Outsourcing IT Security: Expensive Headache or Painful Heartache?
Andrew McTaggart, Senior Manager - IT Security & Change Control
What is the EBRD?
• International financial institution est. 1991, owned by 60 national and supranational shareholders
• Promotes market-based economies in 27 countries in central & eastern Europe and the former Soviet Union
• Committed €16.5 bn for 708 projects to date
• Capital base of €20 billion
What are the EBRD’s objectives?
To promote:
• Transition to free, market-based economies by supporting private and entrepreneurial initiative
• A better investment climate
• Good corporate governance at project, corporate and country levels
• Environmentally sound and sustainable development
Operational priorities
• Continue to support the creation of sound financial sectors
• Develop small and medium-sized enterprises
• Promote infrastructure development
• Demonstrate ways of restructuring large enterprises
• Take an active approach to equity investment
• Promote a sound investment climate and stronger institutions
Bank Resources
• Available Headcount
  – 750 Permanent Staff of which 36 are in IT
  – 450 Consultants, Contractors and Temps
• Singular Resource - Me
• Current Activities
  – IT Security
  – Business Continuity
  – Change Control Management
So where do we go?
• Recruit staff
  – Available Headcount
• Do nothing - is this realistic?
  – IT Security is the management and negation of risk within the IT environment
• Outsource
  – Tap into external expertise
  – Consultancy or Service Provision
So why Outsource?
• Delivery of service within available headcount
• Access to new technology
• Access to best practice
• Quantifiable cost of IT
• Reliable service
• Flexible service
• Manage risk exposure
How do we Outsource?
• Tender - strong pressure to be cost driven upon value (up to 80% in some circumstances)
• Selection against a defined set of criteria which can, and probably will, change due to the length of the process
• Procurement
  – The rules that apply to desks and chairs are not applicable for complex IT solutions
  – We are not buying “Tin”
• Need to become transparent
What’s been achieved regarding IT Security
• Firewall administration, support and maintenance
• Wide Area Network support
• Local Area Network support
• Server and Desktop support
Experiences - Headache or Heartache: Internal
• Security Policy remains Bank’s property
• The Bank retains control of all changes
• Change Control – 1 hour ‘impact statement’
• Secure Sign off process
• Bank’s IT staff can focus on core application/business issues
Experiences - Headache or Heartache: External
• Monthly reporting on service delivery and network utilization
• Technical Account Manager – Customer/Support liaison
• Firewall monitoring and support provided 24 x 7
• End to end VPN service support
• Review process every 6 months
What would I change?
In an Ideal World
• Flexibility with the delivery of service
• Standardisation onto a global
At the EBRD
As the IT Director says, “Life at the EBRD is never dull”, and this especially applies within IT
Questions
Contact details:
e-mail: mctaggaa@ebrd.com
Phone: +44 20 7338 6704