Chris Hoff isn't ready to throw caution to the wind, but the CIO is defying the conventional mindset about outsourcing enterprise security.
To keep operations safe at Western Corporate Federal Credit Union--known to some as the "credit union to credit unions"--Hoff has a long list of security issues to consider. And for one important element of WesCorp's defense--testing its IT systems for potential weak points--he signed on with an outside software provider, Qualys.
Hoff said he had to change a few minds in WesCorp conference rooms to get acceptance for his decision to use hosted vulnerability management. WesCorp has been using Qualys' online applications for the last year.
News.context
What's new:
Hosted security companies are offering to take over the job of checking the defenses of corporate networks.
Bottom line: Despite some customers' misgivings about outsourcing security, hosted providers are likely to see their prospects take off, analysts say.
"I don't think that it would be fair or prudent to say, 'The time is right; the applications are here. So you can just outsource all your security operations.' But there are places where (hosted applications) can work as well as anything else," he said.
"When we looked at the various delivery models and compared costs at having to maintain and manage everything, including upgrades, the functionality and ease of deployment with hosted made for a very strong case," Hoff said.
The task of keeping up with security patches is one of the most demanding and frustrating jobs assigned to IT departments, which are often caught in a race to fix problems before an attack hits. For a network with more than 500 staff to serve, it can take more than 100 hours of work to do everything needed to fix just one flaw, according to Research and Markets.
With that in mind, companies that promise to take over the job of defending corporate networks against intrusions and vulnerabilities are likely to see their prospects take off, analysts say--especially as regulatory compliance becomes more of a concern.
The flow of threats such as the Sober virus is another ongoing worry. To help, Oracle puts out a monthly bundle of security updates, as does Microsoft, which pioneered the approach. But the various patch programs can be a headache for administrators, as the tussle over automatic installation of Microsoft's Windows XP Service Pack 2 illustrated.
It all adds up to a significant opportunity for companies such as Qualys and its rival, AlertSite, which also sells hosted vulnerability management. IDC analyst Charles Kolodgy said there are a number of reasons why customers, in particular small and medium-size businesses, will increasingly look to hosted security applications.
"There's a great business case with vulnerability management specifically," Kolodgy said. "The ability to install new threat updates easily and to cut time and costs by letting someone else manage all of that is a key. And you have a number of companies looking to improve those sorts of capabilities, in light of growing compliance or privacy concerns."
Qualys, which was founded in 1999 and is privately held, grew from $8 million in revenue in 2003 to roughly $16 million in 2004, according to Kolodgy's estimates. The Redwood Shores, Calif.-based company has said it will double that sales total by the end of 2005. By marketing itself as a low-cost, rapidly installed alternative for companies looking to improve their ability to manage vulnerabilities right away, the analyst said, Qualys might easily achieve that figure.
Traditionally, most companies have used packaged software from security specialists such as Symantec and McAfee to tackle such tasks, or have developed their own systems.
Stepping outside
The switch to Qualys' online security hosting has worked out for Hoff, who is an unpaid advisor to the company. The CIO said the scanning tools produce a low number of false-positive results for vulnerabilities and said that its applications have integrated easily with WesCorp's other systems.
Overall, Hoff said that any reservations he may have harbored regarding hosted security have eased the longer he has been a customer--an experience that industry experts said is becoming more common among other companies.
Almost half the business executives that technology researcher Sara Radicati has interviewed said they might consider such online applications. That marks significant
We now have the potential to get screwed twice: once out of jobs, and then again by underpaid employees.
I'm not saying that people here haven't committed major data and identity theft; far from it--recent headlines call attention to major inside jobs at Wachovia and Bank of America.
But here, there's no extradition to worry about, and one less layer of corporate insulation over the suspects.
We need global labor standards right now. It will cause minor upheaval in the form of large corporations passing their liabilities on to us, but the market will correct for that. It always has, and it always will.
Security audit is again something like product testing; no matter how great a programmer is, he cannot find a few "obvious" bugs that can easily be found by a QA team. I think for a small company that cannot hire a complete security department, it makes lots of sense to use security scanner software/service like the one provided by Qualys. I also believe the CIO should take it easy, as physical security has traditionally been outsourced; I am sure it also makes sense to outsource electronic security.
Amazing the sheeple that are most executives today. The answer to all the hassle of patching is easy - don't do Windows. Now how hard was that? So many alternative, and many FREE, solutions out there. Guess it is too hard to give up that M$ gravy train.