Educational Testing Service (ETS), the company that brings terror to the hearts of high school students everywhere with the SAT, was facing a test of its own. Technology has been revolutionizing the academic testing business, with No. 2 pencils poised to go the way of the dodo bird. But ETS, a nonprofit based in Princeton, N.J., was lagging behind in its own back office technology, especially in safeguarding the sensitive personal information that is the company's bread and butter.
"Risk management is a fairly new concept to our company," said Mike Ducsak, director of information security at the company. "ETS is a legacy company, and we're bringing it into the new century. We have to be concerned on many, many levels."
Last year, ETS hired a vendor to develop a login and monitoring tool to protect the company's data from intrusion. The multimillion dollar project floundered, months behind schedule, until ETS finally pulled the plug.
"It was not cutting the mustard," Ducsak said. "The vendor wasn't able to deliver."
Instead, ETS turned to an off-the-shelf product from Cupertino, Calif.-based ArcSight Inc., a security management vendor.
"We were able to plug it into our network and get up in 30 days," Ducsak said. "The other solution would have taken six months to a year. Time is money."
The turnkey solution was not only cheaper to deploy, Ducsak said, but it also required two part-time staffers to run instead of the five full-time staff members the company had been allocating for the custom project.
Recently regulatory compliance mandates -- such as the Health Insurance Portability and Accountability Act (HIPAA ) and the Sarbanes-Oxley Act -- have forced many CIOs to add risk management to their portfolio. In the midmarket, where IT execs are perennially tasked with doing more with less, this has meant CIOs are required to get up to speed quickly on issues with which many companies had only recently begun grappling.
Khalid Kark, an analyst at Forrester Research Inc., noted that ETS was typical in discovering that it's easier to buy than build risk management tools.
"Technology is the easiest part of the solution," Kark said. "The people and the process are the tough things. The majority of data breaches happen because people aren't aware what to do. The process needs to be there to make sure sensitive data is protected."
That becomes more difficult as midmarket firms venture into the international arena, where standards for privacy protection may be different from U.S. requirements.
"The more organizations become global, the more partners and clients and relationships they have, the more need there is to share sensitive data," Kark said. "How are you managing and protecting that data if you share it? You need to vet the partners thoroughly."
Firms that share sensitive data should audit the practices of their partners as often as quarterly to ensure the proper processes are being followed, he suggested.
"You need to constantly keep them on their toes," Kark said. "Having it in the contract doesn't mean it will get done. It's your responsibility if the client's data gets compromised. Have the right relationships and ensure there's a way to keep up to date with the environment of the third party."
At ETS, Ducsak said the company prefers not to share its most sensitive data with outside developers because of such concerns.
"We have a lot of software partners," he said. "But we do a fair amount of development in-house, depending on the nature of the data."
At ALN Medical Management in Littleton, Colo., CIO Eliot Payson said economic pressure drove the company to find a way to get more for its risk management buck.
"Physicians are under great financial pressure due to declining reimbursement and are careful about how they spend money so IT solutions must be cost effective," Payson said.
The company handles billing and revenue cycle management for physicians, which involves data that is federally protected under HIPAA.
"Our initial understanding of a risk management strategy was very limited," Payson said. "We work with patient health information daily. We think about and discuss risk management regularly as part of our overall HIPAA-mandated compliance. We need to protect the information we store, while at the same time ensuring that our physician customers have reliable and redundant access to this information 24/7. We are constantly evaluating how we eliminate potential risks of improper access to patient information and deploy systems and applications that have guaranteed availability and redundancy."
ALN turned to ITonCommand, a Denver outsource provider that hosts the infrastructure for the company's practice management, business and clinical applications.
"The ability to leverage the redundant infrastructure, backup, security and top-tier Microsoft knowledge [that] ITonCommand provides is critical to our ability to grow our business while managing risk," Payson said. "We have been able to leverage technologies, experience and capital that we would not have been able to utilize on our own. It has enabled our IT team to focus on implementing, integrating and supporting the business applications that are critical to our business."
Michael Ybarra is a monthly columnist for SearchCIO-Midmarket.com and a former senior writer at CIO Decisions magazine. He is also the author of Washington Gone Crazy. Write to him at firstname.lastname@example.org.