Westpac CSO tells of 'battle' with IBM contract

Westpac's chief security officer has told of his "battle" with outsourcing partner IBM over security governance after their outsourcing deal left in-house security under-resourced.

David Backley, Westpac's chief information security officer (CISO), told a security conference in Sydney this week the bank last year realigned security responsibilities between the two companies after a series of misunderstandings.

The misunderstandings stemmed from Westpac's 10-year IT services contract with IBM Global Services, signed in 2000, according to Backley.

"We made a small blunder in that. We outsourced all our security to them."

Westpac managed IT security in-house prior to the contract.

Once the contract was signed, "We had one person ... and he was the guardian of security within Westpac in the IT space. That didn't work so well," said Backley.

However, resolving arrangements with IBM to bring more control of security in-house was not easy.

"We struggled with IBM to get them to understand what we wanted. They had a contract so they thought they knew what we wanted. And we continued with that battle; and it was a battle, for a while."

Part of the problem was with the human resources themselves.

"One of the other things that may be useful for anyone who's thinking of an outsourcing agreement, the guys who had handled security originally had been pretty difficult to deal with. [They] being security guys and we were trying to deliver budgets.

"But when we outsourced we moved them to an organisation [IBM] they didn't want to work with," said Backley.

Two years after the IT services contract, Westpac formally recognised it lacked control of some IT support and delivery areas. This was affecting IT support to business areas of Westpac too, according to Backley.

The next year Westpac set up its own information security team with governance responsibility.

"We started to work out what it was the bank needed to do and what it was that IBM needed to do.

"I've been across that for the last three years and we now have a very good understanding between Westpac and IBM," he said.

Last year, Backley was appointed CISO and the information security team moved into a more infrastructure-based role.

The final step was to realign the security responsibilities of Westpac and IBM.

Westpac now has two security teams. The bank's team is responsible for security policy and some technical matters, while IBM is responsible for security services.

"Instead of saying 'we do security', we've now created a matrix of security services, and each one of those services has an amount of labour prescribed to it," said Backley.

He explained that with this new mechanism, they had been able to prioritise security services based on current objectives, and redeploy staff as required without costing the bank more money.

"So it was a difficult journey but it has been worthwhile."
