Banks and financial services companies should not be afraid of outsourcing key parts of their IT security operations, John Meakin, head of information security at Standard Chartered Bank, told Computer Weekly last week.
Meakin said it was a mistake for banks to respond in a "knee-jerk" way by refusing to outsource security simply because it is security.
"We have to do a number of key activities to secure the bank. If we can do those activities better by outsourcing them than by doing them ourselves, the equation says the security of the bank is better. That is the primary decision point for us," he said.
Meakin believes that there are only three key security functions that banks have to retain in-house: risk analysis, development of company security policies and the design of the organisation's security architecture.
These functions can only be effectively carried out by people with a thorough understanding of the business goals and objectives of the bank, and cannot be left to technical specialists alone.
"If you wheel in a consultant to write a security policy, you are going to get something generic that only approximates the needs of your business," he said.
"It is quite important to have the security architecture tuned to your business and, more importantly, the way your business will be in a few years' time."