In the last three months of 2001, the software that stands watch for health insurer Regence Group captured 145,645 attempts to break into the company's computer systems. That's about one violation a minute. Trouble is, not every incident is an electronic burglary in progress. But there's no way of knowing that, because security software doesn't distinguish between the digital equivalent of a cat burglar jiggling the doorknob to see if it's locked and a determined thief who smashes the window with a crowbar and climbs inside. For Regence's 45-person security staff, responding to every alarm would have been like a small-town police force having to fight a big-city crime wave. That's a huge problem when you take into account FBI statistics: 1% of all Internet attacks are successful--or, in the case of Portland (Ore.)-based Regence, more than 1,400 attacks should have successfully breached its network.
Instead, Regence called in the digital Pinkertons. A year ago, it hired tiny Counterpane Internet Security Inc., a Cupertino (Calif.) company that manages computer security for corporate clients. At Counterpane's state-of-the-art control rooms, engineers monitor traffic in and out of Regence's three data centers, 500 servers, and 10,000 desktop computers. Security experts keep a vigilant eye out for hackers, unauthorized insiders, and malicious viruses. "When we looked at having to do this service ourselves, it scared the hell out of us," says David MacLeod, chief security officer for Regence. "This is not something we could do."
Plenty of other companies are just as terrified. Growing concern over increasingly malevolent hacker attacks and viruses, as well as the rising cost of round-the-clock surveillance and qualified cyber-sleuths, has many companies turning to others for protection. For a fee, you can hire someone to patrol your network, signal a break-in, and take appropriate action. The hired hand will monitor firewalls, authentication software, and antivirus services, and warn about dangerous developments on the Internet.
According to market researcher Gartner Dataquest, worldwide revenue from cyber security services is set to take off, more than doubling from $1.8 billion last year to $3.9 billion by 2004. "Security is moving outside the realm of what companies can do themselves," says John Pescatore, security analyst for market researcher Gartner Inc. "The [tech] staff can't monitor systems all day, support the enterprise, and roll out new stuff at the same time."
The days of wide-eyed optimism about the Internet have given way to cyber checkpoints and pragmatism. The terrorist attacks of September 11 delivered a wake-up call to business: spend as much time protecting computers as is spent connecting with customers, suppliers, and employees. That will be especially true as the Web allows computers to automatically share programs, data, and services to manage everything from product design to supply-chain management to trading information with business partners. "Boards are becoming much more aware of computer security, especially as it relates to business continuity," says Richard Diamond, chief information officer of The Doctors Company, a Napa (Calif.)-based provider of malpractice insurance. The directors of his company handed computer security headaches to Symantec Corp. (SYMC
It's a decision that will likely save him more than security headaches. It should help the bottom line, too. Regence's MacLeod pays Counterpane approximately 25% of the $500,000 a year he figures it would cost just to hire the people to provide a 24-hour watchdog service. That's without spending a dime on security hardware or software. And because he's using a service already approved by Lloyd's of London, it was easier to get an insurance policy covering the company in case of any shutdowns from technical glitches, hackers, or computer viruses.
That's assuming MacLeod could find enough digital Sherlocks. Staffing shortages are the other big reason for outsourcing security. Sure, companies often have plenty of programmers on the payroll, but it's tough to turn a software developer into a security expert. The work is erratic. Staffers can endure months of boredom--then suddenly face hours of sheer panic. "It's very difficult to justify the cost of experts when you might not need them every day," says Maria A. Cirino, co-founder and CEO of Guardent Inc., which provides security services to corporate clients.
When the alarm sounds, companies need workers who can assess the degree of danger in seconds, because security software often isn't up to it. Hackers scan thousands of systems for an opening, which software records as an attack, even if the network wasn't penetrated. With the steep rise in assaults, companies are drowning in data generated by security programs. "What used to be a weekly report that was half an inch thick is now 17 inches high," says Cirino.
Just as technology hasn't replaced the need for a police force in the physical world, security software can't protect the virtual world without people who can assess the threats. "What about computer security is flawed?" asks Bruce Schneier, founder of Counterpane. "You need people." That means that if he plays his cards right, he's in for lots of work, because he has the gumshoes for the digital age.
MARCH 25, 2002