Late last year, the Computer Security Institute asked almost 500 security professionals what percentage of their IT security functions were outsourced - more than 60 per cent answered "none". So why are many organisations still reluctant to take that route?

For IBM's Internet Security Systems business unit executive, Dermot McCann, many still baulked at the cost, while Klikon Solutions' senior security consultant, Daniel Smith, said they wanted to retain control of their networks. This view was supported by TippingPoint's regional sales director, Sean Abbott.

"Keeping security in-house means they are in control and have the flexibility to make changes," he said. "They can also choose the products they need to achieve security goals."

Network Box managing director, Keith Glennan, agreed the concept of reduced control had been an inhibitor for managed security services but claimed those concerns were unfounded.

He said customers that adopted managed environments often found they had more control because there's no empire building, it's transparent and the service is managed to meet service level agreements (SLAs).

"All too often in mid-sized organisations security is seen as a negative because it's an inhibitor to the business when the person responsible has a disproportionate amount of power," he said.

Firewall Systems' marketing director, Nick Verykios, said this happened because technical security specialists didn't understand business process. SLAs were the key - you need to create policy, add technology to it and then nail it down with an SLA, he said.

Dimension Data's security business development manager, Anthony Stitt, said one common problem was the difference be-tween an SLA a business would create internally and that offered by an outsource provider.

"The outsourcer creates an SLA where everything is beautiful and the business likes the idea but isn't willing to pay for it. All they see is that it's going to cost more than what they do now," he said. "The devil's in the detail because some services like mail are very suited to outsourcing but it's a much finer line with service guarantees for others like Web."

AirMagnet's systems engineering director, Jesse Frankel, said another issue was that organisations often managed a certain part of the security process their own way.

"When they look at all the pieces they get from a managed service, they don't necessarily all line up," he said. "They've already decided in terms of cost and expertise that it would be a good idea but are reluctant to give up unique little things they're endeared to."

So is this a matter of market maturity or will resellers always be dealing with requests to do things differently? Klikon's Smith suggested the IT industry needs to mature in terms of business thinking.