Here's the reasoning behind the growth, from IDC's security services research analyst, Irida Xheneti:
"Among the many dynamics shaping the U.S. managed security services market today, growing security complexity, the evolving pace of today's technology, and stringent compliance mandates are driving demand and spending for managed security services."
While I'm sure those all play a role in driving security demand, I think the wind behind the sails of MSSPs today is cost-cutting. The last time MSSPs were making a significant splash was in 2001 - when the tech bubble had just tanked. Back then, research firm Yankee Group forecasted that companies would spend about $1.7 billion in security services by 2005, up from just $140 million in 1999.
Considering that IDC pegged managed security services at $1.3 billion in 2007, Yankee Group was only slightly off the mark in their prediction. And the mantra in 2001 was to slash costs, and build operational efficiencies.
Here's a quote from a feature story I wrote about MSSPs way back in 2001. It's from a security manager working at a major hospital on why companies outsource security:
The reason is economics. "When decisions to outsource security are made, it's generally done by the CFO and is based on cost savings," says Bruce Peck, information security manager at St. Vincent Hospital & Health Services, a network of eight hospitals in Indianapolis.
I thought Bruce Peck was correct seven years ago, and I think he's still correct today. When you hear that companies are outsourcing security to maintain a competitive edge, or to keep up with complex threats, or regulatory compliance concerns - they really mean they're trying to cut costs. And the further the economy tanks, the greater the benefit to managed security providers.