Security demands for online applications such as e-commerce and Web services are prompting more corporate customers to hand off security functions - such as intrusion detection and firewalls - to outside service providers.
Users are finding that third-party security service providers can also help augment an internal security strategy by preparing reports required by many new government regulations.
As a result, the trend toward outsourcing security functions, which peaked during the Internet boom, is slowly angling upward again as companies discover that handing off routine security activities enables them to focus internal security expertise in more critical areas.
However, hurdles remain and many companies still prefer to keep such sensitive IT functions in-house.
"As we've seen the economy pick up over the past six or eight months, we've seen companies turn to outsourcing because they want to use their security staff to address security needs for e-commerce and VPN and Web applications - the let-the-good-guys-in sort of stuff to connect with customers, partners and employees," a principal Gartner analyst, Kelly Kavanagh, said.
"The routine monitoring and maintenance of firewalls and monitoring of [intrusion-detection] traffic for alerts are things they are finding have a great impact on their staff time and is something they can give to somebody who does that 24x7," he said.
Since the beginning of the year, clients had more questions about outsourcing security and more were on the brink of contracting with service providers, Kavanagh said.
"The question now is 'who', not 'whether' or 'if'," he said.
Still, analysts note that the move to outsource security functions is a slow one. One reason is that the so-called managed security service provider market continues to consolidate - Level 3 acquired Genuity early last year, and VeriSign snapped up Guardent in February this year - leaving some enterprise customers wary about contracting with a firm that might not be around in a few months.
Gartner expects consolidation to continue as smaller players band together to compete with larger providers and those large firms seek to expand their security expertise through acquisition. In addition, companies are still reluctant, for a variety of reasons, to hand off security functions to outside parties.
Associate director of networking for computing and information services at Texas A&M University, Willis Marti, said increasingly complex security needs linked to proliferating viruses, patch management and other issues actually made him more likely to keep security in-house.
"The more complex the task, the more difficulty in structuring an agreement with an outside party," said Marti, who oversees a network that connects more than 60,000 users.
"Security has to be provided in the context of business operations ... There is almost no chance we'll do any outsourcing of security functions. Part of the reason is a special expertise we have, part is because I'm not aware of any really successful outsourcing, and part is the close-to-unique nature of a major university."
Last month, Credit Suisse in Zurich, Switzerland, announced that it was outsourcing security for the first time, entering into a three-year contract with Ubizen to monitor the bank's Intrusion Detection System (IDS).
"Monitoring and administering an intrusion-detection system in a complex IT environment requires specialised know-how, which must be available 24x7 and continuously updated," chief information security officer for Credit Suisse, Ralph Holbein, said. "This is very challenging as well as costly and, obviously, not a core function of a financial institution."
Holbein would not say how much Credit Suisse is saving by outsourcing its IDS monitoring, but said that having access to Ubizen's expertise would increase the quality and effectiveness of its security.
Savings come, for example, from being able to reallocate IT staff, eliminating the need to add IT staff as security needs increase.
That's what the EMI Group was looking for when it outsourced some of its security functions about a year-and-a-half ago. The music giant in New York found that as its online business grew, so too did the demands on its internal IT staff.
"We had put firewall technologies in place and we were managing them ourselves, but we weren't happy with the service level we were able to provide internally," senior director of network services at EMI, Jim Russo, said.
So the company turned its firewalls and related technology, such as intrusion detection, over to ISS.
"While we're the largest pure music company globally and operate in 50 countries, we're on a very thinly funded model," Russo said. "The ability to run true 24x7 operations with rapid response to the changing Internet environment was more than we could budgetarily design. We had to look at partners."
Director of information security at Dow Chemical, Theresa Grant, said the bottom line was that companies could expect benefits from outsourcing security because of the expertise they would gain access to, but that they had to be vigilant about how the service was delivered.
"Companies should ... consider their decision to outsource security in terms of their organisation's overall outsourcing strategy, and determine if their internal audit organisation has the tools or capacity necessary to manage the outsourcing relationship," she said.
"Companies can't take for granted the importance of monitoring activity; provisions must be made to ensure that companies get the services they are paying for."