More than 60% of midsized and large enterprises in the U.S. and Western Europe are either outsourcing or considering outsourcing at least part of their security operations, according to a recent survey.
The Symantec survey of 1,000 companies with a median size of 10,000 to 25,000 employees showed that about a quarter were now using managed security service providers (MSSPs) or some other form of outsourced security. Another third are either evaluating outsourced security or plan to do so over the next 12 months.
The numbers reveal a dichotomy between security haves and have-nots.
Interestingly, more than half of the companies surveyed in January said they had adequate security staffing and budget, implying that most enterprises with less than adequate resources are moving quickly to security services.
Managed security services:
Perimeter eSecurity acquisition shapes managed security services: Small businesses are turning to managed security service providers. The industry is growing and Perimeter eSecurity's aggressive acquisition spree is shaping the market.
Could managed security services cause data woes? In this podcast, SearchSecurity.com editors discuss managed security services, the increase of SQL injection attacks and whether secure software coding is improving.
What are the benefits of identity managed as a service? How do Software as a Service (SaaS) and IAM interact? Identity and access management expert Joel Dubin weighs in on how to approach the integration of the two.
Dollars and head counts don't tell the whole story, however. Many companies reported difficult finding and hiring people with the required security skill sets. Accordingly, nearly half the respondents cited access to expertise as a reason to adopt or evaluate outsourcing. More than half (55%) also cited the need for 24/7 coverage -- you can't assume the bad guys work regular business hours and bots don't sleep.
The findings mirror Symantec's own experience, says Grant Geyer, vice president of managed services at Symantec.
"Customers come to us for three reasons," Geyer said. "They don't have staff or expertise to handle security in house; they have the staff, but want to keep them focused on more strategic projects; or they have had a breach, have a gap identified and quickly need to shore up the walls."
Not surprisingly, reducing overall costs and mitigating security risks were also frequently cited reasons for outsourcing. Enterprises also cited (in descending order) predictability in expenses, the burden of regulatory requirements, focusing in-house IT resources on the core business and easing staffing challenges.
Enterprises are looking to outsourcing in traditionally strong areas for managed services, security monitoring and management. However, the top area (55%) in using or considering outside help is identity management, reflecting its crucial role in data protection and compliance with SOX, HIPAA and other regulatory directives.
Perhaps most startling is that nearly a third of the respondents said they were either outsourcing or evaluating services for their entire IT operations.
"As organizations are trying to save on IT expenditures in general," Geyer said. "They are looking to turn the keys over to an outsourcer."
Policy compliance and vulnerability management were also fairly high priorities for outsourcing. Geyer said he believes endpoint security will grow as a managed service, but it still ranks near the bottom.
In evaluating service partners, enterprises ranked timely incident responses as their highest priority, followed by expertise, the ability to gather and analyze security intelligence and cost.
The survey did not establish direct cause and effect between mounting security threats and adoption of managed security services -- but the implication is pretty clear. A number of questions gathered information on the type and frequency of attacks enterprises have suffered in the past two years and expect to suffer in the next two. More than a third said cyber threats increased and the same number said they held steady. The numbers for expected growth were identical.