In order to affect this change and modernise their cyber security, the Catapult team was chosen due to our deep technical knowledge and background in transformation. Our experience reassured the client as it demonstrated we had both the strategic perspective but more importantly, the technical capability to get the job done.
The first issue discovered showed security was an afterthought and was being left to the end of the Software Development Life Cycle (SDLC), which caused long delays in delivering features to market.
Not only this but inconsistent services across each security unit, including different policies, methodologies and a lack of collaboration and knowledge sharing due to siloed teams, caused their approach to be misaligned with all strategic direction which impacted cross-business unit deliveries.
We also discovered our client, working across global markets, needed a scalable set of security services to deliver on their strategic objectives. Due to limited resource, a small number of technical security specialists and low-levels of automation in security architecture, made this almost impossible to do, preventing strategic initiatives such as Cloud adoption.
Installed as interim CISO, Catapult sat above the federated teams within the business units and worked with their different security heads to define a new operating model. This included a big shift towards automated testing, making the dev teams accountable for security and catering for it throughout the whole SDLC, ensuring designs, test strategies and architecture were all secure.
We then worked with a product team to develop capabilities for automated testing to meet security auditor requirements, which was incorporated into their secure CD pipeline, including DAST, SAST, RAST, and infrastructure and configuration testing. This was successfully implemented once, then the working model was then copied and adopted across all other teams.
Team performance was further improved by introducing a Community of Practice. This helped change the culture, helping to create an environment where collaboration and knowledge sharing could thrive and siloed thinking banished, to make the business go faster. The culture change was further enabled by implementing a planning and collaboration platform, which ensured standardised strategies and process could be recreated, repeated and scaled with great efficiency.
A single security framework (NIST - National Institute of Standards and Technology) was agreed upon, which had to be adopted across the business units, with a periodic review set up for existing process against the NIST framework. This would help identify deltas, levels of maturity, skill gaps and areas of under investment which would be addressed through a new operating model (including Concept 2 Market and SDLC process) and an organisational design aligned to DevOps ways of working.
Our client was keen to get the benefits of using the Cloud but wanted to ensure it would be secure. This was achieved by provisioning an Azure environment with appropriate controls around customer data via Infrastructure as Code (IaC). For extra security a Cloud access solution was put in place that included virus scanning of file downloads and email attachments with built-in DLP.
By introducing automation of control and governance throughout the SDLC, fewer manual checks and interventions in their three-line defence approach were needed, helping to remove existing bottlenecks and speed up the frequency of deployments and allowing people to move to higher value work.
Introducing a Community of Practice improved continuous learning and encouraged collaboration. This also helped improve employee satisfaction and increased interactions with security practitioners, resulting in more robust ways in fixing issues due to crowdsourced problem solving and innovative thinking. In the first three months, £200k of savings were identified through automation of only four security controls.
Standardisation on a single set of policies and procedures allowed the client to easily demonstrate regulatory compliance, such as implementing a single password policy, creating an additional benefit of reducing password reset overheads.
By designing and implementing a new operating model, teams developed agile ways of working and made decisions quicker through clear accountability. For example, a new IOS app took only months to implement, which previously would have taken years.
The new operating model facilitated the creation, support and the maintenance of a set of security services (IDAM, monitoring and pen testing) that could be utilised by the global business units.