More than merely managing

Managed services often become a temptation for businesses seeking to make ‘efficiencies’ - or, in plain English, cuts - in their IT budget.

But simply spending less is not quite the issue. Instead, infrastructure and equipment can be consumed on an as-needed basis, with things like storage and even computation spun up and down as business needs evolve.

Naturally, when this kind of flexibility is wanted, massive capital outlay on hardware is a barrier: will equipment have to be upgraded before it is fully amortised? Should much more expensive equipment be purchased just to make sure this does not happen?

And then there’s the issue of capital in general: cynics may see it as an act of booking legerdemain, but there is no question that Irish business is increasingly interested in moving from capital expenditure to operating expenditure.

Of course, the increase in managed services is about more than just accounting practices: it is also a question of the relentless march of technology, and the deployment of widespread connectivity has made it possible to consume a wider range of IT services.

Edel Creely, managing director and founder of Trilogy Technologies Group, said one significant change is that, increasingly, the IT infrastructure being managed is not on-premise at all.

“In the early days, we were managing core infrastructure that people have on-premise, but now it’s typically hybrid cloud,” she said. “All businesses are dependent on IT platforms to run their businesses, and because of that increased dependency, you have to look at the risks: if the infrastructure is not available or of their is a breach, things like that.”

Karen O’Connor, general manager of ICT services and solutions at Datapac, said the move towards managed services is a process of rationalisation, not rationing. Organisations that engage with managed service providers are concentrating on their business, not on the digital equivalent of plumbing.

“Businesses don’t have their own in-house plumbers and heating engineers,” she said.

Over time, the sophistication of services that can be consumed have increased, “which is arguably just as well, because IT becomes a more complex proposition with every passing year”, O’Connor said. “The services are more than just basic helpdesk too: networking and security for example, which are very highly skilled roles.”

Datapac has clients from the small and medium business sector right up to enterprise level, but the significant growth area right now is right in the middle, said O’Connor, and more and more of those companies are looking to consume everything as a service.

“We’re seeing a huge amount of growth in fully outsourced. Up to now, we’ve seen mostly some services being kept in-house, but now much is being taken as a service, particularly in that mid-market sector, ranged between 120 and 600 users.”

This is not pure happenstance, she said, nor is it just a case of emulating the ‘big boys’. In fact, more and more businesses are struggling to keep control of IT at all.

“When we looked toward the rationale, we found it was because they were swimming against the tide: training was bad, people were leaving, and it was bad for business continuity. Your database, your business, still has to run if you lose people.”

IT staff have not typically been laid off, she said. Instead their roles have changed from day-to-day operations and firefighting to more strategic questions.

“Where they still had people in-house, those people were moved onto project-based IT,” she said.

In the beginning, there was print

Arguably, the first significant inroads into enterprise made by managed services were in an area tangential to information technology proper: photocopying. From there, though, it was only a short hop to print and, later, managed document services.

“The copier industry was the first to push this. IT channel partners didn’t come onboard as fast,” said Adrian Diviney, regional sales manager for Oki Europe.

Today, though, the picture has changed: managed print became the norm for most organisations as it not only reduced costs but also the significant hassle involved in maintaining printers. Now enterprises, having already enjoyed efficiencies, are demanding more, according to Diviney.

“Previously printers were just in the background and were added on as needed. What we’re seeing now is a convergence of IT managed services and print managed services all into one,” he said.

Beyond print, managed document services are top of the list of requirements for business, partly to decrease environmental ‘footprint’ but also in order to keep up with the contemporary, data-centric mode of operations.

“Print is a fully managed IT service; we’re all looking at the costs of software now, though cutting down on the use or paper is always an issue. A lot of what people now want is in software, digitalisation of documents, scanning directly to Sharepoint and Dropbox,” said Diviney. “It also helps with GDPR compliance.”

Another natural fit for managed service provision has been infrastructure such as telephony and networking. This is not simply the same as the telephone or broadband contracts of old, though, said Karl McDermott, head of business ICT for Three Connected Solutions at Three.

“True managed services aren’t just about the service,” he said. “They’re about the management of the service in the same way as if you had your own IT department. We are monitoring all of the equipment: we have a network operations centre looking after it. The old phone system [typically] had a maintenance contract: you’d contact someone if there was a problem and have them come out.”

Three’s customers are primarily interested in unified communications and networking such as LAN and WAN. They are also starting to think about consumption of those services in a different way, according to McDermott.

“It’s moving toward outcomes rather than time: the outcome is the business outcome as part of the SLA, not just ‘five-nines’ uptime,” he said.

When they choose infrastructure as a service, what they want is a one-stop shop that provides an end-to-end service, said McDermott.

“It’s for the same reason you’d want to run print as a managed service: if running printers isn’t your core business, then it’s probably fair to say that neither is running phones. Their core business is making widgets and selling them to customers,” he said.

Inside out

From today’s perspective, it can seem strange that certain IT services were ever consumed on an on-premise basis, and this is particularly true of network storage in the small business sector.

It often was, though, said Michele Neylon, founder and chief executive of Blacknight Solutions. “They did want to do it themselves originally,” he said. “If I talk to my guys who had a background in IT services, they remember doing it. Small office servers were huge back in the day. There was definitely a shift, though, because if you buy a server, you have to maintain the thing. But still, back in the late 1990s and early 2000s there was a big push for mail services and general web stuff too.”

It sounds bizarre, but Neylon said, at the time at least, it was not as irrational an idea as it may now sound: “Let’s face it, at the time internet connectivity was crap, and you couldn’t have your information in data centres without a decent connection.”

So what happened? For one thing connectivity did improve, albeit haphazardly in Ireland, but another significant factor was the bursting of the dotcom bubble in 2001, after which €100,000 servers from Sun Microsystems seemed more an indulgence than a necessity.

And by the time the 2008 economic crisis rolled around, the idea of running even the likes of a small white-label mail server internally seemed positively quixotic.

“After the crash, a lot of companies were looking at cutting costs and trying to manage hardware and security, and all of that was just a headache they could do without. From there, there was a growth move into data centres and then, more recently, cloud,” said Neylon.

The movement is not entirely one way, however: some businesses are retreating from certain managed services, at least partially.

“At the enterprise level, there was a survey done of Fortune 500s, and 200 of them were in a repatriation, as in they were moving away from the cloud,” said Daniel O’Neill, head of managed service provision at Paradyn.

For O’Neill, the problem is that digital transformation, the process driving a significant amount of discussion around service provision, is not quite a simple as many had hoped.

“People have been sold the migration path as an easy way to move away from the cap-ex of digital transformation. In reality, they understand - after 18 to 24 months - that it has not always delivered what was expected. However, being agile is still essential,” he said.

In order to help its clients make the transformation, Paradyn provides training to ensure that the services are actually used by staff.

“What we’ve found with the adoption of digital transformation was that adoption wasn’t what we expected until we put in training. There was too much frustration [among staff] post-switchover, we front-loaded a training process for our clients, on-site or remote. The administration, security and compliance is managed by ourselves,” he said.

Mark Charmant, head of service transformation for Auxilion, has recognised a similar ebb and flow. But is everyone moving to managed services for everything? Not quite.

“I wouldn’t say all customers. We tend to have trends in IT where things move one way and then back. I’ve seen both in my career,” he said.

Adoption of managed services makes most sense, Charmant said, when it is about expanding the capabilities of a business. “Generally you see people go to managed services when there is something new out there and they’re not equipped to do it in-house,” he said.

Naturally, with big data and digital transformation on everyone’s lips, this is an area in which many businesses are seeking help. “Right now cloud is the biggest disruptor; big data and cloud. The rate of change is so fast that it’s very hard to do in-house.”

Charmant said that, in this instance, managed services can bring a certain amount of democratisation to the market by making things possible for smaller organisations.

“The difference with big data is that previously it was the remit of the tech giants, who had the computational power to query all the data out there, but now, everyone has access to the cloud. They can purchase the cloud space, generate their own data, and then through the cloud again purchase the tools and compute to do the job,” he said.

It’s a fair point: if big data is the future, how else can ‘small’ businesses compete with the likes of Facebook and Google? And what businesses aren’t small when sat next to that kind of 800-pound gorilla of data?

“It puts the power into everyone’s hands,” said Charmant. “A lot of companies would have had to have had massive data centres, physical infrastructure. That’s expensive for anyone, but small players can’t afford that at all.”

Can’t get there from here?

For Charmant, though, the actual managed service, whatever it happens to be, is actually the last piece in the puzzle. The first thing to do is work out what, and why, you want to move to a service provider.

“Your journey might start off with a consultation,” he said. “That could be a business consultation or a technical one, or both.”

In either case the objective would be to align the decision-making process to the business.

“It’s fine to adopt the latest tech but if it doesn’t match your business’s needs you’ll find yourself with a problem a few years down the line,” Charmant said.

Only after this has been worked out should building the system begin. “Once we understand your business needs, we bring in our infrastructure professionals who are experts in digital transformation. We’re then able to help you to make that transformation with our project management group. The final piece is the manager service itself: the designed solution that we have created for you, as the bedrock of your delivery, that we support for you,” Charmant said.

Noel O’Grady, senior business development manager at Sungard Availability Services, said that although business do tend to move from in-house to managed services one system at a time, they don’t do it haphazardly. Instead, he said, there is something of a rational route.

“I think that there is a rational order for managed services. For instance, if we were talking to a customer today, if you take our disaster recovery and back-up services, that’s a kind of background service rather than a production service, so it’s a very simple one to start with.”

In simple terms, this would mean that the potential for disruption to business continuity would be much reduced.“You can see how that goes and [then] start looking at the production systems,” he said.

For O’Grady, though, this correct ordering of service provision can be expanded, again on rational business grounds. “Within the productions systems I would say there is a natural route, too,” he said.

In short: move the things that won’t immediately break. “You may have one application that is very proprietary in house, for example, but then you will [also] have more generic applications.”

The most generic of all services is surely email. “Most companies looking at cloud will move things like email first and then it’s probably getting into the line of business applications depending on how custom they are,” O’Grady said.

Securing the system

One of the most significant — and fastest growing — areas of managed service provision is in the realm of cyber security. David McNamara, managing director of Commsec, has a simple explanation for why this is so.

“Security is a minefield: where do you put your money? It’s getting worse in the market too, particularity with the emergence of compliance,” he said.

Moving to security as a service allows companies to not only obtain the services of security professionals whom they would otherwise struggle to attract to staff positions, but also to rethink how security can be achieved. It’s about the importance of the data, said McNamara, not about whatever anti-virus (AV) measures can be put in.

“More and more companies are realising it’s about data, not just about putting in AV. More and more companies are aware of that; that it’s really all about their business,” he said.

What businesses need to be aware of is the damage that a breach can cause. Notably, of course, a breach of GDPR compliance may result in fines of up to €20 million, or four per cent of annual worldwide turnover of the preceding financial year, whichever is greater.

This isn’t the worst outcome, though, said McNamara: it’s what customers will think of you is. “Frankly, reputational damage is the worst damage that can happen to a company,” he said.

Security as a service should be designed, he said, not simply delivered as a generic service, and the company purchasing the managed service should have a role in setting the terms.

“The first thing we recommend is to do an audit and to be pragmatic. It’s a question of risk-reward. The Data Protection Commissioner will look at mitigating factors, they won’t just fine you because they don’t like you,” he said.

Cost is always a factor, too, and this finds an echo in the message that IT should be supporting the business rather than the business existing to deploy IT.

“We base it on the ISO 270001 infosec standard but each business is different. The fact is that most organisations in Ireland are small to medium-sized businesses, with the exception of banks and government departments; IT is not their business, and certainly IT security is not their business,” he said.

Three’s Karl McDermott said security and compliance are drivers not only for the purchase of security as a service, but for managed services in general.

“Companies are looking at the compliance and security issues and thinking: ‘This isn’t my business! I can’t deal with this’,” he said.

Having a managed service provider doesn’t get anyone off the hook in terms of legal compliance, but it does wrap it up in contract law. Specialist security services can be wrapped on top, too.

“The managed service provider is responsible for making sure your data is encrypted and so on. Frankly, all of the components we deliver have an element of security built into them: the WAN would have firewall services, for example, but if you want a broader range you would also go to someone for introduction detection,” said McDermott. “We as a company, though, are looking to expand our [security] offering.”

When it comes down to brass tacks, security as a service can be as comprehensive as an organisation wants, but in all cases it should be about doing things that are simply not possible in-house.

“We take threat hunting very seriously: we actively look for threats and, with the customer’s permission, place honeypots. We try to think like a hacker would,” said Commsec’s McNamara.

“Once you have a plan, it’s about implementing it: encrypting, firewall configuring, enacting process and policy, because of course a process has to be adhered to and it has to be rigorous, but is also has to adhere to what your business processes are.”

Having a managed service provider come on board can always be seen as a form of insurance: a way of making sure someone is responsible for keeping the lights on. If this is true at all, then it is doubly true of security as a service, where the stakes are so high that failure could mean bankruptcy.

“It’s not just about taking the call and hitting the service level agreement; it’s about actually responding. If you fail, we fail, so we have to stand shoulder to shoulder with you,” said McNamara.

“There’s no point in us going: ‘Oh well, you didn’t do this or you didn’t do that’. If you go down, we go down with you.”

Avoiding the cloud shock

Public cloud has a well-deserved reputation for being reliable, flexible and scalable. It also has a reputation for being, as business grows, eye-wateringly expensive.

Both Daniel O’Neill, head of managed service provision at Paradyn, and Noel O’Grady, senior business development manager at Sungard Availability Services, said this could be avoided.

“When you’re on a multi-tenant platform like Azure of AWS, the problem as I see it is op-ex creep. Historically we have seen that people’s costs increase exponentially,” said O’Neill.

“You can solve that problem with clever design. In reality, managed service providers now have bundles when you can price-fix a server for a fixed time and then align more to how you would measure return on investment with traditional cap-ex.”

O’Grady said public cloud can be taken as a managed service, thus avoiding the possibility of a welcome explosion of business resulting in a ruinous explosion in costs.

“Looking at managed public cloud makes for a change. When you shift to public cloud you move to a [typical public cloud] usage model that can lead to bill shock in some cases, though some people do save money. Consuming that [public cloud] as a managed service can avoid that kind of price shock,” he said.

Understanding the security crisis

One area of managed services that is truly prospering is the provision of security services. It’s not hard to understand why, either: put simply, cybersecurity is in crisis.

The problem is two-fold: at precisely the same time the threat has exploded, with criminals targeting networks across the globe, there is a shocking shortage of qualified and experienced security professionals.

The problem keeps getting worse, too. In 2014, Cisco said there were one million unfilled vacancies globally. A year later Symantec said it expected the shortfall to rise to 1.5 million positions. A 2016 report prepared for the British parliament by IASCA said the shortage would grown to two million unfilled jobs.

By 2017, Cybersecurity Ventures predicted there would be be 3.5 million unfilled cybersecurity positions by 2021. A 2018 report from the non-profit International Information System Security Certification Consortium, ‘Cybersecurity Professionals Focus on Developing New Skills as Workforce Gap Widens’, backed this up: the organisation estimated 2.93 million unfilled positions.

The result is serious, too. A May 2019 Trend Micro survey said the skills shortage had had an impact on 74 per cent of enterprises, while the the third annual global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and independent analysts Enterprise Strategy Group (ESG) said this was “the root cause of rising security incidents”.

Edel Creely of Trilogy Technologies Group said that this made hiring difficult for many businesses as they cannot attract the talent. “There’s no question that people will security skills are highly in demand,” she said.

Trilogy itself has expanded its security service by purchasing Zinopy, one of Ireland’s best known security providers.

As traditional anti-virus and simple firewalling is no longer enough, a generalist IT specialist cannot be expected to man the fort, either.

“There’s a whole realm of knowledge that needs to be gained and experience that needs to be gained,”said Creely. “If you’re a relatively small business and you hope to have that all in one person it just isn’t really possible.”