HSMs in banks - A case for a multi-sourcing strategy for critical tech infrastructure

Supply chain optimization has been one of the primary ways to squeeze a bit more efficiency out of a business process for some time now. Over time, companies have perfected strategies such as just-in-time inventory management and co-locating vendors in the same industrial park as themselves. However, an excessive push towards supply chain and vendor optimization increases risk, because the logical conclusion of unabated cost optimization is often a single-sourcing strategy.

This single sourcing strategy is not unique to just manufacturing though. The same vendor strategy is often applied in the service sector to get the same benefits. Companies enter into contracts with just one vendor to provide a service across their global footprint. It’s not uncommon to find a single global vendor handling IT support everywhere and another single vendor handling travel and logistics, and then another single vendor for hardware or software and so on.

However, this strategy of single source procurement highlighted above is not without its risks. This is true for both important supply chain linkages as well as critical vendor services. Many companies treat procurement as a function where the goal is to minimize the cost of procurement. While cost is obviously an important factor, every operational and financial decision should take the risk component into account as well.

This risk traditionally used to be restricted in scope, but today the biggest risk perhaps is the reputational damage that may result from a security breach or fraud. Such disasters can be hard to recover from.

So at the end of the day, the question to be asked is this: What procurement strategy can give you the best return while restricting risk to a level that you are comfortable with?

Building a deeper procurement capability

If we look at the Hardware Security Module (HSM) market in particular, it is currently dominated by very few players following some recent consolidation. In such a scenario, it might make sense for large organizations which rely on HSMs, such as banks, to have some built-in flexibility in their hardware sourcing strategy.

A multi-sourcing approach to vendor risk management requires this flexibility to be built into the procurement process. Since the vendor qualification process can be long and tedious for organizations with a global footprint, it makes sense from a vendor risk management perspective to get the ball rolling sooner rather than later.

In addition to the vendor risk management benefits, a multi-sourcing strategy also ensures cost competitiveness, better service levels and access to diversified pools of industry experience. The disadvantage of such a strategy is of course the additional time and cost of vendor qualification and of operating two disparate systems. Whether the benefits outweigh the costs is a decision each business has to make based on its own circumstances.

The compromise between vendor independence and cost consolidation

Multi-sourcing also has disadvantages. Managing inventory across multiple vendors increases costs, and key management becomes problematic, particularly when HSMs from smaller niche vendors are deployed that lack mature APIs and proven, reliable integration with key management systems. Smaller vendors also add organisational risk, including a potential lack of sufficient and timely emergency support or simply the risk of the vendor disappearing from the market.

The global HSM market is in a strong process of consolidation. Small players are disappearing. The leading top 3 are consolidating their lead through an M&A strategy, acquiring relevant followers or niche players and rounding out their portfolios.

The current consolidation of HSM vendors in the global market, combined with banks striving for cost-efficient and reliable processes, has led to the emergence of a dual-sourcing strategy: banks preferably source from the top 3 vendors, typically running 2-3 solutions in parallel.

Banks reach crypto-agility through key management systems which are able to handle the major HSMs and allow switching from one system to the other within an acceptable time delay. The introduction of a crypto abstraction layer (middleware) between HSMs and applications gives an additional means to manage multiple HSMs and allows for accelerated migration from one HSM to another.
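As an added illustration (not code from the original post or from Utimaco), the following Python sketch models such a crypto abstraction layer: applications address keys by logical name, the layer routes each operation to whichever backend holds the current key version, and a migration to a second vendor is a new key version rather than a key export, so data signed before the switch stays verifiable. The two backends are constructed software stand-ins using HMAC-SHA256, not real HSM drivers, and the interface names are assumptions.

```python
import hashlib, hmac, secrets
from abc import ABC, abstractmethod

class HsmBackend(ABC):
    """Assumed common interface that every vendor backend must implement."""
    name: str
    @abstractmethod
    def generate_key(self) -> str: ...   # returns an opaque key handle
    @abstractmethod
    def sign(self, handle: str, data: bytes) -> bytes: ...

class SimulatedHsm(HsmBackend):
    """Constructed stand-in for a vendor HSM: key bytes never leave the
    object, callers only ever hold opaque handles."""
    def __init__(self, name: str):
        self.name = name
        self._keys: dict[str, bytes] = {}

    def generate_key(self) -> str:
        handle = f"{self.name}:{secrets.token_hex(4)}"
        self._keys[handle] = secrets.token_bytes(32)
        return handle

    def sign(self, handle: str, data: bytes) -> bytes:
        return hmac.new(self._keys[handle], data, hashlib.sha256).digest()

class CryptoLayer:
    """Middleware between applications and HSMs. Each logical key keeps a
    version list of (backend, handle); migrating to another vendor appends
    a new version, so data signed before the switch stays verifiable."""
    def __init__(self, backends: list[HsmBackend]):
        self.backends = {b.name: b for b in backends}
        self.keys: dict[str, list[tuple[str, str]]] = {}

    def create_key(self, name: str, backend: str) -> None:
        self.keys[name] = [(backend, self.backends[backend].generate_key())]

    def migrate(self, name: str, backend: str) -> None:
        # Provision a fresh key on the target HSM instead of exporting one.
        self.keys[name].append((backend, self.backends[backend].generate_key()))

    def sign(self, name: str, data: bytes) -> tuple[int, bytes]:
        version = len(self.keys[name]) - 1          # newest version signs
        backend, handle = self.keys[name][version]
        return version, self.backends[backend].sign(handle, data)

    def verify(self, name: str, version: int, data: bytes, sig: bytes) -> bool:
        backend, handle = self.keys[name][version]
        expected = self.backends[backend].sign(handle, data)
        return hmac.compare_digest(expected, sig)
```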

Banks face a dilemma between maximized vendor independence, limited inventory and procedural costs, and minimized recovery times in case of incidents. A dual-sourcing policy emerges as the silver bullet out of that dilemma.

Blog post by Paul Abraham
