Security has become a major focus for IT leaders in 2021, and companies are now increasing their spending to secure the enterprise. This is because the threat landscape is evolving with increased reliance on the cloud, a greater diversity in the IT service portfolio, more employees working from home, and a more burdensome regulatory environment. The recent ransomware attack on Colonial Pipeline is just one example of the increasing threats. To combat these threats, organizations are turning to IT security outsourcing firms to handle higher-value, end-to-end security tasks.
Figure 2 from our full report, IT Security Outsourcing Trends and Customer Experience, shows that IT security is outsourced, entirely or in part, by 38% of IT organizations, up from 36% last year. The most recent peak was 2017, when 43% of organizations outsourced IT security work.
The reasons for the increase are numerous. We explore them in our full report. They include:
- Companies are simply spending a larger percentage of their budget on securing the enterprise, whether that is in-house or through outsourcing. The number and variety of threats continues to rise, and with it, security spending.
- Highly regulated industries such as banking, healthcare, and life sciences have higher compliance needs, and some industries, such as retail, are seeing increased expectations for privacy.
“There are very few organizations that can do an adequate job securing the enterprise without outside help,” said Tom Dunlap, director of research for Computer Economics, a service of Avasant Research, based in Los Angeles. “The more sophisticated security skills needed are difficult to find, so it makes sense to turn over some of those to third parties who can provide those sophisticated security functions.”
However, some factors keep this outsourcing percentage from rising much further. One is that security is not a discrete function. It is intertwined into other functions such as application development, as well as embedded in the network and even end-user support. Organizations cannot outsource all of their IT security to a service provider, because security is a mandate of nearly every IT function. A company can hire someone to conduct penetration testing or employee training as an aspect of security, but if an organization outsources network security to a service provider, the in-house network staff still has to be highly skilled in security for the network to be safe.
In the full study, we present data about the five-year trend in IT security outsourcing. In light of current trends, this study is designed to help IT executives compare their outsourcing activity and experience with other IT organizations. We use three metrics to measure IT security outsourcing activity: how many organizations outsource IT security (frequency), how much of the workload is typically outsourced (level), and the change in the amount of work being outsourced (trend). We also measure the cost and service experience of companies that outsource this function and determine how outsourcing activity and experience vary by organization size and sector. We conclude with ways to capitalize on the evolving trends in IT security outsourcing.
This Research Byte is a brief overview of our study, IT Security Outsourcing Trends and Customer Experience. The full report is available at no charge for Computer Economics clients, or it may be purchased by non-clients directly from our website (click for pricing).