


by Dave Gradijan

Australian Bank Blunders IT Security in Outsourcing Deal

Aug 07, 2006

Westpac Bank has admitted that IT security has been the one casualty of its 10-year, 4.3 billion Australian dollars (US$3.3 billion) IT outsourcing deal with IBM GSA that was inked in 2000.

Admitting that Westpac made a “small blunder” by outsourcing security as part of the massive outsourcing contract, Westpac’s chief information security officer and CIO of enterprise services, David Blackley, said the bank has struggled to get security, and especially staffing levels, back on track.

Blackley likened the scenario to a struggle and said outsourcing employees was the most difficult element of the deal.

Under the contract, which covered infrastructure, desktop, e-business, mainframe, mid-range and telecoms, about 1,000 of the bank’s IT staff were transferred to IBM.

Blackley said the bank is only now getting the pendulum to stand still a little and getting better traction in shifting security labor without it costing the bank.

“In 2000, when we outsourced to IBM Global Services over 10 years, we made a small blunder in that we outsourced the security team and we were left with one person in-house who now works for the National Australia Bank; he was the guardian of information security at Westpac,” Blackley said.

“This didn’t work so well as we struggled to get IBM to understand, so the battle continued for a while.

“The guys we initially had in our security team had been difficult to deal with, but when we outsourced they were moved to an organization they did not want to work for, so they went from an internal group that was difficult to work with to an external contract, which was impossible.”

As a result, he said Westpac created a small, embryonic security team to assess, with IBM GSA, what was required at the bank.

Blackley said that over the past three years, the bank and IBM GSA have been able to get the mix right.

He said the relationship has worked and now has a good understanding of what is required from the Westpac security team, which is basically policy, some technology and policy policing, with IBM GSA providing services.

Today, Blackley said Westpac has created a matrix of security services, each with a specified amount of prescribed labor—a mechanism Blackley says has taken the bank on a different journey by providing “much better traction.”

Although rumors had been circulating for years about the bank’s in-house IT security problems since outsourcing to IBM, Westpac had remained tight-lipped, choosing not to respond to repeated inquiries in the time since the deal was signed.

It is the first time Westpac has provided a frank assessment of some of the challenges of outsourcing security, which was delivered at the IT Security Summit in Sydney last week.

Blackley also used his presentation to push the notion of customers adopting a single, trusted identity for banking services, saying it’s a worthwhile concept that may take years to get final agreement.

“We will start to see sporadic, two-factor identification and sporadic, company-based smartcards moving towards a singular community of financial services; it takes time to get people to opt in,” Blackley said.

“We have always lived with financial losses and fraud in banking as it is a risk you take, but what worries us is reputation damage—not just to Westpac as a bank or the NAB, but damage to the entire financial services industry.

“If cybercrime and other forms of fraud erode trust, where will we go? We do not want a loss of confidence in new banking channels,” he said.

IBM declined to comment for this story.

By Michael Crawford, Computerworld Australia
