IT Security Outsourcing Rises with the Tide of Breaches

September, 2017

Let’s face it. IT security is a mess. If that wasn’t obvious from years of high-profile breaches, the recent Equifax tsunami certainly sealed the deal. The only good news on the cybercrime front is that IT managers are asking for help: 47% of IT organizations surveyed in our annual IT Outsourcing Statistics study are increasing their use of outside security services. And all signs point to this as a long-term trend.

As shown in Figure 4 from our full study, IT Security Outsourcing Trends and Customer Experience, only 2% of organizations using security service providers are reducing their outsourcing of this function. Nearly half are increasing their level of outsourcing.


“The Equifax debacle and other high-profile breaches have put security at the top of mind for IT executives,” said Tom Dunlap, director of research for Irvine, Calif.-based Computer Economics. “But the new threats present IT security staffing challenges, because the variety and sophistication of threats require new skills that can be hard to find or even identify. Service providers can be a smart way to tap into the latest skills.”

Other metrics in the full report are also revealing. For instance, the frequency of outsourcing (the number of organizations currently outsourcing security services, entirely or in part) went from 39% in 2016 to 43% in 2017. We think this trend will continue, because of the wider array of threats and the need for more specialized knowledge.

However, there are factors that keep this outsourcing percentage from going through the roof. One is that security is not a discrete function. It is intertwined with other functions such as the network, the applications layer, and even end-user support. Organizations cannot outsource all of security to a service provider, because security is a mandate of nearly every IT function. It is easy to hire someone to conduct penetration testing or employee training as an aspect of security, but if an organization outsources network security to a service provider, the in-house network and development staff still has to be highly skilled in security for the organization to be safe. Because of its complexity, security outsourcing will always be a partnership between service providers and internal staff.

In light of the new realities, the full study is designed to help IT executives compare their outsourcing activity and experience with other IT organizations. We present data about the five-year trend in IT security outsourcing. We use three metrics to measure IT security outsourcing activity: how many organizations outsource IT security (frequency), how much of the workload is typically outsourced (level), and the change in the amount of work outsourced (trend). We also measure the cost and service experience of organizations that outsource this function, and determine how outsourcing activity and experience vary by organization size and sector.

This Research Byte is a brief overview of our report on this subject, IT Security Operations Outsourcing Trends and Customer Experience. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website.