About the same time Durso shook hands on her discount, the CIO at a major health-care organization on the West Coast called a meeting with a Pilot executive. This CIO, who asked not to be named because he believes it would paint a target on his network, had been an early sign-on for Pilot.

About 10 months ago, he watched his service lag and Pilot's stock swoon at the same time. It gave him pause, so he set up a "frank discussion" with a high-level Pilot executive. At the meeting, the CIO challenged the executive on service levels and asked direct questions about the health of Pilot's business and its capability to support him. The Pilot executive answered each question, and the CIO was reassured.

Even so, he wasn't taking chances. After meeting with Pilot, he revisited his contingency plan and now feels fortunate that he was ready to go when he found out that Pilot was no more. "We worried," he says. "We probably should have worried more. Next time, I'd be even more aggressive."

This CIO's contingency was relatively smooth. He started with a crude but sturdy frame-relay connection provided by Verizon. Once that was working, he set out to upgrade to a high-speed connection also provisioned by Verizon. After that was in place, he worked on adding secure access to his network in the form of a VPN. His e-mail contingency followed the same slope: first, low-bandwidth access to e-mail, then high-bandwidth access, then secure high-bandwidth access, which brought him back close to what Pilot had provided.

Concurrent to building the network up, he reinserted security services into his network while he sought a new managed security partner. He started by assigning one person to monitor the network, a pale substitute compared with what he was paying Pilot to do. But it was monitoring nonetheless.

For the first awful week, the CIO had to rely on volunteer ex-Pilot and Providian employees, who composed the management skeleton crew. But within three days, he was out from under Pilot, albeit with a temporary structure. "We're still sorting it out," he says. "We have some services. We won't have others like filtering for a while. What we have now is OK."

In choosing his next outsourcer, this CIO echoes Durso as he considers the trade-offs between the small vendor with talent versus the big vendor with a stable business. But he's leaning the other way toward a bigger company with more generalized services. He chose Genuity for his network connections. Choosing a managed security provider is predictably taking longer, but he wants a similarly large company, possibly Genuity.

"We're not interested in breaking in new security vendors. I want to see Wall Street firms and large banks on their customer list. My ideal would be a large, funded company with diversified resources," he says. His last requirement is the tricky part an outsourcing partner has to be "one that's also highly competent." While the expertise still resides in the boutiques, the CIO anticipates that large general service companies will start bailing out the smaller companies. That way, they acquire the smarts, they have steady bottom lines, and they make security a component of larger managed services packages. And indeed, AT&T was ready to buy Pilot but walked away at the last moment, several ex-Pilot sources and customers say. Symantec has already bought a boutique company, Axent.

If this expertise-through-acquisition scenario plays out as such, CIOs will have the best of both worlds stable business and expertise. But that presents other challenges. For example, Symantec has products to sell. Partnering with Symantec likely means partnering with Symantec's products too. And service levels may drop as the smaller boutiques are subsumed by larger companies.

But for the health-care CIO, less service and expertise is fine. Outages are not.

Three weeks after the incident, with his contingency up and running, he says, "We dodged a bullet."