Larger organizations are more comfortable outsourcing the management of their security functions, unlike their small and medium-sized counterparts, according to preliminary findings by market research firm International Data Corp. (IDC).
A key reason is, ironically, that big enterprises typically have dedicated IT staff to manage their security in-house, and therefore have clearly defined security policies and procedures, said Puni Rajah, vice president of consulting, IDC Asia-Pacific.
By the same token, small companies lack both the manpower and resources, Rajah added. "Typically, there's only one person that does everything. As such, he or she may not have the time to properly document the processes."
She believes that by having proper security processes with clear documentation, an enterprise can not only mitigate the risks involved in going to an external party, but also identify the critical elements of its security functions that need to be managed in-house.
More importantly, IDC's early findings highlight an important point: Security outsourcing is an option that more companies are willing to consider -- even conservative ones.
High-profile security breaches, increased Internet usage, the increased number of e-commerce initiatives undertaken, and increased mobile and collaborative computing are the business factors driving the change in attitude and old bias.
"The results we had were consistent with higher general outsourcing sentiment," Rajah said.
"What this reflects is the greater comfort (that companies have) of being in control of the solution despite delegation."
Nevertheless, one caveat remains, said Natasha David, a senior analyst at IDC Asia-Pacific. "Outsourcing IT security is a sensitive issue, and hardly the same thing as outsourcing the management of desktop PCs."
"Having the technical expertise is something that even a managed security service provider (MSSP) grapples with."
Another is the legal aspect, or the service level agreements -- how are they defined when a security breach occurs? "So while larger companies are more willing to seek out an MSSP, they are less inclined to do so anytime soon," David pointed out.
Security has, traditionally, been seen as a cost, rather than an investment, said David. "It is much of the same way that businesses view insurance," she said. Until people truly understand security, by carefully defining their processes and security procedures, security services will take a few more years to take off, she added.
According to IDC, firewall management, operating system configuration/software patch updating and intrusion detection systems are the top three functions that large organizations surveyed (those with 500 or more employees) are keen to outsource.
Said David: "The first two are a fairly mature market. Intrusion detection, on the other hand, is sophisticated, but less penetrated in the security services arena. I believe that ... in areas where companies are more familiar with the security solutions, there will be a higher propensity to outsource."