"If you dive down a well without a rope, you may find the water you wanted, but you're not going to get out of the well without the rope," he says. "What if you have a breach and you need to leave the cloud? Can you get out if you have to?"
Insourcing Security Management
A few years ago, technology analysts were predicting unlimited growth for managed security service providers (MSSPs). Many companies then viewed security as a foreign concept, but laws such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act (affecting financial services) were forcing them to address intrusion defense, patch management, encryption and log management.
Attacks on data have increased faster than any other security exploit. The top target: databases.
How Attackers Get Your Data
File-sharing applications: 46%
Removable Media: 23%
Backup Tapes: 16%
Multiple Responses Allowed
Convinced they couldn't do it on their own, companies chose outsourcers to do it for them. Gartner estimated the MSSP market in North America alone would reach $900 million in 2004 and that it would grow another 18 percent by 2008.
Then came the economic tsunami, which appears to have cast a shadow over outsourcing plans even though security budgets are holding steady. Although 31 percent of respondents this year are relying on outsiders to help them manage day-to-day security functions, only 18 percent said they plan to make security outsourcing a priority in the next 12 months.
When it comes to specific functions, the shift has already begun. Last year, 30 percent of respondents said they were outsourcing management of application firewalls, compared to 16 percent today. Respondents cited similar reductions in outsourcing of network and end-user firewalls. Companies have also cut back on outsourcing encryption management and patch management.
At the same time, more companies are spending money on these and other security functions. Sixty-nine percent said they're budgeting for application firewalls, up slightly compared to the past two years. Meanwhile, more than half of respondents said they are investing in encryption for laptops and other computing devices.
The results surprise Lobel of PricewaterhouseCoopers. "When you think about it logically, some IT organizations have the resources and maturity to manage their operating systems and patches, but many don't," he observes. "Hopefully, the numbers simply mean IT shops have grown more mature in their security understanding."
Security Budgets Hold Stead
More companies are increasing spending than cutting it.
Direction of Spending