Security Outsourcing Grabs Hold
by Bill Brenner
CIO Decisions Magazine
September 2005
Excerpt
John Lambeth and Rick Casteel didn't become CIOs so they could spend all their time fending off Trojan horses, setting Sarbanes-Oxley controls and poring over HIPAA requirements.
But Lambeth, vice president of IT at Blackboard Inc., a $111.4 million e-learning company in Washington, D.C., and Casteel, vice president of management information systems at Bel Air, Md.-based nonprofit Upper Chesapeake Health, found themselves increasingly bogged down with those security management tasks. The time had come to consider outsourcing them.
One did.
"Security and compliance require more specialized expertise, and it makes more sense to outsource that so the staff can stay focused on the core business objectives," says Lambeth, who uses four service providers to help his business handle security.
The first items to outsource are the things you have trouble keeping up with, says Gartner analyst Kelly Kavanagh. "For example, let's say you realize you'll never keep up with the variety of vulnerability announcements coming out, and you'll never keep up with the onslaught of IDS [intrusion detection system] signatures. That's safe to outsource." It's a plus to do so, he adds, because once an outsider helps a company sift through all those reports, the in-house IT staff can patch systems and block suspicious network activity faster and more efficiently and then move on to other things.
Blackboard's e-learning product is essentially a templated, hosted intranet that professors can use to communicate and share files with their students. Professors can post lecture notes, students can share files for group projects, and groupware enables virtual classes, live chat and other features. It currently has more than 12 million users across the globe and is looking to grow.
The emphasis on growth is part of why Lambeth and CFO Peter Repetti opted for outside security help. It would let the company's IT staff zero in on business-building projects. "I have an IT staff of 17, and I want them spending most of their time engineering the infrastructure and applications to help us grow," Lambeth says. "Security and compliance require more specialized expertise, and it makes more sense to outsource that so the staff can stay focused on the core business objectives." Those objectives include constructing a fiber optic network to connect Blackboard's Washington, D.C., headquarters to the data centers of its application service providers and deploying voice over IP globally.
The company's global scope, in fact, was another reason to outsource. "You have to consider other security requirements in other parts of the world--the [European Union] privacy laws, for example," Repetti says. "An outside entity can keep track of those global regulatory requirements and help us integrate them into our process."
Founded in 1997, Blackboard uses a host of IT providers already. Likewise, Lambeth and Repetti found they needed more than one MSSP to take on their security and compliance needs. Blackboard's projects fell into four categories: e-mail filtering, network security, vulnerability scanning and an annual security assessment. That variety ultimately led to hiring four MSSPs.
So Blackboard hired Mountain View, Calif.-based Counterpane Internet Security Inc. to provide around-the-clock IDS services. "Counterpane can survey all the potential threats worldwide," Lambeth says. "They can provide a much wider, more current view of the threats. That's something we can't do, because it's not our focus." Vulnerability scanning is an important part of Blackboard's efforts to comply with regulations such as the Sarbanes-Oxley Act and the Payment Card Industry's (PCI) Data Security Standard. "We process credit card transactions and need to be PCI-compliant to conduct business," Lambeth says. "This requires a scan of our entire security posture to ensure there are no vulnerabilities." The company hired Chicago-based AmbironTrustWave for this.
So how has the IT staff taken this shift of its security responsibilities?
"Overall, the IT staff has worked well with outside contractors," Lambeth says. "Never have we transferred labor from the internal IT staff. As an IT leader, you have to make sure the staff understands why you're doing this and that they are focused and on board. It frees them up to get trained on upcoming technology and challenges. They can focus on the next engineering challenge."
Repetti says Blackboard's IT staff also wins because it learns from the outsiders. "These providers let us leverage the strengths of our in-house staff and allow our IT staff to gain the collective knowledge of experts," he says.