Royal Mail cautious over outsourced security

Handing over the running of your IT security can mean big cost savings, but only if you handle the negotiations correctly, warns one UK security officer
Written by Dan Ilett, Contributor

The Royal Mail warned on Thursday of the pitfalls of outsourcing IT security.

Speaking at the InfoSecurity Europe exhibition in London, the director of information security for Royal Mail, David Lacey, said although outsourcing IT had cut costs dramatically at his firm, there were several potential downfalls.

"We had a major price improvement," said Lacey, co-founder of the security think tank the Jericho Forum. "We definitely slashed IT costs by getting low-cost deals. We wanted to get more access to skills and our expectation was that we would. But that has not been as much as we expected."

The Royal Mail signed a £1.5bn contract with outsourcing company CSC and telecoms giant BT in 2002 for the management of its general IT services.

Lacey said that raising the level of security at the same time as negotiating with outsourcers could actually lead to higher costs.

"Don't aim to upgrade the security level — the outsourcer will come in and do due diligence, and put a price on the table. If you put things on [a network] that you don't use, there will be a heavy cost."

Lacey told delegates to be wary of contract negotiations and to read all documents carefully.

"Relationship management is what it's all about," he said. "We should be telling the outsourcer our problems and letting them work out the solutions. Although the contract is important in a dispute, very few people read it," Lacey claimed.

The Royal Mail sold some of its IT assets to CSC to help cover the cost of the contract, Lacey added.
