CSC has taken its first steps towards establishing cloud-based information security services for sharing threat information between its public and private sector clients.
The IT outsourcer is in discussions with an unnamed state government agency in a move expected to improve visibility of advanced persistent threats and other security issues.
According to CSC’s cybersecurity services director Lawrence Ostle, the service could bypass organisational politics that hindered security in federated organisations like governments.
He highlighted a NSW Audit Office report last October that found that agencies were not properly implementing the state government’s policy on the Security of Electronic Information.
The office said at least two thirds of agencies had not complied with the policy and the State Government did not effectively monitor agencies’ progress towards compliance and certification.
“In a non-federated organisation there’s generally a direct line of sight so the [chief information officer] can tap someone over the shoulder and say, ‘you’ve got to do this’,” Ostle said.
“In federated organisations like governments, various organisational units tend to have disparate technology and [executives] don’t have the visibility to make decisions.
“We’re dealing with people here. If [the units] feel they’ve been cast adrift by the mother ship [under a federated model], then they may just go their own way and be different.”
CSC hoped to pull together data from diverse asset and information management systems to provide a single, centralised, web-based view of an organisation.
It hoped to implement the system for the unnamed Australian state government agency by the middle of next year so it might demonstrate the system and potentially attract other agencies.
The “end game”, Ostle said, would be a cross-government “super-feed” of information about “threats in the wild” – much like that used by security software vendors.
“Symantec, McAfee, RSA are fantastic security vendors but at the end of the day, they have an agenda,” he said.
He said CSC would take a “step above what Symantec do”, providing agencies with visibility and advice on IT governance, risks and compliance.
Although general information about threats would be shared, CSC would be careful not to share any information about the impact of those threats beyond the agency involved.
“The fact that they lost data wouldn’t be shared,” he said, explaining that should be dealt with in accordance with organisations’ incident management plans.
The service targeted Australian government agencies and would be based on similar cross-government initiatives in the US with CSC’s public sector clients.
A separate private sector service would likely kick off in months, Ostle said.