To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39124203,00.htm

What is the future of your security?
In-house or outsourced?

By Will Sturgeon

Published: Wednesday 22 September 2004

Managed security services are set to take off as the viable protection of choice for companies, large and small, according to analysts and industry figures speaking at this week's Gartner IT Security Summit 2004.

A market valued at $548m in 2002 will almost treble by 2007 – hitting $1.4bn, according to figures from the analyst house.

Khalda Parveen, research analyst at Gartner, told the conference the managed security service model removes a great many headaches for companies, from budgeting and staffing the security effort to the daily fire-fighting of ensuring the system is protected.

Many have claimed it is a far more robust, 24/7 model - especially in smaller companies where it is not always possible to effectively resource dedicated security staff within the IT department. Others are simply calling it a "no brainer".

Parveen said: "Attacks don't just happen in business hours. If an attack happens on a Saturday morning can you really wait until Monday morning before you even start dealing with it."

While to some that may sound like a sweeping generalisation, there are others who are aware that an on-call security team is a luxury many smaller firms in particular cannot afford.

According to Parveen, cost savings are likely to be the biggest driver. Engineering firm Smiths Group claims to have reduced its outlay by three-quarters, from $1m per year to £250,000, by outsourcing its IT security. Such dramatic bites out of the running costs are still likely to take precedent over expertise and intelligence, though a combination of the three, managed within "an acceptable level of risk" is the ideal scenario for companies looking to explore this model, Parveen said.

According to Eldar Tuvey, a director at managed web antivirus firm ScanSafe, the biggest selling point his clients go for is the ability to go back to running their business. The costs associated with freeing up staff from the daily management of its IT security cannot be quantified in monetary terms as clearly as the saving off the bottom line at Smiths Group, but Tuvey claims it is an invaluable boost to the business.

Typically the firms who are likeliest to pick up such managed services contracts are those who have an existing relationship with the companies putting IT security out to tender.

"Security is a sensitive issue," said Gartner's Parveen. "Organisations will select somebody they trust and that is likely to be a company they have worked with in the past."

In the case of ScanSafe, which is part-owned by managed email security firm MessageLabs, the sale is made far easier by the fact its customers, generally through their association with MessageLabs, have already bought into the managed services model.

However, Tuvey conceded that companies approaching customers cold with the idea may come up against a reticence to hand over control of their IT security.

And not everybody is convinced. Given the sensitivity of security issues, some companies are not prepared to consider handing over the "keys to the kingdom" just yet.

Richard Cross, information management officer at Toyota, said: "We don't like the idea of outsourcing our security. We have a very mature business and we like to keep everything in-house."