Specialised outsourcing contracts with multiple vendors may be more effective than long-term, all-encompassing deals of yore, according to AMP's head of IT risk and security John O'Driscoll.
Although the superannuation and insurance firm has spent more than 17 years in partnership with CSC, O'Driscoll urged CeBIT Australia's IT security conference attendees this week to consider shorter, more specific contracts.
He highlighted security, business continuity and outsourcing as three key areas of focus for the company's IT risk and security team.
As a financial services company, AMP's outsourcing deals were subject to Australian Prudential Regulatory Authority (APRA) guidelines.
APRA recommended that outsourcing contracts include scope, review provisions, business continuity management, confidentiality, privacy and security of information.
Over long agreements, O'Driscoll said, companies risked the confidentiality of customer and corporate data, outsourcer failures, and dysfunctional processes and controls.
Noting that "you often get what you pay for, and cheap is not always the best", O'Driscoll said companies should conduct thorough due diligence to reduce the risk of appointing inappropriate outsourcers.
"Contract management people need to make sure [requirements are] built into contracts from day one, and questions are asked again in refresh cycles," he told conference attendees.
While whole-of-business outsourcing contracts might be simpler to manage and cheaper due to economies of scale, it was "rare that one vendor is good or best practice at everything", he said.
Those all-encompassing IT contracts typically spanned long periods - AMP's original contract with CSC was for ten years - and missed "competitive tension between suppliers", O'Driscoll said.
Meanwhile, agreements with multiple outsourcers with certain core capabilities may make it easier for an enterprise to terminate and change vendors, thus prompting the outsourcers to improve.
O'Driscoll reported to AMP's head of shared services, who in turn reported to the company's CIO.
Like other speakers at the conference, he noted that compliance was merely one part of risk management.
AMP's IT security revolved around five key principles: a layered, in-depth defensive approach; access by least privilege; security by design; simplification of security policies and measures; and the understanding that risks should be reduced "to an acceptable level" and not eliminated.
Communication strategies were also important, O'Driscoll said, highlighting AMP's staff education portal, strict guidelines about customer and corporate data, and mandatory training regimes.