Security outsourcing on the rise

Security services offerings growing steadily as companies get comfortable with outsider management

As one of the world's largest outsourcing providers Wipro Technologies is ramping up its security services business in a big way.

While the massive Indian company has had a security practice in place since 1998, Wipro staff say that the group has seen dramatic expansion over several years as customers warm to the idea of offloading IT systems protection to external specialists.

With five individual areas of business, nearly 1500 workers, 170 customers, and a claimed internal growth rate of 100 per cent per year, the Bangalore-based outsourcer contends that the time for security outsourcing take off has already arrived.

Faced with an ever-changing IT threat landscape and increasing pressure in the form of compliance mandates, businesses worldwide are getting over their fear of leaving security in someone else's hands and choosing outsourcing as a means to solve their problems, Wipro executives said.

"Attacks are getting more sophisticated, data leakage has become a huge concern, and customers understand that constantly implementing new policies and technologies has become a challenging task," said Prasenjit Saha, global head for security services at Wipro.

"We're working with customers to build the comfort factor, and most often, the projects start small, but as customers see what we can deliver and we build confidence under the co-managed model, we're slowly taking over more work," he said.

Since security budgets began rising in 2003, Saha claims that Wipro's services unit has flourished. Among the areas of rapid growth for the firm are such projects as access management, security event management, data monitoring, and compliance automation.

And while pricing has admittedly driven much of the growth of Wipro's business thus far, the executive said that his company is now winning deals based on its level of expertise.

"I have feeling that going forward, if we are focused and can provide good solutions that meet requirements, customers will increasingly look at outsourcing," Saha said. "It will be a cycle, but these deals won't always be driven by cost-savings, they will also be driven by our ability to outperform internal security."

By expanding its footprint slowly within customers over time, the executive contends that any negative perceptions of security outsourcing are being rapidly conquered.

"If you look at the positioning we're taking with customers, our objective is to work as strategic security partner and provide integrated solutions and services; some people feel it is a risk to outsource security, but those who have made the leap see the efficiency, and they're expanding their projects," Saha said.

Industry watchers agree that the security outsourcing space is moving fast.

Analysts with market research firm Gartner are charting growth of the sector at just under 20 per cent per year in 2007 and say that there will likely be continued growth as the practice of outsourcing security becomes more widely accepted.

While he believes that Wipro and other providers of broad infrastructure-outsourcing services are still lagging behind security specialists like Symantec, IBM, ISS, and VeriSign in terms of recruiting customers in North America, Gartner Analyst John Pescatore said that the model was becoming increasingly popular.

"Outsourcing is growing in general, and some companies are finding that if they can offload some routine tasks like firewall management and handling of intrusion detection alerts, they can spend more time reacting to emerging business needs," said Pescatore.

"Some security groups are being forced to do it by management, and these are the ones that will likely always hate the idea, but those who are doing it by choice are giving the model mostly positive grades," the analyst said.

SMB stake to security outsourcing

Beyond the enterprise, Pescatore predicts that security outsourcing is attracting SMBs struggling to deal with work like compliance automation that typically demands heavy investment and expansion of IT staffing.

Large systems integrators, such as Computer Sciences, IBM, Unisys, and Wipro, will most likely win security deals as portions of larger outsourcing projects, but pure-play security companies like Symantec and carriers like AT&T should also be able to grow their lists of customers, according to the analyst.

Speaking at the IDC Security Forum in New York, Edward Amoroso, chief security officer for AT&T's services division, predicted that enterprises would adopt more "virtual" security capabilities from their carriers and ISPs in coming years.

The executive said carriers were best positioned to battle problems like botnets, spam, and denial-of-service attacks.

"When you look at what needs to be done for perimeter security, we're in the best place to provide that," Amoroso said. "We can't address something like the insider threat but , instead of putting security technologies in place at the pipe, we and other carriers can virtualise those services into the pipe itself."

Among technology providers, some say the prospect of selling products to outsourcing companies appeals to customers as much as marketing tools do, perhaps even more so.

Officials with data leakage prevention specialist Tablus, one of Wipro's 39 official security partners, said the outsourcing channel represented an opportunity for growing its own businesses.

"There are obvious benefits for customers to lean on experts who spend their lives focused on security. With the complexity of threats, networks, growth via mergers, and the pull on internal resources, there are a lot of macro forces driving interest in security outsourcing," said Anne Bonaparte, Tablus' chief executive.

"As a relatively small player, working with outsourcers is central to our growth; some customers may still not get it, but those who are more enlightened understand the benefits and we think others will follow."

Yet some enterprises already dipping their toes into security outsourcing warn that, while there are obvious advantages of lowered expense and staffing demands, customers must be careful how they approach the process.

Also speaking at the IDC conference on Wednesday was Lynda Fleury, chief information security officer for Unum, a massive financial services provider based in Tennessee.

Fleury said her company had mixed results with its security outsourcing efforts and she cautioned that partners must be handled exactly and that customers must monitor their service providers.

Unum had decided to bring some tasks back in-house.

"You have to make sure that every 'i' is dotted when it comes to service-level objectives. We found in some cases that we had no sight into what the service provider was doing," said Fleury.

After outsourcing its network access management tasks to a service provider, Unum found that the company wasn't sufficiently policing the number of administrative accounts added to the system and that the people hired were more interested in sticking to the wording of their contracts than helping the firm build comprehensive protection.

"We ended up with nothing more than paper-pushers who eventually told us that they were being told not to challenge access credential requests," the CISO said. "So, it's pretty clear that you need to be careful"