Issue 38 DIGITAL BULLETIN How Nordea Bank stays #1 Inside DevSecOps at global education leader Pearson Transforming the Federal Home Loan Bank of Chicago SECURING EDUCATION FAST FORWARD AUTOMATIC FOR THE PEOPLE
On 26 August 1920, women in the USA gained the constitutional right to the vote. The event marked the end of the beginning of a journey that is far from running its course.
Now extending beyond the shores of the USA, Women’s Equality Day is celebrated on the same date every year. In this issue we ask seven prominent technology leaders to assess the progress that has been achieved, and to consider the challenges that still lie ahead for our industry.
At Digital Bulletin we specialise in taking deep dives into stories of technology transformation at scale, and our rich-media case studies this time are no exception. At major banks on either side of the Atlantic, we find women leading initiatives that are fundamentally changing how they operate, and by extension affecting the experience of millions of customers.
Meanwhile, VMware’s Karen Worstell tells us she is determined to alter the narrative that sees females comprise just 20% of the global cybersecurity workforce.
As media types, the most impactful actions we ourselves can take are to make sure the many women already leading technology’s charge are as visible as they ought to be.
ROMILY BROAD, Chief Executive Officer
PUBLISHED BY VWDA, Norwich, UK
Company No: 11454926
TALK TO US: editorial@digitalbulletin.com, business@digitalbulletin.com
Contents
Women’s Equality Day 2022: Seven leaders reflect
Case study: How Nordea Bank is using RPA to stay ahead of the game
Cybersecurity: VMware’s Karen Worstell on 5G and inclusiveness in tech
Case Study: Transforming the Federal Home Loan Bank of Chicago
Metaverse: Lenovo’s Ken Wong on taking everything everywhere
Case Study: How Pearson is securing education for a D2C future
GitHub: The future of open-source is automated
WOMEN’S EQUALITY DAY 2022
It’s about time to level the score
More than 100 years after women in the USA were granted the constitutional right to vote, the struggle continues to secure women equal access to opportunity in technology. Digital Bulletin speaks to seven leaders in their field to reflect on how far we’ve come, and how far we still need to go.
Women’s Equality Day – marked on 26 August every year – is rooted in the celebration of the day that the 19th Amendment was added to the US Constitution, officially granting American women the right to vote in 1920. Globally, it is now an opportunity to recognise and honour women’s suffrage, as well as inspiring a call to action for accelerating women’s equality.
“This Women’s Equality Day seems to have arrived at the perfect time – in England at least – with everyone still riding the high of the Lionesses’ win at the Euros,” says Hugh Scantlebury, CEO & Founder of Aqilla. “Typically considered a male sport, the Lionesses have broken all gender stereotypes and proved that women can score goals and smash glass ceilings! Yet, both on and off the pitch, women should have equal opportunities.”
Whilst these recent successes for women are evidence of the progress we have made since the ratification of the 19th Amendment, there is still so far to go. According to Fawcett’s 2022 Sex and Power Index, women are still outnumbered by men 2:1 in positions of power and make up just 8% of FTSE 100 CEOs.
As Jen Locklear, Chief People Officer at ConnectWise, notes: “There are more women working in the technology sector than ever before, making some incredible contributions. With that being said, now is not the time to rest on our laurels. There is still a significant gender bias in the industry with women often expected to meet higher standards, yet still being paid less than their male counterparts.”
“In recent years, the tech industry has made substantial progress toward creating more inclusive, equitable and diverse environments,” agrees Gianna Driver, CHRO at Exabeam. “Representation of women has improved, but work remains to address persistent gaps within the talent pipeline: Promotion rates are not equitable and women continue to lose representation at all levels of the career ladder.”
Time to take action
In order to continue to close the gender gap, and do so in a much shorter timescale than the currently predicted 100-year wait, organisations need to take action now. These don’t have to be huge, expensive and time-consuming policies – some of the smallest actions can make the biggest impact.
“For women to thrive and advance in the workplace, organisations must provide them with opportunities for continuous learning to develop in-demand skills and competencies, along with access to mentorship and sponsorship programs,” explains Michelle Boockoff-Bajdek, CMO at Skillsoft. “At the same time, allies must step up; call out bias, conscious or unconscious, use their voice to advocate, and take action when and how they can.”
ConnectWise’s Locklear adds: “Organisations should consider what they can do to propel further change, exploring initiatives such as offering additional support for women who are balancing caring responsibilities alongside their work. Or offering flexible working. Perhaps they could deliver a female-centred mentor programme to support women’s career progression. Ensuring the recruitment process is assessed for bias is another important consideration.”
Nicola Kinsella, SVP of Global Marketing at Fluent Commerce, champions ‘remuneration levelling’ to help close gender pay gaps. As she describes, this involves “removing everyone’s details from your system, allowing you to compare salaries across similar roles in respective regions. This can help with ‘levelling up’ people across roles as well as making sure salaries are comparable with the going rate in the industry.
“Leaders, when you look around at the other women in your places of work, ask yourselves how you can bring them up with you. Make sure you are fostering a culture that is diverse, open and inclusive. As women, especially in a male-dominated industry, it’s important to always speak your mind and be an advocate for the change you want to implement. Don’t wait for equality, but instead fight for it.”
Join the fight for equality
Every year, Women’s Equality Day provides the opportunity for organisations and individuals alike to reflect on what more they could be doing to champion the fight for equality. Providing her advice to women looking to enter the technology workforce, Oylum Tagmac, Senior Director, International Partner Management at Commvault, advocates to “believe in yourself, focus on the goal and never give up! It is all about perspectives. I see “I’m possible” rather than impossible. I always tell my daughter about the Pareto law – 80% of results usually come from the 20%. I interpret this as women being able to have a big impact. We can make a difference to inspire and motivate other female talents! Don’t be scared to make mistakes, there are no failures but only learnings in life so please don’t wait. Whatever your passion is, go all in.”
To conclude, Anais Urlichs, Developer Advocate at Aqua Security, summarises:
“I believe that everyone should take the time to talk to women about the range of opportunities in technology and other male-dominated industries. Women are often overlooked, so I hope this Women’s Equality Day we take a minute to discuss STEM pathways with women from all backgrounds.”
AUTOMATICALLY FIRST
When Nordea Bank decided to use Robotic Process Automation (RPA) in 2015, its motivation was to deliver even better services to its customers while streamlining back-end processes. It was already No. 1 in the region. The decision will help ensure it stays there.
AUTHOR: Romily Broad
PROJECT DIRECTOR: Richard Durrant
VIDEOGRAPHY: Joe Clarke-Blomfield and Wendy MacKinnon
Maintaining a leadership position in any industry these days is never guaranteed, especially in the increasingly dynamic financial services sector, disrupted as it is by fast-moving competition and shifting rule books at every turn.
Large banks today are exposed to an extraordinary range of pressures, from fintech start-ups and disruptive technologies like blockchain and cryptocurrencies, through to responding to a rapidly evolving regulatory environment and global system shocks ushered in by pandemics, conflicts, and environmental crises.
The effective implementation of bold technology initiatives has become pivotal to banks’ ability to respond to the changing needs of both their customers and their own people. As well as the delivery of responsive digital services at the front end, transforming internally to reinvent infrastructure, processes, and ways of working has become vital to building a sustainable future and a platform for continued innovation.
Nordea – a 200-year-old bank in one of the most digitally sophisticated parts of the world – is no stranger to digital dynamism; it was delivering online banking services to millions before the turn of the millennium, when most of the world was still mailing in cheques. It was around the same time that it took the name ‘Nordea’, a contraction of the words ‘Nordic’ and ‘ideas’.
Fast forward to 2015 and its latest big idea was to embrace Robotic Process Automation (RPA) as a cornerstone of its digital strategy. RPA offered the promise of transforming internal processes, reducing human error, improving staff experience and lowering costs. It would also ultimately help allow the bank to develop layers of added intelligence and AI.
But in seizing that early-mover advantage, Nordea had to think on its feet.
Customer centric, personally
Nordea is a champion and an advocate of investing in technology and in its people to achieve a singular overriding goal: providing a measurably superior experience for its millions of customers spread across Denmark, Finland, Norway and Sweden.
“We are in one of the techiest parts of the world. We have very well-educated personal customers. Our corporates are competing on the global level, many of them in high-tech. So, what’s expected of us is very much from our customers,” says Ossi Leikola, Head of Operations at Nordea.
As one of the bank’s most senior leaders, Leikola’s remit covers all aspects of how the company engages its end users. He’s clear that progressively transforming how the company operates on the inside with advanced technologies is a means by which it can operate more efficiently, more nimbly, and more rewardingly for its employees. The consequence, in turn, is better service for its customers.
“What does technology mean for Nordea? It’s definitely one of the key aspects where we want to be the leading bank. We have invested a lot into our mobile bank, which is regarded as the best in the Nordic markets. But we also believe very much in a personal relationship with our customers – that’s why we’re focused on delivering the best omnichannel customer experiences,” he adds.
Nordea’s omnichannel strategy aims to make sure customers can engage with the bank in whatever way they choose – whether it’s mobile, telephone, apps and chat, or in person. But to fully achieve that, systemic change needs to be delivered in-house.
“We need to ensure that the back end is good enough to support that,” says Leikola. “My task is very much to see how we streamline the internal processes. And automation, of course, is a key element of that.”
Agnieszka Belowska Goslawska, a 12-year leader of operational transformation at Nordea, has piloted much of the bank’s journey with RPA. Working from Nordea’s impressive operations centre in Poland, she is part of a large, talented team that supports the rest of the bank with advanced IT systems and technical business solutions.
“We as a bank are always driven by customer needs. Technology and digitalization have always been part of our backbone, but this is not just about technology – it is to understand how technology can be used to make the lives of our customers even better,” she says.
Nordea turned to UK-based RPA pioneer SS&C Blue Prism seven years ago to begin its automation journey, aiming to deliver its benefits in all four main areas of its business: personal banking, large corporates and institutions, asset and wealth management, business banking as well as group business support.
In Partnership: SS&C Blue Prism
SS&C Blue Prism, founded in 2001, was the progenitor of managed process automation and counted large financial-services institutions amongst its earliest and most enthusiastic supporters. It has sustained and grown its pre-eminence in the sector - and built it in many others - as the scope and sophistication of its tools have rapidly evolved.
Roland Adolffson, Enterprise Sales Director for the Nordic region at Blue Prism, explains that while RPA’s premise is simple, its effects are wholly transformative.
“Automation means stringing together a series of tasks that we as human beings perform on a daily basis but using a digital resource to do the same. That’s where the operational performance comes from – robots don’t make mistakes and work a lot faster. That improves people’s lives in many ways. The mundane, boring tasks go away, which means we as humans can focus on higher value tasks,” he says.
“Nordea was a pioneer in this space and they have been given huge dividends from that, in terms of the huge number of hours returned to the bank, along with improved customer satisfaction, improved employee experience, and of course cost savings.”
How do you give your customers a market-leading omni-channel banking experience?
For Nordea, building a unified human and digital workforce across its operations is the answer.
“It doesn’t matter if it’s front, middle or back end of the bank: if the process is valid for automation and serves our customers, the potential is everywhere”
Agnieszka Belowska, Head of RPA Centre of Excellence - Nordea
SS&C Blue Prism at Nordea
Agnieszka Belowska
What is super unique about Blue Prism - and what was important for our choice - was that it is easy to use. It has frameworks which allow businesspeople to do automation, which is kind of unique. For IT development you need heavyweight developers and years of training. To do robotics in Blue Prism, you do not. At the end of the day, our robotics Centre of Excellence is located on the business end.
Second of all, they’re great at integrations. They may not have all the products we need for our Intelligent Automation, but they make it possible to integrate their platform with those.
We have used Blue Prism Interact as a more recent development. We really wanted robots to interact with human beings to expand end-to-end automation in the mortgage process, keeping humans in the loop. So that has been a fantastic enabler of new opportunities.
Blue Prism Capture has been a huge help for our business analysts and product owners, because that enables us to create the proper documentation for our developers. It is possible, in an automatic way, to capture screenshots of different steps being done in multiple applications and convert those into common objects in SS&C Blue Prism, decreasing the amount of time developers spend on pure development.
Nordea’s core values are about people and collaboration. SS&C Blue Prism have similar values, making it easy to collaborate with them – it’s about how much time we spend together, discussing challenges, and how open they are to our suggestions.
Ossi Leikola
When we first went into robotics around seven or eight years ago, the whole industry was quite new. It was very clear that SS&C Blue Prism was at the edge when it came to the actual technology.
Later on, what has been appreciated is that, as with any partnership, you have the occasional challenges. So it is a question how we handle those in a way where we can both continue with good feelings towards each other. Any partner that we work with needs to know their own stuff and they need to be able to operate with us in a good way. From my point of view, it has been very good.
At Nordea, such automated processes can stretch from single administrative tasks to orchestrating complex, end-to-end processes spanning a wide array of distinct IT systems. In all cases, though, where an RPA robot can shoulder the burden, human beings can claw more time back to spend with customers.
Belowska’s team has now built more than 570 RPA bots. Of those, 380 are currently in production at the bank and together they returned to the bank work hours equivalent to 1,500 full-time employees last year alone.
RPA: Right time, right place
The bots are busy in all areas of the bank’s operations, says Belowska. “It doesn’t matter if it’s the front, middle, or back end of the bank. If these processes are valid for the customers, or if it’s internal administration, the potential is everywhere.”
On beginning its automation journey, Nordea quickly realised the scale of potential that it represented. According to Belowska, an early obstacle was overcoming the desire to “throw robotics at every single challenge”. A hub-and-spoke operating model, which saw frameworks and standards established centrally while development occurred in satellite teams across business areas, was eventually replaced with a centralised Centre of Excellence, of which Belowska is the head.
Organising centrally meant Nordea could fully control its standards, avoid duplication of effort, and make sure its RPA activities were business-led and focused on fully end-to-end processes. Nordea’s RPA Centre of Excellence is organised into Agile squads aligned to service lines, who are responsible for ingesting and acting on new ideas from those business areas, as well as monitoring bot performance and efficiently decommissioning them when necessary.
Belowska recalls that a particular success was achieved when rapidly spooling up RPA bots to help administer instalment-free periods for customers at the onset of the COVID-19 pandemic. Nordea was one of the first banks in the world to decide to offer them, and the sudden avalanche of demand required a rapid process transformation to allow the bank’s staff to cope.
“That was one of the fastest implementations we had in terms of robotics, because we managed within a month’s time to build a solution which did not exist, to test it and put it in production. It was absolutely awesome. It impacted society positively, and there were a lot of good reflections on it from both customers and the press,” she says.
Nordea has deployed RPA to serve its customers at the front end, too. True to the bank’s vision to become ‘truly digital’ within the next three years, it has connected RPA bots with customer-facing chatbots to automate and quicken actions based on their requests – from delivering bank statements to making loan applications, and more. Belowska says these fully digital services get much higher customer satisfaction scores.
The imposition of ever-greater regulatory demands to protect consumers from financial crime is an area where RPA has had an outsized impact. New Know Your Customer (KYC) processes can involve sifting through vast quantities of data to provide reporting to authorities. Historically, that was a very manual task.
“We have used RPA quite a bit on our financial crime mitigation,” says Leikola. “So, where we would have needed hundreds of people to do certain tasks, we’ve actually been able to put robotics in there.”
Transforming for the future
Now mature in its RPA development, Nordea is looking at how it can layer intelligence atop its automations to take further strides into a fully digital future.
“RPA has helped us with the thinking; the mindset of thinking about our processes - not just how do we automate a previously manual process, but how do we think of our processes from the point of view of data,” says Leikola.
“More and more, we have human beings helping robots, rather than robots helping human beings. And this has really brought us many insights into our processes.”
Leikola is referring to the new skills and expertise Nordea’s own people are developing to bring about innovative solutions in service of its customers – ideas that could not have occurred previously. RPA as a catalyst for invention, as well as providing dramatic gains in efficiency.
Jeremy Mackinlay, Global Financial Services lead for SS&C Blue Prism, says ‘intelligent’ RPA has become a key driver of transformation for energetic, customer-centric organisations like Nordea.
“Intelligent automation is about making data flow through an organisation seamlessly, connecting with different parts of the organisation.
“Any bank has literally hundreds of legacy systems. Take loans processing for example. Intelligent RPA can do things like KYC checking, affordability checking, loan issuance checking, sanctions checking, and at the end of it a human worker may not have had to get involved.
“What I think is really exciting is that we are now reaching a point where we’re looking at how intelligent automation can influence the customer journey. The lens is changing. Nordea are looking at how they can use intelligent automation to drive growth.”
That growth will come from how intelligent automation helps enable Nordea’s own people to change the way they work for the better, leading to customer experiences that are faster, error free, omnichannel, and personal.
Leikola, Belowska and Nordea’s leadership team are clear that while proactive change management is necessary to overcome initial fears, the benefits are manifold already.
“Our people actually do not see robotics as a threat, they rather see it as an opportunity to do more interesting things,” says Leikola.
Belowska speaks of a “VUCA” world – an acronym for Volatility, Uncertainty, Complexity, Ambiguity – and says that leaders like her at Nordea consider it their responsibility to create an environment where change is not just accepted but cherished. “What’s valid today will not be valid tomorrow, and that’s okay,” she says.
“As a company working with new technologies and automation, Nordea is a very attractive place for talent to come.
“Nordea is not only a very good bank, but it’s also a super nice place to work.”
SECURING THE FUTURE
With cybercrime on the rise, Karen Worstell, Senior Cybersecurity Strategist at VMware, speaks about securing 5G networks and building an inclusive cybersecurity workforce that can successfully take on the industry’s challenges.
AUTHOR: Beatriz Valero de Urquía
Fifty years ago, personal information was easily kept private. However, the accelerated digitalisation of society means this is no longer the case. Smartphones, computers, website profiles and virtual assistants now hold unprecedented amounts of users’ data, and the same can be said of organisations’ IT systems.
In 2022, the world saw an alarming 105% surge in ransomware cyberattacks, as reported by Fortune. These mainly affected supply chains and caused widespread system downtime, economic loss, and reputational damage for companies worldwide. Despite the increase in cyberthreats, the World Economic Forum’s 2020 Global Risk Report identified the rate of prosecution of these crimes in the US as being as low as 0.05%. In this increasingly risky digital landscape, cybersecurity has become an absolutely essential part of companies’ technology stack.
“We finally are starting to see security as the underpinning that enables us to do so many things, instead of thinking of it as an afterthought,” says Karen Worstell. Worstell is well known in the cybersecurity sector for her roles as CISO for high-profile organisations such as Russell Investments, Microsoft, and AT&T Wireless. Currently, she works as Senior Cybersecurity Strategist for VMware, covering telecom, public sector, smart cities, energy, and technology.
As part of her role, Worstell meets with CISOs around the world to gain an “over-the-horizon perspective” on how to avoid burnout in the sector and ensure that the industry is ready for the future.
Life has taken Worstell to many different roles, from Chemistry graduate to chaplain. However, throughout her career, she always came back to cybersecurity.
“I never really left it,” she says. “But I came back into it to work primarily with cybersecurity professionals and to bolster the industry to the extent that I’m able. I was just really thrilled to have a role open for me at VMware, where I can serve as a spokesperson on topics relating to cybersecurity as well as the experience of the cybersecurity professional and how to help them stay in the field for the long haul.”
If cybercrime were a nation-state, it would have the 10th largest GDP in the world. Not just that, but the World Economic Forum expects it to become a $5 trillion market within the next few years and, in the first eight months of 2021, enterprises suffered more Zero-Day attacks than in the previous five years combined. In this context, privacy and security have become non-negotiable.
The situation might seem dire, but Worstell has hope in the industry’s ability to turn this crisis into an opportunity. In her view, CISOs are capable of coming up with approaches to protect the enterprise without hindering it, so they can respond to any threats that come their way.
“We need to be very mindful of the way we’re using technology to meet new business opportunities, but to do it in a way that protects that which is entrusted to us by the people that we serve, as well as protect our own infrastructure, so that we know that it’s operating in a way that’s going to be available, and that its integrity is intact,” she says.
“The pandemic really increased our appreciation of what cybersecurity does as an enabler. Cybercrime has just increased dramatically, and we have gotten a wake-up call about the serious nature of it. VMware is doing a lot in that area, especially as we work with things like the Joint Cyber Defence Collaborative Community with the Cybersecurity and Infrastructure Security Agency, and other organisations.”
This initiative is part of a US-wide effort to prioritise cybersecurity, as it is increasingly being perceived as both a national security concern and a business necessity. The creation of communities across private and public sector organisations, and the introduction of legislation such as the new White House policy - which requires intelligence agencies to report cyberattacks within 24 hours - showcase the strides that have been made so far.
Within this new view of cybersecurity, there is one technology that is absolutely taking centre stage: 5G.
The COVID pandemic highlighted the importance of 5G infrastructure for rural areas, and the opportunities that high speeds and low latencies could bring to use cases such as remote education, healthcare and public services - all of which have recently been the targets of cyberattacks. In contrast, 5G has security included from its design, which will allow these technologies to address many of the threats faced in today’s 4G/3G/2G networks. These controls include new mutual authentication capabilities, enhanced subscriber identity protection and additional security mechanisms.
“The promise of 5G has the zero-trust model in mind,” Worstell says. “The idea that we have to have enhanced authentication, that our communications are encrypted end-to-end, those are things that we didn’t enjoy by default prior to 5G, and that will be part of the 5G network.”
“There is so much security engineered into 5G that is an uplift from anything we’ve ever had before. But we have to pay attention to the bigger picture of how we are connecting our devices to it.”
5G has been designed to limit the impact of known threats. However, the adoption of new network technologies always comes alongside the introduction of new unknown threats. This is particularly true of 5G, given the vast number of devices that are expected to be connected to this new network, from hospitals to schools and public transportation services.
5G can unlock unprecedented potential, if companies can ensure that it doesn’t become another security liability.
“It reminds me of when we were moving to distributed computing - it was that big of a disruption,” Worstell says. “In those days, the one thing that I heard more than anything else was: ‘We’ve got security covered, we did authentication, we have passwords.’ But it was bigger than that, and the same is true with 5G.
“5G brings all of this capability, but it’s essentially a transport medium. We will see the challenges, not so much in the 5G itself, but in the architecture of everything that we put on both ends of 5G. We have edge on one end and, on the other end of the 5G infrastructure, we are going to have billions and billions of new devices and many of them are not built with security in mind. And so, we have to pay attention to a lot of new things in terms of this very expanded technical footprint.”
A future with smart cities is also one with millions of security risks. Eventually, any device capable of connecting to the 5G network will need to be secured. This includes personal computers but also autonomous cars, and even smart meters and traffic lights. Within factories, all IoT devices will need to be authenticated, and their connections to corporate networks protected, to avoid ransomware attacks.
As cities and factories become more and more connected, computing power moves closer to these data sources - to the edge. Edge computing and 5G are often linked together, and so their security features should be too, if we are to fully take advantage of the capabilities they provide.
“The promise of this highly-distributed environment is something that we’ve actually been talking about in the security community for almost 20 years,” Worstell says. “We recognise that, in order to adapt quickly, our compute has to move closer to the endpoints, where the actual action is taking place. This is something VMware does and I think that’s been pretty revolutionary in terms of helping us create a security architecture that doesn’t slow things down. Instead, it enables us.”
VMware’s architecture has solution sets that provide security across the whole enterprise, from the far edge and back into the virtual or on-premise data centres, as well as in the cloud. These security services are built into the various elements of VMware, much like security is built into 5G. In this way, the distributed network allows all people to work from any place and any device, with the knowledge that their work is protected.
Moreover, VMware also works under the “assumption of breach”. This means that it never takes security for granted. Instead, the company has created an integrated environment where you can hunt for risks that might already be inside the system and detect breaches as they happen, or even before they do.
“We look at security as that enabler,” Worstell says. “That holistic approach
to security, it’s built into our workloads, it’s built into our network, it’s built into containers. We have a huge stake in 5G and all of the things relating to that kind of computing model, so VMware has taken extremely seriously to build security that is what I call end-to-end and top-to-bottom.
“What I love about what we’re doing here is that we’re trying to take that pain factor away by making the services something you literally just turn on. Instead of having an intensely difficult time of trying to implement security and making all the pieces work together, we’ve taken that and made it much easier for the end practitioner to implement the security that they need to. And that makes me excited and I think it’s one of the best kept secrets in the industry right now.”
Another huge secret the cybersecurity industry hides is how to enter it. In addition to her role designing cybersecurity strategies, Worstell is also passionate about advocating for the people that make the sector what it is, particularly women. She is a mentor and speaker on
topics such as burnout prevention and inclusion in the workplace.
While the technical skills gap continues to widen in 2022, women still comprise only 20% of the global cybersecurity workforce. Worstell is determined to change that.
“In general, tech is still mostly male-dominated,” she says. “And a lot of that has to do with the growth of the internet and how the perceptions were at the time, that high-technology and high-pay equalled white male. There is still systemic inherent bias that women and underrepresented groups all end up dealing with. And, because of this
blueprint being so incredibly pervasive, a lot of women unconsciously absorb a lot of attitudes and biases, and we apply them against ourselves.”
“One common meme you’re going to hear all the time is, ‘You can’t be what you can’t see’. I utterly reject that. But I do think we need to find ways to help women imagine what’s possible, and then have the confidence to go for it, and not take no for an answer. I think that’s the secret to being successful in this industry.”
Worstell considers herself fortunate to have grown up without learned biases regarding what was or wasn’t “feminine”.
Her father, a Navy officer, demanded that his daughters be strong and fight for their dreams, and that’s what she did.
Now, she mentors other women, young and old, to find their way in STEM, and has even created a company to promote diversity in the industry. W Risk Group provides both cybersecurity consulting and immersive group coaching intensives called MOJO Maker for Women in Tech to help companies retain their female talent, and find more.
“I work with a whole bunch of organisations that are doing an incredibly good job at reaching out to young women, and making the whole cybersecurity career field accessible to them,” she says. “I would venture that the pipeline is pretty healthy.”
If we are to address the increased threat of cybercrime, organisations need to take care of their talent. Moreover, they can’t afford to disregard the abilities of half of the population, merely because of their gender. They also can’t take security for granted.
“I’ve always been an optimist,” Worstell says. “But the rise in cybercrime has certainly created a sense among everyone that cybersecurity is no longer an option. It wouldn’t be a prudent business decision to de-prioritise security when it’s clearly so necessary. That’s a big change, and I think that gives us a lot of optimism about what’s possible in the future.
“In spite of the difficulties and in spite of the complexity, I’m very excited about that. I think we have a chance to try to close that security gap between the technology that we’re deploying and the increasing security threat by treating security holistically across the environment.”
Cybercrime will always exist. However, when the business and government sectors are aware of the threat, they can ensure their technology stack is secured end-to-end, and have the confidence that they can spot and manage any attacks that come their way.
Fast Forward
FHLBank Chicago
The Federal Home Loan Bank of Chicago began a comprehensive digital transformation program in 2019 and is now primed to supercharge its ability to serve both its community of customers and its talented team. Digital Bulletin speaks to the bank’s technology leaders to find out how it was done and what the future holds.
AUTHOR: James Henderson
PROJECT DIRECTOR: Richard Durrant
VIDEOGRAPHY: Joe Clarke-Blomfield
The days of banking being seen as an ultra-conservative industry are all but over. Technology has disrupted the banking and financial services space, with the landscape almost unrecognizable from just a decade ago. Even the sector’s oldest institutions have had to move with the times to take on the challenge laid down by new market entrants born in the tech era. Banks have spent billions of dollars building infrastructure to satisfy the new demands of customers who expect to have digital services available at their fingertips.
The Federal Home Loan Bank of Chicago (FHLBank Chicago) is part of the Federal Home Loan Bank system of 11 institutions that was formed in 1932 as a government sponsored enterprise to support mortgage
lending and community investment. Today, the FHLBanks, as they are known, provide access to billions of dollars in low-cost funding to approximately 6,600 of America’s banks, credit unions, insurance companies, and community development financial institutions.
These banks have become a core part of their communities, enabling many of their members to access funding when other avenues have been closed to them. But like any modern business, the network of banks has had to modernize, with the Chicago branch a shining example of the progress that has been made.
Speaking to Digital Bulletin, Steven Overbeek, FHLBank Chicago’s Senior Vice President, Managing IT Director, says that the bank began its digital transformation
journey back in 2019. “We are changing our technology stacks, moving away from Java and traditional .NET into more of a .NET Core Angular tech stack,” he says. “We’re also starting a modern engineering initiative, which is the bank’s adoption of DevSecOps. We see that as being a multi-year journey which we’ll be working on throughout much of 2023 and 2024 to really bring automation to the bank.”
Eric Geiger, Chief Technology Officer at FHLBank Chicago, says their tech ambitions are “to be as modern and cutting edge as we can be, while still maintaining an acceptable risk profile for the business”.
“Technology is critically important in the financial sector,” he continues. “Everything that’s happening is based on the movement of cash, the movement of data, and all of that at the back end has huge technical infrastructure running behind it. You cannot move a penny without hitting a number of different solutions.”
The breakneck speed of modern financial markets means that having up-to-date information readily available is more important than ever. An organization’s Counterparty Credit Risk System (CCRS) is a prime example as it informs a bank of its risk of suffering a loss because of
a failure of another party to meet its obligations. FHLBank Chicago is a significant mover in the Federal Funds, Reverse Repo and derivatives markets, and needed more timely information on its exposures.
As part of its digital transformation, it was decided that significant investment was needed to rethink the bank’s CCRS, which was originally built in 2007. Previously, employees were managing the institution’s exposures on a spreadsheet, with information entered into the system using batch processing, meaning records would be updated overnight, rather than in real-time.
“The CCRS needed to be addressed,” says Overbeek. “It was very difficult and costly to maintain. It also didn’t have real-time data, so we relied on batch processing to get the data into the system.”
The technology leadership team decided to take its CCRS project to the market and settled on software development consultancy nvisia, which also has a base in Chicago.
“One of the things that really stood out was nvisia’s technical capabilities, their ability to partner with the bank, to help guide us and consult us on some of the best tools and technologies to leverage as we move forward in this space. They were very price competitive, they were very easy to work with and ultimately delivered a great product for the bank,” says Overbeek.
The system has been built with intraday capabilities meaning FHLBank Chicago
staff can view up-to-the-minute updates on their positions throughout the day, removing a layer of risk.
“The new system is benefiting the bank as it’s much easier to maintain our source code and roll out changes for our membership. In addition, it’s much more scalable, and we’ve got greater visibility into the overall stability and health of the application,” says Overbeek.
As nvisia was working side-by-side with FHLBank Chicago to rebuild the CCRS, it had to take into account the modernization being undertaken across the bank’s entire IT infrastructure.
Michael O’Malley, Vice President, Manager Member Support Systems at the Federal
Home Loan Bank of Chicago, says: “We are one of the very first banks in North America that is on AWS cloud, 100% on the cloud. So nvisia really understood how the cloud works with the different service structures, technology and the coding language that we needed. They really helped us build an app that covered all our bases.”
As part of its work, nvisia’s team worked with their banking counterparts to understand how the bank saw its technology transformation developing over the coming years so that it could produce something that would stand the test of time. Mindful of the need for environments to be maintained, nvisia introduced Kubernetes on the AWS platform the bank was running as well as Terraform, an open-source infrastructure-as-code software tool. The team leveraged pipelines for the build with the overall goal of helping the bank modernize its tech stack.
Automation was also central to the new system that FHLBank Chicago required, says Overbeek. “Automation is critical for everything that we do within IT, looking at
the way that we produce our software and looking at more competitive and faster ways to develop a higher quality product for our business partners.
“We’ve done that with our adoption of agile recently, through the adoption of modern engineering technologies, and by leveraging DevSecOps. And it’s really the focus of what we want to do here at the bank to produce a higher quality product through a faster period of time for our business partners and our members.”
The new CCRS is “night and day compared with the old system,” according to Virxhini Gjonzeneli, Executive Vice President and Group Head, Member Support and Strategy, FHLBank Chicago.
“It is built on an open architecture. So over time if we decide to make changes or add new types of investments we can do that in this framework. And it is very scalable, it allows us to have all of our exposures in one place where previously we needed to manage it in several different places, including spreadsheets. It also has a system where we can make changes fairly easily.
“So, if we do want to add one of those new products, it will not take a lot of technology time to do that. But most of all, it’s much more user-friendly. I can go in there and I can see pretty easily what my exposures are and understand the reporting in a much easier way.”
Such is the success of the project, FHLBank Chicago and nvisia are embarking on a new project that will see the bank’s member portal re-platformed, reveals O’Malley. “This is going to be close to a two-year project for our member’s portal where they carry out all of their transactions, where they can see advances and letters of credit. We’ve just finished discovery on the new project, and they’ve really helped us reimagine how our new portal will look and function. We’re really, really happy with how things are going [with nvisia].”
Diversity, equity, inclusion, and culture at FHLBank Chicago
On FHLBank Chicago’s commitment to diversity, equity, and inclusion, and the bank’s wider commitment to building a thriving culture for its employees and members, Cedric D. Thurman, Executive Vice President, Chief Diversity Officer, and Group Head, Community Investment and Diversity, Equity and Inclusion, tells Digital Bulletin: “Our mission, vision, and how we think about diversity, equity, and inclusion is built upon three pillars. It’s about things we value, which is all perspectives, things we’re committed to be doing, which is really being an industry leader, and how we inspire others, our internal and our external stakeholders, as a result of that.
“Regardless of what you think about diversity, equity, and inclusion, we want to hear from you because that perspective helps shape what we do as an organization. We want to be an industry leader, we don’t want to just be a participant in this. We want to show people how you make diversity, equity, and inclusion part of your business strategy.”
Gjonzeneli adds: “Diversity, equity, and inclusion is a huge part of what makes the Federal Home Bank of Chicago, the Federal Home Bank of Chicago. We want to make sure that we are representative of our district, and the two states [Illinois and Wisconsin] that we represent.”
Ashish Tripathy, Senior Vice President, Member Strategy and Solutions, FHLBank Chicago, says the ability to break silos of management to get access to executives across the bank is a key differentiator from other businesses.
“I am able to speak to anybody in the business. I can get access to the senior managers in almost every department and talk about ideas, which is not just my job, and no one tells me why are you thinking beyond the box. I just love the fact that I’m able to think about this business as if I own the business.”
Thurman says that ability to engage with peers and C-level executives gives people a value that is reflected by a low level of turnover compared with the industry average and, in turn, is a key tool in the bank’s recruitment process.
“No organization wants to have high turnover. You really want your people to be here. You want your people to feel like they can add value here. You want them to feel like they can build careers here. That makes it easy to attract talent and add value back to our members, which is really our core mission. If our employees are happy here and enjoy what they do every day, that’s going to bring value back to our members.”
Building modern infrastructure is central to FHLBank Chicago’s stated ambition to be at the forefront of technology adoption in the financial sector. As outlined by Geiger, the bank wants to push the boundaries as much as possible within the framework of the financial sector. It also sees burnishing its reputation as a technology innovator as being key to attracting and retaining some of the leading technology talents in Chicago and the surrounding areas.
“Just keeping pace with what’s happening in the industry is standard for us. Our goal is to really make a number of
fundamental changes each year,” says Geiger. “That means we’re going to keep up with new ways of working with our partners, as well as streamlining the number of platforms we’re working across for the benefit of our members.
“We believe this is a really exciting place to work because we are a small team - there’s only about 500 of us here - where you can make a fundamental change. The voice of the developers and
the architects are critically important here. We listen to these folks and they have the opportunity to influence what our solutions are going to be and how they’re going to be built.
“There is a chance here to work on technology that is exciting and on projects that you’re not going to see at other banks. It’s things you’d find at modern fintechs, small, agile teams working with really modern technologies - that is very hard to beat in the financial world.”
Towards the metaverse
Ken Wong, President of Lenovo Solutions & Services Group, answers the most pressing questions on the metaverse.
INTERVIEW: Beatriz Valero de Urquía
How has Lenovo adapted to the new ways of working brought about by the pandemic?
Even before the pandemic, hybrid working was already starting to gain momentum. But the pandemic accelerated digital transformation by three to four years, and increased the adoption of the hybrid working model, compelling organisations of all sizes, including us, to evolve at an exponential pace. To address the needs of a more decentralised workforce, we’ve modernised our IT infrastructure to ensure sufficient provisioning of compute power, flexible device management, and to equip employees with remote workstations and desktops, all fenced in with enhanced cyber security defences.
The research commissioned by Lenovo suggests that almost half of employees (44%) are willing to work in the metaverse. What are the main benefits of this mode of working?
This finding can also be interpreted the other way - that the other half of employees is unwilling or not sure about working in the metaverse. The evolution of the metaverse is and will always be guided by the need to solve real-world problems. Also, adoption only comes with education.
This is just the beginning and most companies working on this are trying to find the sweet spot of creating a workspace where employees can fulfil their potential, be their most productive and feel at ease with balancing work with their personal needs. The advantage of the metaverse is creating an immersive working world, and not just “simulating” reality. To realise this, businesses need to come together and collaborate openly in creating new industry standards for the metaverse.
Do you think lockdowns have made people more open to the idea of the metaverse?
Perhaps. The lockdowns have made more people open to hybrid work and more open to new models of working. We’re increasingly seeing businesses look to Lenovo IT solutions to quickly respond to the hybrid workforce needs. The use of VR and AR is already prevalent in some industries. And the metaverse will further influence how these technologies are integrated for everyday use.
Why do you think only 30% of UK working adults are confident that their employers have the expertise to enable a metaverse workplace?
The metaverse is not a ready destination that we can head into, it’s an early concept, an anticipated evolution and convergence of devices, applications, transactions, and internet infrastructure that’s manifesting first in the world of gaming.
What’s more interesting is when we take a closer look at the results, a broader picture of employers’ readiness to adopt new technologies in general, not just concepts like the metaverse, is
revealed. In the UK, almost half (45%) of employees agree that an employer’s speed of adoption of new technology is an indicator of readiness for new technological realities. If employees are on the receiving end of outdated tech, it’s easy to understand the lack of confidence they have in a modern IT infrastructure that can enable new ways of working. We anticipate that this will change, as more companies start adopting as-a-service offerings, enabling them the simplicity and flexibility to adopt new technologies at scale.
What are some of the challenges that organisations will face when incorporating their workforce into the metaverse? How can organisations make sure that their IT infrastructures are ready for the metaverse?
Deploying the metaverse or other emerging workplace technologies comes with complex technological challenges, such as the need for more computing power, better integrated hardware, and simpler and more flexible IT solutions. The good news is enterprises do not have to invest significantly more capital to achieve this. An as-a-service approach will offer the flexibility, cost efficiency, and scalability to adapt to each company’s unique circumstances.
How can as-a-Service solutions power the metaverse?
As-a-service solutions help manage time-consuming aspects of device management like provisioning, deployment, day-to-day support, and security management. In the context of a metaverse, this frees businesses up to focus on innovation and launching the right applications for their employees, instead of being caught up with managing what could potentially be a highly complex tech environment.
Flexible and transparent, our everything-as-a-service suite of solutions enables companies to do exactly this by overcoming equipment ownership and management challenges, reducing over-provisioning of resources, and cutting down significantly on capital outlay.
What is Lenovo’s ThinkReality platform?
Lenovo ThinkReality is a flexible extended reality (XR) software platform that also includes hardware and services. For customers somewhere on a journey to the metaverse, Lenovo’s ThinkReality offers a scalable and streamlined path that enterprises can take on when innovating new XR applications, from concept to production. Businesses can connect existing XR devices and add advanced new devices as they become available and use the platform to develop and deploy apps and content remotely throughout the enterprise while managing devices and apps from a single interface. ThinkReality lets customers focus on problem-solving for their metaverse real-estate, by working across diverse hardware and software and providing the technology and insights needed in the new era of immersive computing.
What do you think the workforce of the future will look like?
The world is shifting towards a hybrid and flexible model of “work, learn and connect-from-anywhere”. Collaboration will be seamless and immediate. Hardware, software and system will be more closely integrated. Big data and AI will bring more efficiency, through automation for example. The future workplace is by no means a utopia, but it should enable us to focus
more on innovation and bringing values to life.
Is there anything else you would like to add?
Lenovo is optimistic about the future of the metaverse. The metaverse will foster an exponential increase in the demand for distributed and edge computing to process and render the massive volumes of data required. With our everything-as-a-service offering, we’re well-positioned, together with partners, to shape the development of a metaverse workplace.
Model behaviour
Education company Pearson is shifting from a publishing business to an on-demand education provider to the world. As it goes through a digital transformation to achieve this, we speak to its security team to find out how they mitigate risk to help improve the lives of students.
AUTHOR: Dan Brigham
PROJECT DIRECTOR: Richard Durrant
VIDEOGRAPHY: Joe Clarke-Blomfield and Wendy MacKinnon
The learning ecosystem has shifted.
Even before the pandemic, the trend for digital-first learning was climbing. Now it has escalated. This has dovetailed with a change in how people want to be educated. Workplace and non-academic learning is booming as organisations – and schools and colleges – increasingly see the value in providing access to acquiring new skills across a lifetime of education.
Simply, education is no longer the linear experience it once was, and Pearson is catering for this change.
Pearson creates digital learning products and tools. It brands itself the world’s leading learning company, and it very much backs up that claim: the company has around 20,000 global employees, and its reach is enormous, providing rich digital content, online resources, qualifications, courses, assessments, and data to learners in schools and organisations throughout 200 countries.
Secure education
Education comes with great responsibility, and with that responsibility comes huge security implications across all of Pearson’s business areas.
Muthu Meyyappan, Global VP of Security Engineering, joined Pearson in 2017. His role now covers identifying industry trends, engineering tools, and helping development teams and product teams to implement security within Pearson. The landscape five years ago was significantly different to today.
“When I joined Pearson, we were looking at changing two different areas,” he says.
“One was moving from a fragmented view to an overall centralised view of security and looking at it from a risk perspective, as well as providing tools and services that will improve the security rather than keeping that as a checkbox for compliance reasons. What are the right technologies we need to bring in? What are the right processes we need to bring in? What are the right people we need to bring in?
“The second piece was how do we work with the different teams to understand their needs within Pearson and make sure that they see security as an enabler, not as a cost item. We have done a lot of work in those two areas to look at the risk
in an overall manner, rather than in a very specific area.
“In 2020 we appointed Andy Bird, who came across from Disney, as our new CEO. His direction is to take us from a publishing company to direct to consumer learning company, and technology is at the forefront of that transition. And we are going through that transition now.”
The security threats Pearson faces are twofold. One is familiar to any software organisation: a vulnerability or architectural flaw in its system. The other is very specific to Pearson’s core area of content creation and delivery. Securing the content to avoid pirating is a major piece of work, and crucial to Meyyappan’s team.
“The threats we face at Pearson range from curious students trying to test the limitations of our learning tools, through to nation-state-sponsored criminal enterprises, and everything in between,” says Nick Vinson, Director of DevSecOps.
Vinson joined in early 2018 as part of Meyyappan’s drive to set up a security engineering team, full of security engineers with domain-specific knowledge.
The thinking behind this? People who have knowledge and experience in building and managing technologies are simply better placed to secure them. However, Meyyappan and Vinson recognised that recruits can’t be experts in all areas.
Therefore, they built a team of subject matter experts across a variety of different fields and got them working together.
This, however, did create some initial challenges. “We started the team from scratch. And the first few months were very challenging because we had to move from that legacy enrollment to ‘how do we operate in a DevSecOps fashion’,” says Meyyappan. “The challenge is, you need to find the right person and the right skills and the right attitude to be part of that DevOps movement to make sure that we can implement those jobs.
“Within the DevOps area, there are specific domains that are more challenging than others,” says Meyyappan. “The way that we approach this is to identify the very specific needs for the different projects, and make sure that the team is integrated as a single collective, rather than ‘here is a security team, here is a development team, and here is the operations team.’”
Because central security teams in large organisations struggle to keep up with the sheer volume of security engineering needs of product teams, Pearson has found a logical and efficient way of implementing
effective security: teaching the product teams to be self-sufficient in security. For Vinson, it was also important that the security engineering team was seen as a crucial piece of the cross-functional jigsaw. “It was very important to be part of cross-functional teams in order to actually introduce the required security controls to improve the security posture of those products,” he says. “The way we achieved this was by building trust with the teams with the quality of technical input. We weren’t providing the teams with security requirements which weren’t relevant, and
we were providing tools which fit their workflows.”
Identifying the threats
A major part of Pearson’s approach to security is threat modelling, a systematic process that allows security teams to identify product-specific threats and mitigating countermeasures.
Traditional threat modelling can have significant limitations when used at scale, because the process is manual. Due to the size of Pearson’s operations, it knew that
traditional threat modelling couldn’t keep up with the pace of technological advancements – and therefore the advancements in security threats. So the company took the decision to embrace automation in its threat modelling.
“IriusRisk came out on top. It had the flexibility for us to define our own custom risk libraries and an API where we could integrate our existing security testing.
“The SaaS nature of the platform was attractive as we didn’t need to self-host it. And, with us being a globally distributed team, it fits really well.” Nick Vinson
“The problem we wanted to solve was getting a holistic view of security risks across our products, and quantifying those risks in a consistent and accurate way,” says Vinson. “We want to identify security requirements as early on as possible in the software development lifecycle with a view that remediating them early on is much easier and much less expensive.”
This was easier said than done. In order to create consistency in identifying threats and security controls, a framework was needed. The time burden of manually reviewing security control implementations also needed to be overcome. So Vinson started looking for products with the flexibility to define a threat modelling framework and an API that would allow Pearson to integrate their own testing.
Owen John is a Platform Security Lead at Pearson. His primary role is to improve the security posture of the cloud platforms being utilised by Pearson’s product teams. Specifically, that involves identifying a set of security requirements for cloud infrastructure and working with the product teams to get those implemented correctly.
“With the high number of development teams we have in Pearson, doing threat modelling manually just won’t scale and wouldn’t work for us,” John says. “The last thing we want to be doing is bombarding product teams with hundreds of tickets, a lot of which might be irrelevant as they are already implemented.
“So what we do want to do is analyse each security countermeasure in advance and make sure it’s relevant. So to help us reach our scalability goals, we’ve developed an automation framework which allows us to validate these countermeasures and security controls automatically by integrating Irius with our third-party tooling.”
Automating threat modelling
The ‘Irius’ John talks about is IriusRisk, the automated threat modelling platform. Pearson chose IriusRisk in early 2020, when it was looking to automate the threat modelling process to add consistency, reduce man-hours, and scale. It was an ideal partnership from the start.
“We were evaluating other tools in the space,” says Vinson. “And based on our criteria and requirements, IriusRisk came out on top. That was predominantly because it had the flexibility for us to define our own custom risk libraries and an API where we could integrate our existing security testing.
“The SaaS nature of the platform was attractive as we didn’t need to self-host it. And, with us being a globally distributed team, it fits really well.”
In what is an ongoing relationship, IriusRisk’s platform has allowed Pearson to build a framework tailored to its products and tech stacks. This has given Pearson the ability to generate threat models rapidly and accurately. The security requirements are more relevant and effective because they’re project-specific, giving Pearson a more comprehensive view of the risks it is facing.
Introducing risk libraries allows Pearson to consistently measure risks and deliver quality countermeasures across all of the products that it is threat modelling.
“We maintain our own in-house threat libraries that are based on the public standards,” says John. “That’s beneficial because we work very closely with the product teams. We know their tech stack, and we know their working practices, so we can add relevant context to the security countermeasures to aid with implementation.”
“Pearson is a global company,” says Meyyappan. “And we use pretty much any technology you can think of under the sun. So the way that we are using IriusRisk really helps us in the sense that we can go to IriusRisk and say, ‘here are the new technologies, we may need a new control library for this’.
“We are going through this digital transformation, and looking at more cutting-edge technologies because we want to be a front-runner with these technologies. Partnering with tools and platforms like IriusRisk means we can be innovative in design, and bring that into the wider security community.”
Looking to the future
As Meyyappan touched on, the future of Pearson is a pathway that leads to them moving from being a publishing company to a direct-to-consumer education service provider, in particular via its Pearson+ offering. The eText subscription service allows students to download digital learning materials on multiple devices, study to their own schedule, have access to materials created by over 3,000 experts, and to 1,500 eTexts created and taught by Pearson-approved authors.
Pearson+ Channels, the company’s newest study tool, will allow students to interact with thousands of videos across a range of subjects.
This means that, for the DevSecOps team, the model has changed from building tools for a captive audience of educational institutions, to selling products to the general public – who only pay for those products if they like them.
“We have a number of different products that are very well received in the market,” says Meyyappan. “Now the goal is making it more direct-to-consumer-centric. Pearson+ is the first major D2C product we’ve delivered – we have done D2C in specific applications before, but not as a global strategy.
“The approach here is making sure that we can create an ecosystem that can go directly to the consumer. That creates challenges from a technology perspective and a security perspective, because you are doing that last-mile delivery now, and you know your customer pretty intimately.”
These developments go hand in hand with the future of threat modelling at Pearson, with the aim to scale the model out across all business divisions and product groups.
“The principle that security is a shared responsibility is something we’re fostering and spreading,” says Vinson. “The future of security in the culture of Pearson is that security is a fundamental aspect of all new products that are developed.”
AUTOMATING OPEN-SOURCE
The future of open-source is automation. Kai Hilton Jones, RVP Field Services, International at GitHub, talks to Digital Bulletin about how developers are leveraging automation to disrupt enterprise.
INTERVIEW: Beatriz Valero de Urquía
How have you seen attitudes towards automation and the open-source community change since the beginning of the pandemic?
There is no doubt that COVID-19 has prompted businesses of every shape and size to re-evaluate how work is performed. The pandemic has expedited digital transformation, as organisations push to innovate as quickly as they possibly can. They are constantly adapting to keep ahead of soaring consumer and customer expectations for digital services, and to fend off the threat of nimble, ambitious startups who are disrupting every sector.
As a result, demand for open-source has surged. The reason is simple: open-source is an enabler of innovation because it allows developers to build better software, faster. With innovation now at table stakes, there is even greater emphasis on developing software that can help businesses thrive in a changing and frequently uncertain backdrop. GitHub added more than 16 million users in 2021 alone, and the number of first-time contributors increased markedly last year to more than three million. Open-source is pervasive, with 99% of software projects containing an open-source component.
Within the developer community, automation is flourishing. The priority to innovate at pace has brought the way developers work into sharp focus. Automation helps teams go faster, at scale. Removing repetitive and mundane tasks not only enables them to develop software more quickly but it can also boost developer happiness. The developer community is roundly embracing automation, and that’s a trend that is only set to intensify.
According to the World Economic Forum, more than 80% of business leaders are planning to speed up work process automation. How will this impact the coding industry?
There is virtually no part of the software development process that increased adoption of automation tools won’t positively impact.
Enhanced developer productivity is arguably the most significant benefit. Research has found that using GitHub Actions, which automates every step of the development workflow, has enabled teams to merge almost twice as many pull requests per day than before. It also increases the number of merged pull requests by 36% and shrinks the time to merge by 33%. Unsurprisingly, this level of productivity gain translates into faster innovation.
But the impact of automation is not confined to efficiency gains. Data shows that increasing uptake of automation gives developers a greater sense of fulfilment. Stripping out menial tasks from the development process helps teams perform better. Specifically, we found that by removing friction and repetitive tasks through automation, teams perform 27% better in open-source and 43% better at work, and developers report higher fulfilment.
How is GitHub embracing automation?
At GitHub, we see the transformative power that automation has for developers and businesses. We are completely committed to delivering the best automation tools that help developers work more effectively and enhance their output. Through actions, we’re able to make it easy for developers to automate all their software workflows, simplifying the development process. We’re able to ingrain automation into every step. We pride ourselves on delivering tools made for developers by developers, and automation will continue to be at the core of everything we do.
We’re also driving the next wave of innovation in automation by harnessing AI to help developers to write code faster and with less work with GitHub Copilot. Currently, in technical preview, GitHub Copilot draws context from the code you’re working on, finishing the lines you start or suggesting entire functions. It’s early days, but we’re at a new frontier of software development.
Why do you think some people in the open-source community may be reluctant to embrace automation?
Change can be scary. Any technology that disrupts the traditional way of working attracts scrutiny, and understandably so. Integrating new tools - regardless of what they can deliver - into enterprise environments is rarely a small undertaking, requiring careful consideration and analysis.
But far from being apprehensive, businesses should be embracing the transformative potential of automation and its ability to drive innovation and propel organisations forward. There is so much it can offer. The bottom line is automation isn’t scary, and it is a reality we must embrace.
How can robust code review practices address the decrease in visibility over code caused by the rise of automated solutions?
Code reviews are a critical part of open-source - they always have been, and always will be. One of the many benefits of tapping into a diverse, global community of open-source developers is the ready access to an army of talented and motivated developers ready to cast their eyes over code. In a community based on shared values, developers are motivated and incentivised to enhance code. Increasingly, code reviews will be automated, automatically infusing the power of the community into every project.
How important is due diligence and testing/code scanning to addressing concerns regarding the rise of the public marketplace and the potential for hosting actions with vulnerabilities?
Open-source should be viewed as a route to helping organisations boost software security, and testing and code scanning are absolutely fundamental to the open-source philosophy. It’s the only sure-fire route to developing secure software. The beauty of automation is that common security and compliance tasks can now be automated, infusing security directly into every step of the development process.
Code scanning features are already built into every pull request on GitHub. Code can be reviewed as it is created, with coding errors and security vulnerabilities automatically flagged and fixed. The upshot is automated code scanning helps ensure vulnerabilities never make it to production in the first place.
What is the best way for developers to shift their security left?
Creating secure software does not happen through technology alone. It happens when software is developed in an organisational culture that prioritises security and breaks down barriers to ensure security is baked into every single stage of the development process - not tacked onto the end.
In a traditional DevOps process, security usually comes at the end as a final box to tick before going to production. But when engineering teams and security specialists work in silos, it can cause mistrust and inefficiency. The predictable outcome is the development process either slows down, or the output is sub-optimal. Only by fundamentally changing how the role of security is viewed within an organisation can this cycle be broken.
Implementing a DevSecOps approach - where security is baked into every process - changes the game. At face value it might not look like a radical shift, but it hinges on a comprehensive mindset shift that makes security a collective responsibility. It increases transparency, makes problem-solving easier and boosts collaboration. The knock-on impact of shifting security left through a cultural change means organisations are far better placed to deploy the latest security automation tools and reap the rewards.
Is automation the future of the coding industry? What will it look like 3-5 years from now?
Software development changes at a lightning pace - that’s what makes it so exciting. Automation is just one trend that is set to revolutionise the development landscape. There is almost no limit to the impact it will have, given its ability to both accelerate innovation and positively impact the way developers live and work. In particular, greater adoption of AI tools in the development process designed to fast track the speed and quality of the software will have a transformational effect on how developers work.
Where do you see GitHub heading towards in the next five years?
We’re 100% focused on deepening the impact of open-source software on global innovation. We’ll stay true to our mission to use our developer-first values to provide developers with the latest tools to continue to change the world through the software they create.