Quality of Provider Plays Big Role in Decision to Outsource Security
We love conducting surveys at conferences. Not only do we gain insights from some of the smartest people in attendance, but we get a few extra minutes to mingle and get to know them better. At SpiceWorld in Austin last year, we sought to capture thoughts on outsourcing security. Of the attendees, 380 participated in our survey to bring us the following insights.
- How Much is Outsourced?
The first question we asked was intended to establish a baseline for how security operations programs are currently sourced.
A majority, at 60%, run security operations completely in-house. On the other side of the spectrum, a shade under 5% of participants’ companies completely outsource security operations.
The remaining participants outsource some aspects of their security operations, with most keeping the majority of functions in-house.
- Attitudes Toward Outsourcing
The question that then arises is how participants feel about outsourcing security operations as a whole.
Just over a quarter, 26%, said they believed that security should never be outsourced.
However, 41% said security operations should be outsourced as much as possible, as long as the service provider is good. Perhaps the key point here is the caveat: the quality of the service provider. Companies looking to outsource any aspect of their security operations should vet potential providers and ensure that the provider is fulfilling its part of the deal.
Gaining that assurance can take many forms. At a simple level it could be unplugging a server and waiting to see how long it takes for the provider to notice. Alternatively, the right incentives are needed—such as the vendor providing some warranty or even insurance.
We also looked into some of the drivers that lead to companies outsourcing.
The skills gap is an important discussion point. Many companies don’t have the right staff, or the right number of staff internally, to fulfill the increasing needs. According to the 2018 (ISC)² Cybersecurity Workforce Study, there is a shortage of nearly 3 million cybersecurity professionals.
Another factor could be that many security operations tools, technologies and processes have become increasingly standardized over the years. This standardization allows companies to outsource certain aspects of security operations in a relatively commoditized manner.
To get an indication of the direction the market is heading, we sought to understand budgets and future spending trends.
The majority of participants believe that the return on investment is justified when outsourcing security. This should not be surprising for most security operations tasks that have good economies of scale.
Furthermore, both in-house and outsourced security operations budgets are largely looking to increase. For in-house security operations, 33% reported a planned increase in budget over the coming year, and 25% are looking to spend more on outsourcing security operations.
In a short survey with a limited audience set, it is difficult to draw hard and definitive conclusions, but it does provide some good indicators that are worth exploring.
Compared to a few years ago, there appears to be greater acceptance and adoption of managed security partners to handle security operations. This trend looks to increase with a combination of factors, including a skills shortage, standardization of security operations technologies and processes, and an increased level of confidence in the services and monetary value offered by service providers.
Javvad Malik is a London-based IT security professional.
This guest blog is part of a Channel Futures sponsorship.