Security outsourcing on the rise

As companies get more comfortable with outsiders managing security, the amount of security services being outsourced is growing steadily

As one of the world's largest outsourcing providers, Wipro Technologies is ramping up its security services business in a big way.

While the massive Indian company has had a security practice in place since 1998, Wipro officials say that the group has seen dramatic expansion over the last several years as customers gradually warm to the idea of offloading IT systems protection to external specialists.

With five individual areas of business, nearly 1,500 workers, 170 customers, and a claimed internal growth rate of 100 percent per year, the Bangalore-based outsourcer contends that the time for security outsourcing to take off has already arrived.

Faced with an ever-changing IT threat landscape and increasing pressure in the form of compliance mandates, businesses worldwide are getting over their fear of leaving security in someone else's hands and choosing outsourcing as a means to solve their problems, Wipro executives said.

"Attacks are getting more sophisticated, data leakage has become a huge concern, and customers understand that constantly implementing new policies and technologies has become a challenging task," said Prasenjit Saha, global head for security services at Wipro.

"We're working with customers to build the comfort factor, and most often, the projects start small, but as customers see what we can deliver and we build confidence under the comanaged model, we're slowly taking over more work," he said.

Since security budgets began rising in 2003, Saha claims that Wipro's services unit has flourished. Among the areas of rapid growth for the firm are such projects as access management, security event management, data monitoring, and compliance automation.

While pricing has admittedly driven much of the growth of Wipro's business thus far, the executive said that his company is now winning deals based on its level of expertise.

"I have feeling that going forward, if we are focused and can provide good solutions that meet requirements, customers will increasingly look at outsourcing," Saha said. "It will be a cycle, but these deals won't always be driven by cost-savings, they will also be driven by our ability to outperform internal security."

By expanding its footprint slowly within customers over time, the executive contends that any negative perceptions of security outsourcing are being rapidly conquered.

"If you look at the positioning we're taking with customers, our objective is to work as strategic security partner and provide integrated solutions and services; some people feel it is a risk to outsource security, but those who have made the leap see the efficiency, and they're expanding their projects," Saha said.

Industry watchers agree that the security outsourcing space is moving fast.

Analysts with market research firm Gartner are charting growth of the sector at just under 20 percent per year in 2007 and say that there will likely be continued growth as the practice of outsourcing security becomes more widely accepted.

Though he believes that Wipro and other providers of broad infrastructure-outsourcing services are still lagging behind security specialists such as Symantec, IBM-ISS, and VeriSign in terms of recruiting customers in North America, Gartner analyst John Pescatore said that the model is becoming increasingly popular.

"Outsourcing is growing in general, and some companies are finding that if they can offload some routine tasks like firewall management and handling of intrusion detection alerts, they can spend more time reacting to emerging business needs," said Pescatore.

"Some security groups are being forced to do it by management, and these are the ones that will likely always hate the idea, but those who are doing it by choice are giving the model mostly positive grades," the analyst said.

SMBs take to security outsourcing

Beyond the enterprise, Pescatore predicts that security outsourcing is quickly becoming attractive to SMBs that are struggling to deal with work such as compliance automation, which typically demands heavy investment and expansion of IT staffing.

Large systems integrators, such as Computer Sciences, IBM, Unisys, and Wipro, will most likely win security deals as portions of larger outsourcing projects, but pure-play security companies such as Symantec and carriers such as AT&T should also be able to grow their lists of customers, according to the analyst.

Speaking at the IDC Security Forum in New York on Wednesday, Edward Amoroso, chief security officer for AT&T's services division, predicted that enterprises will begin adopting more "virtual" security capabilities from their carriers and ISPs in the coming years.

The executive specifically said that carriers are better positioned than anyone else to do battle with problems such as botnets, spam, and DoS attacks.

"Our feeling is that when you look at what needs to be done for perimeter security, we're in the best place to provide that," Amoroso said. "We can't address something like the insider threat, but instead of putting security technologies in place at the pipe, we and other carriers can virtualize those services into the pipe itself."

Among technology providers, some say the prospect of selling products to outsourcing companies is as attractive as marketing tools to customers themselves, and perhaps even more so.

Officials with data leakage prevention specialist Tablus, one of Wipro's 39 official security partners, said that the outsourcing channel represents a significant opportunity for growing its own business in the coming years.

"There are obvious benefits for customers to lean on experts who spend their lives focused on security. With the complexity of threats, networks, growth via mergers, and the pull on internal resources, there are a lot of macro forces driving interest in security outsourcing," said Anne Bonaparte, Tablus' chief executive. "As a relatively small player, working with outsourcers is very central to our growth; some customers may still not get it, but those who are more enlightened understand the benefits, and we think others will follow."

In the face of such heady enthusiasm, some enterprises that are already dipping their toes into security outsourcing warn that while there are obvious advantages of lowered expense and staffing demands, customers must be careful how they approach the process.

Also speaking at the IDC conference on Wednesday was Lynda Fleury, chief information security officer for Unum, a massive financial services provider based in Chattanooga, Tenn.

Fleury said that her company has had mixed results with its security outsourcing efforts thus far, and she cautioned that the process of handling partners must be exacting and that customers must actively monitor the service providers they choose to work with. 

As a result of its experiences, Unum has decided to bring some tasks it previously outsourced back in-house.

"You have to make sure that every I is dotted when it comes to service-level objectives. We found in some cases that we had no sight into what the service provider was doing," said Fleury.

After outsourcing its network access management tasks to a service provider, Unum found that the company wasn't sufficiently policing the number of administrative accounts that were added to the system and that the people hired to do the job were more interested in sticking to the wording of their contract than helping the firm build comprehensive protection.

"We ended up with nothing more than paper-pushers who eventually told us that they were being told not to challenge access credential requests," the CISO said, "so it's pretty clear that you need to be careful."