Businesses are reluctantly turning to security services as a means to reduce costs while maintaining an adequate level of protection of the data and IT assets. According to a new report by content security vendor Websense, 60 percent of IT decision makers surveyed at the recent IDC Security Summit are considering security services.

What’s interesting about the Websense report isn’t the consideration level, but the anxiety associated with outsourcing security functions to a third-party. Eighty-three percent of those surveyed said they’re reluctant to switch to a security service out of fear of losing direct control over security controls and incident response. Another 63 percent said that security services are simply outside the comfort zone of their organizations.

While the world is migrating to the cloud at an exponential rate (see “Cloud Computing Adoption Jumps 320%”), security practitioners continue to resist. If it weren’t for the recession, security decision-makers would likely remain behind their digital battlements favoring on-premise solutions that they can touch and feel. This is probably true even though the Websense survey found that 52 percent of security decision-makers see security services as being more or equally effective as on-premise solutions.

The security world will be dragged kicking and screaming into the cloud because of one issue: trust. When the first managed security service providers appeared nearly a decade ago, they all faced steep learning and acceptance curves in their target enterprise markets because chief security officers were reluctant to give up the keys to their digital kingdom to a third-party provider no matter how many SLAs and confidentiality agreements were in place.

It always seemed like a specious argument given that many enterprises protect their physical infrastructures with contracted security services. The military uses security contractors to protect and guard access to its installations. And Homeland Security isn’t staffing airport security checkpoints; those are mostly contractors. What to these physical world contractors have in common? They’re mostly low-paid, undertrained hourly employees without a vested interest in performance outside of the fear of losing their jobs. And, of course, contracted security guards typically have the keys to a company’s physical and digital kingdoms.

Security services are professional that absolutely have a vested interest in performance. Yes, many of the admins working in security operations centers (SOCs) are not high-paid engineers; but they are trained to recognize anomalous activity and escalate to high echelon support. And all activity preformed by security service providers is monitored and recorded for auditing; nothing escapes inspection.

When it comes to costs, Websense says security services are 80 percent less expensive than on-premise solutions. Perhaps, but cost savings associated with services will vary on the type, scope, scale and provider. The point of engaging in services isn’t necessarily cost savings, but aggregation of resources. By pooling security infrastructure capacity, service providers can scale expert support and services across many customers, cross-correlate and share intelligence, and proactively response to emerging threats. Cost savings do come as a result of scalability, but many services are simply faster and better than most on-premise security practitioners.

In a recent conversation I had with Doug Howard, chief strategy officer of Perimeter eSecurity, he said that security is the foot in the door when selling a suite of communication and collaboration services. Perimeter acquired USA.net, which provides hosted email and messaging services. The two companies offer an interesting and powerful suite of collaboration and security, but Howard said the sales cycles are still long despite the obvious cost savings and labor reduction benefits.

What really stands in the way of security as a service and managed service adoption is reliability. Over the last six months, Postini—the email security services arm of Google, has had a half-dozen service outages; two in the last month alone. The last two outages left subscribers unprotected for nearly a day. Postini’s woes have caused many of its customers to jump ship to competing providers or to revert back to their on-premise solutions.

A recent report by IT consulting firm Avanade found than nearly one-third of SaaS and cloud computing business subscribers had experienced a service disruption that lasted at least one day. While some businesses can go without email, CRM or Twitter for a few hours, security’s tolerance for service disruptions is next to nil - especially when there’s no failover to a redundant system.

While vendors like Websense want to make the security services argument about cost savings over on-premise solutions, the evidence is clear that adoption is more contingent upon performance and reliability rather than any perceived or real ROI. Budget pressures and cost savings are just the catalyst pushing businesses into services.