Intelligent CIO Europe Issue 20 | Page 65

CASE STUDY

work in that space as well. The attackers do it and from a defence point of view it makes sense,” he said. “So, if you are mindful of any commercial sensitivities – there are plenty of ways to collaborate and help each other out without tripping up – then it’s really important.”

Boda is Chairman of the Cybersecurity Working Group within the World Lottery Association, which is set up around the idea of threat intelligence sharing. Alongside the National Cyber Security Centre (NCSC), he is part of a gambling and gaming sector trust group which is also about threat sharing – something he set up with his former counterpart at William Hill.

“Sometimes it’s not just about an IP address you’ve seen or a change in DDoS attacks, it could be that we’re thinking about using a new vendor and you want to have a conversation about ‘well, if you’ve used that vendor already what was your experience with them?’”

The vendor – end-user relationship

“Sometimes I think there’s a bit of tension there, on both sides,” Boda conceded. “I think it’s a lot about making sure vendors and CISOs and end-users make a conscious effort to take time to understand each other’s perspectives and build relationships with each other. It’s about long-term partnerships, it’s not about transactional things and through that understanding and relationship building, then the whole buy-sell becomes a lot easier.”

On selecting vendors

There are many vendors offering a multitude of products and solutions. For Boda and his team, the selection process is driven predominantly by the organisation’s three-year information security strategy. If approached by a vendor, Boda says he is open and transparent about their offering not being part of the organisation’s roadmap at that time, but the solutions are given due consideration in a thorough testing phase when the time is right.

“If we’re doing a security thing, it means we’re not spending on a commercial thing or something else, so it’s really important that when we pass that business case across the table, we can look the CFO, CIO and other stakeholders in the eye and say we genuinely believe that it’s in the best interest of Camelot to be doing it.”

“The National Lottery celebrates its 25th birthday this year and we’ve just passed the £40 billion mark of money that has gone to charities and good causes as a result of what we do.”

The skills shortage

Boda believes the private sector has a role to play in helping to combat the ongoing cyberskills shortage, alongside government initiatives.

“I think you recruit a team, you don’t recruit individuals, so you have to have a balance of people that do have experience, but you should also be taking people and training them up,” he said.

The importance of ongoing training

A key part of Camelot’s overall strategy is around building a strong security culture. It’s not just about ‘putting posters up in the canteen’ – it’s about understanding how to create a behavioural change. One recent example involved inviting a comedian to speak during a lunch session. His sketch is based around his experience of having his identity stolen when he was younger.

“It’s not ramming security down people’s throats, but for that hour they’re thinking about security and at the end of it, I talked about how his experience related practically and what it means for Camelot,” Boda said. “If, hypothetically speaking, The National Lottery contact centre wasn’t carrying out data protection checks properly or if we were socially engineered into giving out information, that means personal information could be compromised.

“We really landed those key messages in a much more effective and memorable way.”

Camelot also has an internal red team which is used for running simulated attacks against the organisation itself.

“If the only time you see bad stuff happening is when bad stuff is actually happening, then you’re probably not going to react to it very well, but if you’re constantly practising that then your judgement calls are going to be better, so we use that red team capability as a core part of our learning and development as a team,” he said.

On what makes a good CISO

“Someone who has a good broad range of skillsets, from the commercial business side of things to being able to talk credibly, technically,” Boda said. “It doesn’t mean they need to have a comprehensive understanding of every detail but they need to be able to ask the right, probing questions, draw out the issues and be able to communicate those effectively.

“Some CISOs are much better at being able to communicate with the board and bounce ideas around how they’ve done that, or being really good at presenting metrics.

“Some are great at challenging their team or vendors and really asking the probing questions.

“We’ve all got our strengths and weaknesses, and being able to help each other out is really valuable.”