Within the last three months Demica has made some significant changes to the way it manages information security across the company. Our new Chief Information Security Officer (CISO), David Scholefield, reflects on the reasons for those changes and discusses how he believes they will improve future security operations, not only for us but for our customers as well.
Until June of this year Demica managed security in a way not dissimilar to other scale-up, technology-led companies. Security has, of course, been central to all of our operations, both inside the IT function and more widely across the organisation. These responsibilities have been shared amongst senior members of the management team, including the CISO role, which has been undertaken by our highly experienced Chief Technology Officer (CTO). Together, these stakeholders have driven an effective security programme that has resulted in Demica being successfully audited against both ISO 27001 and the ISAE 3402 standard. This demonstrates to our customers that we are managing security effectively, and in a manner that meets their very stringent information security requirements.
However, times change. As Demica’s growth trajectory continues, and even accelerates, the decision was made to invest even more effort and focus by creating a fully dedicated security function, one that can meet the challenges not only of a rapidly growing organisation but also of an increasingly hostile and dangerous cyber environment.
In June 2022 Demica created a dedicated CISO role, and I was fortunate enough to be invited to take up that position and begin the exciting journey of building out a new team to support, expand, and further improve the organisation’s information security efforts. From this point onwards, the company will benefit not only from the skills and experience of the existing security team, but also from a plan to increase the security team headcount significantly so as to meet the new challenges we see ahead.
Those challenges are complex and constantly growing. They include the critical responsibility to protect our customers’ data while continuously providing a reliable and secure platform. They also include the need to keep one step ahead of security compliance needs within an increasingly complex regulatory and technological environment.
Demica is an agile company with a cutting-edge technology solution, and is quick to adopt new processes and technologies. This inevitably increases security risk, which needs to be appropriately managed.
In addition, company growth itself brings challenges in maintaining information security governance: as teams grow and structures change, security processes must scale in support of that growth. At Demica we believe in an ‘all hands’ approach to information security, where every person is supported and empowered to work in a manner that protects both the company and our customers. As all areas of the business grow, the challenge is to maintain the dialogue between every employee and the security function, so that we leverage the skills and diligence of every team member rather than relying solely on a centralised security team.
At Demica we start from the fundamental view that the assets we are most concerned to protect are the financial and information assets belonging to our customers. Everything else is secondary to this. Of course, there are many other assets we are concerned to protect, and we do, but in a market space that is highly regulated, and where trust is paramount, we understand that protecting our customers’ financial and information assets needs to be the strongest guiding principle shaping our information security risk decisions.
Cyber criminals know the value of these assets too, and the variety of cyber crimes is growing seemingly daily, to the point where we are now in a very dangerous world of sophisticated criminals who readily understand the potential pay-outs from a successful cyber attack. When considering how to protect our assets, we are mindful of the growth in threat areas such as ransomware, extortion, spear-phishing attacks enriched by personal data breaches, financial fraud enabled by instant and untraceable money transfers, and many others. We are also attentive to the growth in nation-state cyber attacks for political or financial motives, attacks from pressure groups and politically motivated organisations, and even the growing sophistication of ‘off the shelf’ toolkits available to ‘have a go’ hackers in their bedrooms late at night who may just be trying to show off in front of their hacker friends. That last category is easy to overlook because of the perceived lack of sophistication of the actors involved, but without appropriate protections in place it can result in significant damage and cost.
Demica’s solution to the challenges of rapid company growth, a complex and constantly changing technology environment, and the increased external threats to the security of our assets and those of our customers, was to appoint a dedicated CISO, grow the security function substantially, and implement a forward-looking and proactive security programme that is strongly supported by senior management. The time is right for us to respond positively and clearly to these challenges by investing in and developing our new dedicated security function.
We look forward to sharing our experiences of this new phase in our information security journey with all of our current and future customers through our blog, and also through direct cooperation and discussion with all of our partners.
If you have any questions arising from this post or have any questions about information security at Demica please reach out to the CISO at firstname.lastname@example.org. We look forward to hearing from you.
With over 25 years of experience in information security, David joins Demica after holding the CISO role in a number of previous organisations, including Flexys, a fintech SaaS company providing B2B debt management solutions, and Theo Paphitis Retail Group, where he was responsible for the security of some of the UK’s best-known high-street brands. David has managed the security of organisations in a wide range of verticals, including pharma, retail and banking, and brings this experience to bear in protecting the information assets of both Demica and our customers.
Published 27th September 2022 in Blogs