Former Chief Technology Officer
Lloyds Banking Group
Andy’s 20-year career in the Cybersecurity industry began with Microsoft, starting as a senior solution architect. As the CTO of Zurich Insurance later in his career he was instrumental in renegotiation of Zurich’s largest IT deal across the group with a contract value of hundreds of millions of dollars.This eventually led to his role as CTO Lloyds Development Capital where he leveraged his knowledge and experience in IT to achieve clear operational efficiency improvements through market leading initiatives such as Automation, Machine Learning, AI and Cloud.
Section 1: Current Cyber Security Trends and Challenges
1.1. What is your organizations approach to cyber security?
As a provider, we’re seeing a massive uptake in cybersecurity requirements. And it’s quite specific actually. Spending in cybersecurity, across all industries is increasing dramatically, because people are doing things differently, over the last couple of years. If you take COVID out of the equation, technology and the use of technology is diversifying massively across every industry. In summary, a lot more people could be potentially attacked using a cyber-attack method and using threat actors. So, cybersecurity is becoming a lot more prevalent across every industry.
If you bring COVID into the equation, you’re seeing lots of people working outside of the office in very diversified, remote environments. They’re working from home; they could be working from coffee shops. They could be working pretty much anywhere these days. And enabling of things like video conferencing across the board is fantastic, but it also provides quite an increased amount of risk for every business, and the particular people working for that business.
As a provider, we’re receiving a lot of requests to be able to help with answers around that. How can we protect our people better? How can we vet and get intelligence around the threat landscape? What’s actually happening that our clients don’t know about?
We’re also seeing a big increase in what’s called SOCS, security operation center services. Predominantly that is being able to monitor and provide assessment services for potential cyber threats on an organization’s technology and be able to proactively respond to those.
The stance organizations are taking are changing and being more proactive, investing money and protect the business better, because cybersecurity is not just a technology problem. It’s a business challenge. So, it needs to be addressed at the board level and everybody in the business needs to be aware of it.
Our customers are now coming to us for cyber security solutions, but also, requiring training and awareness across the business.
1.2. How are cybersecurity operations structured in your business?
At Lloyds Development Capital, Lloyds Banking Group, I was the portfolio CTO, where I looked after technology and cybersecurity across businesses that Lloyds invested in.
Across those businesses, they all have various different challenges, and some of them have had potential cyber challenges. But there is an increased, awareness of cybersecurity across the whole portfolio of companies.
We have to take this seriously. We have to invest money, time and effort in looking at how to protect ourselves, the different portfolio companies, the end customers, the end suppliers and partners of those companies. It’s not just protecting Lloyds Banking Group, it’s actually protecting the whole ecosystem around those companies.
I saw a big uptake in cyber security due diligence, before my ex-employer invested in a company, include a cyber security assessment as part of the diligence. It’s not just technology, it’s not just focusing on financial and commercial and legal diligence now, it’s also includes cybersecurity.
Then on the sale of those companies, you’re also seeing potential buyers wanting to conduct the same assessments, or very similar assessments to get a clear view of how well these companies are protected.
During the investment into various companies, these companies and Lloyds itself is actually wanting to spend time, effort and money, making sure these companies are protected.
People are generally wanting to increase their awareness of cybersecurity. People are aware, they’re not really up to scratch with what they need to do, and there are potentially big gaping holes in cybersecurity, and something needs to be done to protect their business.
A lot of work in my former company was all around education. It was at the board or at the executive level saying actually, this is a business challenge not just a technology problem. This is something that the board, stakeholders of the business, all the way down through every level of the organization should be aware of and should have a good understanding of how to protect themselves and the business. I saw a lot of investment go into awareness training, SOC services and penetration testing, as a buyer.
1.3. What are the current cybersecurity priorities?
Specific challenges around financial services depend on which area of financial services you operate in. If you look at investment, private equity, then the priorities are all about protecting their investment. Previously, they would be spending money on commercial lines or business insurance. They will be making sure that the physical security of their buildings is secure. But not a lot really happened around the people within the business, or the technology in the business.
Now, there is a big push to equalize that, to make sure that they can protect every aspect of their investment, including business, process, people, but now including technology. So, there’s a big push to protect the overall investment for two reasons. One is they don’t want the investment to devalue during the investment. The second thing is they want to be able to maximize the exit value or the sale value of that investment, which they can’t do if they’ve got cyber and technology problems.
If you look at traditional retail banking, it’s the integration and the interface for the customers, being able to maintain that customer experience. We’ve seen quite a lot of widely publicized, around the world, outages within global banks. Now, quite a few of them are actually related to cyber challenges, cyber-attacks, although not publicly announced.
In terms of the retail side of things, they do need to protect that experience. So, it’s not actually making the user experience better. That’s a different aspect of the business. But it’s actually being able to protect that, so they don’t have outages and they can provide a consistent experience.
If you look at wealth management and high net worth banking, it’s all about the value-add for those clients. There are elements of social engineering here, because it’s not straight cybersecurity. Wealth management companies need to be showing that they can add value to their clients, where they’re not just going to take their money, give them a bit of interest and hand it back. They need to be able to provide additional services on top of that.
I have observed quite a large uptake in social engineering protection. Being able to advise and help their high-net-worth clients in protecting themselves and their businesses around cybersecurity, social awareness, being clever on social media. It can even go as far as employee and counter surveillance techniques, which a lot of people think is ludicrous. However, if you think about the individuals the wealth management businesses target and interact with, it’s actually very much front and foremost for them.
In general, across all banking financial services institutions, you’ve got transactions and integrations. So, these businesses have to integrate with many clients; many suppliers; many partners and even other banks, potential competitors. They need to make sure that all of those integration points and all of those transaction points with external parties are secure as well.
I’m seeing a massive increase in spending to be able to protect these points, because a lot of banks have legacy systems in place. Not all of them have modern technology across every single aspect of the technology landscape. They need to spend money while they transform that, protecting that heritage estate. I’m also seeing a trend in protecting the old as well as transforming the new.
1.4. What are your current cybersecurity challenges?
I think the simple answer in one word is diversification. So, with COVID-19, people are working differently, they’re working very differently to how they did in 2019. It’s not all about protecting a group of people in one location anymore. It’s protecting a group of people in many locations.
So that has vastly changed the way that businesses have to look at cyber and business security. That is massive, basically, massive. And one can’t underestimate the amount of time in terms of investment that businesses should and sometimes do take to train and make their people aware.
It’s not necessarily about sticking loads of servers in a server room and protecting that server room now, because people are working differently. That data is on laptops, tablets, phones, et cetera, that are now not in the office, they’re traveling a lot or they’re at home. And the home environment is not as secure as a secure business premise typically. So, they have to look at a very much diversified attack vector. So potential ways that they could be attacked for their business.
In terms of cloud, that’s really an extension of what I was just saying is that if you go back 10, 15 years, everything was in a business or a service provider’s data center. Now, everything is in multiple data centers, across public and private cloud. It might not even be in the same country, depending on your business needs.
So, for cloud, I’m seeing two things become very prevalent. One is being able to supplement public cloud provider security. Amazon, Microsoft essentially will provide a layer of security. People are looking for additional security, such security operations center, SOC services, manage, detect and response services, as well as regular application testing on top of what those clouds can provide.
And in addition to that, they’re actually looking at encryption. Encryption is absolutely key. I think a lot of people would be surprised about how data is not actually that well encrypted in transit or in storage. The niche aspect is its security first, but I think every business should treat security first, and should look at making sure that their data, their information, wherever it is, whether it’s stored on a laptop, or whether it’s stored in a hybrid cloud somewhere, it should absolutely be fully encrypted and verified that that encryption works.
Section 2: Post COVID Strategies and Outlook
2.1. Have there been changes in the CS landscape during the pandemic?
I think it follows business strategies. There’s a lot of language being used within the UK, and across the world, that we are facing a new normal, people are not going to work in the same way that they did in 2019. The world is a different place, whether that’s worse or better, that’s for each person to decide.
But I think virtually every single business is going to operate slightly differently. To that end, a change and an evolve in cybersecurity strategy falls off the back of that. So, it’s not going to be the same old, where we just patch our servers, lock the business and ensure a clear desk policy. Things are very different now.
Moving forward, we’re going to see a big increase in cyber security attacks. A lot of criminals and malicious people trying to attack businesses, because it’s easier than breaking into a building, and they can do it fairly anonymously. The rate of being able to get away with the crime is slightly higher than you physically break in somewhere.
I think we’re going to see a lot more people trying to attack businesses. And as a result, and hopefully proactively, we’re going to see a lot more businesses increase their cybersecurity budget. Whether it’s penetration testing, whether it’s management, detection and response services, developing the ability to proactively monitor their estate. Or whether it’s awareness. So, making sure that their people are aware that the world’s changed and what that means for them, in terms of cybersecurity.
If you wrap all that together, that’s essentially a very much different cybersecurity strategy than what we had a couple of years ago. If you look at it from a financial perspective, the financial implications of a cybersecurity attack are much greater these days, and it’s a real problem.
We will also see an increase in spending across the board, regardless of industry. I think every single industry will see an increase in cybersecurity spending in 2021, 2022 and it will probably increase as we move forward.
Also, if you put COVID to one side, technology advancements, like machine learning, AI, robotic process automation, those technologies are increasing, and the use of those is increasing massively. So, with the use of that, that sounds great, because you can have a very robust antivirus scanner, for example, using artificial intelligence to be able to look for virus patterns, for example.
But it also means that the attackers can use the same technologies to make themselves attack more efficiently and more effectively. So that’s going to create a circular increase in spending across the board over the next couple of years.
2.2. What has been the impact of these key changes or key developments since COVID started on your business or on the financial industry?
It’s actually very hard to estimate those, Accenture has done analysis of this in their cybersecurity spending report, where they did show a dramatic increase. I think they were talking something like 39 trillion of US dollars of spend across cybersecurity or across the world. It’s huge.
I’ve typically seen an increase of around 400% in terms of cybersecurity spending as a result of coronavirus. Now, that is specific to financial services and specific to the types of businesses I’ve worked with.
2.3. Have you seen change in the customer or client CS attitudes since COVID began?
Not in terms of cybersecurity. A lot of people want to interact with banks and with financial services in different ways now. They don’t want to necessarily have to go to a branch to meet with a mortgage advisor. They want to do that over the phone. They want to do that in video meetings, et cetera. So, the change of customer attitude isn’t really around cybersecurity, but it’s around interacting in different ways with those businesses.
2.4. What are the learnings that are going to stay with us for the longer term?
I think for me, firstly, people will continue to work differently into the future, and we need to be able to proactively protect them while they do that. And the second thing is, technology such as artificial intelligence, machine learning is increasing dramatically.
And as a result, the cybersecurity industry and the clients of the cybersecurity industry need to also take into account these technologies and utilize them in protecting businesses. So, it is more learning, it would be use new technologies as we move forward and accept and support that people work differently now.
2.5. What new risks are you now preparing for in the post-COVID world?
I think it pretty much aligns to the learnings and what we want to do in the future, in terms of cybersecurity around people are working differently and the technology has advanced and will continue to advance. I think it’s much of the same thing. If we need to prepare and protect against those risks, we should take the learnings from COVID and just implement all of those.