CASE STUDY
work in that space as well. The attackers do it and from a defence point of view it makes sense,” he said.

“So, if you are mindful of any commercial sensitivities – there are plenty of ways to collaborate and help each other out without tripping up – then it’s really important.”

Boda is Chairman of the Cybersecurity Working Group within the World Lottery Association, which is set up around the idea of threat intelligence sharing.

Alongside the National Cyber Security Centre (NCSC), he is part of a gambling and gaming sector trust group which is also about threat sharing – something he set up with his former counterpart at William Hill.

“Sometimes it’s not just about an IP address you’ve seen or a change in DDoS attacks, it could be that we’re thinking about using a new vendor and you want to have a conversation about ‘well, if you’ve used that vendor already what was your experience with them?’”
The vendor – end-user relationship

“Sometimes I think there’s a bit of tension there, on both sides,” Boda conceded. “I think it’s a lot about making sure vendors and CISOs and end-users make a conscious effort to take time to understand each other’s perspectives and build relationships with each other. It’s about long-term partnerships, it’s not about transactional things and through that understanding and relationship building, then the whole buy-sell becomes a lot easier.”
On selecting vendors

There are many vendors offering a multitude of products and solutions. For Boda and his team, the selection process is driven predominantly by the organisation’s three-year information security strategy.

If approached by a vendor, Boda says he is open and transparent about their offering not being part of the organisation’s roadmap at that time, but the solutions are given due consideration in a thorough testing phase when the time is right. “If we’re doing a security thing, it means we’re not spending on a commercial thing or something else, so it’s really important that when we pass that business case across the table, we can look the CFO, CIO and other stakeholders in the eye and say we genuinely believe that it’s in the best interest of Camelot to be doing it.”

“The National Lottery celebrates its 25th birthday this year and we’ve just passed the £40 billion mark of money that has gone to charities and good causes as a result of what we do.”
The skills shortage

Boda believes the private sector has a role to play in helping to combat the ongoing cyberskills shortage, alongside government initiatives.

“I think you recruit a team, you don’t recruit individuals, so you have to have a balance of people that do have experience, but you should also be taking people and training them up,” he said.
The importance of ongoing training

A key part of Camelot’s overall strategy is around building a strong security culture. It’s not just about ‘putting posters up in the canteen’ – it’s about understanding how to create a behavioural change.

One recent example involved inviting a comedian to speak during a lunch session. His sketch is based around his experience of having his identity stolen when he was younger.

“It’s not ramming security down people’s throats, but for that hour they’re thinking about security and at the end of it, I talked about how his experience related practically and what it means for Camelot,” Boda said.

“If, hypothetically speaking, The National Lottery contact centre wasn’t carrying out data protection checks properly or if we were socially engineered into giving out information, that means personal information could be compromised.

“We really landed those key messages in a much more effective and memorable way.”

Camelot also has an internal red team which is used for running simulated attacks against the organisation itself.

“If the only time you see bad stuff happening is when bad stuff is actually happening, then you’re probably not going to react to it very well, but if you’re constantly practising that then your judgement calls are going to be better, so we use that red team capability as a core part of our learning and development as a team,” he said.

On what makes a good CISO

“Someone who has a good broad range of skillsets, from the commercial business side of things to being able to talk credibly, technically,” Boda said.

“It doesn’t mean they need to have a comprehensive understanding of every detail but they need to be able to ask the right, probing questions, draw out the issues and be able to communicate those effectively.

“Some CISOs are much better at being able to communicate with the board and bounce ideas around how they’ve done that, or being really good at presenting metrics.

“Some are great at challenging their team or vendors and really asking the probing questions.

“We’ve all got our strengths and weaknesses, and being able to help each other out is really valuable.”