Large systems integrators, such as Computer Sciences, IBM, Unisys, and Wipro, will most likely win security deals as portions of larger outsourcing projects, but pure-play security companies such as Symantec and carriers such as AT&T should also be able to grow their lists of customers, according to the analyst.

Speaking at the IDC Security Forum in New York on Wednesday, Edward Amoroso, chief security officer for AT&T's services division, predicted that enterprises will begin adopting more "virtual" security capabilities from their carriers and ISPs in the coming years.

The executive specifically said that carriers are better positioned than anyone else to do battle with problems such as botnets, spam, and DoS attacks.

"Our feeling is that when you look at what needs to be done for perimeter security, we're in the best place to provide that," Amoroso said. "We can't address something like the insider threat, but instead of putting security technologies in place at the pipe, we and other carriers can virtualize those services into the pipe itself."

Among technology providers, some say the prospect of selling products to outsourcing companies is as attractive as marketing tools to customers themselves, and perhaps even more so.

Officials with data leakage prevention specialist Tablus, one of Wipro's 39 official security partners, said that the outsourcing channel represents a significant opportunity for growing its own businesses in the coming years.

"There are obvious benefits for customers to lean on experts who spend their lives focused on security. With the complexity of threats, networks, growth via mergers, and the pull on internal resources, there are a lot of macro forces driving interest in security outsourcing," said Anne Bonaparte, Tablus' chief executive. "As a relatively small player, working with outsourcers is very central to our growth; some customers may still not get it, but those who are more enlightened understand the benefits, and we think others will follow."

In the face of such heady enthusiasm, some enterprises who are already dipping their toes into security outsourcing warn that while there are obvious advantages of lowered expense and staffing demands, customers must be careful how they approach the process.

Also speaking at the IDC conference on Wednesday was Lynda Fleury, chief information security officer for Unum, a massive financial services provider based in Chattanooga, Tenn.

Fleury said that her company has had mixed results with its security outsourcing efforts thus far, and she cautioned that the process of handling partners must be exacting and that customers must actively monitor the service providers they choose to work with. 

As a result of its experiences, Unum has decided to bring some tasks it previously outsourced back in-house.

"You have to make sure that every I is dotted when it comes to service-level objectives. We found in some cases that we had no sight into what the service provider was doing," said Fleury.

After outsourcing its network access management tasks to a service provider, Unum found that the company wasn't sufficiently policing the number of administrative accounts that were added to the system and that the people hired to do the job were more interested in sticking to wording of their contract than helping the firm build comprehensive protection.

"We ended up with nothing more than paper-pushers who eventually told us that they were being told not to challenge access credential requests," the CISO said, "so it's pretty clear that you need to be careful."