Amid the changing environment, the number of organizations outsourcing IT security work has been growing steadily, if moderately, rising 15% over the past three years.
At the same time, outsourcing IT security work yields a positive customer experience. In fact, among companies that outsource the function, we rate the percentage that finds outsourcing improves service levels over their in-house capabilities as very high, as shown in Figure 1 from our study, IT Security Outsourcing Trends and Customer Experience. Clearly, the desire to improve security is a strong factor motivating organizations to outsource portions of this critical function.
At the same time, IT security outsourcing is not practiced by the majority of organizations, and our study rates the frequency of this practice as relatively low. The level is also low, which means that organizations use IT security services tend to outsource only a small portion of their total workload in contrast to the outsourcing of other IT functions.
Given the strong service success rate and steady rise in the frequency over the past few years, we anticipate the frequency of IT security outsourcing will continue to increase. However, the growth in the outsourcing level will continue at a moderate rate as indicated by the net growth trend. This shows that the number of IT organizations that plan to increase their IT security source is moderately higher than the percentage planning to cut back on these services, when compared to the net trend of other outsourcing services.
We define IT security services as including such areas as threat protection (antivirus, antispam, antispyware), monitoring (firewall management, intrusion detection and prevention), network traffic control (virtual private networks), and web content filtering. They also include consulting services such as vulnerability assessments, computer forensics, and network architecture reviews. These services can be provided on a 24/7 basis and can include security staff and security management augmentation. The most prevalent form of outsourced security is email management and web security, particularly among large companies. We do not include vendor updating of security software as outsourcing as this this is not a function IT organizations typically perform in-house.
In the full study, we present data about the five-year trend in IT security outsourcing. In light of current trends, this study is designed to help IT executives compare their outsourcing activity and experience with other IT organizations. We use three metrics to measure IT security outsourcing activity: how many organizations outsource IT security (frequency), how much of the workload is typically outsourced (level), and the change in the amount of work being outsourced (trend). We also measure the cost experience and service experience of companies that outsource this function, and determine how outsourcing activity and experience vary by organization size and sector.
This Research Byte is a brief overview of our management advisory on this subject, IT Security Outsourcing Trends and Customer Experience. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website (click for pricing).