Camelot is the licensed operator of the UK’s National Lottery. David Boda – Group Head of Information Security – Camelot, tells us how he approaches cybersecurity challenges to ensure the organisation stays cybersecure and maintains its integrity.
Camelot has been the licensed operator of The National Lottery since its launch in 1994. The company is made up of around 750 employees.
David Boda has been Group Head of Information Security for more than three years and is tasked with overseeing all aspects of information security.
He says of the role: “We run our own Security Operations Centre (SOC) so it’s quite a nice environment to work in because we do most things in-house.
“Because the lottery is heavily dependent on integrity there’s a lot of buy-in from the business for what we are trying to achieve, as well as from the wider stakeholder community.
“The National Lottery celebrates its 25th this year and we’ve just passed the £40bn mark of money that has gone to charities and good causes as a result of what we do. That’s also one of the reasons I like working here – it’s not just about being a commercial organisation, it’s about giving back.”
At Camelot, all aspects of security are relevant but there is a strong focus on integrity.
“People need to have confidence that if they play a game, they know they’ve got a fair chance of winning,” Boda said.
“We spend a lot of time trying to threat model that out and understand how we can come up with the right answers to give all of our stakeholders the assurance they need – whether it’s regulators, the public playing the games or other stakeholders.
“Around 60% of UK adults currently play National Lottery games. So that’s a large proportion of the UK adult population coming into contact with one of our products at some point, whether it’s a Scratchcard, online IWG or a EuroMillions or Lotto ticket.”
The day to day job
Boda makes a point of checking his emails just once a day, preferring face to face interaction with his team and the wider business stakeholders.
This, he says, is a better way of finding out what the real challenges are, instead of attempting to filter through emails.
“I try to balance it to make sure I’m in the office enough but obviously there is quite a lot of external engagement with suppliers, partners and peers in the industry,” he said.
Threat sharing and collaboration
“I place quite a big emphasis on the value of threat intelligence sharing so we do a lot of work in that space as well. The attackers do it and from a defence point of view it makes sense,” he said.
“So if you are mindful of any commercial sensitivities – there are plenty of ways to collaborate and help each other out without tripping up – then it’s really important.”
Boda is Chairman of the Cybersecurity Working Group within the World Lottery Association, which is set up around the idea of threat intelligence sharing.
Alongside the National Cyber Security Centre (NCSC), he’s also part of a gambling and gaming sector trust group which is also about threat sharing – something he set up with his former counterpart at William Hill.
“Sometimes it’s not just about an IP address you’ve seen or a change in DDoS attacks, it could be that we’re thinking about using a new vendor and you want to have a conversation about ‘well, if you’ve used that vendor already what was your experience with them?’”
The vendor – end user relationship
“Sometimes I think there’s a bit of tension there, on both sides,” Boda concedes. “I think it’s a lot about making sure vendors and CISOs and end users make a conscious effort to take time to understand each other’s perspectives and build relationships with each other. It’s about long-term partnerships, it’s not about transactional things and, through that understanding and relationship building, then the whole buy-sell becomes a lot easier.”
On selecting vendors
There are many vendors offering a multitude of products and solutions. For Boda and his team, the selection process is driven predominantly by the organisation’s three-year information security strategy.
If approached by a vendor, Boda says he is open and transparent about their offering not being part of the organisation’s roadmap at that time, but the solutions are given due consideration in a thorough testing phase when the time is right.
“If we’re doing a security thing, it means we’re not spending on a commercial thing or something else, so it’s really important that, when we pass that business case across the table, we can look the CFO, CIO and other stakeholders in the eye and say we genuinely believe that it’s in the best interest of Camelot to be doing that.”
The skills shortage
Boda believes the private sector has a role to play in helping to combat the ongoing cyberskills shortage, alongside government initiatives.
“I think you recruit a team, you don’t recruit individuals, so you have to have a balance of people that do have experience, but you should also be taking people and training them up,” he said.
Camelot also has an internal red team which is used for running simulated attacks against the organisation itself.
“If the only time you see bad stuff happening is when bad stuff is actually happening, then you’re probably not going to react to it very well but if you’re constantly practising that then your judgement calls are going to be better, so we use that red team capability as a core part of our learning and development as a team,” he said.
The importance of ongoing training
A key part of Camelot’s overall strategy is around building a strong security culture. It’s not just about ‘putting posters up in the canteen’ – it’s about understanding how to create a behavioural change.
One recent example involved inviting a comedian to speak during a lunch session. His sketch is based around his experience of having his identity stolen when he was younger.
“It’s not ramming security down people’s throats, but for that hour they’re thinking about security and, at the end of it, I talked about how his experience related practically and what it means for Camelot,” Boda said.
“If, hypothetically speaking, The National Lottery contact centre wasn’t carrying out data protection checks properly or if we were socially engineered into giving out information, that means personal information could be compromised.
“We really landed those key messages in a much more effective and memorable way.”
On what makes a good CISO
“Someone who has got a good broad range of skillsets, from the commercial business side of things to being able to talk credibly, technically,” Boda states.
“It doesn’t mean they need to have a comprehensive understanding of every detail but they need to be able to ask the right, probing questions, draw out the issues and be able to communicate those effectively.
“Some CISOs are much better at being able to communicate with the board and bounce ideas around how they’ve done that, or being really good at presenting metrics. Some are great at challenging their team or vendors and really asking the probing questions.
“We’ve all got our strengths and weaknesses, and being able to help each other out is really valuable.”