Menu
Menu
What You Can Do If Your Security Vendor Fails

What You Can Do If Your Security Vendor Fails

You can almost hear creaky saloon doors rattling in the wind and tumbleweed staggering through the dust.

One week after the implosion, Pilot filed Chapter 7 in Oakland Bankruptcy Court. Its website, The Pilot.net, made no mention of the company's troubles. In fact, the site looked exactly the same as it had before the collapse. It had an eerie feel, like some Western ghost town.

Pilot's outage couldn't have come at a worse time for Ann Marie Durso, CIO of VisionTek, a memory and graphics card company in Gurnee, Ill. She had joined the company in October 2000 and was in the thick of a strategic ERP project that will help the company launch online retail sales. An outage would mean revenue losses on online sales, and each day without a secure, high-speed connection would add several days to the ERP project.

VisionTek has subscribed to Pilot for four years. Like a marriage, the partners just got comfortable talking less. Security was assumed, and just two months before Pilot went down, Durso had been baited with a renewal discount. Pilot offered to renew her contract at a cut rate if she paid for a full year up front. She did.

"We got blindsided," she says. "We thought [that since] this was a provider that had been around since '96 for us, there was less of an inclination for us to question them. But outsourcing isn't an abdication. You can't just hand it off. Ultimately, the business will hold me accountable, so I have to manage the third parties. I have to constantly ask, Are they still growing? Can they handle scale? Are they keeping their skills up?"

As soon as Durso heard about Pilot, she and her network manager, Mike Brown, went from office to office briefing VisionTek's executives, one at a time, on what the collapse meant to the company.

"It wasn't pleasant," Durso recalls about the experience of having to break the news to the CEO, the CFO and the controller. Interviewed by CIO the day Pilot filed for Chapter 7, Durso was still frayed. "But we're doing the right things. We had a full contingency in place in two days," she says.

The contingency went something like this: First, get the executive staff's permission to move forward on choosing alternative security providers. Second, create a worst-case plan. For VisionTek, this meant Brown put his pager on and never took it off.

Worst case, if AT&T cut the network connections to Pilot, Brown would be paged. He'd box up his servers and drive them from Gurnee to downtown Chicago, where an alternative provider had offered space and dial-up connections until VisionTek could find a full-time provider.

Next, VisionTek brought in two ex-Pilot engineers as contract consultants because they knew Durso's security better than she did. In fact, the day after Pilot went down, VisionTek wasn't sure of its security status because it had, over time, become Pilot's responsibility to manage.

Together, the Pilot engineers and Durso figured out where they stood and got the network to a point where "we were at least able to limp along," she says. With security patched together, Durso, Brown and the consultants turned their attention to evaluating other security vendors. Ironically, she wants a partner similar to Pilot in scope and methodology. Durso liked Pilot's level of expertise. She liked its 24/7 monitoring. Finding another Pilot with stable financials is unlikely. But Durso knows larger companies often have less expertise.

Highly sought security talent flowed to the boutique companies for two reasons. First, top IT security experts often from the military and government agencies such as the CIA left public service in droves a few years ago to start their own companies. Subsequently, venture capitalists heard tales of Pentagon-level security, so there was plenty of money out there, until recently. Second, there was fraternal loyalty; security experts gravitate to companies run by their peers.

But the startup trend led to a glut. There were too many boutiques, and they were burning cash fast. That, in turn, led to aggressive selling, such as Pilot's offering discounts for a year's service for customers that paid up front. Customers took the deals, which in turn prompted the security vendors to scale up too fast. All of this is precedented; the ASP market did the same thing two years ago and has stalled ever since.

If small security-only companies can't escape the economics of their smallness, the larger general purpose IT service companies can't get out from under the weight of their hugeness. Brown evaluated several larger companies and came away unimpressed.

"My experience is the bigger companies don't have the expertise or the service," he says. "We looked at two of them, and it was a circus. They couldn't even get coordinated internally. They hadn't gotten our business, and they were already infighting as to who would handle our account."

So for Durso, it becomes a balancing act. She'd like to stay with a security-only company because of the expertise and service. At the same time, she feels as if she has to slide up the scale to find a stable business. "Really we're looking for a company like Pilot in terms of service," Durso says. "But you find yourself opting to be more conservative.

"No one has all of the story we want," Durso adds. "You're always ending up with some kind of trade-off."

As Durso now realizes, outsourcing security is not buying your way out of work but rather buying your way into expertise and then managing it. But expertise is still the thing. She'll sacrifice only as much of it as is necessary in order to find a company that won't go out of business and forget to tell her.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!

Error: Please check your email address.

More about ACTAT&TAT&TAxentBillionCA TechnologiesCounterpaneExodusGenuityHartford Financial Services GroupHISIBM AustraliaMcAfee AustraliamobilesMotionPeopleSoftPilot Network ServicesPilot Network ServicesProvidian FinancialSpeedSymantecVerizonVigilanceVigilanteVigilinxVisiontekWall Street

Show Comments
Computerworld
ARN
Techworld
CMO