When Blackboard went public in 2004, the change brought several new requirements: compliance with the Sarbanes-Oxley Act and the Payment Card Industry Data Security Standard, as well as external audits of its information technology security.
"We started to look at pieces of security where we could leverage economies of scale," said John Lambeth, vice president of IT and security.
By the end of the year, the online education software and service provider had outsourced its intrusion detection system (IDS), firewall management, spam filtering and ongoing penetration testing.
"We have a talented network engineering staff here that was spending quite a bit of time thinking about security," Lambeth said. "Now I'm able to utilize them on other activities that bring even better productivity to the company."
Outsourcing security is a trend sweeping through more and more businesses as the field becomes increasingly regulated, intensive and expensive. Some vendors do offer managed security services (MSS) through the channel, but most prefer to sell directly to clients, said Benjamin Jun, an advisory board member for the RSA Conference.
Direct or channel?
Most MSS providers work exclusively and directly with end users because third-party attempts to customize security services can cause compatibility problems, Jun said.
Blackboard outsources its security to a combination of vendors and the channel. For spam filtering, the company deals directly with Postini, a San Carlos, Calif.-based managed security service provider (MSSP). But for its router infrastructure, Blackboard uses Cisco products configured through a third party, Lambeth said.
"Most of these SMBs already have existing relationships [in the channel]," said David Puzas, the business line manager for enterprise services at IBM ISS.
Although larger businesses have so far been the leaders in security outsourcing, Puzas predicted that SMBs will follow suit -- providing new opportunities for the channel.
"Most of these customers are looking to the channel," he said. "You're going to see significant growth."
End users have come to rely more on security outsourcing over time, said Eric Maiwald, a senior analyst with The Burton Group, a research and advisory firm based in Midvale, Utah.
"Originally it was just things like firewalls and IDS," Maiwald said.
Now, end users like Blackboard would rather outsource the setup and maintenance of most of their security systems. It's not because of the increase in potential threats; rather, "it's driven more by pragmatic thinking," Maiwald said.
Outsourcing eliminates the need for large capital expenses, because all costs are part of a monthly or yearly contract, Maiwald said. And it frees up money for end users, who no longer have to pay high-level technical staff to monitor security around the clock, he added.
MSSPs can also notice anomalous behavior and respond more quickly, Jun said.
"You have a company whose sole job is to monitor these networks for a large number of customers," he said.
BT Counterpane, an MSSP in Mountain View, Calif., makes that one of its biggest selling points. End users that keep their security in house have a hard time retaining quality security staff because "security events don't happen all that often," COO Doug Howard said. An MSSP with hundreds of clients, on the other hand, can hold on to qualified employees because they are regularly responding to threats.
"People are buying security because they want to be secure," Howard said. "Part of our value proposition is, 'We can do it better than you can do it.'"
The cost savings of security outsourcing depend on a client's size. Returns on investments (ROI) in MSS range anywhere from 50% to 1,000%, Howard said.
"We are a minimal cost compared to trying to build it yourself," he said.
Compliance is another driving force, he added. Auditors used to only check for firewalls and IDS. Now they look for event response protocols, reports and resolutions.
SurfControl, a London-based vendor, announced this week that its new MSS area grew 40% in the last quarter, turning a profit three months earlier than expected. Those results "reflect the higher levels of market demand for Secure Content solutions delivered via an on-demand service or an appliance, as compared to licensed software," the company said in a statement.
Even vendors that are known more for their business in other areas are looking to take advantage of the trend. Earlier this month, AT&T rolled out its Web Security service to "to help remove the dependency on hardware and software while supporting a 'defense in depth' architecture with security features built into different network layers and supporting processes," according to a press release.
BT Counterpane's annual Attack Trends Report named security-service outsourcing as one of the major trends of 2006 and predicted it will continue this year and beyond. Lambeth agrees.
"I could see, down the way, us looking at managed security in particular around strong token authentication" and identity management, he said.
Let us know what you think about this story; email: Colin Steele, Features Writer.