July 28, 2003

Information security is still a do-it-yourself proposition for most companies, according to InformationWeek Research's 2003 U.S. Information Security Survey.

Large companies--those with the biggest budgets and staff--will do the most security outsourcing in 2004. Companies with annual revenue of $1 billion or more outsource twice as often as the 9% of small and 8% of midsize companies that say outsourcing security is a business priority.

Large companies say it's all about focus. "It's all about being the best that you possibly can be," says David Bauer, chief information-security officer at Merrill Lynch. In May, the brokerage said it had selected VeriSign Inc. to manage much of its firewall and intrusion-detection systems. Outsourcing certain facets of network and security-event monitoring leaves his security team free to focus on other projects, Bauer says. There's another plus, he says: Benefiting from VeriSign's ability to spot trends based on what's happening to its customers. "It's not just about data. It's about intelligence," Bauer says. "And with intelligence, you can make better decisions."

Large companies see the value in outsourcing security monitoring while the security pros at small and midsize companies may be more worried about job security, says John Pescatore, research director at Gartner.

Despite this year's lackluster interest in security outsourcing, Gartner forecasts the market for security services to grow from $4.1 billion in 2001 to $9.0 billion in 2006. At 40% of the projected market in 2006, consulting will be the largest security-services segment, while managed-security services will experience the fastest growth rate, at 20% through 2006.

This article originally appeared in InformationWeek magazine, July 28, 2003.For more on this story, visit: http://www.informationweek.com/story/showArticle.jhtml?articleID=12803139