SME Toolkit

Letting go of your security worries

Matt Hines CNET News.com

Published: 26 May 2005 13:35 BST

Chris Hoff isn't ready to throw caution to the wind, but the CIO is defying the conventional mindset about outsourcing enterprise security.

To keep operations safe at Western Corporate Federal Credit Union — known to some as the "credit union to credit unions" — Hoff has a long list of security issues to consider. And for one important element of WesCorp's defence — testing its IT systems for potential weak points — he signed on with an outside software provider, Qualys.

Hoff said he had to change a few minds in WesCorp conference rooms to get acceptance for his decision to use hosted vulnerability management. Wescorp has been using Qualys' online applications for the last year.

"I don't think that it would be fair or prudent to say, 'The time is right; the applications are here. So you can just outsource all your security operations.' But there are places where [hosted applications] can work as well anything else," he said.

"When we looked at the various delivery models and compared costs at having to maintain and manage everything, including upgrades, the functionality and ease of deployment with hosted made for a very strong case," Hoff said.

The task of keeping up with security patches is one of the most demanding and frustrating jobs assigned to IT departments, which are often caught in a race to fix problems before an attack hits. For a network with more than 500 staff to serve, it can take more than 100 hours of work to do everything needed to fix just one flaw, according to Research and Markets.

With that in mind, companies that promise to take over the job of defending corporate networks against intrusions and vulnerabilities are likely to see their prospects take off, analysts say — especially as regulatory compliance becomes more of a concern.

The flow of threats such as the Sober virus is another ongoing worry. To help, Oracle puts out a monthly bundle of security updates, as does Microsoft, which pioneered the approach. But the various patch programmes can be a headache for administrators, as the tussle over automatic installation of Microsoft's Windows XP Service Pack 2 illustrated.