IT suppliers and government dispute costs of IT security

Plans to introduce mandatory security improvements across government have become mired in contractual disputes with IT suppliers that do not want to carry the cost. Full story on homepage. 

Government, understandably, wants improvements to IT security after the loss of two CDs at HM Revenue and Customs.

But IT suppliers, understandably, say it’ll cost extra.

Several of the outsourcing suppliers have the government over a barrel: their contracts cannot, in practice, be terminated over a dispute related to extra costs of IT security; and third party companies cannot easily bolt on extra security to another supplier’s systems.

Ross Cattell, head of enterprise risk at Deloitte, saidsuppliers felt unfairly criticised by the government. “Suppliersare saying, ‘Gold standard is not what you asked for when yououtsourced. If you want that, you have to pay more.’

“It is difficult for government departments which are trying toraise the information assurance standards,” he said.

Sureyya Cansoy, associate director of suppliers’ body Intellect,said suppliers are doing all they can to assist the government.

“It should be done in such a way that it doesn’t burdensuppliers unnecessarily and that any changes to contracts are doneunder the commercial arrangements already agreed,” she said.

“Butwe’ve not really tackled it yet.”


Government data security hobbled by cost dispute –

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

There is nothing in the Data Handling Review which from a security perspective when related to sensitive information is not 'common sense'. What is surprising is that when the contracts were intially agreed and the types of data were specified that would need to be processed, transported and stored no one realised that such 'common sense' security measures would be necessary.

To be honest, 'no one realised' is a bit of a misnomer. At fault here are both the customer and the supplier. The customer for not doing the appropriate amount of due diligence in terms of determining what security measures would need to be in place for the data they were responsible for and the supplier (who are all lets face it "supposed" to be IT Professionals and acting in an advisory capacity as supplier) for not suggesting that such security measures might be warranted for the data.

It boils down largely to a lack of security professionals from both sides being involved on such projects from day one. All too often, the security guys are not consulted until the testing stage or worse still, after 'go-live'. And even after all the data losses and other security mistakes that have occurred in the last couple of years across both Government and private sectors, this *still* happens.

The solution could be relatively simple. Send both sides to an organisation akin to ACAS and thrash out an agreeable way of paying for the security improvements between themselves. After all, both sides are at fault and this would seem to be the most fair and equitable way to resolve the situation.

It might also mean some sort of progress finally being made!

I agree that the security measures the Gov't now wants and needs - as per the Data Handling Review after the HMRC lost CDs - are common sense.

But common sense doesn't always come into IT contracts because of cost: the customer wants the system, and data handling procedures, to cost as little as possible; and any supplier that costs security at anything above the minimum specification probably won't get the contract.

It may be that both sides know what's needed. But they both turn a blind eye for commercial reasons.

I suspect it's s only when Government agencies and departments systematically cease choosing the lowest bidder that suppliers will have the confidence to bid a gold-standard of IT security and handling procedures.