We love conducting surveys at conferences. Not only do we gain insights from some of the smartest people in attendance, but we get a few extra minutes to mingle and get to know them better.
So, while we were at SpiceWorld in Austin this year, we sought to capture thoughts on outsourcing security. Of the attendees, 380 participated in our survey to bring us the following insights.
How Much is Outsourced?
The first question was to establish a baseline as to how current security operations programs are currently sourced.
A majority, at 60 percent, run security operations completely in-house. On the other side of the spectrum, a shade under 5 percent of participants’ companies completely outsource security operations.
The remaining participants outsource some aspects of their security operations with most keeping the majority of functions in-house.
Attitudes Towards Outsourcing
The question that then arises is how participants felt about outsourcing security operations as a whole.
Just over a quarter, 26 percent, believed that security should never be outsourced.
However, 41 percent believed that security operations should be outsourced as much as possible, as long as the service provider is good. Perhaps the key point here is the caveat being the quality of the service provider. Companies looking to outsource any aspect of its security operations should vet potential providers and assured that the provider is fulfilling its part of the deal.
Gaining that assurance can take many forms. At a simple level it could be unplugging a server and waiting to see how long it takes for the provider to notice. Alternatively, at the risk of sounding like Jeremiah Grossman, the right incentives are needed here. Be that in the form of the vendor providing some warranty, or even insurance.
Another aspect which we did not go into were some of the drivers that lead to companies outsourcing.
The skills gap is an important discussion point. Many companies don’t have the right staff, or the right number of staff internally to fulfill the increasing needs. According to the 2018 (ISC)2 Cybersecurity Workforce Study, there is a shortage of nearly 3 million cybersecurity professionals.
Another factor could be that many security operations tools, technologies, and processes have become increasingly standardised over the years. This standardisation allows companies to outsource certain aspects of security operations in a relatively commoditised manner.
In an attempt to get an indication as to the direction the market is heading, we sought to understand budgets and future spending trends.
The majority of participants believe that the return on investment is justified when outsourcing security. This should not be surprising for most security operations tasks that have good economies of scale.
Furthermore, both in-house and outsourced security operations budgets are largely looking to increase. For in house-security operations, 33 percent reported a planned increase in budget over the coming year, and 25 percent are looking to spend more on outsourcing security operations.
In a short survey with a limited audience set, it is difficult to draw hard and definitive conclusions, but it does provide some good indicators that are worth exploring.
Compared to a few years ago, there appears to be greater acceptance and adoption of managed security partners to handle security operations. This trend looks to increase with a combination of factors including a skills shortage, standardisation of security operations technologies and processes, and an increased level of confidence in the services and monetary value offered by service providers.