Security partnerships best practice for preserving product trust: iSelect

When managing a business based mainly on trust and reputation, Australia's iSelect believes it is best practice to partner with a security vendor rather than tackling threats internally.
Written by Asha Barbaschow, Contributor

After growing from one product category to ten, Australian online services comparison provider iSelect has spent the last 15 years expanding its service offerings for customers, leaving little time to secure its environment.

According to Samil Nevruz, manager of Group Network and Infrastructure at iSelect, trying to individually secure applications and servers within a company is nothing more than a headache for administrators, as it is a task that is too large to tackle without a partner.

"When you have such a fast growth, obviously parts don't get as much attention, and we knew that security was one of those ones," Nevruz told ZDNet.

"We were trying to individually secure every single application and every single server, but once the number of businesses grew and the number of applications grew, it became an administrator's headache for us to manage all of these systems individually."

Nevruz said it was simply not a feasible growth strategy for iSelect to manage security requirements itself, so the company decentralised its security systems and set out to partner with a vendor.

iSelect offers Australians personalised comparison and advice across a range of insurance, utilities, and personal finance products. Its business is mostly conducted online, with phone contact the only other interaction iSelect has with its customers.

"The reality is that our web environment, where the majority of our customers come through, is a 24/7 environment. We can't afford to have a 24/7 -- which is at least three shifts a day -- security team to sit and monitor literally millions of logs entries," he said.

Nevruz explained that with a web-based environment also comes the need to look after every aspect of a web server. He said that despite it not being a security system, a web server's logs need to be explored with a fine-tooth comb to find potentially illegal attempts at entry, noting that it also holds a huge amount of data that needs to be processed 24/7.

"To build a team like that was going to cost us quite a significant amount of money, and it's not even easy to find people with those skill sets in the Australian market," he said. "Especially with the web application firewall we chose, we struggled to find experts to come and work for us, and that's why we realised that instead of us trying to learn this stuff, we should call an expert."

After six months of searching, iSelect chose SecureWorks to manage its entire security scope.

"At the end of the day, unlike some other companies, say, Sony, they can survive because they build a product. Just because Sony got hacked, you're not going to throw away your Sony TV, but with us, we don't have a product, we are a comparison site, our relationship with customers is solely based on trust," Nevruz said.

"If our name goes into the media for all the wrong reasons, they'll all abandon us on the spot. They can buy from another company or the partners we work with directly."

iSelect's main focus is on ensuring it creates the best customer experience through its website or contact centre, with Nevruz saying that now the company's infrastructure team is free to focus on the work they were originally hired for, and can use all of their attention on building or improving applications.

"With our estimations, that's pretty much half a million dollars worth of savings just in utilising our current team members' time more effectively and efficiently," he said.

"All of our information is in a digital environment; it is beyond critical -- it is everything.

"As the information is kept there, it would just be disastrous, catastrophic if any of that customer information was stolen from iSelect."

Speaking of the partnership with iSelect, Simon Ractliffe, director and general manager South Asia Pacific for SecureWorks, said there is a recognition among organisations that they must now rely on a security vendor instead of tackling the monolithic task themselves.

"We've seen that increase in awareness, but what we've also seen is an increasing maturity from organisations," Ractliffe said.

"iSelect is so mission critical that if they have down time, then they actually lose business. It's quite different from, say, a Bunnings, where if their website goes offline, folks will either go to the store or wait until that site comes back again.

"That's certainly not the case with iSelect."

Ractliffe said that what he has enjoyed about the engagement with iSelect was the organisation's clear understanding that reputation is absolutely critical, which meant ensuring that its clients had great trust in its brand.

To iSelect, the ongoing relationship with SecureWorks has been the most important element to the partnership, with Nevruz noting that over the past two years that they have been working together, he has been dealing with just one SecureWorks team member.

"After seven or eight months, the SecureWorks engineer knew our applications just as good as our software developers who developed them in the first place," he said.

"It gives you so much confidence that the guy out there knows exactly the applications, so if something at four in the morning when we are all sleeping goes wrong, you know that they are going to make the best decision -- it makes a huge difference.

"Security is an ongoing fight."

Editorial standards