"We´re not interested in breaking in new security vendors. Iwant to see Wall Street firms and large banks on theircustomer list. My ideal would be a large, funded company withdiversified resources," he says. His last requirement is thetricky part---an outsourcing partner has to be "one that´salso highly competent." While the expertise still resides inthe boutiques, the CIO anticipates that large general servicecompanies will start bailing out the smaller companies. Thatway, they acquire the smarts, they have steady bottom lines,and they make security a component of larger managed servicespackages. And indeed, AT&T was ready to buy Pilot but walkedaway at the last moment, several ex-Pilot sources andcustomers say. Symantec has already bought a boutiquecompany, Axent.

If this expertise-through-acquisition scenario plays out assuch, CIOs will have the best of both worlds---stablebusiness and expertise. But that presents otherchallenges. For example, Symantec has products tosell. Partnering with Symantec likely means partnering withSymantec´s products too. And service levels may drop as thesmaller boutiques are subsumed by larger companies.

But for the health-care CIO, less service and expertise isfine. Outages are not.

Three weeks after the incident, with his contingency up andrunning, he says, "We dodged a bullet."

Taking It In-House