Royal Mail to Consignia... and back again

Last year the Royal Mail were dominating the front pages for all the wrong reasons: claims of incompetence and corruption in the service, untrained staff, and organised gangs pilfering credit cards, cheque books and passports. As a nation, it is almost as if we all feel let down by a family member. Luckily, recent press has been more positive – the close of 2004 left them with an operating profit of £537m. Having previously worked for a ‘sole provider’ organisation, it is easy to see that the media are quick to point out errors in service but fail to publicly acknowledge the successes – have you ever read about all the letters and packages that do arrive on time, in one piece? For a company constantly under the eye of public scrutiny, and now with talk of privatisation, what does the future hold for the Royal Mail?

To put some perspective on the Royal Mail as a business: it currently has 200,000 employees, collects, processes and delivers 82 million items to 27 million addresses per day, and has been providing the UK with a postal service for 360 years! Is it possible for an organisation of this size to control its information security?

I recently met Royal Mail’s Director of Information Security, David Lacey, to discuss measures taken by the organisation to minimise lapses in their security structure. He describes the Royal Mail’s information security prior to his appointment 6 years ago as expensive and fragmented. ‘Lots of individuals doing good work but not collectively harnessing, not working together on standardising what they did. Lots of holes and it was very inconsistent and expensive to manage.’ Compare that to the present day: Lacey claims their system is ‘benchmarked as probably one of the best in the industry, we have far fewer (Security) staff than any other organisation of a comparable size and yet our security is extremely effective.’

They achieved this with the implementation of BS 7799, a much misunderstood standard. David was involved in the creation of BS 7799 during his 10 years managing Shell’s Information Security and, understandably, is very protective of the standard. ‘BS 7799 is a unique standard, based on the work of many people, and all of the controls were tried out in the field with companies like Shell a long time before it was published’. So it was based on actual best practices and reviewed and updated by a wide variety of people keen to ensure it was ‘real, achievable and worked’. People often mistake BS 7799 for a management system relating only to IT, but it is much more than that and stretches across organisations’ infrastructures from accounts to HR to IT and beyond. When starting out, David and his team set clear objectives: ‘To meet or exceed the expectations of all our clients, customers and partners and we should provide physical assurance of that and we should also aim to demonstrate assurance to our in-house customers to make sure our managers and staff have full confidence in Royal Mail’.

David feels these objectives have been met, and that the implementation of BS 7799 helped them focus internally as well as send a clear indication to all external clients of their commitment to service and assurance via third party auditing. As yet, BS 7799 has not been rolled out across the entire Royal Mail network, but ultimately it will be. At present only 40,000 Royal Mail employees are PC users; in the future the majority of the 200,000 employees will use either PCs or smart cards, and the BS 7799 scope will need to be broadened to cover them. David is also keen to develop an architecture and supporting infrastructure for a completely open network with no boundaries. Whether this is possible remains to be seen.

On to the difficult subject of letters going missing. David explains that incidents like this unfortunately cannot be ruled out 100%, but the key is to minimise them: ‘because of BS 7799 we have very comprehensive incident reporting and response processes, so every month I know everything that goes on in the previous month and I can look at the number of thefts or viruses, and I can look at that and say can we manage that down? We’ve been managing down those numbers for the past year and I think we probably have some of the lowest incidences of virus outbreaks and thefts in the UK. Often what you read in the newspapers and what you experience yourself are two different things. Supposing we managed to cut our fraud by 90% the newspapers would probably say we had fraud levels of 10%, but that does concentrate our minds, it sets us a challenge and we like to respond to that.’

The Royal Mail faces the same risks as anyone else: they need to protect against increasing threats, viruses and hackers while their exposure increases at the same time. As the perimeter fences around Royal Mail come down and they move increasingly towards a virtual rather than paper-driven business, they need to ensure a realistic information security structure is firmly in place, ‘and that is what BS 7799 gives you, you don’t focus your security just on one point in the infrastructure, you have a whole raft of controls’ enabling you to adopt a wider perspective.

So, why did Royal Mail choose DNV as their third party Certification Body? The answer lies back in the days of ‘Consignia’. The Royal Mail were looking to expand globally, ‘words like Royal don’t work, and also Post Office doesn’t work internationally’, so a branding project was born along with the objective: to choose a name that would work internationally, that sounded futuristic, modern, had something to do with the business (Consignment) and sounded slightly prestigious. Personally I feel Consignia fitted the objective; unfortunately we are a nation of traditionalists, we like what we know, and by killing off ‘Royal Mail’ they were throwing away 350 years’ worth of history, an entire brand and service. Consignia never really got off the ground and the Royal Mail decided to stay focused on the UK market. Yet during the creation stages of an internationally branded Royal Mail, the security management team required a Certification Body able to provide them with global coverage, and DNV fitted the bill. ‘We are glad we chose DNV, we found them a very good partner, very professional’.

A few years ago there was much talk of bike couriers, amongst others, posing as real threats to the Royal Mail. This gossip appears to have died down, but how threatened do they feel today as a business? ‘Competition is something we are responding to, we love competition, we want it, we don’t have a problem with it at all, it’s a challenge. I think people’s expectations of what is going to happen in the future are often coloured by hype curves, people overestimate what will happen in the next two years and underestimate what will happen in the long term, so people expect things that are changing in the market place to have immediate impact but they don’t, they take several years to filter through, so we take a long term view of this, we know it’s a very big challenge for us, we have to respond to it and we have to make sure we continue to maintain our markets as best we can. We welcome competition, our chairman and CEO are looking forward to competing, they are very competitive people and that’s what it is all about, the whole board are all competitive!’

David is certainly an intriguing man, and with 20 years’ experience his loyalties clearly lie with information security past, present and future. But away from the office, how does he get his kicks? David is involved with the Royal Society and Chatham House and founded the Jericho Forum, ensuring informed public debate on key issues around privacy and security and focusing on developing future management systems for business to business open networking. His hobbies include fly-fishing for trout in North West Sunderland, travel and collecting antique silver from the Sultanate of Oman, but what sticks out most are his musical talents. A jazz pianist and guitarist, in his youth he was a professional musician and has performed everywhere from small nightclubs to the Edinburgh Festival, but not being a lover of the limelight he much prefers to play for personal pleasure rather than entertainment for others.

When interviewing David, his passion for his chosen career path is glaringly obvious: he is an avid Royal Mail supporter who is dedicated to making their business as secure as possible. It would be a great shame to see such an established symbol of Great Britain damaged through negative media reporting or a rushed privatisation push. At the end of the day, unless we turn to robots for postal workers there will always be an element of human error; what matters is that security incidents are kept to a minimum – something that is clearly a priority for the Royal Mail.

(Article by Amy Pettit)



13 June 2005
privacy statement | © 2008 det norske veritas | terms of use