Has security's outsourcing day finally come? Some pretty big names in the industry think so -- and they're backing up those claims with money, people, and research.
The Computing Technology Industry Association (CompTIA) -- one of the world's largest associations of computing product manufacturers and service providers -- has released the findings of a new study, conducted by Harris Interactive, which suggests security has become one of the key drivers in the managed services market. According to the study, firewall (60 percent) and security (40 percent) services are the two top managed services currently employed by user organizations, and security services (33 percent) are tied with storage and backup services (33 percent) as the top managed services scheduled to be added or upgraded in the coming year.
"While there's still some skepticism out there -- security was also cited as one of the top three factors keeping companies from engaging a managed service provider -- there are some providers that have reached a kind of 'trusted advisor' status, and they are being engaged more and more frequently to deliver security services," says Richard Rysiewicz, vice president of services at CompTIA.
Although they haven't made many public announcements lately, there's a cacophony of buzz among managed security service providers as well. RSA president Art Coviello announced a few weeks ago that his division will be working with parent company EMC's professional services division for risk assessment for enterprises. (See So Long, Security Silos.) And BT, which acquired MSSP Counterpane last year, is quietly making a major push into large, global enterprises, according to security guru Bruce Schneier, CTO of BT Counterpane.
"Eventually, I think all enterprises are going to reach a point where they give up and hand a lot of this stuff off to a third party," Schneier said in an interview at the RSA conference in San Francisco. "It's not a choice between doing it in-house and doing it out-of-house. It's a choice between doing it out-of-house or not getting it done at all. Most companies who are trying to do security in-house are not getting it done."
Schneier agrees that the winning MSSPs are the ones with the big names and reputations. "In the end, it's 100 percent about trust," he says. "That's one of the reasons that we made the deal to become part of BT. We found we were winning technically as we bid for customers, but we would eventually lose because we weren't one of the big companies that everyone trusts."
The trust issue is a plus for Internet Security Systems, the formerly-independent security vendor that now has become IBM's arm for delivering managed security services. IBM/ISS has more than doubled its staff in the last nine months, largely to enable it to deliver large-scale security services as part of IBM's Global Services unit. (See IBM's Stealthy Security Play.)
Tom Noonan, a founder of ISS who now heads up IBM's security efforts, says that rather than serving as an add-on, security is now driving many outsourcing projects. "With regulatory requirements like SOX and HIPAA, security is becoming a critical initiative, and there's often special funding for it," he observes. "So now if you're a service provider, you might come in to do [security] compliance, and stay to do other things, rather than the other way around."
Other large service providers, such as AT&T, and large-scale systems integrators, such as Accenture, are also beefing up for a race in the enterprise security services market, experts say. In fact, security has become a key differentiator as large enterprises evaluate their outsourcing options, according to a study published last year by Booz Allen Hamilton.
"Buyers want a squeaky clean track record," says Vinay Couto, global leader of Booz Allen's outsourcing advisory services unit. He says the researchers "were surprised" when security showed up in the top three reasons for selecting a supplier, just behind quality of service and price.
Managed services are also getting traction in small and medium-sized businesses, where most user companies "don't have the in-house knowledge" to handle all aspects of security, says CompTIA's Rysiewicz. In the study, shortage of skills (40 percent) was the most frequently-cited reason for employing a managed service provider, he says.
"Small and medium-sized businesses also are looking to consolidate the number of service providers they use," Rysiewicz reports. "Where they used to use one service for backup, another one for firewall, and another one for security, now they're looking to consolidate."
"And improvements in security tools and monitoring capabilities mean that smaller players can now match up more favorably with the BTs and the IBMs of the world," Rysiewicz says. "We're seeing literally hundreds more players coming to the MSP space, and a lot of them are interested in security."
Tim Wilson, Site Editor, Dark Reading