For years, security was an outsourcing "untouchable." No matter how much sense it made economically to outsource security activities, CIOs resisted doing so based on their concern over entrusting sensitive corporate data to outside firms.
With security-related compliance requirements increasing and hackers becoming far more sophisticated, however, more companies appear willing to outsource at least some aspects of their security programs.
Acccording to the Computing Technology Industry Association (CompTIA), a third of managed services customers plan to spend more on managed security services in 2007. An equal number plan to increase spending on storage, backup and disaster recovery.
Some 40 percent of respondents to the CompTIA survey say that a lack of in-house security expertise is driving their decision to outsource. Thirty percent say it is less expensive for them to outsource, while 21 percent say doing so allows them to focus more closely on their core business activities.
These statistics mesh nicely with ample anecdotal evidence presented in articles like this InformationWeek piece, in which a CIO says he "couldn't possibly throw enough resources at (security) internally." Another executive in the same article estimates he saves about $150,000 a year -- roughly the cost of hiring two full-time IT pros -- by outsourcing his company's firewall log analysis.
It makes particular sense to outsource security activities, which eat up the time of internal staff with little if any business payoff, says a Gartner VP in this MIS article. Thus, likely candidates for outsourcing include e-mail and spam filtering, firewall management, intrusion protection and anti-virus control.