- Major Studies
- Advisory Reports
- Valuation Data
Companies that are using IT security service providers this year will most likely still be using them next year. Of all the organizations surveyed in our IT Security Outsourcing Trends and Customer Experience report, not a single organization plans on reducing the amount they outsource.
As shown in Figure 4 from our full report, none of the organizations using security service providers are reducing their outsourcing of this function. Nearly half, 48%, are increasing their level of outsourcing.
“IT security is always evolving, and skilled IT security professionals are hard to find these days,” said David Wagner, vice president of research for Irvine, Calif.-based Computer Economics. “With an ever-growing array of threats, including threats coming from national states, it just makes sense to get outside help.”
However, there are factors that keep this outsourcing percentage from going through the roof. One is that security is not a discrete function. It is intertwined into other functions such as the network, applications layer, and even end-user support. Organizations cannot outsource all of security to a service provider because security is a mandate of nearly every IT function. It is easy to hire someone to conduct penetration testing or employee training as an aspect of security, but if an organization outsources network security to a service provider, the in-house network staff still has to be highly skilled in security for the network to be safe. Because of its complexity, security outsourcing will always be a partnership between service providers and internal staff.
Another issue is that adoption of public cloud infrastructure and cloud-based software puts more of the security onus on the host rather than the organization. Hyperscale cloud companies have generally been found to follow stricter security protocols and provide a better security experience. As companies shift an increasing amount of their workloads to hosted systems, they shift the focus of IT security personnel.
In light of these pressures on IT security outsourcing, the full report presents data about the five-year trend in IT security outsourcing. In light of current trends, this study is designed to help IT executives compare their outsourcing activity and experience with other IT organizations. We use three metrics to measure IT security outsourcing activity: how many organizations outsource IT security (frequency), how much of the workload is typically outsourced (level), and the change in the amount of work being outsourced (trend). We also measure the cost and service experience of companies that outsource this function, and determine how outsourcing activity and experience vary by organization size and sector. We conclude with ways to capitalize on the evolving trends in IT security outsourcing.