Firewall Wizards mailing list archives

Re: Outsourcing Firewalls/Internet Security count


From: David HM Spector <spector () zeitgeist com>
Date: Thu, 04 Dec 1997 11:05:26 -0500


Unfortunately, this outsourcing of security *IS* a reality --
especially in the financial community.

I developed/ran the Internet services group at a really large Wall
St. money center bank (which shall remain nameless :).  In late 1995
said bank was about to outsource most of its key technology
operations; not being happy with that state of affairs, I left to
pursue "other opportunities," as did most of my group.

Over the last two years, they have indeed outsourced ALL of their
firewall operations/installation/management.  The quality of the
people running the service now from what I understand, are, um, not
folks I would trust to deliver a letter, let alone be responsible for
the network and infrastructure security of one of the top-5 banks in the
US.  The folks running the service work for an "alliance" of vendors
to whom a myriad of services have been entrusted and have no
allegiance to the firm at which they sit; after all they're just
consultants.

Unfortunately, on Wall St. (and probably soon on main street) there is
a real backlash against technologists (not technology).  The cost of
our kind of services keeps going up (to keep up with the implementation
to the technology and the complexity of the threat) and the ability of
management to actually UNDERSTAND why what we do is crucial to their
ability to actually conduct business is dropping.  It's the MEGO
factor.  The quality of the deliverable (i.e., security) is being
caught in the squeeze-play.

The bottom line is that corporate management is buying the line from
major hardware vendors and (especially) from charlatan "research
firms" like (pick one) {Gartner|Forrester|Jupiter|...} that
infrastructure security is just something that you can throw a box and
a minimally trained body at, and not something that requires serious
thought or investment.  Therefore, management for the most part thinks
that they can just buy a FW-1 box (not to single them out) and put a
20 year old in charge of it and they have built a safe infrastructure.

The results of this kind of thinking will be, eventually, obvious when
one of these firms has what I used to refer to in security talks I
would give to senior management as "a billion dollar day."


_David


-- 
-------------------------------------------------------------------------------
David HM Spector                                         spector () zeitgeist com
Network Design & Infrastructure Security                 voice: +1 212.579.8573
Amateur Radio: W2DHM (ex-N2BCA) (ARRL life member)       GridSquare: FN30AS
-.-. --- -. -. . -.-. -  .-- .. - ....  .- -- .- - . ..- .-.  .-. .- -.. .. ---
"New and stirring things are belittled because if they are not belittled, 
the humiliating question arises, 'Why then are you not taking part in them?'"
                                                        --H. G. Wells


