Companies that outsource the management of their information systems must retain accountability for the safety of corporate information, said Sean Reuben, country manager for Global Security Solutions (GSS) for Computer Sciences Corporation`s (NYSE:CSC) operations in SA.
Reuben was speaking about outsourcing information security at the Information Systems Audit and Control Association (ISACA) SA 2005 conference held at Fourways, outside Johannesburg.
"The security outsourcing service provider is a steward of the client`s security policy and implements measures to meet this. But it is important to understand that risk-management decisions are always made by the client and need to be signed off by its appropriate security organisation," said Reuben.
"Reducing costs of managing IT security, while attractive, is not the primary driver for outsourcing," he added. "Research in the US has shown that while 15% of the companies that choose to outsource their security cite cost savings as the reason, the key driver is the need for the improved expertise and best practice it brings to their environment."
Today, most businesses realise they cannot attract and retain those skills in-house because it is not their core focus.
The outsourcing firm adds value to the business because managing information security is its core competence and, to remain in business, it needs to subscribe to international best practice. Being able to reach back into skills, knowledge bases and methodologies from global professional communities is included in the expertise shared with clients.
Consistency of service delivery; regular skills refreshment; placement of expertise, as and when it is needed; and continuity of service to agreed service levels add value to the business by relieving it of the day-to-day operations of the IT security organisation.
Reuben stated that businesses do not lose control of their organisation`s security if they outsource. However, to ensure security levels meet business objectives, a collaborative working relationship must be established with the service provider.
Reuben said key requirements for this successful relationship include clearly defined roles and responsibilities for all stakeholders, business retention of accountability for information security, as well as responsibility for driving remediation and corrective actions for third-parties.
"Outsourcing security presents challenges, but these can be overcome by applying sound principles during the decision-making process and creating a close working relationship between the business and the service provider," he said.
Share
CSC offers the South African market a wide range of services, including systems integration, application and infrastructure outsourcing, and business process outsourcing, as well as financial services solutions.
In SA, CSC also provides business process outsourcing (BPO) services to manage the policy processing and administration for its US and UK financial services customers who include banking, short-term insurance, and life and pensions providers.
A leading IT services provider, CSC adds value through its collaborative approach to delivering fast, reliable and flexible solutions. CSC opened its doors in SA in November 1999 and today has offices in Johannesburg, Cape Town and Richards Bay. For more information, contact 021 529 6500 or 011 612 5400.
CSC
Founded in 1959, Computer Sciences Corporation (CSC) is a leading global IT services company. CSC`s mission is to provide customers in industry and government with solutions crafted to meet their specific challenges and enable them to profit from the advanced use of technology.
With approximately 78 000 employees, CSC provides innovative solutions for customers around the world by applying leading technologies and CSC`s own advanced capabilities. These include systems design and integration; IT and business process outsourcing; applications software development; Web and application hosting; and management consulting. Headquartered in El Segundo, California, CSC reported revenue of $14.3 billion for the 12 months ended 1 July 2005.
For more information, visit the company`s Web site at www.csc.com.
Editorial contacts