The continuing growth of attacks that directly target businesses is driving more organizations to outsource their network security to a managed security service provider (MSSP).

That finding comes from a new study by Frost & Sullivan, which estimates that the MSSP market in North America, which earned $1.2 billion in revenue in 2009, will reach $3.9 billion in 2016.

In addition to mitigating security risks, cost remains a major driver for using an MSSP. "There's no upfront cost, no initial investment. That's the big attraction," said Frost & Sullivan research analyst and study author Martha Vazquez, "especially because of the economic turmoil."

According to her research, from an adoption standpoint, the industries that remain most likely to use an MSSP continue to be financial services and government. "They are the early adopters and continue to have the most presence for the MSSPs," she said. In turn, MSSPs have catered to organizations in these verticals by continuing to help them address and demonstrate compliance with numerous, evolving regulations.

Now, similar compliance concerns are driving organizations in other industries -- especially healthcare, retail, and utilities -- to outsource their security to an MSSP.

Interestingly, data center virtualization also appears to be driving more organizations to use an MSSP. While the trend needs more study, she said, one possibility is that when organizations dramatically reduce their data center footprint, they're more inclined to outsource security, providing it will reduce operating costs.

Today, large enterprises account for 60% of MSSPs' revenue in North America. From a cost and benefit standpoint, however, "from my perspective, it makes more sense for small to midsize businesses to outsource due to the lack of security experts" that they tend to have in-house, said Vazquez.

From a provider perspective, the large MSSP players continue to dominate. "Verizon, IBM, SecureWorks, AT&T, Symantec -- all are top providers that are either constantly adding new and more innovative services, or acquiring other companies to add to their portfolio," said Vazquez.

Even so, she said that most MSSPs could do a better job of differentiating their services from each other, offering more flexible plans -- for example, continuing to combine on-premises and cloud-based offerings -- as well as better packaging their services for specific verticals, such as a security and compliance package for retailers.

It doesn't pay to for small and midsize businesses to protect against security threats faced by only the largest companies. Here's how to focus your efforts on the right threats. Download our all-digital supplement. (Registration required.)