Case study

Information security transformation supports company growth

Due to changing market trends and the influx of new digital disruptors, our client - one of the world's largest insurance and financial services providers - needed to introduce a new approach to information security to remain competitive in the digital age.


The situation

To effect this change and modernise their cyber security, the client chose the Catapult team for our deep technical knowledge and background in transformation. Our experience reassured the client that we had both the strategic perspective and, more importantly, the technical capability to get the job done.

The first issue we found was that security was an afterthought, left to the end of the Software Development Life Cycle (SDLC), which caused long delays in delivering features to market.

Services were also inconsistent across the security units: different policies, different methodologies, and little collaboration or knowledge sharing because the teams were siloed. As a result, the security approach was misaligned with the strategic direction, which held up deliveries that cut across business units.

We also found that the client, operating across global markets, needed a scalable set of security services to deliver on its strategic objectives. Limited resources, a small number of technical security specialists and low levels of automation in the security architecture made this almost impossible and were blocking strategic initiatives such as Cloud adoption.

The solution

Installed as interim CISO, Catapult sat above the federated teams within the business units and worked with their security heads to define a new operating model. This included a major shift towards automated testing, making the development teams accountable for security and building it in throughout the SDLC, so that designs, test strategies and architecture were all secure.

We then worked with one product team to build automated testing capabilities that met the security auditors' requirements and incorporated them into that team's secure CD pipeline: DAST, SAST, RAST, and infrastructure and configuration testing. Once this had been implemented successfully in one team, the working model was copied and adopted across all the other teams.
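The automated checks above only remove manual gate reviews if the pipeline itself decides whether a build may proceed. The following is an added example of such a gate, written for this page and not code from the case study, Catapult or the client's pipeline. It assumes the SAST and infrastructure scanners emit SARIF 2.1.0 (most current scanners can), applies a severity threshold and a baseline of accepted findings, and exits non-zero when anything blocks. The SARIF document, rule IDs (EX-IAC-001, EX-IAC-002) and file names in it are constructed for the example.

```python
"""Tool-agnostic pipeline security gate over SARIF output (added example).

Reads a SARIF 2.1.0 report, applies a severity threshold and a baseline of
accepted findings, and reports whether the build may proceed. The SARIF
document, rule IDs and file names below are constructed for the example and
do not come from any real scanner or from the client's pipeline.
"""
import json
import sys
from collections import Counter

# SARIF result levels, ordered from least to most severe.
LEVEL_RANK = {"none": -1, "note": 0, "warning": 1, "error": 2}

# Constructed sample report: one explicit error, one result that inherits its
# level from the rule's defaultConfiguration, and one "pass" result that must
# not count as a finding.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-iac-scanner", "rules": [
            {"id": "EX-IAC-001",
             "shortDescription": {"text": "Storage account allows public network access"},
             "defaultConfiguration": {"level": "error"}},
            {"id": "EX-IAC-002",
             "shortDescription": {"text": "Minimum TLS version below 1.2"},
             "defaultConfiguration": {"level": "warning"}},
        ]}},
        "results": [
            {"ruleId": "EX-IAC-001", "level": "error",
             "message": {"text": "public_network_access_enabled = true"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "infra/storage.tf"},
                 "region": {"startLine": 14}}}]},
            {"ruleId": "EX-IAC-002",  # no "level": falls back to the rule default
             "message": {"text": "min_tls_version not set"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "infra/storage.tf"},
                 "region": {"startLine": 9}}}]},
            {"ruleId": "EX-IAC-001", "kind": "pass",
             "message": {"text": "checked"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "infra/keyvault.tf"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})


def _rule_default_levels(run):
    """Map ruleId -> level from the run's rule metadata."""
    levels = {}
    for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
        level = rule.get("defaultConfiguration", {}).get("level")
        if level:
            levels[rule.get("id")] = level
    return levels


def iter_findings(sarif_text):
    """Yield normalised findings from a SARIF document.

    Skips results whose kind is not "fail" and resolves a missing level the
    way the SARIF spec does: the rule's default level, else "warning".
    """
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        defaults = _rule_default_levels(run)
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for result in run.get("results", []):
            if result.get("kind", "fail") != "fail":
                continue
            rule_id = result.get("ruleId", "<no-rule>")
            level = result.get("level") or defaults.get(rule_id, "warning")
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            yield {
                "tool": tool, "rule": rule_id, "level": level, "uri": uri, "line": line,
                # Stable key so an accepted finding can be baselined once rather
                # than re-reviewed by a human on every run.
                "fingerprint": f"{rule_id}:{uri}:{line}",
            }


def gate(sarif_text, fail_on="error", baseline=frozenset()):
    """Return {"passed": bool, "counts": {...}, "blocking": [...]}.

    A finding blocks the build when its level is at or above `fail_on` and
    its fingerprint is not in `baseline` (accepted risks kept in source control).
    """
    threshold = LEVEL_RANK[fail_on]
    counts, blocking = Counter(), []
    for finding in iter_findings(sarif_text):
        counts[finding["level"]] += 1
        if finding["fingerprint"] in baseline:
            counts["baselined"] += 1
            continue
        if LEVEL_RANK.get(finding["level"], LEVEL_RANK["warning"]) >= threshold:
            blocking.append(finding)
    return {"passed": not blocking, "counts": dict(counts), "blocking": blocking}


if __name__ == "__main__":
    # Pipeline usage: python sarif_gate.py results.sarif [error|warning|note]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SARIF
    verdict = gate(text, fail_on=sys.argv[2] if len(sys.argv) > 2 else "error")
    for f in verdict["blocking"]:
        print(f"BLOCK {f['level']:<7} {f['tool']} {f['rule']} {f['uri']}:{f['line']}")
    print("counts:", verdict["counts"])
    sys.exit(0 if verdict["passed"] else 1)
```

Keeping the gate independent of any one scanner is what lets the same pipeline step be copied between teams: each team plugs in its own SAST, DAST or IaC tool and the policy (threshold plus baseline file) stays the same. The baseline turns a one-off risk acceptance into a recorded decision instead of a recurring manual intervention.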

Team performance was further improved by introducing a Community of Practice. This changed the culture, creating an environment in which collaboration and knowledge sharing could thrive and siloed thinking was banished, so the business could move faster. The culture change was further supported by a planning and collaboration platform, which ensured that standardised strategies and processes could be reproduced, repeated and scaled efficiently.

A single security framework (NIST, the US National Institute of Standards and Technology) was agreed and had to be adopted across the business units, with a periodic review of existing processes against it. The review identifies gaps, maturity levels, skill shortages and areas of under-investment, which are addressed through the new operating model (including the Concept 2 Market and SDLC processes) and an organisational design aligned to DevOps ways of working.

The client was keen to gain the benefits of the Cloud but wanted to be sure it would be secure. This was achieved by provisioning an Azure environment, via Infrastructure as Code (IaC), with appropriate controls around customer data. For additional protection, a Cloud access solution was put in place that included virus scanning of file downloads and email attachments, with built-in DLP.

The results

By automating control and governance throughout the SDLC, fewer manual checks and interventions were needed in the three lines of defence, which removed existing bottlenecks, increased deployment frequency and freed people for higher-value work.

The Community of Practice improved continuous learning and encouraged collaboration. It also raised employee satisfaction and increased interaction with security practitioners, leading to more robust fixes through crowdsourced problem solving and innovative thinking. In the first three months, £200k of savings were identified through the automation of just four security controls.

Standardising on a single set of policies and procedures allowed the client to demonstrate regulatory compliance easily. Implementing a single password policy, for example, brought the additional benefit of reducing password-reset overheads.

By designing and implementing a new operating model, teams developed agile ways of working and made decisions faster through clear accountability. For example, a new iOS app took only months to deliver, where previously it would have taken years.

The new operating model also enabled the creation, support and maintenance of a set of security services (IDAM, monitoring and pen testing) that the global business units could draw on.
