Security demands for online applications such as e-commerce and Web services are prompting more corporate customers to hand off security functions - such as intrusion detection and firewalls - to outside service providers.

Users are finding that third-party security service providers can also help augment an internal security strategy by preparing reports required by many new government regulations.

As a result, the trend toward outsourcing security functions, which peaked during the Internet boom, is slowly angling upward again as companies discover that handing off routine security activities enables them to focus internal security expertise in more critical areas. However, hurdles remain, and many companies still prefer to keep such sensitive IT functions in-house.

"As we've seen the economy pick up over the past six or eight months, we've seen companies turn to outsourcing because they want to use their security staff to address security needs for e-commerce and VPN and Web applications - the let-the-good-guys-in sort of stuff to connect with customers, partners and employees," says Kelly Kavanagh, a principal analyst at Gartner.

"The routine monitoring and maintenance of firewalls and monitoring of [intrusion-detection system] traffic for alerts are things they're finding have a great impact on their staff time and is something they can give to somebody who does that 24-7," he says.

Since the beginning of the year, clients have had more questions about outsourcing security and more are on the brink of contracting with service providers, Kavanagh says, adding that "the question now is 'who,' not 'whether' or 'if.'"

Still, analysts note that the move to outsource security functions is a slow one. One reason is that the so-called managed security service provider market continues to consolidate - Level 3 Communications acquired Genuity early last year, and VeriSign snapped up Guardent in February this year - leaving some enterprise customers wary about contracting with a firm that might not be around in a few months.

Gartner expects consolidation to continue as smaller players band together to compete with larger providers and those large firms seek to expand their security expertise through acquisition.

In addition, companies for a variety of reasons are still reluctant to hand off security functions to outside parties.

Willis Marti, associate director for networking for computing and information services at Texas A&M University in College Station, says increasingly complex security needs linked to proliferating viruses, patch management and other issues actually make him more likely to keep security in-house.

"The more complex the task, the more difficulty in structuring an agreement with an outside party," say Marti, who oversees a network that connects more than 60,000 users. "Security has to be provided in the context of business operations. . . . There is almost no chance we'll do any outsourcing of security functions. Part of the reason is a special expertise we have, part is because I'm not aware of any really successful outsourcing, and part is the close-to-unique nature of a major university."

John Halamka, CIO of Harvard Medical School and CareGrou p Healthcare System in Boston, began outsourcing network security monitoring to Counterpane in 2001, but brought those functions back inside the organization last year.

Click to see:

"Because we're a healthcare organization it was essential to develop a core competency in doing network security," says Halamka, who estimates his network is attacked about every 7 seconds on average. "With [the Health Insurance Portability and Accountability Act], we wanted to have our own internal staff who could be extraordinarily vigilant and fleet of foot to respond to issues instantaneously and constantly advise how to improve our infrastructure to guard against ever-wily hackers."

It was access to this type of advice that was part of the reason why financial publisher Bowne & Co. in New York outsourced its IDS monitoring to Internet Security Systems (ISS).

"We have a good mix of in-house expertise and good standard operating procedures and a service that has been reasonably priced and has given us access to additional expertise that has been quite helpful," says Ruth Harenchar, Bowne's CIO.