I attended two really great presentations at MSPWorld yesterday. This is a very interesting conference, sponsored by the MSPAlliance[i] and co-hosted with IT-Expo but focused on managed service providers. Both dealt with the issue of MSP (MSSP) valuation. Many of the attendees are SMB (MSP/MSSP) business owners and this was a hot topic.

So what is an MSSP worth and if someone wanted to buy a business like this how much should they pay?  This is an important question for Forrester’s IT clients because the rules of valuation can help IT clients evaluate potential partners.  Financial stability and the intermediate and long-term plans of the MSSP should factor into the decision of selecting an MSSP.  In any negotiation it’s also always good to know what the other side is thinking.  Here’s the list:

1.     Recurring Revenue – What is the firm’s recurring revenue profile? What are the sources of revenue and how much of this revenue comes from long-term (multi-year) contracts?

2.     Service Agreements – What is the nature of the service-level agreements the firm has in place with other clients?  Do they address risk management and risk sharing? How much liability is the MSSP willing to accept for regulatory compliance and information breaches?

3.     Service Revenues – What percentage of the MSSP’s revenue comes from what types of business?

This month I published a new report on information security metrics, best practices as well as a maturity model to measure your maturity in the reporting process.  This report outlines the future look of Forrester's solution for security and risk (S&R) professionals looking to build a high-performance security program and organization. We designed this report to help S&R pros develop and report the appropriate security metrics for their security organization. Security metrics are a key initiative for chief information security officers (CISOs) today, but many struggle with picking the right metrics. Some CISOs use a broad-brush approach, using operational metrics to demonstrate security. The problem with this approach is that most people don't understand what the metrics are saying, and they don't understand how these metrics make their lives easier or harder. Good metrics are easy-to-understand, incite actions, and change behavior by providing a clear idea of why the audience cares. When CISOs present metrics, they must be able to clarify "What it means" and "What's in it for me?" Use this paper as a set of guidelines to develop a well-formed security metrics strategy and to drive behavior change and improve performance.

Take a look at these links:

• Develop Effective Security Metrics
• The Forrester Information Security Metrics Maturity Model

I am excited to announce my latest research, The CISO's Guide To Virtualization Security. This is the first report in a new series focusing on securing virtual environments.  The reduced costs and flexibility of virtualization have led to widespread adoption of the technology.  Despite this adoption, security and risk professionals haven't given their virtual environments the attention that is required.  Our research interviews revealed several themes:

• Business as usual is the status quo. IT departments rely upon traditional security solutions (end point and network security) to secure their virtual environments.  Depending on the network architecture, virtualization can create blind spots in your network leaving you blind to intra-virtual-machine (VM) communication. 
• Many security pros aren't aware of the virtualization aware solutions available on the market. One CISO we spoke with wasn't aware that his organization's current antivirus vendor offered a virtualization aware solution.  This isn't necessarily surprising; many of the virtualization aware security solutions are relatively new to the market.  Virtualization aware solutions afford us the ability to have potentially greater visibility into workloads than we might have in our traditional physical environment.
• Many security pros have a general discomfort with virtualization. Security pros, especially CISOs and other security leaders who have risen up the technical ranks, aren't as confident in their virtualization knowledge as they would like to be. This is particularly the case when we compare virtualization with more mature security areas, such as network security.

I've blogged and published research before about the emerging Simple Cloud Identity Management (SCIM) standard. The SCIM group has just approved Version 1.0. No, it's not your imagination: important standards around loosely coupled identity management really are being developed, tested, and deployed at a faster rate than ever before.

What does this new pace mean for security pros? New identity protocols can be disruptive to large enterprises that have already deployed older solutions, but these new solutions will enable IT organizations to reduce costs and improve agility in managing access to/from smaller partners and customers that don't have the means to deploy the heavy stuff. That makes access control easier to achieve in a Zero Trust world. (Andras Cser and I touch on the theme of "leaner and cleaner" identity protocols in our just-published Identity And Access Management: 2012 Budget And Planning Guide, and I do a deeper dive, assessing the future of SAML and the business value of newer federation protocols, in OpenID Connect Heralds The "Identity Singularity".)