WINNER - Best Security Team: William Hill
The William Hill team runs “a great improvement programme that works directly with end users to build both strategy and culture, this team leads from the front and invests in the training of the security staff to keep them ahead of the game,” according to our judges. Another said: “Having a security architecture that was innovative enough to feature on Amazon’s This is My Architecture, implementing best practice standards such as ISO27001, and engaging right across the business with multiple security initiatives, including developer, end user, and corporate organisation perspectives, William Hill’s security team shows itself to be innovator, implementer of best practice, and having a security approach that covers the key areas of people, process and technology.” As a result the judges concluded: “This team is clearly dedicated to their task, with clear vision, insight and innovation – exactly what businesses need.”
Following a Hearts & Minds philosophy, the team restructured around a ‘Managed Security Services’ operating model, establishing divisional Head of InfoSec roles (with a dotted line into the CTO) who have ownership of security within WH’s divisions, allowing the security team to support these divisions in delivering on their objectives, while enabling a feedback loop to improve security. This has allowed each channel to benefit from having security front and centre in all decision making and allowed the security team member to build business awareness of the channel, hence bridging the gaps and, most importantly, establishing trust with the business channel leaders.
Examples of best practice include adoption of ISO27001, delivering business enablement through multi-jurisdictional compliance in areas where security is required for regulatory or licensing approval. A SOAR programme brought together business control and sensor data to build a real-time image of potential threats, with auto-response when appropriate. This included the Anti-DDoS Platform presented as part of the AWS ‘This is my Architecture’ series. Annual 40-minute awareness training was replaced by 12x3-minute monthly training sessions and end-user tools such as LastPass and integrated Report Phishing buttons, which have raised awareness and improved the security culture.
Lloyds Banking Enterprise Security Architecture Team
“Operating security at the speed of business can be very challenging and this team - Lloyds Banking Enterprise Security Architecture - have achieved that with a very forward looking strategy embracing topics such as ML/AI and behavioural analysis. This team transformed to enable their business to grow and succeed in a very challenging arena,” said the SC judges, adding, “they have become a bridge between different areas of the business.”
Another judge summed up: “Lloyds Banking Enterprise Security Architecture team communicate across and through Lloyds bank divisions, hierarchies, and functions, having moved away from the ivory tower approach years ago, ensuring that security is front of mind, central to and integrated with Lloyds Bank’s core service offering. Implementing current architecture methodologies, such as Zero Trust, developing security imperatives, with underlying key security concepts, to drive strategy, realised via three year road map activities rather than piecemeal security change – all indicates a mature best in class Enterprise Security Architecture team.”
National Enabling Programmes (NEP)