Compliance – A brick wall, built at taxpayers' expense, to restrict competition in the public sector marketplace

The requirement for standards compliance distorts the competitive landscape for public sector ICT. I want to explain how this works in a bit more detail here using information security as an example, as it is one of the systemic reasons why the oligopoly came into being.

Each public authority that wants to buy an IT system has to ensure that the information held on it is appropriately secure, given the sensitivity of the information concerned. The definitions of these security standards are created centrally by the Cabinet Office, and handily described as the Government Security Classifications. They are updated regularly to reflect changes to the types of threat that exist, and changes to the technology systems being used.

Complying with these security standards requires the public authority to conduct a risk assessment, and then implement a series of procedures, controls and systems changes to meet them. The Pan-Government Accreditor then periodically checks these systems to ensure that the standards are actually being applied. So far, so sensible. However, let's think about how this works in practice with a hypothetical local government buyer: Borsetshire Council.

In 2003: Borsetshire Council lets a contract for data centre hosting to Supplier A. Supplier A had to meet the Security Standards (2003) in order to win the contract, at considerable risk to itself.

In 2004: The Cabinet Office updates the security standards and issues Security Standards (2004). Supplier A requires a change control to upgrade their service to meet the new standards, which Borsetshire Council pays for.

In 2006: The security standards are updated again. Supplier A requires a change control to upgrade. Borsetshire Council pays for it.

…and so on. In all, the government protective marking scheme and/or the supporting security standards and guidance have been updated at least once every 18 months for the last 10 years.

In 2014: Borsetshire Council would like to retender for its data centre services. In line with CCS advice, it includes compliance with all current security and quality standards in its tender document. Private sector specialist Supplier B would very much like to bid, but finds to its shock that, in order to be considered, it has to upgrade its data centre to meet the current Security Standard (2014). Supplier B has two problems:

  • they have to meet these standards in advance – with no guarantee of revenue. If they invest and fail to win the bid, then the money will have been wasted.
  • they are at a significant cost disadvantage in the competition, since they will have to include the cost of upgrading to the standards in their price. But Supplier A does not, since Borsetshire have already paid them for this via change control.

To be fair to Supplier A, it had to face exactly the same problems when it won the original contract way back in 2003. It will feel perfectly justified in using its status as a “Compliant Provider” as a differentiator when bidding for work.

However, the effect of this cycle is that over time, the incremental cost of standards compliance reinforces the position of the incumbent, Supplier A, against any non-public sector competitor. Its only real threat is the other public sector ICT providers, who have similarly had a competitive moat built around their businesses.

The government has an obligation to protect the information that it gathers and processes, so it can and should expect its suppliers to do the same. However, there are two elements of information security:

  1. The cost of actually being secure
  2. The cost of demonstrating that you are secure

A company can operate systems and processes that are secure for a given level of information (say, the maintenance and processing of financial transactions). You might expect that this standard of security would be common across most private and public sector customers. After all, your financial transactions are, for most people, of equivalent sensitivity to their social security records. The cost of this security is an intrinsic part of the overhead involved in delivering the service, and would be paid equally between public and private sector customers.

However, in the public sector it is not sufficient to be secure; you have to demonstrate that you are secure as well. The compliance process is prescriptive, and requires a range of audits, documentation and evidence to prove that the system is being operated according to an agreed set of standards. It costs a great deal of money. Typically, it adds 20-30% to the ongoing cost of delivering the service.

This is a premium that the public sector pays (and a premium that restricts access to the market for new entrants), even though the underlying service may be no more secure than the one used to process your credit card payments.

Think of it as a brick wall, built at taxpayers' expense, whose effect is to restrict the entry of new competitors into the marketplace and to protect the commercial interests of the incumbent.