Zurich Financial Services had two IT priorities last year: to raise awareness about information security and to improve the operational efficiency of the worldwide business.

Security used to be handled by a small team scattered across its IT departments around the world, which meant it was hard to pool best practice and reach any agreement. All this changed when the company embarked on a huge consolidation initiative that shrunk 20 global CIOs and two datacentres down to one operation. It also slashed IT running costs from £2 billion to about £1bn.

Zurich’s business is to calculate and put a value on risk, so it decided to apply the same logic to its IT department. Now the company doesn’t view security as a matter of optimising firewalls or anti-virus, but a case of risk strategy and risk management. “In 2002, there were virtually no synergies between the different IT shops around the globe,” Stefan Vogt, head of IT risk at Zurich Financial Services said at the Gartner Security Summit last autumn. “By bringing in changes and outsourcing much of the technology, we have been able to drive down cost and achieve greater collaboration between different IT and security teams.”

Outsourcing the day-to-day aspects of security is a key plank to its strategy and the company has outsourcing contracts with CSC, IBM and Equant to manage much of its IT infrastructure.

On the operational efficiency front, Zurich employs a traffic light approach, so that different levels of risk are flagged as green, amber or red, depending on their threats to the business.