Bank of England: IT and security working in concert

Sooraj Shah — September 2018

CIO Rob Elsey and head of IT security Neal Semikin explain why IT security has risen high on the agenda at the UK’s central bank.

Even the most conservative of organizations is opening up to new ways of working. The 324-year-old Bank of England (BoE), the central bank responsible for setting policies around interest rates and banking regulation in the UK, is looking to meet its IT security recruitment aims through non-traditional approaches.

The Bank’s IT leaders will try to keep up with the increasing security threat landscape by boosting IT security skills and recruitment both in-house and in the infosec industry as a whole. This has led it to partner with the government-backed Cyber Security Challenge UK (CSC), a series of national events and educational programs designed to encourage talented individuals to join the UK IT industry.

“The CSC gives people a real feel of what it’s like to work in a key function in tech and understand how it can have such a massive impact on an organization,” says Bank of England CIO Rob Elsey. And the Bank doesn’t limit its intake to those with in-depth technical know-how; there is a “massive opportunity” for people from all kinds of backgrounds and previous career paths to work in technology.

Why the focus on cybersecurity?

Reporting into Elsey, head of IT security Neal Semikin believes that over the past five years the biggest change in security has been that the kinds of sophisticated attacks that only other nation states could launch have now become feasible for criminal gangs to carry out. Another big shift, he says, is that organizations are taking a different approach to security.

“Five to 10 years ago the focus was around protecting an organization by putting defenses everywhere [around it]. That’s evolved. The key thing is how quickly you can detect and respond to a breach — because, inevitably, an organization will be breached at some stage,” says Semikin.

This means the Bank has invested heavily in AI and data analytics to help it detect anomalies on its network, as well as in the response its team mounts to deal with those events as quickly as possible. “It’s about having a holistic approach to security and not making an assumption that you can keep the bad guys out,” he states.

The Bank works with what it calls three lines of defense. The first line is the ‘coalface,’ where it has its security operations center, threat and vulnerability management personnel and architecture solution designers. The second line applies the intelligence and policy perspective, ensuring that what is undertaken at the coalface is being implemented correctly. The third line is internal audit.

“In IT we focus on the coalface and work collaboratively with the CISO office, which looks at policy and intelligence and learning and development,” says Elsey.

The CISO-CIO relationship

The fact that both report into the same executive makes that more of a collaborative approach. “It is about understanding the landscape; the CISO looks at it from a different perspective but that helps inform the work we do. So when we make decisions around investment we consider the business stakeholders and [levels of] risk. But, together with the CISO, we work to ensure investments are aligned to our priorities in the wider industry — looking at what’s happening with the National Cyber Security Centre (NCSC) and other government agencies,” Elsey says.

The emphasis is not to dictate policy but to collaborate on it with all parts of the business. “The old-fashioned way of working with a ‘command and control’ approach simply doesn’t work. Rather, we’re working closer every day,” he adds.

First published September 2018