Outsourcing security functions is a viable option for enterprises, but the security service provider market "is still maturing," so users must exercise caution and perform due diligence before selecting a provider.

That was the upshot of a session presented last week by Matt Barzowskas, vice president and research analyst for the investment bank First Albany Corp. in Boston, at INT Media Group's E-Security Conference and Expo in Vienna, Va.

Barzowskas, who follows the security industry for the bank, says firewall and virtual private network services are the most mature, followed by anti-virus, intrusion detection, vulnerability assessment and content security.

In assessing whether to sign on with a particular provider, he says to examine how the company is structured and positioned for growth. Providers that plan simply to hire more employees as they take on new customers are destined for failure, because that strategy does not scale. Instead, a provider should have a "secret sauce," in practice tooling and automation, that lets one staffer monitor numerous clients at a time.

"The companies that are surviving now are those that understand the tools that are out there and how to use them effectively," Barzowskas says.

Look For Mutual ROI

Customers should also make sure that the outsourcing deal has a proven return on investment for both their own company and the provider. "If the provider's not getting a return, they won't survive," he says.

In general, mid-size companies, those with 100 to 1,000 employees and $100 million to $1 billion in annual revenue, are the ripest candidates for outsourcing security. Larger companies are more likely to perform security functions internally.

Another session at the E-Security show featured a panel discussion on the outsourcing topic that included Patrick McBride, executive vice president and chief technology officer for META Security Group, a security service provider in Herndon, Va.

"Outsourcing doesn't enable you to give up responsibility for anything," McBride cautioned. He noted that in the 1980s and '90s, many companies outsourced various IT functions and made the mistake of thinking that meant they could forget about them, leading to numerous "train wrecks."

Additionally, he notes that companies need a well-tuned incident response plan even if they outsource some security functions. "If you don't, why bother outsourcing? [The provider] is going to ring the bell at some point and you won't be able to respond."

Companies need to know what they want to outsource, why, and what they expect to get out of the arrangement, McBride says. Writing those expectations down up front gives them a baseline against which to assess whether the arrangement is working as anticipated once a few months have gone by.