Doors opening for outsourced security

(continued from previous page)

progress in overcoming preconceived notions about the products, said Radicati, who heads her research firm, the Radicati Group.

"We get a mixed set of responses around hosted security. It seems arbitrary, but there are still a lot of negative perceptions out there," the analyst said. "Half of the companies we ask say they would never consider doing it, and some are enthusiastic and couldn't care less that a solution is hosted. But it seems like more companies would be willing to think about it all the time."

Some CIOs have said they are worried that handing over large volumes of critical corporate data to outside providers could open the information up to being stolen, intercepted, corrupted or lost. Recent data breaches at LexisNexis and other companies, though a different kind of information exposure, have underlined the risks.

One of the reasons why executives are warming to hosted security, Radicati said, is the growing success of companies that market other kinds of online applications, such as customer relationship management provider Salesforce.com.

SOX appeal
Regulatory compliance demands, such as the Sarbanes-Oxley Act in the United States, could also help jumpstart the hosted security market, Kolodgy said. Qualys recently launched a service aimed at helping companies meet such requirements, and AlertSite offers hosted compliance tools as well.

Philippe Courtot, Qualys' chairman, said that such compliance needs are perfectly tailored to services such as those sold by his company. That's because the guidelines are pushing smaller businesses, with limited budgets and IT staffs, to put relatively complex security systems into place.

"The beauty of this timing is that these small companies can have the same sort of security performance as a larger enterprise because we devote every bit as much attention to protecting their operations as a large IT division could," Courtot said. "It's the same idea as Salesforce.com taking customers away from Siebel because they have moved faster and cost less. That's what we're trying to bring to hosted security."

Courtot conceded that some companies will always view hosted security as too risky. But he believes that as time passes, the arguments against sending such work out might lose some force if Qualys and its rivals grow.

Hoff said that WesCorp's IT department is fairly forward-thinking, so he didn't have to go to great lengths to get the hosted model adopted. But Hoff said he understands why some companies might still take a cautious approach to the tools. And although WesCorp might consider other outsourced security applications, for operations such as maintaining the company's firewall, Hoff is not ready to give up the keys.

"Outsourcing everything in your security infrastructure in terms of management--we haven't done that and don't plan to," Hoff said. "But in this case, it made good business sense and turning it on quickly was a very big lever for us. When it comes to other security services, we'll see what happens down the road."

[MrBoomshadow]

Oh, THIS'LL work...

We now have the potential to get screwed twice: once out of jobs, and then again by underpaid employees.

I'm not saying that people here haven't committed major data and identity theft; far from it--recent headlines call attention to major inside jobs at Wachovia and Bank of America.

But here, there's no extradition to worry about, and one less layer of corporate insulation over the suspects.

We need global labor standards right now. It will cause minor upheaval in the form of large corporations passing their liabilities on to us, but the market will correct for that. It always has, and it always will.

Definately a good idea

Security audit is again something like product testing; no matter how great a programmer is, he cannot find few "obvious" bugs that can easily be found by a QA team.
I think for small company that cannot hire a complete security department, it make lots of sense to use security scanner software/service like the one provided by Qualsys.
I also believe CIO should take it easy, as physical security has traditionally been outsourced, I am sure it also make sense to outsource electronic security.

Simplest solution

Amazing the sheeple that are most executives today. The answer to all the hassle of patching is easy - don't do Windows. Now how hard was that? So many alternative and many FREE, solutions out there. Guess it is too hard to give up that M$ gravy train.