Shoring Up IT Providers

Chemical company monitors the security posture of its many hosting providers with an automated scanning service

George V. Hulme, Contributor

September 24, 2004


When it comes to watching just how secure hosted services are, perhaps no one knows better than Paul Simmonds, the global information security director for Imperial Chemical Industries plc.

The chemical company, with annual sales of $11 billion and more than 35,000 employees, maintains offices around the world and outsources most of its business technology to a couple of major IT suppliers and dozens of smaller ones. The companies help maintain ICI's operations in 55 countries, including ones in Europe, North America, and the Asia-Pacific region.

The company's IT security, and that of its service providers, already has been tested. ICI has 400 Web addresses representing everything from specific products to various business units, and those addresses have been targets for attacks launched against applications and corporate data. Simmonds knew he needed a way to measure and enforce security across all of ICI's network-services and hosting providers.

So he turned to yet another services provider, one that specializes in vulnerability scanning and management. Qualys Inc.'s QualysGuard Enterprise Edition Web-service vulnerability scanner was installed and running in about two hours. The service's backbone is a database of more than 3,700 vulnerabilities that Qualys maintains and constantly updates. That's critical, since experts say about 50 new software vulnerabilities are discovered each week.

Using the Qualys service, Simmonds built a completely automated system that scans ICI's global infrastructure at least once a week and generates security-vulnerability status reports for each of ICI's IT suppliers. ICI maintains the right to scan supplier networks for vulnerabilities. "Security is serious to us, and we expect any security issues we find to be fixed," Simmonds says.

ICI is doing more to protect its systems from attack than most companies. According to InformationWeek Research's 2004 Global Information Security Survey of 7,000 business-technology and security professionals, only a fifth of companies use vulnerability-assessment tools to protect their systems.

A few hosting providers have learned the hard way that, when it comes to security, ICI means business. "Just two weeks ago we had to change a hosting provider because they didn't fix a security hole," Simmonds says. Most--but not all--hosting companies do fix security holes found by QualysGuard, he says. "Some won't because they're worried the fix could interfere with other customers or applications," he says. "Some simply can't. They don't have the technical expertise."

About the Author(s)

George V. Hulme


An award-winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at
