“AI allows us to upskill our entire team”
By implementing AI and automation tools in the right way, a significant opportunity arises to drive career growth in security teams, according to Ian Stacey, Group Head of Information Security at Novuna, and Callum Taylor, Cybersecurity Product Owner at Novuna.
In 2022, Hitachi Capital UK PLC, a UK-based financial services company, rebranded to Novuna. In addition to being one of the UK’s largest leasing companies with a fleet of over 110,000 vehicles, Novuna’s areas of expertise include retail point-of-sale finance, personal loans, and business finance. “If you live in the UK and you buy a new sofa or a new kitchen on a loan, you’re very likely to be one of our customers,” Ian says.
Threats & opportunities in AI
“At Novuna, we try to balance our security strategy between defensive and offensive, by using a mix of red teaming, blue teaming, and purple teaming,” Callum says. “One of our current focuses is the rise of AI attacks. Since these attacks are relatively new, our SOC has less insight into the logs, making it more difficult to spot them. We have therefore set up purple team exercises where we simulate AI incidents with Splunk Attack Range, so we can see what those logs look like. Based on those created logs, we can generate alerts for actual AI-generated attacks.”
Novuna’s security team does not have a large headcount, Ian adds. “And over the last four and a half years that I’ve been here, our SOC hasn’t grown. However, we’ve been putting in five times more logs, and have more than fifteen times more use cases and alerts coming in. That’s where my current challenge lies: how can we deploy technology to increase efficiency? AI & automation will be able to solve a big part of that problem. If I can do more with the same number of resources, that’s a real success for the business.”
“AI & automation will be able to solve a big part of that problem. If I can do more with the same number of resources, that’s a real success for the business.” - Ian Stacey
However, efficiency isn’t Ian’s only incentive. “Deploying AI and other tools to take some of the weight of our SOC employees will enrich their working life. Just completing one ticket after the other all day isn’t an exciting job and doesn’t drive career progression and development. Instead, if we tell them that they’ll be doing far fewer tickets, but building automation, building the capabilities instead – that’s infusing. We’ve already upskilled our team over the last four and a half years, and we’ll continue to do so.”
Building resilience
As a UK-based financial services company with over 1.3 million customers, Novuna is regulated by the Financial Conduct Authority (FCA). “What’s really interesting is that the FCA, particularly over the last few years, has started to look more at resilience. This can mainly be seen in payment infrastructure, which is part of critical infrastructure: if one company’s system fails, it can be literally millions of people who might not get their salary, might not be able to pay for their groceries or their rent. The FCA now forces us to think about both the processes we have in place to prevent these issues, and the ability to respond if something actually happens. It enables us to think about the observability part as well. While we’ve prioritized security in the past, the capability is there for us today to spend resources on observability too.”
“While we’ve prioritized security in the past, the capability is there for us today to spend resources on observability too.” - Ian Stacey
“Observability and security come together,” Callum adds. “If there’s an outage, you need to know what’s happening and compare the outreach. Is it linked to a cyber incident? Is it linked to one of your security events? And if it is, we need to work hand in hand with our different teams in collaboration to make sure that as a business, we're able to handle that incident appropriately. Because a lot of businesses will just see an outage and be like, oh, it's nothing to worry about, it's just a service outage. Down the line, they find out they might have had a DDoS attack instead.”
The changing role of CISOs
With the digital world constantly evolving, there's a lot of pressure on CISOs and on the security team. At the same time, the role of security professionals is changing. Whereas security used to be more of an afterthought, it is now increasingly integrated as a pillar of the business strategy.
“As CISOs, we have realized that if we want to get people to include us and engage us, we must give them something back.” – Ian Stacey
“And twenty years ago, there's a reason it was an afterthought because we got in the way, we blocked things,” Ian says. “We were a compliance function. Do you tick all these boxes? No. Then you're not doing it. Now, we have become more of a business-focused commercial value-adding capability. As CISOs, we have realized that if we want to get buy-in, we want to get people to include us and engage us; we must give them something back. We can't be the ones that say no every time. And I think security, as a whole, has changed massively over the last ten years. It's gone from, no, you can't do that, to us asking: what do you want to do? We'll help you to do that. That's a big change that I've seen.”
Collaboration
In the last decade, collaboration has been lacking, Callum says. “Businesses kept to themselves; they didn’t like communicating with competitors. This has now completely changed, and to me, this is key to improving our cybersecurity strategy. We need to check in with other businesses, talk about their automation tools and their security strategies, and learn from them.”
“Collaboration is key to improving our cybersecurity strategy.” – Callum Taylor
“Cyberattacks are always changing and evolving,” Ian says. “We’re constantly trying to close gaps before they appear, and we aim to be proactive. But we need collaboration to do so. At Novuna, we have multiple frameworks, and we have got that pretty much nailed down. We don’t need to collaborate on that as much. But some of the really innovative solutions, you’ll only find out about those through collaboration. I think that's where the real value lies.”