Re: Outsourcing Firewalls/Internet Security count

[Bennett Todd <bet () rahul net>]

On Thu, Dec 04, 1997 at 11:05:26AM -0500, David HM Spector wrote:
> Unfortunately, this outsourcing of security *IS* a reality --
> especially in the financial community.

Interesting. News to me, but then I've only working in a couple of Wall
St. firms, and have friends in a few more; I'm by no means an authority
on the industry as a whole.

> [...] a really large Wall St. money center bank [...] In late 1995
> [...] was about to outsource most of its key technology operations;
> [...]
> Over the last two years, they have indeed outsourced ALL of their
> firewall operations/installation/management.  The quality of the
> people running the service now from what I understand, are, um, not
> folks I would trust to deliver a letter, let alone be responsible for
> the network and infrastructure security one of the top-5 banks in the
> US.

I've gotta be glad to hear about competitors who do things like that.
Makes the rest of our jobs easier --- ``I don't have to run faster than
the bear, I just have to run faster than _you_''. Competitors with poor
security will lure potential attackers away from me. Hooray!

> Unfortunately, on Wall St. (and probably soon on main street) there is
> a real backlash against technologists (not technolgy).

This I haven't seen, and don't expect to; I wouldn't work at a place
that dislikes me, obviously:-). But I gotta say, that sounds pretty odd;
I hadn't heard anything like that from friends.

> The cost of our kind of services keeps going up (to keep up with the
> implemenation to the technology and the complexity of the threat)

More stuff I hadn't noticed; the cost of a serious systems analyst
seemed kinda stable for the last few years; while there are the
occasional outlandish offers they haven't so far had attractive
realities behind 'em. But I really don't understand that parenthetical
comment at all.

> and the ability of management to actually UNDERSTAND why what we do is
> crucial to their ability to actually conduct business is dropping.

Then the the management in question has been hiring ill-qualified people
--- explaining what we do, teaching management the basic concepts,
giving them a clear understanding of the threats so they can weight
benefits -vs- risks -vs- costs and set the right policy for the firm ---
that's the single most important job of a security admin.

> The bottom line is that corporate management is buying the line [...]

I don't know what to make of this; you paint a picture that's pretty
grim, but I work in the same industry, and have friends in other
companies in the same industry, and I haven't seen anything like this.
So I guess what this must mean is that there are some nice, juicy,
attractive targets out their helping to keep the carrion feeders off me.
Gotta be grateful for that, anyway.

-Bennett