Merrill Lynch's Chief Information Security Officer Speaks Out About The Benefits of Outsourcing Network Security

David Bauer talks with InformationWeek senior editor George V. Hulme about the brokerage's decision to outsource the monitoring and management of its firewall and intrusion detection systems to Internet services and security provider VeriSign Inc.

George V. Hulme, Contributor

March 5, 2003

InformationWeek: Let's start with what you were looking to solve and why you chose to pursue outsourcing rather than manage these functions in-house.

Bauer: It's all about being the best that you possibly can be. We're doing a good job running our perimeter defenses. But on the intrusion-detection piece, there are two pieces to this, firewalls and intrusion-detection systems. On the intrusion-detection piece, we have a lot of [network] activities, as a lot of companies do, but now we're going to get analysis of all our activity in context with what else is going on in the world. It's not just about data; it's about intelligence. And with intelligence, you can make better decisions.

With a company like VeriSign, who does this for many other companies, as well as the data they have from running the .com domains, they probably have more information about security incidents than anyone else. We can get analysis of events going on with us in context as to what's going on in the rest of the world. That allows us to make better decisions. It also gives us early warning. They can, often before others can, see an attack occurring on the Internet. We are doing it so we can be better by having the kind of intelligence network we couldn't possibly do on our own.

InformationWeek: So you can increase security by leveraging information from VeriSign and, through them, information they learn from the other companies whose security they manage?

Bauer: Everyone is seeing things on their intrusion-detection systems. But they don't know if it's happening just to them or if it's happening across the Internet. Is it a random [attack], or is it targeted? Is it a sophisticated attack or not? Well, now we can get answers to those questions. We can decide that we may not have to worry about an attack. Or maybe it's an attack we do have to worry about.

InformationWeek: Why VeriSign and what services will it be providing?

Bauer: Firewall and intrusion-detection management and monitoring as well as break/fix and stuff like that. They have an expert team. We were doing a great job, but they have some better tools and more knowledge because of all of the customers that they manage.

InformationWeek: This will free your internal security resources?

Bauer: Yes. It lets us worry about the evaluation of the data as opposed to the monitoring of the data. I'm a big fan of this risk-managed approach. Now we can take the data and do risk analysis against it and act on it, as opposed to having to do the day-to-day stuff. So firewall operations, what's that about? That's about pushing rules and worrying about disk capacity and patches. That's something that is easily done by people with scalable tools.

InformationWeek: So what will you worry about now?

Bauer: Now we can worry about what we should be doing next. What will our next strategy be? We can focus on the brainwork, the bigger risk-management picture. And that's where you want to be instead of chewing up resources on the operations.

InformationWeek: With new reporting tools and security event monitoring consoles, can't you build this on your own?

Bauer: Yeah, but you spend a lot of money and you still don't have the contextual data. So this is something that is very easy to leverage. We'll leverage the critical mass that VeriSign has developed and we can now free up cash resources for other things.

InformationWeek: Why did Merrill choose VeriSign?

Bauer: We evaluated all of the usual suspects and we actually found they had the best operation, the best technical people, and the most sophisticated tools of all of them. I guess you can imagine that we wouldn't just go with anyone.

InformationWeek: How will this be implemented?

Bauer: The implementation is under way. But you don't just flip the switch; it has to be planned carefully and will be implemented over the summer and the fall. We've been running globally already, so it's a change in strategy for Merrill.

InformationWeek: A few years ago not a lot of companies, maybe 25%, were looking closely at managed security providers. Is that changing?

Bauer: I think companies will take different approaches on this. I think it will change. I was talking to a bunch of my peers at a conference last week, and they were really interested in what we were doing. They don't have the contextual analysis [of what is happening across the Internet that could affect their security] either. And they need to also manage their scarce resources more efficiently. We think we are a thought and strategy leader about how we are approaching this. And I think others will start doing the same thing. Another thing that's changed is that the service providers have matured. A couple of years ago when they were first building their toolsets it would have been difficult to swallow a company like Merrill, or any other big company. Some of the security services providers can handle the big companies, but not all of them.

About the Author(s)

George V. Hulme


An award-winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at
