Contractors Are A Security Threat -- Both Active And Passive

CIOs have to rely on outside contractors for some IT jobs -- I don't know any who don't use at least a few. And the security problems third parties represent are well documented. But whatever happened to plain, old competence?Two Congressmen are calling for an investigation into computer break-ins at the Department of Homeland Security last year that were traced to a Chinese language Web site. The perpetrators are, apparently, still unknown. But contractors working for Unisys are being investigated for, first, not preventing the breaches and then attempting to cover them up, according to stories by the Associated Press and the Washington Post.

Call it closing the barn door after the horses have gone -- and that's generally the proper analogy when investigating computer security breaches.

What's upsetting is that Unisys was awarded a $1.7 billion contract to build and maintain the Homeland Security Dept.'s network, including its security systems. According to a recent report by Input, a research firm that studies government use of IT, Homeland Security is fourth on the list of ten government agencies that represent 65% of the federal government's overall spend on IT products and services.

You'd think, for that kind of money, you could get at least competent execution. The problem, in this situation, is that it involves security: If an application isn't built competently, you get what? A system crash. If a security system isn't put together competently, you get what? An insecure system.

And when that system is running in the Dept. of Homeland Security, well, the implications are obvious.

Is this a case of, if you want it done right you have to do it yourself? Is network security better done by in-house staff? Do you have third-party contractors working on security in your organization? And do you sleep well at night?