Outsourcing IT Security: Expensive Headache or Painful Heartache? Andrew McTaggart, Senior Manager - IT Security & Change Control.


Outsourcing IT Security

Expensive Headache or Painful Heartache?

Andrew McTaggart Senior Manager - IT Security & Change Control

What is the EBRD?

• International financial institution est. 1991, owned by 60 national and supranational shareholders
• Promotes market-based economies in 27 countries in central & eastern Europe and the former Soviet Union
• Committed €16.5 bn for 708 projects to date
• Capital base of €20 billion

What are the EBRD’s objectives?

To promote:

• Transition to free, market-based economies by supporting private and entrepreneurial initiative
• A better investment climate
• Good corporate governance at project, corporate and country levels
• Environmentally sound and sustainable development

Operational priorities

• Continue to support the creation of sound financial sectors
• Develop small and medium-sized enterprises
• Promote infrastructure development
• Demonstrate ways of restructuring large enterprises
• Take an active approach to equity investment
• Promote a sound investment climate and stronger institutions

Bank Resources

• Available Headcount
  – 750 Permanent Staff of which 36 are in IT
  – 450 Consultants, Contractors and Temps
• Singular Resource - Me
• Current Activities
  – IT Security
  – Business Continuity
  – Change Control Management

So where do we go

• Recruit staff
  – Available Headcount
• Do nothing - is this realistic?
  – IT Security is the management and negation of risk within the IT environment
• Outsource
  – Tap into external expertise
  – Consultancy or Service Provision

So why Outsource

• Delivery of service within available headcount
• Access to new technology
• Access to best practice
• Quantifiable cost of IT
• Reliable service
• Flexible service
• Manage risk exposure

How do we Outsource

• Tender - strong pressure to be cost driven upon value (up to 80% in some circumstances)
• Selection against a defined set of criteria which can, and probably will, change due to the length of the process
• Procurement
  – The rules that apply to desks and chairs are not applicable for complex IT solutions
  – We are not buying “Tin”
• Need to become transparent

What’s been achieved regarding IT Security

• Firewall administration, support and maintenance
• Wide Area Network support
• Local Area Network support
• Server and Desktop support

Experiences - Headache or Heartache

Internal

• Security Policy remains Bank’s property
• The Bank retains control of all changes
• Change Control – 1 hour ‘impact statement’
• Secure Sign off process
• Bank’s IT staff can focus on core application/business issues

Experiences - Headache or Heartache

External

• Monthly reporting on service delivery and network utilization
• Technical Account Manager – Customer/Support liaison
• Firewall monitoring and support provided 24 x 7
• End to end VPN service support
• Review process every 6 months

What would I change

In an Ideal World

• Flexibility with the delivery of service
• Standardisation onto a global

At the EBRD

As the IT Director says “Life at the EBRD is never dull” and this especially applies within IT

Questions

Contact details: e-mail: [email protected]

Phone: +44 20 7338 6704