How Standard Life's security shake-up supported digital transformation
Senior security specialist Colin Keltie explains how a new approach to security enabled Standard Life to dump useless digital assets
Colin Keltie has worked in IT at Standard Life for more than 18 years, and he has found that the biggest cyber security problem in organisations is an obsession with containing a single cyber threat.
Boards, C-suites and DevOps teams all have different perspectives on what that threat really is, whether it is data leakage or an insider. And, much of the time, there is a fixation on a 'silver bullet' solution that will solve every cyber security issue - without paying any attention to the problem the business should actually be trying to solve.
"I've seen technology being invested in as if it is like a broken car: once it's fixed it'll work. So you'll have stakeholders investing multiple millions of pounds on solutions and then stop and pull back from it," says Keltie, who was a senior security specialist at Standard Life's cyber response unit, and is now an independent consultant.
Much of the time, such a solution takes so long to deliver that its efficacy has gone by the time it arrives.
"DDoS is a great example of this. We had a focus a few years ago on on-premises layer 2, 3 and 4 DDoS solutions. A lot of money was invested in putting some tin on the floor and, before you know it, you've got layer 7 DDoS and then you have mass volumetric attacks and massively distributed attacks that overwhelmed the solutions we put in," says Keltie.
So, in many respects, he shifted from the technology space into what he calls the process and continual investment space. The aim? To help reshape the way the organisation thinks about how it delivers and supports all its digital assets. But was that move welcomed by the business?
"No, it required a lot of tough conversations," he says.
Nearly six years ago, Standard Life was attempting to evolve into a digital organisation, he continues. The transition would take 18 months, and Keltie and his team would support its delivery.
The intention was to turn Standard Life into an organisation producing digital assets, which would either be revenue generating or assist in speeding up the business in some shape or form, says Keltie.
"From a distance we saw a production line of digital commodity in a completely different way to anything that had been done in infrastructure, legacy, technical or other parts of the organisation. So we put firewalls in. Of course, you don't just buy a firewall and that's it, it's got a life cycle so you have to continually revise and look at the code base and check for vulnerabilities," says Keltie.
On the infrastructure side, the security team became more embedded in how this was managed but, according to Keltie, the digital side of the organisation took over.
"They said that the business needed agility, DevOps and 'disruptive innovation'," he adds.
Instead, Keltie believes the company ended up with a "churn machine" producing elements of digital that weren't useful.
"I was tasked with building a cyber response function and putting together a Security Operations Centre, so I looked into web application firewall (WAF) protection and, because we had our footprint with F5 Networks, I started planning how I would start to deploy this," he says.
"I had a naïve vision that if I switch it on we'd see a lot of the 'baddies' trying to penetrate with nasty code being turned away and it'd be great. But the minute I switched it on there was more noise from inside from this effluent stream of digital stuff that we'd been producing for years, and some bad practices: code injection techniques that were legitimised into the structure of gold-star applications, for example," he says.
This simple act of switching on a piece of technology demonstrated how the business was operating. Keltie believes it's a stage of digital transformation that every organisation will stumble into. He calls it the "digital adolescence phase".
"It really made the organisation think about how it develops and delivers digital offerings to the business and made people ask questions about what is important. What is vulnerable and what are we concerned about, whether it be fraud or customer data?"
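The effect Keltie describes is easy to reproduce. The following is an added example, not code from the article, Standard Life or F5: a toy WAF-style inspection run in detection-only mode over constructed request logs. The two signatures and the sample requests are assumptions made for the illustration (they are not F5 ASM rules or real traffic), and the "application" is simply the first path segment. The point it makes is that the same injection signature that catches an external tautology probe fires just as readily on an internal, long-established reporting tool that has always accepted a raw SQL-like filter expression, which is why a WAF is switched on in monitoring mode and triaged by source before anyone flips it to blocking.

```python
"""
Added example, not code from the article, Standard Life or F5: a toy
WAF-style inspection run in detection-only mode over constructed request
logs. Injection signatures that catch an external probe also fire on an
internal application that legitimately passes SQL-like filter expressions
in a query parameter. Rules and traffic are illustrative assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple
from urllib.parse import parse_qs, urlsplit


class Request(NamedTuple):
    zone: str        # "external" or "internal"; a real WAF knows this from the listener
    client_ip: str
    method: str
    target: str      # path plus query string


class Alert(NamedTuple):
    rule: str
    zone: str
    client_ip: str
    app: str         # first path segment, standing in for the owning application
    param: str
    value: str       # decoded parameter value that matched


# Deliberately simple signatures (assumptions for the example, not vendor rules).
RULES = {
    # A quote followed by a boolean operator: the classic tautology SQLi shape.
    "sqli_boolean": re.compile(r"'\s*(?:or|and)\s+", re.IGNORECASE),
    # An inline script tag.
    "xss_script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
}

# Constructed sample traffic using RFC 5737 / RFC 1918 addresses; nothing real.
SAMPLE_REQUESTS: List[Request] = [
    Request("external", "203.0.113.7", "GET", "/login?user=admin'%20OR%20'1'='1"),
    Request("external", "203.0.113.9", "GET", "/search?q=<script>alert(1)</script>"),
    # An internal reporting tool that has always accepted a raw filter expression:
    # injection "legitimised" into the structure of a gold-star application.
    Request("internal", "10.20.0.5", "GET", "/report/run?filter=status%3D'OPEN'%20AND%20age%3E30"),
    Request("internal", "10.20.0.5", "GET", "/report/run?filter=owner%3D'smith'%20OR%20owner%3D'jones'"),
    Request("internal", "10.20.0.8", "GET", "/portfolio?id=42"),
    Request("external", "198.51.100.3", "GET", "/portfolio?id=42"),
]


def inspect(requests: List[Request]) -> List[Alert]:
    """Detection-only pass: decode every query parameter and match each rule.
    Nothing is blocked; the point is to see what *would* be blocked."""
    alerts: List[Alert] = []
    for req in requests:
        parts = urlsplit(req.target)
        app = parts.path.strip("/").split("/")[0] or "/"
        # parse_qs percent-decodes values, so %27/%20 encoding does not hide from the rules.
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                for rule, pattern in RULES.items():
                    if pattern.search(value):
                        alerts.append(Alert(rule, req.zone, req.client_ip, app, param, value))
    return alerts


def triage(alerts: List[Alert]) -> Dict[str, Counter]:
    """Group hits by zone, then by (application, rule), separating the two
    populations: outside attackers and the organisation's own applications."""
    by_zone: Dict[str, Counter] = {"external": Counter(), "internal": Counter()}
    for a in alerts:
        by_zone.setdefault(a.zone, Counter())[(a.app, a.rule)] += 1
    return by_zone


def internal_apps_hit(alerts: List[Alert]) -> List[str]:
    """Applications whose own traffic matches a rule: switching to blocking would
    break these first, so they need fixing or a tuned policy before go-live."""
    return sorted({a.app for a in alerts if a.zone == "internal"})


if __name__ == "__main__":
    found = inspect(SAMPLE_REQUESTS)
    for zone, counts in triage(found).items():
        print(zone)
        for (app, rule), n in counts.most_common():
            print(f"  {app:<10} {rule:<16} {n}")
    print("would break in blocking mode:", internal_apps_hit(found))
```

On the constructed sample, the external probes produce one SQLi and one XSS hit, while the internal reporting tool alone produces two SQLi hits; it is the application that a blocking policy would have broken on day one, and the list it produces is the backlog of "legitimised" practices that the business has to decide whether to fix in the application or exempt in the policy.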
Celebrity hack culture
But it wasn't just the switching on of a WAF that made the organisation stand up and take notice. According to Keltie, Standard Life also took notice because of the publicity other security breaches have received in the mainstream media.
"It really takes something to be on The One Show or have a TV series about it for people to start paying attention - the TalkTalks and the Ashley Madisons that everyone knows about.
"Because it's been brought that far into the public consciousness, you have people who are utterly disinterested in technology, but who are asking technologists what this is really about and what we need to do," he says.
Meanwhile, he believes that the new EU General Data Protection Regulation (GDPR) has also pushed companies to actually take action to secure themselves against cyber threats. But what would Keltie advise organisations to do from the outset?
"When I talk to stakeholders in any business I say, dial it right back. Examine your business and what your core assets are, whether they are digital, intellectual property or people. Try to cluster all your valued objects to determine what their value is and then how badly it could go wrong if somebody could get at them - and how they could get at them," he says.
"That's always the first step: What is the value? What are the real risks and the cost to the business and, then, you can find out what the potential solutions are, whether it's technology or a process.
"Only once you've gone through all of that can you determine how to deploy the solution, how long it's going to take, how effective it's going to be and what your 'plan B' is," he adds.
Naturally, he is also keen to warn those looking for the next silver bullet piece of technology or code that there is no such thing - attackers will always be looking for new ways in.
"As soon as one bit is bullet-proof, you just walk around the side; even if it's something 'end-to-end' there are still ways of extracting [whatever the criminal wants]."