ESISS: sharing information security expertise

ESISS graphic

Universities reap the benefits when information security expertise is shared ‘by the sector for the sector’, reports Dr Andrew Rothwell of Loughborough University’s Centre for Global Sourcing and Services. He talks to Matthew Cook, Ian Griffiths and Peter Darby about the Education Shared Information Security Service (ESISS) as a shared service.

AR: How did ESISS start?

The Education Shared Information Security Service (ESISS) started as a pilot in 2009 and became self-sufficient within a year. ESISS was a pilot project of the East Midlands Metropolitan Area Network (EMMAN) which was founded as a cooperative of eight universities in the 1990s to deliver and develop Janet connectivity as a shared service

AR: What are the main features of ESISS as a shared service?

ESISS provides a shared service that no one of the participating institutions could provide on its own, so there are clear benefits from collaboration. To succeed as a shared service, the service needed to be an area where there was no competitive advantage to be lost, and it also needed to be a relatively scarce and singular resource in an area that was seen as highly specialised.

Networking and information security seemed to be the ideal field in which to pursue these aims, especially as information security is increasingly a ‘must-have’ for organisations, including universities.

This sort of work requires ‘penetration testing’ of an organisation’s security infrastructure to be done by an external organisation. This lends itself to collaboration between institutions and reinforces the notion that the shared service is ‘by the sector for the sector’.

ESISS is best described as a shared service of a specialist skill, where organisations ‘join the club’ and pay a subscription instead of buying the service.

AR: Any particular challenges?

One challenge in setting up ESISS as a shared service was to demonstrate that it didn’t benefit from any favourable treatment even though it was ‘by the sector for the sector’. The team had to fulfil all the procurement rules, and found that these were often different for every single institution.

Not only that, the process of closing a contract from the identification of opportunity to point of sale could often take 18 months irrespective of the value of the order. Institutions could be very slow to make decisions, and were often subject to external influences such as auditors.

AR: How was ESISS funded initially, and how will funding be sustained?

The ESISS feasibility project was initially funded by the Higher Education Funding Council, and the subsequent pilot was jointly funded by HEFCE and EMMAN. EMMAN selected Loughborough University as the successful bidder to host the technical elements of the shared service.

The pilot, in 2009, started well, and the service was self-sufficient within a year – this was perceived to be a pre-requisite for success. Funding was by subscription from the eight universities, which included funding to cover the shared service. The new organisation signalled a change of attitude for the education sector, towards a more commercial orientation. Thus one of the guiding principles was that making money from the collaborative venture, for improving services to the members, was not seen as a problem in the longer term. ESISS is now open to every eligible institution in the whole country.

AR: What does the future hold for ESISS?

EMMAN’s anchor tenant was Janet (UK) which accounted for some 70% of EMMAN’s income. As time moved on, Janet (UK) came to the conclusion that they wanted to be closer to their customers in the sector, no longer working through EMMAN which had come to be perceived as the service provider. The EMMAN board decided that the organisation could not continue as an entity in its existing form, but did want the ESISS service to continue for the sector. Accordingly, Janet (UK) was chosen as the home in which ESISS would continue to thrive and ESISS transferred from EMMAN to Janet (UK) on 1 August 2013.

Key learning points

  • A shared service that is financially viable right from the outset is more likely to succeed.
  • A shared service that is based on high-level specialist and technical skills that are difficult for an individual institution to provide, gives a strong rationale for institutions to buy into it.
  • The shared service is likely to be more palatable to institutions when the specialist and technical skills are in an area unrelated to competitive advantage but nonetheless essential.
  • The energy and commitment of key individuals with a strong profile in the sector are crucial in making a shared service succeed. 

Report: Dr Andrew Rothwell of Loughborough University’s Centre for Global Sourcing and Services.