The requirement
Although there have yet to be any known instances of 'cyberterrorism' – politically motivated attacks on elements of the critical national infrastructure – ScottishPower would make a plausible target. It has 3.7 million customers and coverage stretching from the Scottish Lowlands to the US.
Maintaining the integrity of its systems is not only a high priority for the company in its own right; because its US subsidiary PacifiCorp is listed in New York, ScottishPower also has to comply with the US Sarbanes-Oxley Act. But the utilities giant faced a significant barrier: a dearth of security expertise in its IT staff.
"There is something of a lack of experienced IT security workers in Scotland, or at least there was when we took the decision to outsource," says Graeme Agnew, IT security director at ScottishPower. "It would have been very difficult to get the skills and resources required in a small time period, and of course it is hard for a small team to keep up to date with all the emerging security threats that are out there."
The solution
To secure its network of more than 1,000 servers, ScottishPower has partnered with Internet infrastructure and services giant VeriSign. But the decision to outsource was not taken lightly: ScottishPower spoke to existing customers of all the providers under consideration. It has also assessed the viability of bringing the services back in-house since the contract was originally signed. "We looked to see if there was a cost benefit to internalising security management, but we find that the key is to maintain the right balance between internal and external resources," says Agnew.
Regulatory issues mean ScottishPower still requires in-house staff to manage the contract. "As VeriSign not only manages the security of our infrastructure but also monitors our operating system logs for fraudulent activities, we had to employ full compliance monitoring on the service they provide," says Agnew.
The benefits
An initial concern with granting the contract to US-based VeriSign, says Agnew, was distance. But VeriSign trumped the local advantage of rival UK-based providers by positioning one of its team at ScottishPower. "VeriSign work very closely with our internal management team," says Agnew.
Although satisfied that the partnership is working well, Agnew believes that outsourcing key functions is not suitable for all companies. One drawback, he says, is a loss of flexibility. Although change management is part of VeriSign's remit, the degree of separation between the business and its security provider can lengthen the time taken to effect significant changes to the IT infrastructure.
"The most important thing to look at when considering an outsourcing contract for security services is whether the culture within your company favours it," he says. "When we made this decision, we had already outsourced some other IT functions so we knew how to deal with it. You have to have people in your company that believe it can work."