Information Security Outsourcing: The View From Europe and Australia
The following article first appeared in the December ’02-February ’03 edition of CSC World.
By Kim Valois and Mats Vikström
When it comes to information security, companies around the world are beginning to realize they need more than they can get from their own staffs. Turning that security function over to vendors would seem to be the logical solution to the problem. Willingness to take that step is not universal — historical and cultural factors have prevented most countries from moving as quickly as the United States — but it is growing.
Two factors are driving European and Australian companies toward outsourcing their information security: the steep, post-September 11 rise in concern about disaster recovery and business continuity; and growing awareness of how tightly their business has become intertwined with information technology. The growth of the networked economy is elevating information security from internally focused protection to an externally focused business asset.
From physical security to information security
Security used to mean physical security. That remains a necessary function, and most companies are comfortable outsourcing it. Most corporate security managers, however, are not well equipped to handle information security issues.
In Europe attitudes left over from World War II and the Cold War add to the limitations of the traditional industrial security perspective. Companies looking for security services are reluctant to look outside their own borders for fear of how proprietary information might be handled. Companies don’t want to let go of their crown jewels.
The problem with physical security is that adding business value never has been part of the job description for traditional security managers. Adding business value, though, is what information security is all about.
Weighing and sharing risk
Companies have been taking advantage of IT advances for at least two decades. The result was that business became increasingly dependent on IT, and that the Internet became the place where more and more business was done. Protecting a company’s crown jewels is still an important aspect of security, but companies now must pay attention to more than just their own crown jewels. What is needed in the networked economy is secure transactions and information exchanges with customers, business partners and suppliers.
Because companies now routinely exchange confidential information with other companies and with individuals, protecting that information becomes a fiduciary responsibility and a matter of corporate integrity. A system outage that lasts a day or two can have not only a huge financial impact, but also a public relations and legal impact.
In much the same way as Y2K, information security is a matter of shared risk. Companies are no longer responsible only for their own security. Because they need to assure other companies that transactions between them are secure, security has become a business asset, and security policy has become a matter of business judgment.
Companies now must weigh the benefits of e-business against the risks. A survey conducted in Australia last summer found that companies there are well aware of the risks posed by doing business over the Internet. Asked to rate the level of concern about those risks, 70 percent gave ratings of between seven and nine on a scale of 10.
A recent IDC survey in Europe provides more evidence that companies are beginning to look at information security from a business perspective. IDC found that 60 percent of companies in the UK, Germany, France and Italy reported higher-than-expected returns on their investments in information security. The percentage among Scandinavian countries was even higher: 85 percent.
Both the European and Australian surveys revealed a sharp increase in security awareness after September 11. Seventy-eight percent of the respondents in the Australian survey cited disaster recovery and business continuity as their main concern. That would not have been true a year earlier, in Australia or in Europe.
Nothing did more to raise awareness of the need for this kind of protection than the weeks-long spectacle of watching so many companies struggling to keep their information systems operating under extremely difficult circumstances. What that did for IT managers everywhere was remind them that the real danger to their business lies in the technology in which it is entwined. That attitude is beginning to be evident in the boardrooms.
The technology matures
Another factor that’s changing attitudes in the boardrooms is the maturity of the technology itself. Companies no longer have to depend on vendors for technical information. Academics, computer emergency response teams, and the business press all provide reliable information that companies need to make decisions about security policy. Some of this information comes from the companies’ own auditors.
The reason nearly all companies now have firewalls is not because security software vendors talked them into it, but because their auditors told them they needed firewalls. Now the auditors are telling companies they need intrusion detection systems. Managers are reluctant to make new purchases in hard economic times, and many are convinced they’ve never been hacked anyway. Of course, companies don’t know whether they have been hacked until they look, and vendors are eager to let potential customers see for themselves. Getting a more detailed view of what goes on in their own systems often is all an IT manager needs to act on an auditor’s recommendation.
Larger vendors already are taking responsibility for some security functions because they can offer that service as part of IT outsourcing contracts. Outsourcing the security component as such, however, is not yet happening in either the private or public sectors. Nowhere in Europe or Australia is there anything like the information security outsourcing contracts entered into by several large US companies.
Information security in the market
Companies and governments do, however, want to draw upon lessons learned elsewhere. More and more, companies want to know what others in their industries are doing, and how their security policies compare with those of their competitors. The need to compare policies may be especially great at a time when the security market is still fragmented and when companies are unsure about the risks they face and the kind and level of investment needed to mitigate those risks.
The IDC survey found that the absence of good metrics was one of the factors inhibiting the growth of security markets in Europe. Vendors who want to be competitive in this market must be able to do the metrics right. Getting the metrics right also will allow vendors to give clients the business justification they need to invest in security. Companies are beginning to understand that information security is no longer just a matter of defense but requires a policy that balances the risks and benefits of e-business. Companies will feel much more comfortable making new investments in information security once they know how to achieve that balance.
Kim Valois is the director for CSC’s Global Information Services in Australia.
Mats Vikström is the director of CSC’s Global Information Services for Europe, the Middle East and Africa.