approach to security, spending separately on hardware security, identity protection and managed devices.

But the growing threat posed by cyberattacks is leading many to adopt a more holistic strategy that includes buying consulting and auditing services.

Following are the areas that most enterprises want to protect from cybersecurity threats:

• Networks – many large organizations operate private networks that require the same kind of security as the public network. As enterprises increase their use of software defined wide area network (SDWAN) services, vulnerability to security breaches increases because each internal router connects into the public internet rather than a dedicated private network.
• Remote workers – the growing popularity of homeworking, particularly during the pandemic, has exposed companies’ employees to scams using emails, text messaging and voice calls. While the bring-your-own-device trend is not new, the increase in home working will necessarily result in wider use of corporate applications on employees’ own devices.
• Cloud networks – enterprises are increasing their use of public and private cloud services. Hybrid cloud networks require the same kind of protection as private communications networks. Generally, the more suppliers, networks and systems involved, the greater the security risk.
• IoT – most large organizations are deploying or planning to deploy IoT networks, and given that such services will often support critical applications, security is a primary concern.

Researchers have identified real or potential security risks through devices as diverse as light bulbs, printers, gas stations, smart speakers and security cameras. Large enterprises, particularly in verticals such as financial services, have built considerable in-house cybersecurity expertise, but a large proportion of small and medium enterprises (SMEs) do not have internal expertise.

Even if they wanted to hire talent, they likely could not as a global shortage of security experts and the high cost of recruiting such talent are insurmountable obstacles. For these companies, using a managed security service is the most viable option.

Telcos gain confidence

As noted, CSPs offer security services through SOCs, where experts identify, investigate, prioritize and resolve potential or real security issues. Operators build SOCs wherever they have large numbers of customers, so the telcos offering global services have the most SOCs.

Many operators now talk confidently to their shareholders about the performance and potential of their security businesses. For example, Orange Business Services held a half-day analyst event in August with a specific focus on security services. Orange splits its revenue from security services into four categories: consulting, integration, managed security service and equipment resale. The first three, which represent 75% of Orange’s total security revenues, include IT services and require the deployment of large teams of experts. Orange has 2,500 security experts worldwide.

Security for consumers

While security services are principally aimed at enterprises, some CSPs offer security services in the consumer market. For example, Swisscom has launched a travel insurance service called Easy Cyber Insurance which offers customers legal protection while web-surfing and smartphone protection.

South Korea’s SK Telecom has a dedicated security services subsidiary called SK Infosec which offers a full range of physical security products, software and services. The telco is planning an initial public stock offering for its security business and aims to position it as a “Life Care Platform Provider” that “assures safety and protects lives and properties of people…by encompassing physical and cyber security domains.”

Orange, SingTel and Telefónica publish annual or quarterly revenue numbers for their security businesses, while other CSPs provide “snapshots” of their security businesses. For example, Deutsche Telekom’s T-Systems professional services subsidiary discloses the percentage of its total revenue that comes from security services.

Swisscom reports that its security revenue doubled between 2016 and 2020. Telecom Italia’s security revenue, which comes from its dedicated Telsy subsidiary, grew by 20% year-on-year in the first quarter of 2021. Vodafone, meanwhile, aims to triple its security revenue between 2021 and 2025.

Security services outlook

CSPs’ security services businesses will grow with more deployment of new connectivity and computing services such as 5G, cloud, edge, IoT and mobile private networks. The adoption of open architectures to support these services will increase the points of vulnerability in enterprise networks, systems and processes.

CSPs that have already invested heavily in security capabilities are confident about the potential for growth and synergy between their security and core network businesses. We believe that revenue growth rates of 10% annually are realistic for this group of operators.

As noted in the introduction to this report, this forecast and others are based on a combination of moving-average model forecasting from historic data, analysis of growth actuals from comparable segments (in telecoms and IT sectors), and adjustments for current market pressure resulting from the pandemic.

CSPs with smaller enterprise lines of business are likely to find it difficult to make a case for buying or building a security services business, but they can partner to develop capabilities. Vodafone, for example, is targeting the SME market through a partnership with Accenture.

Rather than partnering with firms that provide professional security services, some small CSPs may choose to partner with Tier 1 telcos. For example, earlier this year Telekom Malaysia announced that it is working with Telefónica Tech, an ICT services division that Telefónica launched in 2019, to develop a global cybersecurity strategy for the Malaysian market.