Bank admits to security blunder in outsourcing deal

Westpac Bank has admitted that IT security has been the one casualty of its 10-year, A$4.3 billion (US$3.3 billion) IT outsourcing deal with IBM GSA, which was inked in 2000.

Admitting that Westpac made a “small blunder” by outsourcing security as part of the massive outsourcing contract, Westpac’s chief information security officer and CIO of enterprise services, David Backley, said the bank has struggled to get security, and especially staffing levels, back on track.

Backley likened the scenario to a struggle and said outsourcing employees was the most difficult element of the deal.

Under the contract, which covered infrastructure, desktop, e-business, mainframe, mid-range, and telecoms, around 1,000 of the bank’s IT staff were transferred to IBM.

Backley said the bank is only now getting the pendulum to stand still a little and getting better traction in shifting security labor without it costing the bank.

“In 2000, when we outsourced to IBM Global Services over 10 years, we made a small blunder in that we outsourced the security team and we were left with one person in-house who now works for the National Australia Bank (NAB); he was the guardian of information security at Westpac,” Backley said.

“This didn’t work so well as we struggled to get IBM to understand, so the battle continued for a while.

“The guys we initially had in our security team had been difficult to deal with; but when we outsourced they were moved to an organization they did not want to work for so they went from an internal group that was difficult to work with to an external contract, which was impossible.”

As a result, he said Westpac created a small, embryonic security team to assess, with IBM GSA, what was required at the bank.

Backley said over the past three years the bank and IBM GSA have been able to get the mix right.

He said the relationship has worked and there is now a good understanding of what is required from the Westpac security team, which is basically policy, some technology and policy policing, with IBM GSA providing services.

Today, Backley said Westpac has created a matrix of security services, each with a specified amount of prescribed labor, a mechanism Backley says has taken the bank on a different journey by providing “much better traction”.

Although rumors about the bank’s in-house IT security problems since outsourcing to IBM had been circulating for years and had reached Computerworld, Westpac had remained tight-lipped, choosing not to respond to repeated enquiries from Computerworld in the time since the deal was signed.

The assessment, delivered at the IT Security Summit in Sydney last week, is the first time Westpac has provided a frank account of some of the challenges of outsourcing security.

Backley also used his presentation to push the notion of customers adopting a single, trusted identity for banking services, saying it’s a worthwhile concept that may take years to get final agreement.

“We will start to see sporadic, two-factor identification and sporadic, company-based smartcards moving towards a singular community of financial services; it takes time to get people into the space of co-opetition,” Backley said.

“We have always lived with financial losses and fraud in banking as it is a risk you take, but what worries us is reputation damage, not just to Westpac as a bank or the NAB but damage to the entire financial services industry.

“If cybercrime and other forms of fraud erode trust where will we go? We do not want a loss of confidence in new banking channels.”

IBM declined to comment for this story.