IT Security Outsourcing Shows Steady Growth

May, 2013

Despite some tumult, IT security outsourcing has been growing slowly but steadily during the last three years, with 38% of organizations outsourcing at least some element of this function in 2012. This growth will likely continue. More than one-fifth of survey respondents expect their IT security outsourcing to increase in the next year. At the same time, our outsourcing study shows strong cost benefits and service benefits to security outsourcing. In fact, the percentage of organizations that find outsourcing improves service is very high at 94%, tied for first place among the 11 IT functions included in our survey.

Clearly, improving service is a strong factor motivating organizations to outsource their IT security functions. Why aren’t more enterprise organizations doing so? Organizations are taking a measured approach to outsourcing the function because it is critical to the enterprise. The highly competitive outsourcing landscape could also be sowing uncertainty. Outsourcing partners need to do a better job of demonstrating their usefulness before the outsourcing of this vital IT function gains wider traction.  

The outsourcing profile in Figure 1, from our report, IT Security Outsourcing Trends and Customer Experience, shows how IT security outsourcing compares with the outsourcing of 10 other functions.

ITSecOut Fig1 - IT Security Outsourcing Shows Steady Growth

  •  Outsourcing frequency is low, but level is moderate. Security outsourcing scores in the low range in frequency, meaning that the number of organizations currently using these services is low relative to the outsourcing of other functions. The outsourcing level is moderate: when organizations outsource IT security, they often outsource only a portion of the function. Organizations often maintain control of security functions that they deem especially sensitive or critical to their underlying business operations.
        
  • Trend indicates growth may be slowing. The growth trend is a measure of the number of customers that plan to increase the amount of IT security work given to outside service providers in the current budget cycle, minus the percentage that are decreasing the amount of work outsourced. In relative terms, growth in the amount of work organizations are outsourcing will be low. The volatility, meanwhile, is very low. The percentage of organizations changing the amount of work they outsource, regardless of whether the change is up or down, is low compared with other outsourced IT functions.
        
  • Cost and service experiences are strong. Finally, the profile shows the relative performance on our two measures of customer experience. IT organizations experience moderately high success in reducing costs when outsourcing the IT security function. In fact, 76% of survey respondents noted a positive cost experience. Meanwhile, the percentage that find outsourcing improves service is very high at 94%, tied for first place among the 11 IT functions included in our survey. Clearly, improving service is a strong factor motivating organizations to outsource their IT security functions.We define IT security services as including such areas as threat protection (antivirus, antispam, antispyware), monitoring (firewall management, intrusion detection and prevention), network traffic control (virtual private networks), and web content filtering. They also include consulting services such as vulnerability assessments, computer forensics, and network architecture reviews. These services can be provided on a 24-7 basis and can include security staff and security management augmentation. The most prevalent form of outsourced security is email management and web security, particularly among large companies.

In the full study, we present data about the five-year trend in IT security outsourcing. In light of current trends, this study is designed to help IT executives compare their outsourcing activity and experience with other IT organizations. The study uses three metrics to measure IT security outsourcing activity: it determines how many organizations outsource IT security (frequency), how much of the workload is typically outsourced (level), and the change in the amount of work being outsourced (trend). We also measure the cost experience and service experience of companies that outsource this function, and determine how outsourcing activity and experience vary by organization size and sector.
 


This Research Byte is a brief overview of our report on this subject, IT Security Outsourcing Trends and Customer Experience, The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website (click for pricing).