Step up your IT security

A list of security companies is discussed, with each placed in one of the four kinds of companies that are available.

Through the early '90s, few businesses had a corporate IT security policy in place. But the Internet and a global rush to e-commerce spawned a security evolution. Now even the corporate board of directors knows about the barbarians at the Internet gates. And savvy management knows that more breaches come from the infidels inside the company than from external hackers.

Computer security these days covers everything from locked file cabinets to network architectures. With the financial stakes increasing and customer confidence at stake, analysts say companies are boosting their annual security spending by 50 percent (from 2 percent to 3 percent of the IT budget) or more.

From Padlocks To Barricades

With the e-business game on the line, companies of all sizes are seeking partners to lock down their networks. Just as no one product fits every company, no one security company can be a partner to all.

We've identified four types of players in the security market, presenting various degrees of partner opportunities. These firms run the gamut from consultancies to full-service security shops. If you can't do it alone in-house, one or more of these types of partners can help.

As an entity that certifies firewalls and virtual private network (VPN) products, ICSA.net's name should be familiar. The vendor-neutral company is also the publisher of a weekly online newsletter and a monthly magazine.

ICSA's TruSecure certification service covers both internal and external security threats. The $80,000-per-year service is publicly low-profile, but the certification is accepted as bona fide for the banking industry's SAS70 Audit and the health-care industry's HIPAA data-security requirements.

TruSecure starts with ICSA-standardized security practices, which are available to anyone with a Web browser. According to Peter Tippett, ICSA's chief technologist, the easily implemented practices cover about 70 percent of all security needs.

ICSA follows through with a comprehensive on-premise inspection of the site's physical security and practices, periodic scans to detect vulnerabilities, and checks for specific vulnerabilities when a new threat emerges. ICSA-dispatched alerts to subscribers rank the upcoming threats from important (take action within the next couple of weeks) advisories to red-hot (run to the console now) alerts—and viruses such as ILOVEYOU qualify as red-hot.

Advantage Credit International, a consumer credit verification firm for mortgage companies, chose TruSecure upon request of its credit-partner Experian. Ed Tisdale, director of information for Advantage, also saw ICSA as a knowledgeable and credible company whose scans had fewer false positives against their network than other options. "ICSA is the best security firm out there," asserts Tisdale.

ICSA.net has partnering opportunities for xSP and Web hosts, among them, reselling the TruSecure service. As ICSA.net revises its partnering arrangements, some additional integrator/reseller opportunities may emerge. Either way, ICSA.net is on a security partnership roll.

For clients that don't have the personnel to keep up with security or that have offices spread across the country, myCIO.com offers a one-stop, Web-based subscription shop for firewall/VPN chores, vulnerability checks, and/or keeping antivirus software up to date.

You might view myCIO.com, parented by Network Associates, as the Web-based version of the company's offerings. MyCIO tackles its role of managed security provider (MSP) with the Gauntlet firewall/VPN, CyberCop scanner and McAfee antivirus software. The service is backed by updates, monitoring and alerts from the company's 24 x 7 network-security operation center. Clients can choose any or all of the site's offerings.

MyCIO.com targets small businesses that can't afford a dedicated security staff. Other prime targets for the service include companies that lack security expertise and businesses that are too busy to lock down their networks on their own.

Lee Rocklidge, network manager for facilities and office builder DPR Construction Inc., found that the myCIO.com antivirus service freed up his PC technicians to provide "proactive, as opposed to reactive, customer service." Rocklidge believes the service is cost-effective, running a little more than $1 per user per month.

Since myCIO.com runs as a pure service, it requires somebody on-site to touch the system if anything needs to be done. (That spells opportunity for you.) The service also doesn't address physical or employee-related security threats.

However, the service has the most partner opportunities for resellers, integrators and xSPs. Partners can sell the service, repackage the service with additional offerings, or rebrand the service as a custom offering. MyCIO.com shows that connecting to the Internet should be an asset rather than just a threat.

Watchguard Technologies is well-known for its red-colored FireBox firewall and VPN hardware. The company's LiveSecurity Service extends the value, giving tips, content filtering, fast-response updates for incumbent threats and security flashes.

Like many other vendors in this space, resellers and ISP partners provide physical installation, configuration and monitoring of the products. But partners that make a higher commitment can partake in the Watchguard for MSS program, which entails additional partner responsibilities.

The partner is required to establish, staff and maintain a 24 x 7 security operations center (SOC) and use additional monitoring components, one type installed at each client and a second type installed either at the SOC or at network POPs. The partner either passes through or re-dresses the LiveSecurity service pieces to the client.

Both UUNet and Genuity have partnered with Watchguard and other vendors to offer managed security services. Bob Blakley, manager of security services for UUNet, oversees the InterManage (IM) program for large enterprises based on Checkpoint equipment. He also supervises the InterManage Watchguard (IMW) program for small and midsize businesses. Both programs have opportunities for resellers, integrators and xSPs. The monthly fees for the IMW program are about one-third the price for the IM program.

The IMW program, launched in April, is aimed at an estimated 3.5 million small and midsize enterprises (SME) that have installed a mere 450,000 firewalls, according to industry estimates. "With the bandwidth more affordable," notes Blakley, "more businesses are connecting to the Internet and looking for an affordable security solution."

Watchguard's sole focus on small to midsize businesses makes the company the perfect partner for UUNet. "We didn't want to provide [SME] customers with a skimpy service," explains Blakley. "With Watchguard, we have the capability to offer customers a richly featured service."

Guardent Inc. combines a dream team's expertise and the tenacity of the "We'll-do-anything-for-a-dollar" three-brother band. The company is a full-service boutique that will provide any security service, ranging from audits to managed security services.

Guardent was founded by Maria Cirino, Dan McCall and David Samuels, all of whom are former executives of Web integrators Razorfish and i-Cube (which since have merged and operate under the Razorfish moniker). The Guardent formula for success is to recruit top security talent, maintain a vendor-agnostic position, and offer a complete menu from which customers can choose any or all pieces.

However, Guardent's service isn't for everyone. The company seeks only Fortune 1000 companies as its clients. G. Mark Hardy, managing partner, jokes that they will consider "Fortune number 1007 or so, but Joe's Corner Deli isn't for us."

Guardent meets with a client's senior managers to outline potential security threats. Next, the company designs a security blueprint that includes best industry practices, on-site consultants and managed security services.

Guardent hires the top security talent that Fortune 1000 corporations crave, but can't retain. Security, Hardy says, is a moving target. As such, when top security people are tied to a single project, they emerge with obsolete skills and extensive retraining needs. "By drawing on our pool of people, who can shift through the projects as needed, a company can have the best talent available."

Given the touchy subject matter, Guardent's clients declined our requests for an interview. Also, partnering with a company like Guardent will limit your engagement to referral fees.

Although Guardent seeks to be the sole security solutions provider to big firms, partners may not be so fortunate. Partnering opportunities in the security sector vary from company to company. The business model for a reseller may not be ideal for the xSP crowd, including ISPs and Web-hosting firms.

Integrators and resellers can join with consulting firms to offer a full-service solution to clients. Often, the client will involve the integrator or reseller in work with the consultancy.

Integrators also can repackage or rebrand security ASP services for ongoing revenue opportunities. The same group also may resell capabilities. Engagements with a full-service firm are usually done gratis or limited to a potential referral fee.

As an xSP, you can refer clients to one of these security partners as a favor or for a fee. Selling-through, repackaging or rebranding a security ASP's services can be a good revenue stream. However, the largest continuing revenue stream is to become a managed security provider, or MSP. And to do that, you'll need to partner with one or more vendors.

Clearly, the Internet is motivating more companies to take computer security seriously. With the right partner choices, the increased emphasis on security can be a proverbial gold mine for your business.

Deciding to turn the keys to the kingdom over to a security firm could give top management a case of extreme heartburn. After all, the client is trusting an outsider with the corporate network's crown jewels.

Companies should be more comfortable using security firms to handle the chore, states Guardent's G. Mark Hardy. "Few companies generate their own electricity, and most corporate employees fly commercially rather than on company planes. Outsourcing security allows corporations to concentrate on their core competency."

Peter Tippett of ICSA.net also notes that in the '80s and '90s, companies found it practical to outsource their data-processing needs. "The parallel to outsourcing security is the same."

A security firm often can offer the talent or service that a company can't acquire or can't afford. The current price for top security gurus on Wall Street is $150,000 a year, before benefits. Even midlevel security personnel are top five-figure income earners. Many small to midsize companies can't handle those numbers.

Retaining top talent is another task. Security is an ever-changing field, and keeping one's skills fresh takes many hours of hands-on work. Being tied to a single implementation or project for several years is almost career suicide to a security person. Security firms can keep a pool of talent moving among projects and keep the skills fresh.

Some companies, like DPR Construction, found that an outside security firm could free up personnel and provide additional assurances. Lee Rocklidge, the company's Network Manager, also thinks that myCIO.com gives his company "peace of mind. We don't have to think about it [virus attacks]."

And don't be afraid to seek a national company. Finding the right talent or service locally may be impossible. Ed Tisdale of Advantage Credit International needed to enlist professional security help for the company's Web site but couldn't find an appropriate company in the Pensacola, Fla., area. ICSA.net in Pennsylvania became his choice.