Insourcing Security Management
A few years ago, technology analysts were predicting unlimited growth for managed security service providers (MSSPs). Many companies then viewed security as a foreign concept, but laws such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act (affecting financial services) were forcing them to address intrusion defense, patch management, encryption and log management.
Attacks on data have increased faster than any other security exploit. The top target: databases.
How Attackers Get Your Data
Databases: 57 per cent
File-sharing applications: 46 per cent
Laptops: 39 per cent
Removable Media: 23 per cent
Backup Tapes: 16 per cent
Multiple Responses Allowed
Convinced they couldn't do it on their own, companies chose outsourcers to do it for them. Gartner estimated the MSSP market in North America alone would reach $US900 million in 2004 and that it would grow another 18 percent by 2008.
Then came the economic tsunami, which appears to have cast a shadow over outsourcing plans even though security budgets are holding steady. Although 31 per cent of respondents this year are relying on outsiders to help them manage day-to-day security functions, only 18 per cent said they plan to make security outsourcing a priority in the next 12 months.
When it comes to specific functions, the shift has already begun. Last year, 30 percent of respondents said they were outsourcing management of application firewalls, compared to 16 percent today. Respondents cited similar reductions in outsourcing of network and end-user firewalls. Companies have also cut back on outsourcing encryption management and patch management.
At the same time, more companies are spending money on these and other security functions. Sixty-nine percent said they're budgeting for application firewalls, up slightly compared to the past two years. Meanwhile, more than half of respondents said they are investing in encryption for laptops and other computing devices.
The results surprise Lobel of PricewaterhouseCoopers. "When you think about it logically, some IT organizations have the resources and maturity to manage their operating systems and patches, but many don't," he observes. "Hopefully, the numbers simply mean IT shops have grown more mature in their security understanding."
Security Budgets Hold Stead
More companies are increasing spending than cutting it.
Direction of Spending
Increase: 38 per cent
Stay the Same: 25 per cent
Decrease: 12 per cent
Don't Know: 24 per cent
Numbers may not add up to 100 per cent due to rounding
Gius of Atmos Energy offered another possible explanation: Companies see a lot of chaos in the security market with an avalanche of mergers and acquisitions. One independent security vendor after another has merged with or been acquired by other companies. Examples include BT's acquisition of Counterpane and IBM's acquisition of Internet Security Systems. IT leaders are simply getting out of the way until the industry settles down.
Gius says Atmos Energy is handling most of its security in-house right now. "We pursued a number of open-source and lower-cost solutions to manage it ourselves," he says. "We invested in two people to help ensure we had the skills to manage that environment." But he'd like to outsource more if it makes sense financially. He notes that security is increasingly integrated into the platforms provided by the likes of Microsoft, Cisco and Oracle, as well as telecom providers like Comcast and Verizon. It makes sense to him to have those providers manage the security of their systems.
Beard, with SAIC, says that no matter what drives security spending decisions, companies should understand their specific security strategies and where managed security providers can offer unique value. Smart business executives understand that they must maintain control of the big picture at all times, even if a third party is managing many of the levers. Keeping an eye on security service providers and the risks they are encountering is essential. "CIOs and security officers may outsource certain functions to various degrees, but they should never outsource their responsibility," Beard advises.