Security outsourcing is now the fastest-growing segment of IT security budgets, according to a Forrester Research report. Although IT security spending was relatively flat in 2009, investments in managed security service providers (MSSPs) grew by roughly 8 percent.
Reasons include pressures in staffing and expertise, an ever-shifting threat landscape, and a growing compliance burden. Service providers are also broadening their offerings and sometimes providing valuable advisory services.
MSSPs have traditionally helped companies in areas such as network firewall monitoring and e-mail and Web filtering. Such services are still among the most prevalent, according to Forrester, but providers are now offering assistance with more holistic security needs such as log management and event monitoring. Organizations’ technology and processes churn out large amounts of data, says Forrester; some MSSPs can sift through it and even present findings in a neat dashboard.
A growing percentage of attacks are also targeting applications as opposed to network infrastructure. MSSPs can provide managed application firewalls and application security scanning and penetration testing.
MSSPs are also helping companies take a more risk-based approach to security. Rather than helping with one or more regulations, they are increasingly helping clients make decisions based on a standard or risk-based framework, according to Forrester. Some MSSPs are also providing metrics in areas such as efficiency and return on investment. Companies are also turning to MSSPs because of the 24 x 7 support.
Conducting adequate due diligence is important before hiring a service provider, says Forrester. Companies should understand MSSPs’ strengths and weaknesses and also speak to customer references. Organizations should also continue to make key policy and strategy decisions themselves. MSSPs can provide “the bare minimum, but you still need to understand your environment and what it requires.”