by Sarah D. Scalet

Ways to Do More With Less

May 15, 2006
IT Strategy

Stanley “Stash” Jarocki is used to getting plenty of attention. Once the VP of IT security at Morgan Stanley, Jarocki knows what it’s like to manage a staff of dozens at a Fortune 50 company that spends millions of dollars on technology. When he called a vendor, the vendor answered. Quickly. “I’d pick up the phone, and the company—service provider, hardware provider, software provider—would be in the door tomorrow, today,” Jarocki says.

But that was then. Jarocki has had to change his tactics and expectations now that he works in one of the trickiest spots in security: right in the middle. He is senior VP and information security officer of New York City–based Bessemer Trust, a privately held wealth management company with $40 billion in assets and just 600 employees. When it comes to information security, analysts say, working at this size company can be the worst of both worlds.

“The companies are often big enough to be targets, but not necessarily big enough to have the staff and the budget to do security well,” says John Pescatore, a vice president at research company Gartner. “They often don’t have strong IT discipline, and that causes all sorts of security problems. But they’re big enough to be targets of cybercrime—somebody saying, Let me go after this plumbing supply company. It’s not so big, but maybe I can find a credit card file.” What’s more, mid-market organizations may face the same bevy of regulators as companies 10 times their size.

But the smaller guys—that is, companies with revenue between $100 million and $1 billion—are being pushed to get better at security. And the best among them have tips about managing security on a budget that even CIOs with gargantuan budgets could learn from. Here are three ways they’re doing more with less.

1) Find good generalists—and know when it’s time to call in extra help.

When Robert Lewis, CISO of Cambridge Health Alliance in Cambridge, Mass., was nominated for Information Security Executive of the Year for the New England region, he remembers going to the gala affair and watching the CISO of State Street pick up the award.

“Her staff in security was larger than our entire IT department,” recalls Lewis, who is also director of telecommunications and network services at the nonprofit group, which has annual revenue of $466 million.

The biggest challenge? Finding and keeping a small stable of talented security employees who are jacks-of-all-trades, in a marketplace that values specialization. “In a very large organization, your security group will have a huge amount of specialization,” says Jim Reavis, founder of an eponymous security consulting group. At small companies, by contrast, “You have people who wear a lot of hats.” Mid-market organizations are lucky to have even a couple of people whose jobs are entirely devoted to information security.

But having generalists on staff isn’t a bad thing, mind you. “In many cases, generalists are able to address business problems better,” says Christofer Hoff, who until late 2005 was CISO of WesCorp Federal Credit Union, which had 2004 revenue of $500 million. (Hoff is now chief security strategist at Crossbeam Systems, a threat management vendor.) A lean staff of generalists also can help keep headcounts low and costs down, with organizations bringing in extra help as needed.

“In past lives,” Hoff continues, “I’ve been blessed with smart generalists who realize that at times when they don’t have the skill sets, they [can] raise their hands and suggest that we need to augment our skill sets. I’d rather have that than a guy who can only fire a bow and arrow. What happens when he runs out of arrows?”

At Cambridge Health, Lewis doesn’t worry that his group’s two security engineers know only how to fire arrows. They advocated, for instance, that the organization keep things simple by focusing on security “appliances”—products that do one thing, like content filtering or intrusion detection, but offer little customization. Because an appliance stands alone instead of running on a general-purpose server, when something goes wrong there’s no question about whether the problem lies, say, with the operating system or with another piece of software on the same box.

“It just does what it does,” Lewis says, describing such an appliance, “and if you have a problem you call the vendor. By its very nature it’s intended to be robust, basic. It’s a workhorse.” This approach means that even a small staff can keep the organization’s security defenses up and running.

At some midsize businesses, the entire security staff is made up of generalists in a broader sense—meaning that their responsibilities are not just in security. At Dallas-based Hudson Advisors, for instance, CSO Mark Lynd is also the global chief technology officer. Lynd, who is a certified information systems security professional (CISSP), spends maybe 60 percent of his time on security; the rest is spent on technological and operational duties. His staff of four, one of whom is also a CISSP, each spends about 40 percent to 50 percent of his time on security.

“We do that because we’re so decentralized,” says Lynd, whose company, a fast-growing mortgage servicer and real estate management firm with annual revenue of $130 million, has seven data centers, including ones in Guadalajara, Mexico; Taipei, Taiwan; and Frankfurt, Germany.

Lynd has the equivalent of two full-time staff in Dallas, with two others in the field. He could, theoretically, have one of his Dallas staff devoted 100 percent to security. But by having every person spend part of his time on security, Lynd ensures that there can be round-the-clock coverage.

Another tactic: The IT manager at each of Hudson Advisors’ data centers has security built into his job responsibilities. And when Lynd needs further expertise, he calls in consultants from DynTek, a California-based technology service provider.

2) Make the most of VARs, which have become more about “value added” and less about reselling.

Now that Jarocki doesn’t work for a Fortune 50 company that rockets him to the top of a large service provider’s call-back list, he has found that the way to get plenty of attention for his organization is to not work directly with manufacturers at all. Instead, he has turned increasingly to value-added resellers, or VARs. These often regional companies sell products from the biggest security and information technology manufacturers but add their own expertise.

For instance, Jarocki works with AlliantWare, a division of Alliant Technologies, which sells products from Hewlett-Packard, RSA, Symantec and others. He also works with Calence, which has offices in New York and specializes in Cisco and intrusion detection monitoring systems.

Jarocki says that some VARs focus on mid-market organizations and are often able to give smaller companies more attention than the big vendors can. The trick, as usual, is picking the right ones and then the right technologists from within them. To do this, he relies on recommendations both from peers and from the manufacturers themselves.

“They’re used to helping smaller organizations, so they understand our problems,” Jarocki says, speaking about the VARs Bessemer works with. “They have well-trained people certified in the products that we use. They’re providing a quality knowledge base, but you have to pick and choose from those people.”

The approach is pretty typical, according to James Browning, a vice president of Gartner’s Small and Midsize Business Research Organization. “Networking and security are two prime areas where [small and midsize businesses] buy all those products and solutions and services through a VAR, because A) they don’t have the resources to install, deploy and manage it [all] on their own, and B) most of these projects are more complex than the staff can handle on their own.

“The VAR will basically come in and tell the [small business], You should do these two things this year and these two the next,” Browning says. “They’re serving the roles of consultant, adviser and integrator. They’re the folks that are actually deploying this and training the internal IT staff on how to manage it.”

Observers expect VARs to do more going forward, not less—largely because the VARs have learned that the margins on consulting are much larger than on simply bundling and reselling software or other goods.

3) If you can’t buy it, share it (especially when it comes to compliance expertise).

In days gone by, Jarocki used to have a sizable research budget. Now, though, the best research information he gets is not from pricey consultants but from his peers. “You have to network to the nth degree, and listen to what other people are doing,” Jarocki says. “You read enough that you finally go to your peers that have implemented something and you say, What did you go through? Then you hear if a product didn’t work.”

Jarocki is a cofounder of the Financial Services Information Sharing and Analysis Center (an industry group), so he has plenty of contacts in the industry. And nowhere does his networking pay off more than in dealing with all the regulators that Bessemer, as a brokerage, must answer to—agencies ranging from the Treasury Department’s Office of the Comptroller of the Currency to the NASD (formerly the National Association of Securities Dealers).

“You listen to what [the regulators] said the year before, and you talk to your peers to see what they’re looking for this year,” Jarocki says. “There are high points. The high points right now are intrusion detection—they want to know if any client data is being hacked. They’re hot on business continuity. The other one is controls—they look at internal controls, access control.” He uses the information he gleans to focus his energies. “You go down [the list] and say, Gee, what am I doing in that area?” This is one reason why his one full-time security employee, who has a broad skill set, is getting extra training in business continuity.

For mid-market companies—especially ones that have to comply with the Sarbanes-Oxley Act—putting in place a strategy for efficient regulatory compliance is key. “For the ones that are publicly traded, Sarbanes-Oxley has thrown a wrench in the works,” Gartner’s Pescatore says. “If you’re a publicly traded company doing $100 million in business a year and being hit with the same audit capacity that GE’s being hit with, that’s awful.”

Pescatore says that some small companies are talking about being delisted so that they don’t have to comply with Sarbanes-Oxley, but he notes that these difficulties soon may lessen a bit. In December, an advisory panel to the Securities and Exchange Commission recommended that the SEC ease the auditing requirements for companies with revenue of less than $250 million.

But Jarocki, for his part, is prepared for more regulation, not less. “The auditors have taken Sarbox, they’ve taken the [Gramm-Leach-Bliley Act], and melded the two together and said, Here’s our audit program,” he says. “Now you tell me I’m not being held to Sarbox, and I’ll say phooey on you. The bottom line is, if an organization wants to be properly run, you go for the best you can. You go for the best controls in place because you want the company to stay around.”

Another growing point of pressure: the security requirements of larger business partners. Says consultant Reavis, “Larger companies looking at their supply chains are concerned about risk, but cutting off a partner from their supply chain is not feasible.” For instance, Visa is trying to improve security among merchants and payment processors with its PCI data security program. “That’s where you’re going to see a pain point for the midsize companies.”

Some of the regulations have had a positive effect. At WellSpan Health, VP and CIO William “Buddy” Gillespie says that the Health Insurance Portability and Accountability Act, or HIPAA, was a major driver for the IT group to get funding for security and disaster recovery. Gillespie has an IT security manager who also has a dotted-line reporting relationship to the director of compliance for WellSpan, a nonprofit health-care system with two hospitals and about $619 million in annual revenue. That manager has four full-time employees whose primary responsibility is ensuring that any information considered protected health information under HIPAA is kept confidential.

What all this amounts to is that mid-market information security organizations are being forced to play catch-up with their larger brethren. In fact, Lewis’s approach is to benchmark Cambridge Health not against other regional hospital groups, but against much bigger, for-profit organizations that have a lot more resources.

“It’s good to watch the people who have the money and watch the decisions that they make and try to learn from that,” Lewis says, noting that he does this by reading trade publications, talking to peers and attending meetings of professional associations such as the Information Systems Security Association. “We follow what banking and investment houses do, because they can afford much more. We try to learn from that. Then we have to face reality based on what we have and say, How closely can we align ourselves to the best practices at the top financial houses? We’re striving for that. It’s way beyond what we can afford, but it gets us thinking.”