Managed security services gain as companies seek expertise

By Neil Roiter. Senior Technology Editor, Information Security magazine 23 Mar 2009 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

More than 60% of midsized and large enterprises in the U.S. and Western Europe are either outsourcing or considering outsourcing at least part of their security operations, according to a recent survey.

SearchSecurity.com: To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The Symantec survey of 1,000 companies with a median size of 10,000 to 25,000 employees showed that about a quarter were now using managed security service providers (MSSPs) or some other form of outsourced security. Another third are either evaluating outsourced security or plan to do so over the next 12 months.

The numbers reveal a dichotomy between security haves and have-nots.

Interestingly, more than half of the companies surveyed in January said they had adequate security staffing and budget, implying that most enterprises with less than adequate resources are moving quickly to security services.

Managed security services: Perimeter eSecurity acquisition shapes managed security services: Small businesses are turning to managed security service providers. The industry is growing and Perimeter eSecurity's aggressive acquisition spree is shaping the market. Could managed security services cause data woes? In this podcast, SearchSecurity.com editors discuss managed security services, the increase of SQL injection attacks and whether secure software coding is improving. What are the benefits of identity managed as a service? How do Software as a Service (SaaS) and IAM interact? Identity and access management expert Joel Dubin weighs in on how to approach the integration of the two.

Dollars and head counts don't tell the whole story, however. Many companies reported difficult finding and hiring people with the required security skill sets. Accordingly, nearly half the respondents cited access to expertise as a reason to adopt or evaluate outsourcing. More than half (55%) also cited the need for 24/7 coverage -- you can't assume the bad guys work regular business hours and bots don't sleep.

The findings mirror Symantec's own experience, says Grant Geyer, vice president of managed services at Symantec.

"Customers come to us for three reasons," Geyer said. "They don't have staff or expertise to handle security in house; they have the staff, but want to keep them focused on more strategic projects; or they have had a breach, have a gap identified and quickly need to shore up the walls."

Not surprisingly, reducing overall costs and mitigating security risks were also frequently cited reasons for outsourcing. Enterprises also cited (in descending order) predictability in expenses, the burden of regulatory requirements, focusing in-house IT resources on the core business and easing staffing challenges.

Enterprises are looking to outsourcing in traditionally strong areas for managed services, security monitoring and management. However, the top area (55%) in using or considering outside help is identity management, reflecting its crucial role in data protection and compliance with SOX, HIPAA and other regulatory directives.

SearchSecurity radio:

Perhaps most startling is that nearly a third of the respondents said they were either outsourcing or evaluating services for their entire IT operations.

"As organizations are trying to save on IT expenditures in general," Geyer said. "They are looking to turn the keys over to an outsourcer."

Policy compliance and vulnerability management were also fairly high priorities for outsourcing. Geyer said he believes endpoint security will grow as a managed service, but it still ranks near the bottom.

In evaluating service partners, enterprises ranked timely incident responses as their highest priority, followed by expertise, the ability to gather and analyze security intelligence and cost.

The survey did not establish direct cause and effect between mounting security threats and adoption of managed security services -- but the implication is pretty clear. A number of questions gathered information on the type and frequency of attacks enterprises have suffered in the past two years and expect to suffer in the next two. More than a third said cyber threats increased and the same number said they held steady. The numbers for expected growth were identical.

Tags: Security Industry Market Trends, Predictions and Forecasts,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Industry Market Trends, Predictions and Forecasts SCADA system, critical infrastructure security lacking, survey finds Security architects fear savvy botnet attacks, IPv6 security issues Security compliance predictions for 2010: New regulations, new technology IAM trends: Rebuilding security with provisioning technologies Gartner acquires Burton Group, bolsters presence Securosis adds Security Incite, Rothman to its roster Five security industry themes to watch in 2010 How to advance in your infosec career in the current economic storm Top cybersecurity stories of 2009 Security industry praises Schmidt but sees challenges ahead Security Industry Market Trends, Predictions and Forecasts Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backscatter body scanning  (SearchSecurity.com) marketecture  (SearchSecurity.com) NCSA  (SearchSecurity.com) Palladium  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary