Despite the hesitation to outsource, analysts claim that companies will eventually join the fold and let third parties manage mostif not allof their security functions. "In 20 years, everything will be outsourced. It will be like electricity," says Bruce Schneier, security expert and founder of Counterpane Internet Security Inc., a consulting firm that offers hosted security software.
We've heard these claims before, however. In early 2003, Gartner estimated that by 2005, 60 percent of enterprises would have outsourced the monitoring of at least one network boundary security technology. But this, like so many other analyst predictions, has not proved prescient.
"It hasn't grown at the rate the venture capitalists were hoping," admits Gartner's Pescatore.
What outsourced security has going for it though is that security services are starting to be offered as part of a package from existing outsourcers.
Even telecommunications providers are tacking on new security features to their services. These services free companies from the burden of maintaining their own equipment; rather, network traffic will be scrubbed of viruses, denial-of-service attacks, spam and other threats before they ever reach your firewall. And because the companies offering these services have many customers, "they will be most aware of what the threats are," says Axelrod. AT&T Corp., MCI Inc. and Sprint Corp. are beginning to offer such cleansing services.
If the security outsourcing market ever does start to pick up momentum, it won't be the first time. "People outsource security all the time," notes Schneier. "We all use fire departments, we don't hire our own private police force or go around with shotguns dispensing our own justice. How much would it cost you to fully stock your own fire department? When you think about it like that, the economics start to make more sense."