Hydrasight research continues to indicate that the ‘appetite' for managed security services (MSS) in Asia Pacific remains moderate at best. In spite of this, we believe organisations must ensure they continue to monitor the viability of MSS providers, as larger (and more influential) vendors pay increasing attention to emerging trends such as cloud computing.

Research conducted by Hydrasight in late 2007 showed that less than 10% of respondents indicated a strong preference to use MSS for security operations in Australia and New Zealand. Looking at our results generally, it can be inferred that those who have so far chosen to adopt managed security services either wish to ‘outsource' their risk and/or are not likely to have the necessary resources to invest in security hence may find managed security services an attractive option. Similarly, the attraction of specialist/niche MSS providers can often be explained by the associated ‘economies of scale', distributed (global) reach and the ability to respond to security incidents on a ‘24 x 7' basis.

Our analysis suggests that interest in MSS, where it does exist, spans all levels of technical and business roles as well as varying industries, locations and size of organisation—excluding larger financial services firms (e.g., banks, in particular) and government. It can be presumed that these larger, often IT-intensive, organisations can afford to invest in adequate IT security and/or have complex requirements, and a greater requirement to address security directly, hence find managed security services less attractive.

At the same time, and from a market perspective, Hydrasight notes ongoing acquisition of MSS providers (e.g., CyberTrust by Verizon Business, ISS by IBM, Positini by Google, MessageLabs by Symantec). As larger vendors continue to build their cloud computing platforms, Hydrasight foresees continued investment in MSS by larger vendors in order to maintain or improve the level of (organisational) trust with cloud computing. As a result, this will create an increased need for organisations of differing sizes to ensure their sourcing strategies, and solution architectures, are prepared for increasing organisational interest/focus on IT security provided as a service at/beyond the enterprise perimeter.

Hydrasight continues to advise that organisations must ensure they consider a range of factors when evaluating managed solutions. More details can be found in our report titled "Architectural considerations for evaluating Software-as-a-Service (2008-2012)". Additionally, in the context of MSS, this must include the organisation's general approach to risk mitigation as well as its appetite for external IT security services. It should also consider the perception and level of credibility/trust that the internal IT organisation has with the business (to adequately secure the organisation's IT/information assets) relative to larger ‘specialist' security vendors.