It's an understatement to say that IT organizations face exceptionally challenging times. For many, budget cutbacks for 2009 were worse than predicted.
As a result, many IT organizations are taking a hard look at what is and is not core to internal IT, assessing their teams and moving people to strategic areas to concentrate on more important projects. Even organizations that traditionally kept services in-house are assessing whether to selectively outsource day-to-day monitoring and management to third parties in order to take advantage of the predictable monthly expense that managed services offer. Security managed services are no exception.
Sixty percent of participants in Nemertes Research's 2009 Spring Benchmark say they're planning to increase their use of managed services in 2009 and beyond, with top drivers being falling budgets, shrinking staffs, a lack of specialized expertise and rising demand to support more complex applications. The increasingly distributed workforce also place a role because managing remote sites poses a particular challenge to IT (which is often highly centralized). In the branch office, this trend has accelerated dramatically. In 2006, 27% of research participants were using some form of managed services. By 2008 that number had more than doubled to 65% and in 2009 60% of participants are expanding their use of managed services.
Managed security services were used by 47% of participants in our benchmark. Among small and midsize businesses (SMB), 46% were using managed security services. Almost 50% were laos outsourcing business continuity planning and disaster recovery services, (slightly less at 32% for SMBs). Security managed services cover many different types of services, from antispam in the cloud to managed on-premise firewalls. Whereas carriers dominate most areas of managed services, in security they are selected by 37% of outsourcing buyers. Most managed security services are bought from system integrators (42%) with the rest bought from regional or specialty providers (21%). This is not surprising since security services were first offered by specialty providers and system integrators. Nemertes Research expects to see a shift in the market as more and more of these services are provided by carriers.
As noted in previous articles, cost is not the only or even leading criterion for selecting a managed security service provider. In our research we find that the breadth of services offered is the top criterion, followed by cost. Third is the cost to implement (start-up costs), then geographical reach of the provider and the length of time they have been in business. Security is clearly not a "lowest cost" service and there is a significant element of trust, which influences the decision too.
Once a security service is outsourced, most companies (60%) rate their outsourcing engagement as a success. They evaluate the success based on a range of criteria, highest being a properly structured SLA, followed by a properly structured contract and good communication with the provider management. Getting outsourcing to work well is not easy, but it is a worthwhile investment as it can deliver predictable cost and a consistent and verifiable security posture.