Necessity isn't often high on the list of factors driving gains in the IT security industry. At least, that was the case prior to the Sept. 11 terrorist attacks on America, when security was often one of the first budget items to be scaled back.
Since Sept. 11, however, managed security service providers are reporting marked increases in requests from customers looking for everything from vulnerability assessment to incident response planning to monitoring.
"The requests are coming from companies that may not have had security services performed in the past or companies just validating the health of their security," said IDC analyst Allan Carey. IDC predicts that managed security services will be a $2.4 billion business by 2005. The market was $720 million in 2000.
Carey noted that resource constraints, both human and financial, are always driving companies toward MSSPs.
"Networks are becoming more complex and the security to protect them is becoming more complex from a management standpoint," Carey said. "Overall, it's more cost-effective for some to outsource their managed security needs, rather than build them in-house."
Generally, Carey hinted, large enterprises are the only organizations capable of housing their own security teams and infrastructures. But even they need outside help.
"Large companies often want an independent assessment of their security posture to have an independent third party to validate their work," Carey said.
Since Sept. 11, phones at companies like Red Siren that offer security monitoring and management of networks have been ringing off the hook.
"By the afternoon of Sept. 11, clients were calling us for temporary assistance and enhancements of service," said Red Siren's operations manager, Helen Jones. "They were asking us to increase the level of monitoring and add services in the first 48 hours because no one knew what was coming next."
The demand has not subsided much in the interim, Carey said.
"(Sept. 11) is more of a wake-up call. Companies are realizing that, yes, the potential exists for their organization to be vulnerable," Carey said.
Nationally, awareness of computer security is growing because of government information campaigns highlighting insecure critical infrastructures. Organizations, perhaps for the first time, are becoming proactive about IT security as customers demand to know how secure their data is. In other cases, legislation like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act is forcing the health care and financial sectors to protect crucial data.
"A lot of companies, those who don't have to respond to legislation like HIPAA, were calling us. 'Help us evaluate our defenses. Tell us what's wrong,' " Jones said. "The reason is that interest in security has skewed off from an internal, protect-my-interests focus to being driven by customer demand."
The upshot for MSSPs: "Outsourcing was a 'wanna-have'. Now it's become a must-have. Clients are coming to companies and asking what they are doing to ensure the safety of their information," Jones said. "There has been no significant increase in cyber-attacks since Sept. 11. Still, a number of companies are coming to us and their biggest requests are for vulnerability assessments and the need for consulting to evaluate their environments. And they're asking us to do monitoring."
Red Siren normally serves mid-sized companies that don't have the staff or financial resources to manage security needs. Since Sept. 11, interest is spiking from bigger fish that used to rely on in-house expertise. Third-party evaluation is also becoming a must-have for these companies that used to outsource everything but security, Jones said.
"Now, the industry and marketplace have changed considerably. Unless you're a large company with enormous resources, you're faced with two choices: invest in outsourcing or face the fact you need to do it yourself," Jones said.
Yankee Group estimates companies are in for a $750,000 expense in the first year to set up security infrastructure.
"Not many companies retain the personnel to do so," Jones said. "Not a lot of organizations are up to it. It's not a core business."