Third Party Security -- Uncertainty about network safety translates to market opportunities for consulting services. By Bronwyn Fryer
Ask IT managers what keeps them awake at night, and they're likely to talk about terrorism. Not the kind perpetrated by anthrax-toting militia, but the havoc wrought by computer hackers. Never before have IS managers been so frightened, and never before have they so desperately sought the help of security consultants.
According to the SANS Institute, a Washington organization that conducts seminars in security issues, use of security-consulting services grew about one-third from 1996 to 1997. The institute expects usage to grow even faster this year.
Users are eager to sign on for security-consulting services. In a December study by Zona Research Inc. in Redwood City, Calif., nearly 60% of 200 IT managers said they expect security-related spending to increase; almost one-third said it would remain the same. Says Craig Metzler, regional director of IT for the McManus Group, a New York advertising and public relations firm that uses security-consulting services, "If you hire an internal person, they're harder to keep on the cutting edge of security technology. A consultant has a vested interest to do that."
Three types of companies can help plug the holes and stop the leaks: Big Six consulting firms, including Ernst & Young, Coopers & Lybrand, and Deloitte & Touche; hardware and software vendors such as IBM, Sun Microsystems, and Hewlett-Packard; and "boutiques" such as Dataway Design, which are often hired as subcontractors by the Big Six. Typically, the security services of all three types of providers include auditing, assessment, and evaluation.
These vendors are cashing in. User companies spend as much as $35,000 for consultants to check firewalls, says Bruce Murphy, director of the IT security services group at Coopers & Lybrand, in New York. The price for a large-scale global organization can soar above $1 million. "The larger contracts are the future of our practice," Murphy says. Is it a surprise that Coopers & Lybrand's business is doubling annually?
Security-consulting services begin with the obvious: educating employees-the same folks who perpetrate the majority of illegal activity on corporate networks-about the importance of password secrecy. "When an individual leaves a company, you can change their password," says Dan Woolley, information security practice leader at Ernst & Young in New York. "But they probably take with them knowledge of five other people's passwords."
Next, security consultants run "penetration" tests-also known as "ethical hacking"-on both sides of the firewall to find the holes. Then they present a report with recommendations for building a stronger security architecture.
Big Talk
Convincing upper management to purchase such services is easier for Big Six firms than it might be for other security consulting firms, because they speak the language of management. "A CIO or CEO wants to know how security will benefit the bottom line," says Coopers & Lybrand's Murphy.
Nevertheless, security types need to speak not just the language of bucks, but also of bits and bytes, says Al Decker, a former Coopers & Lybrand veteran who today heads IBM's security-consulting practice. "The Big Six have the business view from the financial root, and IBM has it from the technology root," he says. Decker points to IBM's Global Security Analysis Lab, an organization dedicated to security research. "These guys invented the 1,000-MHz chip," he says. Coopers & Lybrand's lab is good, he concedes, "but here at IBM, the walls pulsate."
Decker believes the need for specific technical expertise is why hardware vendors have entered the security-consulting arena. In January, Sun unveiled its global Security Consulting Practice-a move that makes particular sense, says Paul Rochester, VP and general manager of Sun Professional Services. Because more than half of Internet traffic is conducted on Sun's platform, he says, Sun is the obvious choice for securing a global network.
Maybe, but pure consultants argue that they are more impartial-and hence more trustworthy-than hardware or software vendors offering network security services with an eye toward selling products. "The problem with vendors is that they are vendor-centric," says Luther Garcia, co-founder of Gray Peak Technologies, a security consulting firm in New York that subcontracts to the Big Six.
Boutique Shopping
For every large consulting firm or vendor in the security act, there are hundreds of smaller boutique shops. Many large companies prefer working with these. Metzler of the McManus Group, for example, prefers working with Dataway Design to get the Check Point security tool on his global network, and then keep an eye on it. "We use Andersen for other consulting stuff, but they're fabulously expensive, and everything requires an opinion, a second opinion, and a quote," he says.
By contrast, Metzler finds Dataway much more responsive. "My guy [at Dataway] found something on the network in Europe, and he got on a plane and just went there," he says. "It's much less effort to work with him than dealing with a big company."
Dave Dugan, VP of systems development at the Chicago Mercantile Exchange, takes a mix-and-match approach to protecting the Merc's Globex international electronic-trading and other systems. Because he has specific needs for expertise in online financial transactions, Dugan works with four or five small and medium-sized security-consulting firms. Though he won't discuss specifics, Dugan says he hires consulting-services companies with expertise in real-time transactions, guaranteed data delivery, firewalls, and specific network technologies. To find them, he works his referrals. "Basically," Dugan adds, "it's a who-you-know thing."
In a business where an oxymoron like "ethical hacking" is a common expression, "who you know" also takes on a double meaning. That's because the line between legitimate security consultants and the hacker community can sometimes be a fine one. Ernst & Young, for example, hired an infamous hacker known as Phiber Optik to perform some aspects of penetration testing, albeit with the "full awareness and consideration of the clients who requested he be involved," says Ernst & Young's Woolley. "But now, we get the guys in the white hats."
Looking The Other Way
Though Coopers & Lybrand's Murphy insists his firm doesn't hire hackers because "some are convicted felons," the cross-germination between the security and hacker communities continues. IBM's Decker, for example, sends people who look like hackers to sniff around at hacker conferences. "It's like taking an ex-burglar and making him an adviser for a security company," says Jim Balderston, an analyst at Zona Research. Plus, with networking skills in short supply, some companies are willing to look the other way, Balderston adds.
Sniffing around in hacker discussion groups or at conferences differs, of course, from actually hiring a hacker. Mike Davis, director of IS at Robert Mondavi Winery in Oakville, Calif., performs Mondavi's security operations and occasionally consults for other companies. One organization he consulted for learned the hard way that once a hacker has broken into a network, he or she can be hard to keep out. "If I'm a manager who knows nothing about networks, and I hire a hacker to shore me up, the hacker can learn all about my systems," warns Davis.
Ultimately, the security-consulting business will change, especially with the advent of new monitoring tools and services from companies such as IBM, Internet Security Services, and Network Associates. These tools catch network attacks in real time. Standalone products, too, such as Check Point's FireWall-1 or ISS's Internet Scanner, will find their way into routers, operating systems, and servers. Says Zona's Balderston: "It will be as simple as throwing a switch."