Security as a service
By Ken Anderberg
Publisher/Editor
Communications News
One of the interesting takeaways from the bustling RSA Conference last month was the plethora of companies offering managed security services. I talked with at least seven companies at the San Francisco event that provide such services, which equates to about one-fourth of the vendors I met with. But are their customers ready to hand over their network security oversight?
I asked that question repeatedly at RSA and received the predictable responses. Security as a service unburdens IT departments and lowers costs, vendors said–almost as if they had rehearsed their lines together before arriving at the show. Both of those benefits are most likely true, generally speaking, but I am not convinced that IT departments are comfortable with handing over the reins of this job responsibility just yet.
In our recently completed Subscriber Profile Survey, only 11 percent of respondents said they plan to purchase any managed services this year, with a smaller percentage than that presumably in the market for managed security services. (The survey did not ask specifically about managed security services.) In contrast, 39 percent of those polled plan to buy security hardware or software in 2008.
According to an annual survey by the Computer Security Institute, security outsourcing has not shown any increase in interest in the last three years. Only 2 percent of the 479 security professionals surveyed said their organizations outsourced at least 81 percent of their security functions–61 percent said none of those functions were outsourced.
Security as a service has some attraction, given the fast pace of change in technologies and the shortage of experienced security staff many organizations are dealing with. Theoretically, a service provider will have the necessary trained staff and will keep its hardware and software up to date. But will that service provider feel the urgency to fix problems that the customer experiences when there is a security problem? Will that outsourcer really understand the customer’s pain? And who gets blamed if something goes wrong?
Many of today’s security tasks do lend themselves to a services approach–patch and vulnerability management and antivirus support come to mind–but for many tasks, most IT organizations still prefer to have control. And today’s security monitoring tools often make managing security functions less daunting to IT staffs, many of whom contend they still have to monitor the service provider anyway. So why not just handle security themselves?
For many of the vendors at RSA I talked with, the small and midsize enterprise market is the sweet spot for managed security services. That makes sense, as those organizations are more likely to have staffing and budget restraints that would lead them to use managed services. Those smaller enterprises, however, may also need more education to convince them that a security service is secure.
That is where the vendors will have to step up. They will need to venture out of their vertically oriented editorial and marketing comfort zone and get their messages to a more horizontal audience of enterprise IT professionals and operations management. Preaching to the “security professionals choir” is not enough.
Reprinted with full permission of Communications News Magazine www.comnews.com