One of those already successful services is e-mail filtering, in which inbound e-mail is scrubbed by four antivirus engines and spam is deleted through a partnership with e-mail security company MessageLabs before being passed on to the customer. “It’s the same service [Verizon customers] could get on their own,” Verizon Business CISO Sara Santarelli says, “but they’re only interacting with Verizon’s customer service.”

The second, faster-growing in-the-cloud service at Verizon is DoS protection, in which Web traffic is filtered for spikes of malicious activity. “Things like DoS mitigation and detection are far exceeding industry growth expectations across MSSPs,” Santarelli says. “A lot of customers keep traffic running through our [DoS attack] mitigation units all the time, just as added insurance.” None of which should be much of a surprise, given that companies such as Gartner suggest that customers demand DoS protection from their connectivity provider. “That’s been our recommendation,” Pescatore says. “Whoever you choose for your bandwidth, tell them, ‘I don’t want the raw bandwidth costs. Give me your price for DoS-protected bandwidth, and I’ll compare you with others on that basis—not just on who sells me the cheapest bits per second.’”

Both AT&T and Verizon declined to provide any specifics about revenue for their security operations, but Pescatore estimates that right now, telecom companies are getting about 10 percent to 20 percent additional revenue by adding security filtering to connectivity charges. The question is how long that will last. “At some point,” Pescatore predicts, “one of them is going to say, ‘Hey, we’ll give you that DoS protection for free if you switch from them to us.’”

Indeed, much of the industry’s shift to security services seems more about staying competitive than about making buckets of money. “It’s not a great portion of our revenue, but it’s strategic to our overall revenue,” Quintana explains. “When customers are evaluating AT&T versus vendor A, B or C, our security portfolio acts as a differentiator to pull through” the sale.

But Will It Work?
Longer-term, however, it remains unclear whether customers will really decide in droves to turn over their security to telecom companies—or to anyone. For one thing, not everything can happen in the cloud. Even if an Internet carrier scans incoming e-mails for viruses, for instance, the company still needs a desktop application to guard against malicious code introduced by USB drives or other portable devices. What’s more, the Fortune 1000 customers that large telecom and IT companies have historically courted are likely to have contracts with multiple telecom companies for reasons of redundancy, and also tend to want security devices on site that they can configure on a moment’s notice. The outsourcing model may be better suited to small and midsize businesses that can’t afford to hire round-the-clock security and IT staff—and even they may be reluctant to give up their boxes and blinking lights and move to a virtual model.