A key reason is, ironically, that big enterprises typically have dedicated IT staff to manage their security in-house, and therefore have clearly defined security policies and procedures, said Puni Rajah, vice-president of consulting at IDC Asia-Pacific.
By the same token, small companies lack both the manpower and resources, Rajah added. "Typically, there's only one person that does everything. As such, he or she may not have the time to properly document the processes."
Rajah believes that proper security processes with clear documentation not only mitigate the risks involved in going to an external party, but also enable that company to identify critical elements of its security functions that need to be managed in-house.
More importantly, IDC's early findings highlight an important point: Security outsourcing is an option that more companies are willing to consider - even conservative ones.
High-profile security breaches, increased Internet usage, a growing number of e-commerce initiatives, and more mobile and collaborative computing are all driving the change in attitudes and in the old bias.
"The results were consistent with higher general outsourcing sentiment. What this reflects is the greater comfort [that companies have] of being in control of the solution despite delegation," Rajah said.
Nevertheless, one caveat remains, said Natasha David, a senior analyst at IDC Asia-Pacific. "Outsourcing IT security is a sensitive issue and hardly the same thing as outsourcing the management of desktop PCs."
"Having the technical expertise is something that even a managed security service provider [MSSP] grapples with."
Another is the legal aspect, or the service level agreements - how are they defined when a security breach occurs? "While larger companies are more willing to seek out an MSSP, they are less inclined to do so anytime soon," David said.
Security has, traditionally, been seen as a cost, rather than an investment, said David. Until people understand security by carefully defining their processes and security procedures, she added, security services will take a few more years to take off.
According to IDC, firewall management, operating system configuration/software patch updating and intrusion detection systems are the top three functions that large organisations surveyed (with 500 or more employees) are keen to outsource.
Said David: "The first two are a fairly mature market. Intrusion detection, on the other hand, is sophisticated, but less penetrated in the security services arena. I believe that... in areas where companies are more familiar with the security solutions, there will be a higher propensity to outsource."