The worst economic recession in decades has compelled more companies to spend less on outsourced security services and do more in-house, according to the seventh-annual Global Information Security survey, which CSO and CIO magazines conducted with PricewaterhouseCoopers earlier this year.
Some 7,200 business and technology executives worldwide responded from a variety of industries, including government, health care, financial services and retail.
A few years ago, technology analysts were predicting unlimited growth for managed security service providers (MSSPs). Many companies then viewed security as a foreign concept, but laws such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (affecting financial services) were forcing them to address intrusion defense, patch management, encryption and log management. Convinced they couldn't do it on their own, companies chose outsourcers to do it for them. Gartner estimated the MSSP market in North America alone would reach $900 million in 2004 and that it would grow another 18 percent by 2008.
Then came the economic tsunami, which appears to have cast a shadow over outsourcing plans even though security budgets are holding steady. Although 31 percent of respondents this year are relying on outsiders to help them manage day-to-day security functions, only 18 percent said they plan to make security outsourcing a priority in the next 12 months.
When it comes to specific functions, the shift has already begun. Last year, 30 percent of respondents said they were outsourcing management of application firewalls, compared to 16 percent today. Respondents cited similar reductions in outsourcing of network and end-user firewalls. Companies have also cut back on outsourcing encryption management and patch management.
At the same time, more companies are spending money on these and other security functions. Sixty-nine percent said they're budgeting for application firewalls, up slightly compared to the past two years. Meanwhile, more than half of respondents said they are investing in encryption for laptops and other computing devices.
The results surprise Mark Lobel, a partner in the security practice at PricewaterhouseCoopers. "When you think about it logically, some IT organizations have the resources and maturity to manage their operating systems and patches, but many don't," he observes. "Hopefully, the numbers simply mean IT shops have grown more mature in their security understanding."
Miguel Lopez, a Los Angelas-based IT security practitioner who has worked for such companies as MSC Software and Stamps.com, observed a stark trend toward less outsourcing while at MSC (he left the company earlier this year).
"The company was doing less and less outsourcing. It was mostly due to the economic conditions more than anything else," he says. "They were certainly looking to see where cost could be reduced or eliminated. I also hear from a few of my friends in other companies that the trend is toward doing more with internal staff."
Peter Hillier, director of IT security for CMA Holdings in Ottawa, believes there are three things driving the move toward more in-house security:
1. Organizations have become more adept at do-it-yourself security since first outsourcing, though, Hillier says, "they should have done that prior to outsourcing security the first time."
2. SIM/SIEM growth has been as good for the insourcer as it is for the outsourcer. "If you can do more with less, then why pay someone else to do it?" he asks.
3. Economy is a driver, as others have noted.
Charles Beard, SVP and chief information officer for Science Applications International Corp. (SAIC), says that no matter what drives security spending decisions, companies should understand their specific security strategies and where managed security providers can offer unique value. Smart business executives understand that they must maintain control of the big picture at all times, even if a third party is managing many of the levers. Keeping an eye on security service providers and the risks they are encountering is essential. "CIOs and security officers may outsource certain functions to various degrees, but they should never outsource their responsibility," Beard advises.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.