Security Services Continue to Grow — In the Enterprise

In my last blog, I presented some data about the extremely critical but often ignored security skills shortage.  While 55% of enterprise organizations (i.e. more than 1,000 employees) plan to add information security headcount this year, 83% say it is “extremely difficult” or “somewhat difficult” to recruit and hire these folks.

So if you need help and can’t hire anyone new, what do you do?  What about turning to security service providers as an alternative? 

Good suggestion but in the past, many enterprises looked at security services as somewhat of a taboo.  After all, mission-critical applications and sensitive data are often considered the “family jewels,” so you simply couldn’t trust the security of these assets to 3rd parties. 

The long-standing aversion for 3rd party security services is officially gone for the most part.  According to ESG Research, 62% of enterprise organizations will use 3rd party professional or managed security services in 2012.  What’s more, 58% of organizations say that their use of 3rd party professional or managed security services has increased over the last 2 years.

There are a number of reasons for increasing use of security services but the skills shortage is certainly a root cause behind the change:

• 39% of enterprises are increasing the use of security services because “security service providers can perform certain tasks better than we can”
• 34% of enterprises are increasing the use of security services because “new types of threats persuaded my organization to seek outside expertise”
• 29% of enterprises are increasing the use of security services because “they don’t have a large enough staff to handle all security responsibilities”
• 26% of enterprises are increasing the use of security services because “they don’t have specific security skills in house.”
• 20% of enterprises are increasing the use of security services because “they couldn’t recruit/hire enough security expertise so they had no choice”

So clearly the security skills shortage has a silver lining for security services experts like BT, CSC, EMC/RSA, HP, IBM, Symantec, Unisys, and Verizon Business Services as well as VARS and resellers whose margin depends upon adding services value on top of product sales.  A few more thoughts here however:

1.  All security product vendors should consider building services themselves, creating new services for their channel partners, or extending partnerships with additional service providers.

2.  Security services demand will increase raising prices and prolonging schedules.  As services margins rise, CISOs must closely watch their top security talent as they will be heavily recruited by services companies with a growing number of projects in the queue. 

3.  While VCs tend to eschew services companies because of low multiples, it may be worthwhile to invest in security services in this climate.  A small high-end security services firm focused on a growth area like server virtualization or cloud security should be acquired at an attractive price in no time.