November 28, 2006

Some security pros believe the introduction of a third party to any phase of IT increases the risk of a security breach. There is some truth to this maxim, but experts say IT people who are too dogmatic about third-party services are overlooking an excellent way to increase security capabilities and save money: outsourced security services.

Gartner, which had long been skeptical of third-party security services, reconsidered its position last year and began recommending that enterprises use outsourcing in selected areas of security. "Why should I filter out this garbage at my end?" asked Gartner vice president John Pescatore in a presentation. "Outsource as much of the busywork as you can, as soon as you can."

Apparently, some enterprises have taken Gartner's advice. According to an annual study released earlier this year by the Computer Security Institute and the FBI, offshore IT security work has increased significantly in the past year. Of the U.S. companies that indicated they farm out their security functions, the amount of work sent overseas has doubled in the past 12 months. (See CSI/FBI: Violations, Losses Down.)

Companies with an average revenue of less than $10 million outsourced 8 percent of their security functions overseas this year, compared with 6 percent last year, according to the CSI/FBI survey. Midsize companies of $100 million to $1 billion in revenue also nearly doubled the work they sent offshore, from 7 percent last year to 1 percent this year.

Large corporations with more than $1 billion saw the biggest increase in security outsourcing, sending 15 percent of their security functions offshore, up from 9 percent last year, according to the survey.

Although the volume of security functions sent overseas jumped significantly, the number of U.S. companies that use outsourcing has remained fairly stable. This year, 39 percent of the companies surveyed indicated they farm out varying degrees of their security work, compared with 37 percent last year.

In most cases, enterprises are using outsourcing companies for labor-intensive tasks such as maintaining and upgrading firewalls or doing log file analysis, experts say. Such an approach may cut the costs of handling these tasks while improving their overall efficiency, they say. Managed security services, in which providers offer a range of antivirus, anti-spyware, and intrusion detection capabilities, are still popular in small and medium-sized businesses, but have not deeply penetrated larger enterprises.