Plainly speaking, Arronis said providers today are delivering “static information”, rather than real-time and actionable insights.
“Some offer okay insights, but we really want vendors [and partners] to step up and deliver real value in that space,” he said. “That should be part of that base offering, not just providing me with raw data.”
Slotting into the supply chain
Aside from ongoing issues around the need for appropriate security solutions, Arronis said many partners, both large and small, still struggle to understand where they fit within the supply chain.
“They need to be more aware that they are part of the supply chain of our business,” he explained. “They are part of our eco-system and not a lone player.
“If they fail, then we’re at risk of failing also."
For Arronis, a key component for Serco centres around the nature of the business.
As a business support services company, it relies on third parties, meaning multiple providers could be around the table at any given time, working together to solve a pain point.
“They need to be part of that discussion, so it’s more about understanding that the context has changed and we do need to work together,” he added.
“I do see it as an ecosystem where it’s not just our organisation, it’s really the footprint which includes our third parties and the customer that I am concerned about because if a third party gets compromised, that’s a big issue.”
As the leading security executive of a multinational services company with contracts from state and federal governments to operate hospitals, prisons, and detention centres, Arronis said the organisation has “unique concerns” to address and certifications to maintain.
“A key theme around change in this space is more due diligence,” Arronis said.
“This means more due diligence across multiple teams. A purchase is now about legal, finance, procurement and IT all being aligned.”
With regards to IT, Arronis said Serco had to “step up” to ensure the business was across the details also.
“The context change is more to do with the type of things we are buying,” he added. “For example, we may be using Salesforce or an application built on top of Salesforce by a third-party developer.
“What then comes into play are [issues] such as data sovereignty, data ownership and data access. It becomes an issue of scrutiny of the cloud service provider.”
This raises questions around where providers host data, where their data centres are, and what happens if a provider fails and leaves Serco without a safety net.
“Can I recover my data easily?” he questioned. “Can I port my data from one provider to another?
“Do they have any hidden clauses in their contracts which give them the right to use data through Facebook and Google?”
In the eyes of Arronis and Serco, ownership of risk is key because, no matter who provides a product or service, Serco holds the risk.
“All we are doing is outsourcing a service, so we need to understand the risk profile,” he said. “The better we understand the risk profile, the more risk we can take on.”
Partner Perspective - Katana1
By Ross Olgivie, technology and consulting director, Katana1
"We’ve recently upped our engagement with CISOs, and are finding that they are popping up everywhere.
"For two of our bigger customers, we will provide a platform and help them run this platform, then we’ll on-board the different departments of the organisation.
"One is a large telecommunications business, and the other an airline, with the projects opened by certain departments within the organisations.
"As a result, Katana1 forms part of an eco-system with other partners such as Fujitsu, IBM and Telstra. Specific to these cases, Katana1 is the application integrator on the Splunk platform.
"We help on-board every department and [run] workshops to showcase what we can do, while also providing information to the business.
"As a business, we’ve approached cyber security from an analytics standpoint, and have focused on bringing information in from all parts of the customer’s environment.
"Consequently, we understand our place in the all-important provider ecosystem and bring unique skills to the table by working with customers and other partners to solve end-user problems.
"We’re not trying to pass the buck or extend ourselves beyond our capabilities.
"The difference between this and traditional forms of IT deployment is that risk is owned by a single department — in these cases the CISO — who assesses and manages risk throughout the organisation, before green-lighting the rollout to other departments."