Security outsourcing on the rise as CISOs seek cyber relief

Security software and services spending is growing faster than staffing budgets, recasting security leaders in the role of quantity surveyors rather than builders of enterprise security.

Gartner predicts that security services spending will increase 15.8% to reach $86.1 billion next year. The long-running global skills shortage in the cybersecurity industry is pushing investment towards security services, reshaping how enterprises approach the challenge of securing their infrastructures.

CISOs are turning to managed security services to take advantage of seasoned practitioners that they would struggle to hire and retain internally.

Hiring freezes and fewer promotions are becoming more commonplace despite an increase in spending on security software and service that is expected to continue for at least the next few years.

IDC predicts a global five-year CAGR of 12.2% for 2023-28 for managed security services.

Craig Robinson, research vice president of security services at IDC, told CSO that more enterprises are outsourcing security services partly because infrastructures have become more hybrid and more reliant on the cloud, particularly since the COVID-19 pandemic.

“The existing tools enterprises have had have become insufficient because of the increased attack surface that has come from the migration of more IT functions to the cloud,” Robinson said. “Companies are faced with too many alerts so taking advantage of outsourced technologies to handle functions such as managed detection and response [MDR] suddenly starts to make a lot of sense.”

Foundry’s 2024 Security Priorities Study offers a rundown of top IT security functions CISO are outsourcing to managed service providers over the next 12 months, with threat detection and response (24%), security awareness training (23%), and security operations (23%) leading the way, followed by threat intelligence (22%), vulnerability assessment (22%), and backup and recovery (22%).

Foundry / CSO

In the survey, 82% of those quizzed said they would outsource security functions to a managed security services provider or other third-party in the next 12 months.

Outsourcing security technologies such as extended detection and response (XDR) and security information and event management (SIEM) offers companies the “biggest bang for their buck” and are particularly popular, IDC’s Robinson said. Other sweet spots for managed security services include governance, risk management, and compliance (GRC), firewall, and managed digital identities, according to Robinson, who added that relying on managed security services makes it much easier to achieve around-the-clock coverage.

“CISOs are being asked to prune back internal operating expenses while still securing increasingly complex infrastructures,” according to Robinson. “Relying on greater automation and taking advantage of managed security services makes it easier to get the most efficient use of in-house staff.”

Navigating an evolving threat landscape

“Outsourcing security services has become a crucial strategy for many CISOs facing an increasingly sophisticated and rapidly evolving threat landscape,” according to Forrester senior analyst Madelein van der Hout.

With the added pressures of regulatory compliance, developing and executing security strategies, and managing boardroom expectations, CISOs are often stretched thin.

Budget pressure due to current macroeconomic conditions and the persistent talent shortage further complicate the ability of CISOs to maintain their in-house capabilities. As a result, many CISOs are turning to external security providers in order to bridge the gaps.

Advantages of outsourcing

According to a recent security survey by Forrester, 36% of C-level or senior decision-makers leverage outsourcing to alleviate staffing pressures, while 35% prioritize the specialized skills and improved quality of protection that external partners provide.

Speed of implementation (31%) and regulatory demands (30%) are also significant drivers, according to Forrester.

“One key advantage of outsourcing is the ability to dynamically adjust the talent and skillsets required throughout different phases of a project — something that’s more difficult and expensive to achieve in-house,” van der Hout explained.

Another advantage of outsourcing is that 24×7 coverage becomes more accessible and cost-effective through outsourcing — factors that help CISOs reduce complexity and manage costs. Because many other IT functions are already outsourced, it makes sense for organizations to extend this approach to security services, so there is less corporate pushback against the potential risks of trusting a third party to deliver mission-critical services.

Forrester’s latest cybersecurity benchmarks survey found cybersecurity budgets split along the following lines: software, 35.9%; personnel, 28.3%; outsourcing, 18.1%; and hardware, 17.7%.

Outsourcing spending — which includes true outsourcing/offshoring, managed security services, cybersecurity consulting, and managed detection and response services — ranges from 8% to 34% of budgets, with smaller businesses spending proportionately more than larger enterprises.