Companies are choosing managed security service providers (MSSPs) to do more than block spam and encrypt email messages. Interest is growing in non-traditionally outsourced security technologies,
The market for security services providers grew by about 8% in 2009, despite the economic turmoil that stagnated some security budgets. And the growth is not necessarily all about cutting costs, said Khalid Kark, vice president and principal analyst at Cambridge, Mass.-based Forrester Research Inc. More important to most enterprises is 24x7 protection and increased security competency that many service providers can offer.
"Companies are finding that the frequency and sophistication of threats is out of control for them to handle internally and they're looking for service providers with competency to be able to handle that for them," Kark said. "IT organizations are getting pretty complicated and there's a certain level of complexity that an average security generalist may not be able to handle but can be better handled by a third party with more resources."
In the recent Forrester report: "Market Overview: Managed Security Services," Kark lays out ways the broad industry is shaping out and what companies should look for in a service provider. Instead of cutting costs, enterprises are trying to find ways to invest in the right priorities, Kark said. To do that, companies need to evaluate a number of different kinds of MSSPs, from telecommunications providers that bundle security with their services, to value-added resellers and system integrators that provide a mixture of services. Other firms are turning to outsourcing companies, which include IBM and Hewlett Packard Inc. and security product vendors, which include Symantec Corp., McAfee Inc. and VeriSign Inc.
Robert T. Ferrilli, president and CEO of the Ferrilli Information Group, turned over nearly all his systems to managed service providers when the company's Exchange server went down unexpectedly while he was on a business trip. The firm, which provides business applications for universities and colleges, has a team of 20 developers spread out across the United States. While Ferrilli still has some in-house security services, he uses TriCipher Inc. to provide a single sign-on for Web-based applications.
"I got tired of doing all the maintenance and upkeep," said Ferilli, who called the messaging server failure the final straw that led to moving all the company systems to cloud-based providers. "It allows me to manage my business versus having to manage an IT infrastructure."
Kark urged caution when selecting a service provider. Many firms have a suite of services and are happy to sell everything they offer, but enterprises with a solid set of priorities of what they want to gain from a MSSP will be able to better evaluate what partner is right for them, Kark said.
Enterprises will also need to start by finding a few service providers they trust and then decide whether the services and products they offer will easily integrate with company systems, Kark said. Pricing should also be a differentiator, Kark said. With plenty of competition, enterprises have room to negotiate deals with MSSPs.
Interest growing in non-traditional outsourced security technologies
Kark said the industry is undergoing a transformation. Instead of just gaining Web filtering or email protection, enterprises are seeking guidance from their MSSPs on security related issues, forcing some firms to invest in creating consulting services divisions.
According to Kark, content security in the form of email and Web content filtering still has the most market penetration, but other technologies are quickly gaining ground. Companies are outsourcing log management and event correlation and analysis services as well as distributed denial-of-service (DDoS) protection services. Threat intelligence alert services and outsourced patch management and configuration enforcement is also growing in popularity.
The growth of cloud computing, with more company data spread out beyond the company walls, has forced some firms to seek out specialized security providers. Kark said Symantec's MessageLabs, Google's Postini services and Zscaler Inc. serve a growing cloud security niche.
"A lot of the managed service providers are rebranding their services as cloud services," Kark said. Some telecommunications providers, including Verizon and AT&T may be better suited to provide DDoS protection and also are offering cloud-based IPS and IDS services.