Kelly Kephart, CFO

Clients, Not Customers

Posted by Kelly Kephart, CFO on January 12, 2010 11:48 AM

I insist that our GSI associates refer to the people and companies who favor us with their business as clients. I admit...it's an obsession with me. I am so passionate about the client reference that when someone utters "customer" within earshot of me, the offending speaker generally knows that a well-placed rebuke will shortly follow. I've never sentenced anyone to spend an hour in time-out or put their nose in a circle on the wall; however, most everyone understands that employing "customer" in a conversation at GSI will generate a correction.

My devotion to "client" is all about respect – respect for the people who have trusted us with their mission-critical processes, respect for the close relationships that we have developed in supporting those processes, and respect for the caliber of service delivery our ServerHeroes teams provide 24/7. We are not selling hamburgers or tanks of gas, where one source is just about as good as the other. Nor are our associates manning the drive-thru lane or considering "have a nice day" the ultimate measure of service at check-out. We are important components of our clients' businesses, and in order for GSI to exceed expectations, our associates need to understand and respect the confidence that our clients have placed in us.

Customers produce revenue – clients produce relationships. GSI is so devoted to getting the relationship right that we diligently work to know our clients' businesses, and the business processes that we are supporting. We employ our Service Quality Framework to not just define monitoring, management and escalation requirements, but to summarize the business functions and underlying dependencies that will allow our ServerHeroes to support those critical processes as if we were the clients' employees. We assign dedicated teams to specific clients in order to develop a deep knowledge of the clients' businesses, as well as their IT environments. We respond to requests and issues with haste, knowing that our clients depend upon us to do so around-the-clock. We do all of this because we desire to have long-term relationships built upon mutual respect and trust – it's about more than just the revenue.

So if you don't have a satisfactory relationship with your current service provider, go to their web site and see if you find "customer service" or "customer portal." That might indicate they are more interested in your revenue than your relationship. And then contact GSI and explore what a real service provider relationship can be.

Posted in: Editorial

Ed Welsh, Director, Security & Compliance

Managed Hosting Compensating Controls

Posted by Ed Welsh, Director, Security & Compliance on December 28, 2009 10:27 AM

Briefly: What is a Compensating Control?

The Payment Card Industry Data Security Standard (PCI DSS) roughly defines compensating controls as a method to meet the intent of a DSS requirement, while not implementing the control as written by the PCI Security Standards Council. This was a smart move on the part of the Council. They are saying that the prescriptive requirements may not be the best way for all situations and allow implementers to work outside the box, as long as the intent of the standard is being met.

Compensating controls have become necessary in situations where the combination of technical and business constraints prevents a control from being implemented. The typical reason for implementing compensating controls is the expense inherent in implementing the original DSS controls. This is not surprising considering the requirements for such things as automated access control management, centralized logging, integrity monitoring, and all the vulnerability management technologies.

QSA's Perspective on Compensating Controls

QSAs (Qualified Security Assessors) really dislike compensating controls. It has been my experience that the dislike is due to the additional effort required to report them. For a QSA, the DSS is a list of requirements against which they test the controls. A compensating control does not have a clean pass/fail and must be fully documented in the Report on Compliance (RoC) in such a way as to explain how it meets the intent of the requirement it replaces. Further, the QSA cannot simply reuse documentation provided by the merchant or service provider. The QSA must fully understand the new control so that they can make a judgment call as to whether it meets the original intent, as well as document it for the RoC. An assessment that involves multiple compensating controls will drag out much longer than one without them. Many assessment engagements use fixed project pricing, which means the longer an assessment takes, the thinner the profit margin for the assessment company.

Managed Hosting Impact on Compensating Controls

Compensating controls all by themselves are a wrench in the PCI DSS assessment process. Add in a third-party managed hosting provider and things get really sticky, especially if the hosting provider does not fully support the PCI requirements, leaving the client to dig details out of a set of offsite tools that only partially describe the environment. A managed hosting provider used for systems requiring PCI DSS compliance will need the capability to deal with compensating controls. That means providing reasonable customization, along with the expertise to understand how that customization will affect a PCI DSS assessment.

Being a managed services provider, GSI must deal with the engineering, documenting, and implementation of compensating controls for client PCI DSS environments. It is not easy and there are many challenges. Any customization that pushes the boundaries of our standard operating procedures risks failure, and we must be vigilant with our audits and reporting to catch any discrepancies. Still, without doubt, it is worth having the capability to do it. Having that flexibility really tells the story when our clients continually pass PCI DSS assessments year after year.

Posted in: Security & PCI

Craig Rickel, Compliance Specialist

False Positives and Data Security

Posted by Craig Rickel, Compliance Specialist on November 12, 2009 12:09 PM

This came up as a rather entertaining political science question the other day: "It is better for N criminals to go free than for one innocent person to be punished." The concept goes back to the 18th century, originating with the English judge William Blackstone, and is now known in criminal law as Blackstone's Ratio.

[Image: True/False sign]

A few years ago, the National Center for State Courts ran an experiment comparing cases in which both the judge and the jury could submit guilty/not-guilty verdicts. Through signal analysis, they could predict not only what percentage of the time the two disagreed, but also which one was wrong. The results pointed to approximately 17% of jury verdicts being incorrect, with N equaling roughly 1.43 guilty parties let go per innocent person punished. On the other hand, about 12% of judges' verdicts were incorrect, leading to an N of 0.1 (1 guilty person let go for every 10 innocent people punished).[1]

Blackstone's pick for N was 10. My assumption for the reason behind the change in this ratio is that in the last 200 years, with tools such as modern forensic evidence, DNA sampling, fiber testing and omnipresent video cameras, we have made significant strides in being able to exonerate innocent people before the fact, and only bring guilty parties before the court.

In data security, we're continually bombarded with "false positives." We get false positives when our tools are set to be too sensitive – but most admins prefer this to the alternative of having them not be sensitive enough and missing an event entirely! This is not a new problem – what is new is that our tools are evolving in ways that reduce the number of alerts we receive, letting us spend more time analyzing the ones that really need our attention.

As technology advances, we'll continue to lower the number of false positives we get, improving our organization's Blackstone Ratio – and this ratio is something that you can measure and prove to others that your security is improving over time. In the last year at GSI, we've dropped our false positives by 73.6% through reconfiguring and tuning our current monitoring systems. Additionally, we recently installed more security appliances that are even more accurate, so I expect this trend to continue. All of this adds up to data center security that's more accurate, more effective – and more measurable.

Footnotes

[1] Spencer, Bruce. "On Measuring the Balance between Wrongful Convictions and Wrongful Acquittals in Criminal Trials" (November 7, 2007). 2nd Annual Conference on Empirical Legal Studies Paper. Available at SSRN: http://ssrn.com/abstract=997188
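The post says the organization's "Blackstone Ratio" is something you can measure. As an added example (not code from the original post or from GSI), the script below runs a simple failed-login threshold detector over a constructed, analyst-labelled sample, computes the confusion counts at two thresholds, and reports missed attacks per false alarm alongside the false-positive reduction, so the trade-off made by tuning is visible rather than just the alert-count drop. The sample data, threshold values and field names are assumptions for illustration.

```python
"""Added example: measure a detector's Blackstone-style ratio before and after tuning."""
from dataclasses import dataclass


@dataclass
class Window:
    source_ip: str      # constructed sample value
    failed_logins: int  # failures observed in a fixed time window
    is_attack: bool     # ground truth from analyst triage (constructed)


# Constructed sample: benign password mistypes mixed with real brute-force attempts.
SAMPLE = [
    Window("10.0.0.5", 3, False),
    Window("10.0.0.7", 6, False),   # user fumbling a newly changed password
    Window("10.0.0.9", 12, True),
    Window("10.0.1.2", 4, False),
    Window("10.0.1.3", 40, True),
    Window("10.0.1.8", 7, False),
    Window("10.0.2.1", 9, True),
    Window("10.0.2.4", 5, False),
    Window("10.0.2.9", 6, True),    # low-and-slow attempt that stays under high thresholds
]


def evaluate(windows, threshold):
    """Alert when failed_logins >= threshold; return the confusion counts."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for w in windows:
        alerted = w.failed_logins >= threshold
        key = ("tp" if w.is_attack else "fp") if alerted else ("fn" if w.is_attack else "tn")
        counts[key] += 1
    return counts


def blackstone_ratio(counts):
    """Missed attacks (guilty let go) per false alarm (innocent punished); None if no false alarms."""
    return counts["fn"] / counts["fp"] if counts["fp"] else None


def false_positive_reduction(before, after):
    """Percentage drop in false alarms between two tuning states."""
    return 100.0 * (before["fp"] - after["fp"]) / before["fp"]


if __name__ == "__main__":
    loose, tuned = evaluate(SAMPLE, 3), evaluate(SAMPLE, 7)
    print("loose:", loose, "ratio:", blackstone_ratio(loose))
    print("tuned:", tuned, "ratio:", blackstone_ratio(tuned))
    print(f"false positives reduced by {false_positive_reduction(loose, tuned):.1f}%")
```

Raising the threshold from 3 to 7 cuts false alarms by 80% but also misses the low-and-slow attempt, which is exactly what the ratio is meant to surface when reporting tuning gains.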

Posted in: Security & PCI

Robin Greenhagen, President/CEO

Hosting Biz Apps Online

Posted by Robin Greenhagen, President/CEO on November 5, 2009 2:01 PM

GSI founder Robin Greenhagen discusses cloud computing for small businesses in the November 2009 issue of KC Small Business magazine. The online version is available here: http://bit.ly/5nGcBP

Posted in: Editorial

Robin Greenhagen, President/CEO

Stop Buying Data Center Space - Data Center Space is Dead?

Posted by Robin Greenhagen, President/CEO on November 4, 2009 10:46 AM

Much attention in our industry has been given to a recent "rant" by one of the popular financial talk show hosts declaring that "the data center business is dead." His logic was that the new CPU technologies were going to render the need for all this crazy data center space moot.

Well, I want to be the first person in our entire industry to say: OK, I agree with his statement that data center square footage is not going to be on fire like it has been, but he really missed the point. The CPUs aren't the cause; the hypervisor is the real reason data center space is dead.

GSI is regularly helping clients clean out their corporate data centers with 20-30 cabinets of hardware and putting them into 2-3 cabinets of virtualization and storage gear. Our Matrix Enterprise Virtualization Platform makes that a 100% CapEx free zone, as well. We have already invested the CapEx, so you don't have to.

Now, let's talk about the other item relevant to the concept that "data center space is dead." If you are shopping for data center space, you are REALLY MISSING THE BOAT. What you should be shopping for are the services that your business needs for your IT infrastructure: Storage Services, Computing Services, Management and Monitoring Services, Compliance Services, Backup Services, Messaging Services, Data Archival Services.

I have encountered very few corporate IT teams that can touch the depth of knowledge, certifications, experience, customer satisfaction, and speed to deploy and scale that can be found with a good, qualified managed service provider like GSI. Even when we do come across a VERY competent team, they are constantly fighting cost-control and budgeting issues. And most importantly to the business, none of the corporate IT guys are willing to put their monthly paychecks on the line to stand behind an SLA to the business.

Shouldn't your IT staff be focused on servicing the business's vertical applications and processes, and not patching servers, reading log files, and filling out those darn TPS reports? I see a good analogy here to the wireless industry. You would never consider an insurance company, healthcare provider, or financial services company building their own wireless digital cellular network across the country, hiring teams of people to deploy it, hiring teams of people to operate it, and then dealing with the constant technology upgrades, etc. They let providers like Sprint, Verizon and AT&T do that stuff; they just hand out the Blackberries and iPhones, and everyone starts talking.

Why do insurance companies, healthcare providers, financial services companies, and literally MILLIONS of other businesses think they need to buy a bunch of servers, hire some folks to run them, rehire people to backfill when they have churn in the IT team, etc.? Computing that they can just pass out and use is where they need to be. Quit buying servers, quit buying storage, quit buying data center space. Buy services that your business needs.

Sure, GSI will provide these services in a nice, cool, highly secured data center that meets or exceeds all industry standards. But the actual services are where you need to spend the most time evaluating the real value chain and potential ROI for your business.

Kelly Kephart, CFO

Puppies Grow Up to be Dogs

Posted by Kelly Kephart, CFO on October 27, 2009 2:10 PM

Most of us have had this experience. Our kids convince us to buy a puppy based upon their assurance that they will be responsible for its daily care and feeding. After multiple stops at pet stores or breeders, you find the perfect fit – a little package of innocence and energy, looking at you through bright eyes and with an expectant curiosity about the days ahead. Everyone laughs at your puppy's playful clumsiness caused by its feet being as large as its head, and you happily conclude that you've made a positive addition to your family.

[Image: guilty dog glancing up from a pile of chewed shoes]

Unfortunately, this bliss doesn't last long. What was once kibble being eaten from your hand becomes 50# bags of dog food being purchased from the local feed store on a weekly basis. And the small accident on the kitchen rug becomes large mounds of toxic waste to be removed from your back yard before you can mow. The kids have long forgotten their pledge to take care of the dog, and you are constantly called upon to account for the barking, destruction, and general bad behavior caused by "your dog."

I've seen this same scenario play out in our business. Many prospects have come to GSI with stories of large service providers disappointing them with broken promises and unfulfilled expectations. What started out as a relationship in which they had confidence and comfort soon turned into one that was more problematic and costly than they ever expected. While large providers are great marketers and experts at closing the deal, once the deal is done, the client becomes just another customer to be queued up with the needs of all the other customers -- just another service ticket to be resolved. The client begins to buy those 50# bags of dog food that were not included in the original proposal with unsatisfying frequency, and the "poop removal" of service shortfalls seems to occur almost daily. Along with the wedding anniversary and the kids' birthdays, the expiration date of the service provider's contract is circled on the refrigerator calendar.

Mid-sized service providers like GSI offer an attractive alternative to the "bigs." While our marketing may not be as slick or our sales pitch as polished as a large provider's, our commitment to our clients and fulfillment of our promises are second to none. Unlike the "don't ask, don't tell" approaches of many large hosters, GSI distinguishes itself with complete and customized solutions that set firm expectations with our clients as to service delivery and cost. Our clients are significant to our book of business, and our teams of ServerHeroes treat them as such, delivering high-touch, fully engaged support on a consistent basis. We are proud of our ability to deliver services on task, on budget and on time, and the flexibility gained by using a mid-sized provider like GSI allows clients to scale their IT environments up and down to match the dynamics of their own businesses.

So, if you are past the puppy stage of your hosting relationship, and have grown weary of buying bags of service fees or picking up the poop in the back office, call GSI and discover what we can do to make your managed IT solution the positive addition that you originally intended it to be. We have teams of ServerHeroes ready, willing and able to serve as your dedicated Dog Whisperer.

Posted in: Editorial
