By Alan Radding
Physical security — buildings, people, tangible assets — quickly became the focus of management attention in the aftermath of the September 11 attacks. But in the rush to improve physical security, management cannot neglect the safety of the organization's intangible information assets and intellectual property and the networks and systems that manage them. An attack that destroys or compromises these assets can have equally grave consequences, even threatening the survival of an organization whose buildings and people still remain intact and safe.
"We have seen a significant upswing in business, and especially in requests for systems security assessments and reviews of networks," reports Pete Sfoglia, partner, Ernst & Young. The firm's three technology labs have been working overtime running network penetration tests for clients.
Despite years of hacker attacks, it took the events of September 11 to arouse executives to the vulnerability of an organization's information assets. "It created an awakening of interest in networking security. Before then, clients had been complacent," reports Phil Hillhouse, vice president/consulting at Internet Security Systems, Inc., Atlanta. Specifically, the company has experienced an increase in requests for information security risk assessments and penetration tests, where teams of its own hackers try to penetrate the organization's network defenses.
But unlike the physical security consultants who experienced an immediate surge in business following the attacks, the information and network security reaction hasn't been quite so direct. "Our business is definitely up, but it was growing even before September 11," notes Will Henderson, CEO, Sword & Shield Enterprise Security, Inc., Knoxville, TN. Although business flattened over the summer, activity jumped in October and November — "but only one job definitely resulted from the attack," he adds.
Still, the first major security conference on information systems and network security to take place in New York City in years drew a surprisingly large number of attendees despite a post–September 11 reluctance to travel, reports Steve Hunt, vice president/research, Giga Information Group, Cambridge, MA, the conference producer. The conference, which offered the usual assortment of new technology gadgets intended to bolster security, focused not on the conventional approaches to information systems security but on new concepts, such as aligning network security with the business. "The idea that technical security measures must be related to business issues is an old academic concept, but it is new to commercial practice," says Hunt.
The problem facing information systems security consultants is that "historically, security hasn't been a boardroom or executive issue," explains Edward Giorgio, principal, Booz-Allen & Hamilton, in part because information system security has been detached from the business issues that concern executives. Although the management consulting firm had long maintained an extensive technical security practice focused on the government, "only in the last few years have security issues — information security, business continuity, privacy — become boardroom issues," he continues. Now the firm aggressively leverages the deep technical capabilities of its government security practice team as it performs comprehensive risk assessments for corporate clients.
Suddenly, information security has become strategic. As a result, it may begin attracting serious corporate investment. In a published survey conducted by J.P. Morgan Securities, Inc., 53 percent of the respondents reported plans to increase the proportion of their IT budgets devoted to security, with large companies — those with $500 million or more in revenue — earmarking the largest percentage, 11.2 percent, to security. Last year, companies surveyed spent, on average, 7.4 percent.
Small and midsize businesses lag behind the large companies in security spending, but even that may be changing. "Managers now realize that they face a very real risk of losing the business" in the event of an attack, says Peter Giannacopoulos, president, Myrmidon Networks, Inc., a network security firm based in Norwood, MA, that focuses on small and midsize businesses. Still, "executives balk at spending money on network security," he continues, although he has had success by starting companies small and encouraging them to increase spending incrementally. Any security spending, it turns out, is an achievement: In a survey by Information Week, 45 percent of small companies and 37 percent of midsize firms reported no provisions to protect their intellectual property, which consists primarily of information assets.
If the events of September 11 haven't impressed managers with how vulnerable and how critical their information systems are — maybe they see it as a one-time occurrence that won't happen to them — the latest figures from CERT should sober them up. In a published report last year, the CERT Coordination Center at Carnegie Mellon University, Pittsburgh, projected that there would be 40,000 security incidents in 2001, more than doubling the year 2000's total. And the attacks are getting more dangerous. The Code Red and Nimda worms reportedly damaged hundreds of thousands of systems and cost the affected companies more than $1 billion. More recent worms such as Goner even attack the antivirus systems designed to defend against such threats.
Surveys showing lack of commitment to security don't surprise veteran information security consultants. "Most companies haven't even mastered the basics of network security. They don't have the most basic policy statements on privacy or anything," says Sandy Bacik, senior security consultant, Breakwater Security Associates, Inc., Seattle. These policies define such issues as who owns the data and what employees are allowed to do with it. "The use of any security tools and technology will fail if organizations have not put the policies and procedures in place to back it up," she insists.
The need to create coherent security policies and procedures and align the organization's security strategy with its business objectives creates new opportunities for consulting firms, especially those that may lack the hands-on technical capabilities required to actually implement information system security programs. "Security today is about securing the business, not the network. Companies need to map [information systems] security to their business requirements," Hunt explains.
In this sense, information systems security becomes as much about business process alignment as it is about firewalls, intrusion detection systems, and biometric authentication. And this kind of business analysis and assessment is something almost any good consulting firm can handle. The actual implementation of security programs can then be subcontracted to technical specialists or turned over to managed service providers, which are jumping into the security area in droves.
The Booz-Allen & Hamilton experience offers a lesson to other consulting firms intent on pursuing this opportunity. Network and information security consulting proved to be a low-margin business. As a result, the company provided it only to government agencies where the scale made it financially feasible. To make money on the corporate side, the company elevated its security offerings to address issues such as business continuance and privacy at a high level. For corporate clients, it offers high-value vulnerability and exposure reviews, packaging it all together as a risk assessment service that combines Booz's understanding of the organization's vulnerabilities, the likelihood of various threats, and the value of the assets being threatened.
"What we're offering is a strategic service starting with policy and risk assessment. That leads into security system architecture and design to mitigate and manage the risks," says Giorgio. When it comes to the actual implementation and 24/7 security operations, however, Booz is just as happy to steer the customer to a specialist in that area.
E&Y follows a similar approach, performing security reviews, risk assessments, and penetration evaluations. For E&Y, information systems security, in effect, represents an extension of the auditing work the firm has long performed. "We work with the CIO, the chief security officer, and the internal audit group," says Sfoglia. The firm competes with the other big accounting/audit firms as well as with boutique network and systems security companies for the security engagements. The boutiques generally offer lower prices, while E&Y and its fellow big accounting firms leverage existing relationships.
Managed security service providers like Guarded Networks, Inc., Hollywood, FL, take over where the large consulting firms stop — at the implementation stage. Guarded Networks runs a 24/7 operations center that continuously monitors its customers' on-line traffic. "We analyze the traffic, and if we see suspicious behavior, we take the appropriate action," says Richard Dobrow, president. Previously, Dobrow had been with Arthur Andersen's Technology Risk Practice, and before that, at PwC.
This past year, PwC decided to partner with Internet Security Systems (ISS), which provides a 24/7 managed security service. "PwC does things that are beyond our capabilities, such as security policy and all the related business issues," says Glenn McGonnigle, vice president/alliances, ISS. The global alliance between PwC and ISS is nonexclusive. Each partner contracts individually with the client. No money changes hands between PwC and ISS, which preserves PwC's integrity as an independent auditor.
Although industry pundits have predicted managed security services as the wave of the future, the concept remains unproven and many service providers have folded. Consulting companies will need to perform their own due diligence before they start recommending particular managed security service providers.
Consulting firms that steered clear of network security because they saw little profit or leverage for what they do in fighting hackers, viruses, and worms may find the new, business-oriented approach to network security more appealing. Instead of battling denial-of-service attacks, the firms can help customers align their information systems security and business objectives, develop strategies, design security architectures, and write policies — while leaving the tricky implementation details and ongoing security operations to others.
Sidebar: Collaborative Workplaces Find New Appeal Among Security-Minded
Network security looms ever more important as organizations shift to on-line conferencing and collaboration while they try to reduce travel in the wake of both the September 11 attacks and the continuing recession. But before the corporate network and the Internet can deliver viable alternatives to face-to-face meetings and side-by-side collaboration, organizations will need to ensure that their networks are secure.
Even before September 11, on-line collaborative workspaces had been identified as a hot and growing market by numerous industry observers. IntraLinks, Bungo, eRooms, and Xdrive, among others, all provide shared space for on-line collaboration. In addition, industry-specific on-line exchanges increasingly offer collaborative workspace, and tools ranging from PTC's Windchill to Groove, from the inventor of Lotus Notes, enable organizations to create on-line workspaces themselves.
IntraLinks, for example, handles much of the network security as it enables organizations to collaborate outside the enterprise on complex business. Through such security measures as 128-bit encryption and audit tracking, IntraLinks offers a secure, neutral, on-line environment for inter-organizational collaboration across the Internet. A number of consulting firms such as Ernst & Young and KPMG, as well as their Fortune 500 clients, are using IntraLinks digital workspaces for a variety of tasks.
Within two weeks of the World Trade Center disaster, IntraLinks offered free digital workspaces to companies either displaced or suffering from downed networks due to the terrorist attacks. "Given current communication challenges, we are offering complimentary workspaces to companies suffering hardship from the attack," said IntraLinks CEO James Dougherty at that time. Only a handful of companies, however, have taken up the free workspace offer to date.
A number of IntraLinks clients in the New York financial district were adversely affected by the events of September 11, but through the use of IntraLinks, many were able to stay in touch with business partners and keep projects and transactions moving. Since April 1997, more than 100,000 participants worldwide have used IntraLinks' digital workspaces to communicate and collaborate on more than 8,000 projects and transactions. Companies primarily in the financial services, insurance, legal, pharmaceutical, and professional services markets have adopted IntraLinks.
For example, E&Y's Litigation Advisory Services partnered with IntraLinks to propose and implement IntraLinks' digital workplace for GE's legal department. As a result, E&Y professionals and GE lawyers can collaborate on projects at hand from wherever they are via a Web browser and the Internet. GE's litigation department and outside parties can work together, securely sharing confidential legal documents from anywhere in the world.
The on-line collaboration fit neatly into GE's overall business strategy, of which GE CEO Jack Welch had declared e-business to be a major part. By dovetailing with GE's e-business interests, E&Y won the engagement. "IntraLinks services were part of what distinguished us from the competition," notes Warren Nicholson, partner, E&Y Litigation Advisory Services.
To make the on-line collaboration work, E&Y consultants analyzed the financial aspects of GE litigation and then assessed the strengths, weaknesses, and gaps in its processes. IntraLinks, according to published reports, would supply digital workspaces — secure neutral project worksites accessible via Web browser — to organize and categorize analyses while also encouraging invaluable collaboration among E&Y professionals, GE counsel, and other participants. — Alan Radding
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.