Outsourcing: What You Can Do If Your Security Vendor Fails

ON APRIL 25, PILOT NETWORK SERVICES went out of business, abandoning 200 customers that relied on them for something rather important: security. There had long been signs of Pilot’s distress. Customers had recently reported spotty service from the managed security company. Pilot’s stock, once at $50, had plummeted to 21 cents per share, and Nasdaq delisted it. Yet this was not some high-flying dotcom that appeared one day, took some easy venture capital, then vanished. Pilot was an established, 8-year-old vendor with 400 employees and, by most accounts, superior security technology and practices. Its customers included PeopleSoft, VisionTek, The Washington Post Co. and several large health-care institutions and banks.

Despite all that, the end came quickly. Pilot employees received four e-mails in rapid succession. The first said the phones would be disconnected. The second added that pagers and mobiles would be taken away. The third said the CFO had resigned. And for anyone who couldn’t see the elephant (not just in the room but squirting river water in their faces), the last e-mail said, "At 4:30 p.m., you’re fired."

Pilot did keep a skeleton crew to manage customers’ security through the data lines. Responding to desperate pleas from Pilot customers, AT&T suspended the order and kept Pilot’s operations center connected, even though it wasn’t getting paid.

With no one watching their networks and an outage threatening at any moment, Pilot customers felt naked. They were suddenly wide open to hackers and viruses. Because some companies routed office-to-office traffic through Pilot, they were at risk of losing secure virtual private network (VPN) connections and remote access. Pilot had hosted entire Web networks for other companies, making them even more vulnerable to a complete meltdown.

One such company, Providian Financial, was so distressed that it sent several IT staffers to man Pilot’s operations center. That probably frightened Pilot’s other banking customers, none of whom were expecting a competitive financial institution to have access to their network security.

While it’s perhaps the most dire example of failure in the slowing economy, Pilot’s breakdown is not an aberration. Other managed security companies are hurting too. The Salinas Group had already folded. Exodus endured an atrocious first quarter in which CEO Ellen Hancock said everything was on track "except revenue." Recently, Exodus and another managed security company, Counterpane, announced that they are joining forces for efficiencies of scale. MyCIO.com, once independently operated, was folded back into its parent company, McAfee. Two other managed service boutiques, Vigilante and Networks Vigilance, have merged. "Spending has tapered," says Bruce Murphy, CEO of Vigilinx, another managed security company. "A billion dollars in equity just dried up."

In a matter of days, the managed security services option turned into a frightening one for CIOs. Until now, outsourcing security management to a boutique company like Pilot seemed the best way to go for two reasons: One, that’s where the most cutting-edge security expertise had migrated, and two, doing security in-house was considered too expensive and difficult for most companies. But in the wake of the Pilot disaster, many CIOs are reevaluating two alternatives: outsourcing their security needs to a large, general services company such as IBM Global Services, or taking care of them in-house.

The problem is that none of the three available options is the clear winner. Each carries significant risk, and former Pilot customers are trying them all. But all of them agree on one point. Outsourcing security is more work than just writing a check every month. It’s a full-time job that requires in-house resources. Treating it as any less (and many do) is playing Russian roulette with the entire enterprise.
