I do not usually schedule talks with vendors and their customers, but in the shadow of these two stories, the e-mail problems of the San Francisco Symphony and how a SaaS solution might actually have solves them appealed to me in a new and endearing way. Instead of indulging my preoccupation with critical infrastructure attacks, and my personal concern for the security and confidentiality of the Dalai Lama's communications, I found myself listening to a practical tale, with a happy ending, about people who bring Beethoven and Berlioz to the atmosphere of a major metropolis, and how technology had been applied to enhance their security and improve the productivity in an economical way.
Skaff offered me some background on the e-mail problems SF Symphony was facing before implementing Webroot.
"We had two issues: one concerned functionality (old anti-spam was not performing well, and not effectively screening spam), and the other was simply one of volume, i.e., we had roughly 1.4 million spam e-mails/month versus roughly 70,000 valid emails, which was congesting our internet pipe and overwhelming the older server the anti-spam software was running on."
He also articulated significant cost-savings and productivity gains that resulted from implementing the solution.
"We saw immediate (i.e., in a matter of days) productivity gains that were immediately noticed, and commented on by the staff here. I had folks stop me in the hall to let me know how much time the new solution was saving them. We also re-gained a significant portion of our internet bandwidth back from the spam that had been clogging it. Deployment was simple, and allowed us to achieve immediate benefits (primarily system performance and availability, in addition to the staff productivity) while we updated other components of our e-mail infrastructure."
And how did Webroot solve these problems for Skaff and the Symphony?
"By accepting our inbound mail flow via re-directed MX records, and giving us back the valid mail, and a significantly decongested pipe. On average, they have removed ~97% of the total volume as spam, and they provide an enterprise console to tune white lists, release any false positives, check logs, run reports, etc."
What is the message from this story for small and medium-sized businesses who can't afford information security expertise in-house?
"No matter what the company size, I advocate outsourcing where the numbers make sense, where the benefits are clear-cut, and where the risks are both well-defined and manageable. In this case, in the short term, it was less about infosec expertise, and more about solving a pressing business problem. Longer term, it helps me optimize our use of resources - both preserving our modest internet pipe for valid traffic rather than screening out spam, and allowing my staff to focus on supporting other areas of the business. Additionally, while we still 'own' the service delivery to our users, it makes sense to outsource this piece to a company that specializes in this particular service, and thus has more depth of knowledge than I can afford, and delivers economies of scale that are passed along to me in the form of cost savings, better support, and more features than I could achieve locally for the same cost."