IT Security Outsourcing: Still Small but Promising

June, 2009

IT managers sometimes worry that IT security is too important to a company’s health and well being to turn over to a third-party service provider, an unknown outsider unfamiliar with the organization’s inner workings. But outsourcing at least a portion of an organization’s IT security operations increasingly makes sense in our online real-time malware-infested business environment.

Security threats are expanding at every level. The Conficker worm made evident the insidious menace represented by botnets. Spam may not be growing at its previous torrid pace, but still claims a very high percentage of overall email traffic — 97%, according to Microsoft’s most recent survey. Data security is a particular concern: The number of data breaches last year increased 47% from the year earlier, according to the Identity Theft Resource Center. Even information warfare and cybersabotage, so much science fiction fodder just a few years ago, seem like very real possibilities these days.

This Research Byte is a summary of our full report, Use of IT Security Outsourcing Low But Rising as Threats Grow.

Unfortunately, economic uncertainties have had a negative impact on IT budgets, and that includes spending on a seemingly endless array of security tools and point solutions. Even if companies were hiring IT workers, which many of them are not, security expertise is a scarce and valuable commodity. This is why outsourcing security, or at least some portion of your security operations or functions, may make sense. As is true with many other areas of IT operations, security is both a strategic and tactical effort, and outsourcing can be an efficient way to lower the costs of tactical functions and boost the effectiveness of strategic operations.

Despite skepticism among both top management and IT pros, the use of outsourced security services is firmly, if not widely, entrenched. According to our survey involving more than 200 IT organizations, one-quarter of all organizations outsource at least some portion of their IT security operations, as shown in Figure 1. Another 74% do no security outsourcing, however, which makes IT security outsourcing one of the least frequently outsourced functions among 11 areas we track.

SecOut Fig1 - IT Security Outsourcing: Still Small but Promising

The full version of this report examines data on the percentage of organizations outsourcing security for the composite sample, by organization size, and by sector. It also looks at the level of satisfaction with IT security service providers, the amount of security work outsourced by organizations, and the trend in terms of the percentage of organizations increasing, maintaining, and decreasing security outsourcing. Our analysis also discusses the types of outsourcing services, changes in the industry, and cost and benefits of security outsourcing. The report concludes with reasons why we think security outsourcing will continue to grow as the industry matures and evolves.

Turning to third-party service providers for help with almost every aspect of IT planning, implementation, and execution has become an accepted practice, yet outsourced security continues to be looked at with skepticism by many organizations. Still, observers predict a steady increase in the market for security services, and there are several compelling reasons why potential customers should consider the possibilities carefully.

This Research Byte is a brief overview of our report on this subject, IT Security Outsourcing Low But Rising as Threats Grow. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website (click for pricing).