Yankee Group Says Security Outsourcing Set to Explode

Managed security service providers to dominate security market by 2010

A paradigm shift—for IT networks and network security—is underway, reports the Yankee Group. Organizations are increasingly viewing the corporate network less as an entity unto itself and more as a means to an end for employees. As a result, expect approaches to information security to change, too.

In other words, administrators must ask how users can accomplish their necessary communications tasks quickly, easily, and securely.

To answer that question, and comply with such regulations as the Health Insurance Portability and Accountability Act, Sarbanes-Oxley, and Basel II, organizations are increasingly turning to outsourcing. As a result, Yankee Group predicts 90 percent of security will be outsourced by 2010.

Pivotal to that growth are managed security service providers (MSSPs), companies that are increasingly becoming a one-stop shop, especially where connectivity meets security and particularly for MSSPs in the carrier infrastructure (telephony or packet-based networks) market. The market for carrier-based managed security services was about $150 million in 2003, and is expected to hit $570 million by 2008.

New investments in core Internet protocol (IP) networks will help lay the groundwork for offering one-stop security. According to Infonetics Research, after neglecting their IP networks for years, service providers recently began snapping up routers and switches. Such sales, predicts Infonetics, will continue to grow 15 percent annually, to $8.5 billion in 2007. The firm says such purchases reflect renewed interest by service providers in revamping and maintaining their IP networks; the increasing importance of Voice over IP (VoIP) in both the consumer and business markets may be a driver. As a result of the investments, carriers will increasingly be able to offer clients the advantages of converged networks.

With convergence will come bundled, managed-security services, and especially carrier-based managed services, says the Yankee Group. For example, as companies aggregate “frame relay, ATM, private IP, [and] public Internet,” they’ll be able to offer companies security services regardless of whether the security is to be applied to e-mail, VoIP, or other packet-based services.

For example, a company could contract for one-stop connectivity to the public Internet, including VoIP, secure it all, and add more-secure connectivity—perhaps via IPSec VPNs—where necessary.

The Lucent Softswitch is one current switch able to handle both data and voice services provisioning. “This platform also could be used to provision security services on demand,” notes Yankee. Besides Lucent, other companies that were early to the carrier space market include Cisco, Contivity, Juniper (via its NetScreen acquisition), and Nortel.

New, next-generation security switch vendors have also hit the market. They include CloudShield, Crossbeam, and iPolicy. Today’s SSL-based VPN providers can also handle aspects of perimeter security. Such vendors include Aventail, Cisco, F5, NetScaler, NetScreen (acquired by Neoteris), and Nokia. Some long-time managed service providers also offer managed firewalls or IPSec VPNs. They include AT&T, Qwest, and Sprint.

Many organizations already outsource aspects of their information security, at least when it comes to their firewalls, antivirus, anti-spam, or general perimeter security. Starting in 2005, however, Yankee Group predicts organizations will increasingly opt for bundled outsourcing services, ultimately saving themselves time and money.

Today most organizations choose best-of-breed, or “autonomous,” security solutions for their firewalls, intrusion detection and prevention, antivirus, anti-spam, and vulnerability scanning tools. Yet “by 2005, enterprises will no longer purchase autonomous security solutions,” predicts Yankee. “Rather, enterprise security requirements will dictate the purchase of comprehensive security risk management (SRM) solutions.”

Astute marketing will also help drive the overall outsourcing market. Since initial, executive-driven programs were termed “vulnerability management” initiatives, says Yankee, vulnerability-scanning vendors and services providers renamed their products as “vulnerability management services.”

In this case, however, marketing may actually equal reality. “Managed security service providers are merely naming the services to align with what executives are trying to do. It was pure happenstance that the product name matched enterprise need,” says Matthew Kovar, the vice president of security solutions and services at the Yankee Group.

With those enterprise needs being addressed, Kovar predicts the MSSP market will grow from $2.3 billion in annual revenues this year to $3.7 billion by 2010.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.