According to the Yankee Group, businesses will hand over security -- initially for perimeter defenses but eventually for inside-the-firewall protection -- to managed security service providers (MSSPs) to the tune of $3.7 billion by 2008, a jump from 2004's estimated $2.4 billion.
"Enterprises are outsourcing more technology in general," said Matthew Kovar, a vice president with Yankee's security solutions group. "But we'll see a lot more in the security space. Enterprises know what they have to do, but more of them will see that [security] isn't a core competency," he added, and will hand the reins to an MSSP.
Security outsourcing will prove attractive, said Kovar, for reasons other than the cost-savings typically cited by firms farming out business processes. Among the drivers toward managed services are the accelerated attacks of today's threats -- giving enterprises virtually no time to put up defenses on their own before an attack infiltrates a network -- legislative requirements such as HIPAA and Sarbanes-Oxley, and the trend toward pushing out the network perimeter to include partners and remote workers.
"The well-defined perimeter just doesn't exist anymore," said Kovar.
These, and other factors, are outpacing the average enterprise's ability to keep up with the latest counter-measures and techniques to thwart attacks, said Kovar in his report. At the same time, security is moving from the network perimeter to protecting critical network links, key servers, databases, and end-user desktops, in part because of worms that other exploits that managed to sneak through the perimeter on laptops or through remote sessions.
While managed services biggest number of customers are currently those subscribing to anti-spam services, managed firewalls aren't far behind, said Kovar. And as the trend continues, other security defenses now solved by hardware -- such as intrusion detection and intrusion prevention -- will also be shipped out for others to handle.
"One of the easiest managed services to see success is e-mail anti-spam services," said Kovar. "People saw the pain and saw that they needed to outsource the solution."
Companies such as Brightmail and MessageLabs have capitalized on the anti-spam managed approach, grabbing part of the $140 million business that Kovar said "cropped up almost overnight."
The outsourcing of security will follow other IT outsourcing trends by going offshore, said Kovar, who expects that "security will be the next to go to Ireland, India, and beyond." Services such as application code review, he said, simply can't be done cost effectively in North America.
The vendors that Yankee Group sees in the top tier include TruSecure and Symantec, with Unisys, NETSEC, Solutionary, Internet Security Systems, and RedSiren close on their heels. Notable by its absence, said Kovar, is McAfee. "That would concern me if I was an enterprise investing in their technologies."
In the end, the winners will be the vendors with the best security gurus, or as Kovar put it, "the best knowledge gatherers. The real intellectual property for security is in advanced algorithms, intelligence, and the ability to rapidly deploy new security countermeasures in real time to a large installed base of enterprise customers and their global networks."