Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Security Outsourcing Heats Up

Security has become one of the key drivers in the managed services market, says Harris Interactive

Has security's outsourcing day finally come? Some pretty big names in the industry think so -- and they're backing up those claims with money, people, and research.

The Computing Technology Industry Association (CompTIA) -- one of the world's largest associations of computing product manufacturers and service providers -- has released the findings of a new study, conducted by Harris Interactive, which suggests security has become one of the key drivers in the managed services market. According to the study, firewall (60 percent) and security (40 percent) services are the two top managed services currently employed by user organizations, and security services (33 percent) are tied with storage and backup services (33 percent) as the top managed services scheduled to be added or upgraded in the coming year.

"While there's still some skepticism out there -- security was also cited as one of the top three factors keeping companies from engaging a managed service provider -- there are some providers that have reached a kind of 'trusted advisor' status, and they are being engaged more and more frequently to deliver security services," says Richard Rysiewicz, vice president of services at CompTIA.

Although they haven't made many public announcements lately, there's a cacophony of buzz among managed security service providers as well. RSA president Art Coviello announced a few weeks ago that his division will be working with parent company EMC's professional services division for risk assessment for enterprises. (See So Long, Security Silos .) And BT, which acquired MSSP Counterpane last year, is quietly making a major push into large, global enterprises, according to security guru Bruce Schneier, CTO of BT Counterpane.

"Eventually, I think all enterprises are going to reach a point where they give up and hand a lot of this stuff off to a third party," Schneier said in an interview at the RSA conference in San Francisco. "It's not a choice between doing it in-house and doing it out-of-house. It's a choice between doing it out-of-house or not getting it done at all. Most companies who are trying to do security in-house are not getting it done."

Schneier agrees that the winning MSSPs are the ones with the big names and reputations. "In the end, it's 100 percent about trust," he says. "That's one of the reasons that we made the deal to become part of BT. We found we were winning technically as we bid for customers, but we would eventually lose because we weren't one of the big companies that everyone trusts."

The trust issue is a plus for Internet Security Systems, the formerly-independent security vendor that now has become IBM's arm for delivering managed security services. IBM/ISS has more than doubled its staff in the last nine months, largely to enable it to deliver large-scale security services as part of IBM's Global Services unit. (See IBM's Stealthy Security Play.)

Tom Noonan, a founder of ISS who now heads up IBM's security efforts, says that rather than serving as an add-on, security is now driving many outsourcing projects. "With regulatory requirements like SOX and HIPAA, security is becoming a critical initiative, and there's often special funding for it," he observes. "So now if you're a service provider, you might come in to do [security] compliance, and stay to do other things, rather than the other way around."

Other large service providers, such as AT&T, and large-scale systems integrators, such as Accenture, are also beefing up for a race in the enterprise security services market, experts say. In fact, security has become a key differentiator as large enterprises evaluate their outsourcing options, according to a study published last year by Booz Allen Hamilton.

"Buyers want a squeaky clean track record," says Vinay Couto, global leader of Booz Allen's outsourcing advisory services unit. He says the researchers "were surprised" when security showed up in the top three reasons for selecting a supplier, just behind quality of service and price.

Managed services are also getting traction in small and medium-sized businesses, where most user companies "don't have the in-house knowledge" to handle all aspects of security, says CompTIA's Rysiewicz. In the study, shortage of skills (40 percent) was the most frequently-cited reason for employing a managed service provider, he says.

Small and medium-sized businesses also are looking to consolidate the number of service providers they use," Rysiewicz reports. "Where they used to use one service for backup, another one for firewall, and another one for security, now they're looking to consolidate."

And improvements in security tools and monitoring capabilities mean that smaller players can now match up more favorably with the BTs and the IBMs of the world," Rysiewicz says. "We're seeing literally hundreds more players coming to the MSP space, and a lot of them are interested in security."

— Tim Wilson, Site Editor, Dark Reading

  • Accenture
  • AT&T Solutions
  • BT Counterpane
  • EMC Corp. (NYSE: EMC)
  • IBM Corp. (NYSE: IBM)
  • IBM Internet Security Systems Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    7 Old IT Things Every New InfoSec Pro Should Know
    Joan Goodchild, Staff Editor,  4/20/2021
    Cloud-Native Businesses Struggle With Security
    Robert Lemos, Contributing Writer,  5/6/2021
    Defending Against Web Scraping Attacks
    Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2021-05-14
    YFCMF v2.3.1 has a Remote Command Execution (RCE) vulnerability in the index.php.
    PUBLISHED: 2021-05-14
    Unrestricted File Upload in LAOBANCMS v2.0 allows remote attackers to upload arbitrary files by attaching a file with a ".jpg.php" extension to the component "admin/wenjian.php?wj=../templets/pc".
    PUBLISHED: 2021-05-14
    Cross Site Scripting (XSS) in LAOBANCMS v2.0 allows remote attackers to execute arbitrary code by injecting commands into the "Homepage Introduction" field of component "admin/info.php?shuyu".
    PUBLISHED: 2021-05-14
    In YFCMF v2.3.1, there is a stored XSS vulnerability in the comments section of the news page.
    PUBLISHED: 2021-05-14
    Prototype pollution vulnerability in 'deep-override' versions 1.0.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code execution.