IT Burden Forces Security Outsourcing

Looking Outside for Help

When the Screen Actor’s Guild-Producers Pension and Health Plans developed an interactive Web site that allows participants, often big-name movie stars, to access their health and
pension information 24 hours a day, executives knew they needed another
company to do the heavy lifting when it came to security.

The Pension and Health Plans arm of SAG, a labor union for performers, was not only dealing with ensuring the privacy of a lot of well-known people, who draw hackers like flies to honey, but it also was faced with federal regulations, such as HIPPA, which
regulates security for health information. Amanda Bernard, executive project
manager at SAG-Producers Pension and Health Plan, says she knew it was all more than they could handle in their own IT shop.

”We had several big security drivers,” says Bernard, who chose to
outsource her work to Symantec. ”We went looking for a vendor we could
develop a relationship with and maintain it. Could we get everything we want
from them?

”We didn’t want someone who would be notified by pager that there was a
problem and then 20 minutes later they’re coming in to see what the problem
was,” she adds. ”We wanted someone who was monitoring our firewalls and
intrusion detection. We wanted someone on top of it all.”

Offshoring not an Easy Security Choice

While many CIOs consider moving their security work outside the company,
most still are hesitant to move such critical work offshore. They don’t want
their security work being done that far away, especially in such a turbulent
political climate.

But the Yankee Group’s Waterfield warns that administrators need to make
sure they know exactly where their outsourced work is being done, because
some service providers offshore the work that they’re taking in.

”An enterprise might have offshored functions if their provider offshores
functions,” she points out. ”I think it’s important that companies are
aware of it. Companies need to do due diligence on the provider. Where are
they physically located? Who is doing the work? How trained and experienced
are the people doing that work?”

Geyer says that while Symantec has six operation centers worldwide, they do
the outsourced work in the country where the client company is based.