As IT departments continue to struggle to meet the growing demand for their services with fewer people and shrinking budgets, the idea of outsourcing more of their security functions is becoming more and more attractive. And analysts and industry observers say that trend is likely to continue for the next several years as managed security services offerings mature and enterprises grow more comfortable with the concept.
Security vendors have been offering various managed services for nearly 10 years, including vulnerability scanning, network security monitoring, managed IDS and managed firewall services. Those offerings have done well in certain segments of the market, but many enterprises still are hesitant to give a third party that much control of their security operations. But today's economic realities are putting off-premises services, including software-as-a-service products, on the short list for security managers.
Several companies, including HP, IBM and Webroot Software Inc., have begun to offer some of their security products as SaaS options. Webroot, of Boulder, Colo., this week introduced its new Web Security SaaS product, a comprehensive Internet security offering that includes content control, URL filtering, threat protection and other features. The service routes all of a customer's Web traffic through Webroot's servers and scours the requests for malicious content. HP, meanwhile, recently dipped its toe into the SaaS world as well with an on-demand version of its Assessment Management Platform. IBM has had an on-demand version of its AppScan Enterprise Edition product available for some time.
Analysts say that the trend is indicative of a general willingness on the part of enterprise IT staffs to look for more economical solutions, as well as a recognition on the part of the vendors that customers may be ready to accept some outside help. That trend will only accelerate in coming years, they say.
"Three to five years from now, there will be a lot more focus on external services," John Pescatore, an analyst at Gartner Inc., based in Stamford, Conn., said at the company's IT Security Summit in Washington this week. "Product choices by customers will be driven by what kind of services are offered."
Pescatore estimates that in 10 years, the market for outsourced security services will jump significantly. By 2018, 70% of all messaging security products will be offered as a service, he said, and 65% of secure Web gateways and 85% of security intelligence products will be services. Part of the reason behind this is the fact that many enterprises have reached a saturation point with the number of appliances and security gateways they have in their environments, and they're looking for ways to cut hardware costs and data center costs. It's the same set of circumstances driving the interest in virtualization at the moment.
"CIOs are telling us, 'I don't care what Gartner says, the only way I ever reduce IT costs is by reducing box count,'" Pescatore said.
That would seem to portend a continuation of the trend toward vendors offering customers the option of buying products as services instead of as appliances or shrink-wrapped software. That option can be especially enticing for small and medium-sized organizations that don't have the personnel and budget to dedicate to security functions.
"What we're going to see more of is the concept of the security switch and security in the cloud, along with software-as-a-service," Pescatore said.