
Attacks spur upturn in MSSP business

Necessity isn't often high on the list of factors driving gains in the IT security industry. At least, that was the case prior to the Sept. 11 terrorist attacks on America when security was often one of the first budget items to be scaled back.

Since Sept. 11, however, managed security service providers are reporting marked increases in requests from customers looking for everything from vulnerability assessment to incident response planning to monitoring.

Bottom line bears all
The proof, however, will be in the budgeting.

Most organizations are in the planning stages for their 2002 fiscal years, so it will be interesting to see where security spending stands when the spreadsheets shake out.

IDC analyst Allan Carey said it's too early to give a definitive opinion on whether security spending will go up. He notes a recently announced $1 billion federal resurgence package that includes an IT security component that hints at a tax break for those with secure infrastructures.

"Our industry hopes there is an increase in IT spending on security," Carey said. "Companies realize they have to. But stepping out on a limb and saying they are going to increase their security spending? The economy determines that and I don't think the market is going to turn around by the first of the year."

Fifty-one percent of voters on a recent searchSecurity poll said that their security budgets were going up. The increases were incremental: 1%-3% increase, 13% of the voters; 4%-6% increase, 14% of the voters; 7%-10% increase, 11% of the voters; more than 10% increase, 13% of the voters. Twenty percent said their budgets were staying the same. Fourteen percent said their budgets were being sliced and 16% did not know.

"Threats don't supersede the economic conditions," Carey noted.

Michael S. Mimoso,
News Editor


"The requests are coming from companies that may not have had security services performed in the past or companies just validating the health of their security," said IDC analyst Allan Carey. IDC predicts that managed security services will be a $2.4 billion business by 2005. The market was $720 million in 2000.

Carey noted that resource constraints, both human and financial, are always driving companies toward MSSPs.

"Networks are becoming more complex and the security to protect them is becoming more complex from a management standpoint," Carey said. "Overall, it's more cost-effective for some to outsource their managed security needs, rather than build them in-house."

Generally, Carey hinted, large enterprises are the only organizations capable of housing their own security teams and infrastructures. But even they need outside help.

"Large companies often want an independent assessment of their security posture to have an independent third party to validate their work," Carey said.

Since Sept. 11, however, phones at companies like Red Siren that offer security monitoring and management of networks have been ringing off the hook.

"By the afternoon of Sept. 11, clients were calling us for temporary assistance and enhancements of service," said Red Siren's operations manager, Helen Jones. "They were asking us to increase the level of monitoring and add services in the first 48 hours because no one knew what was coming next."

The demand has not subsided much in the interim, Carey said.

"(Sept. 11) is more of a wake-up call. Companies are realizing that, yes, the potential exists for their organization to be vulnerable," Carey said.

Nationally, awareness of computer security is growing because of government information campaigns highlighting insecure critical infrastructures. Organizations, perhaps for the first time, are becoming proactive about IT security as customers demand to know how secure their data is. In other cases, legislation like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act is forcing the health care and financial sectors to protect crucial data.

"A lot of companies, those who don't have to respond to legislation like HIPAA, were calling us. 'Help us evaluate our defenses. Tell us what's wrong,' " Jones said. "The reason is that interest in security has skewed off from an internal, protect-my-interests focus to being driven by customer demand."

The upshot for MSSPs: "Outsourcing was a 'wanna-have'. Now it's become a must-have. Clients are coming to companies and asking what they are doing to ensure the safety of their information," Jones said. "There has been no significant increase in cyber-attacks since Sept. 11. Still, a number of companies are coming to us and their biggest requests are for vulnerability assessments and the need for consulting to evaluate their environments. And they're asking us to do monitoring."

Red Siren normally serves mid-sized companies that don't have the staff or financial resources to manage security needs. Since Sept. 11, interest is spiking from bigger fish that used to rely on in-house expertise. Third-party evaluation is also becoming a must-have for these companies that used to outsource everything but security, Jones said.

"Now, the industry and marketplace has changed considerably. Unless you're a large company with enormous resources, you're faced with two choices: invest in outsourcing or face the fact you need to do it yourself," Jones said.

Yankee Group estimates companies are in for a $750,000 expense in the first year to set up security infrastructure.

"Not many companies retain the personnel to do so," Jones said. "Not a lot of organizations are up to it. It's not a core business."

