Bupa A/NZ has undergone a significant security transformation program that touched all security domains and was part of a global capability uplift pursued by the health insurer.
Head of cyber security Jonathan Milton told ServiceNow’s Knowledge 2021 conference that the company embarked on the transformation in 2019, and has had new systems bedded down for between six and 12 months.
“Our security transformation was really looking to mature our security posture across our ‘identify’, ‘protect’, ‘detect’, ‘recover’ and ‘respond’ security domains,” Milton said.
“By investing in our people, our process and our technology capabilities, we sought to raise the waterline of our ability to manage these threats in line with our risk appetite.”
Milton was the director of the A/NZ transformation prior to his current role.
He said the transformation impacted all aspects of IT security at Bupa, including risk management, data loss prevention, intrusion detection and prevention, vulnerability management (which Bupa calls ‘cyber hygiene’), SIEM, rapid response and forensics, recovery capabilities.
Along with the deployment of new technology platforms, the transformation was accompanied by a substantial change program, particularly around stakeholder engagement.
This aimed to understand the needs of different stakeholder groups, from the board and executives to business units, and to assist those groups in reducing their own risk profiles.
“That really helped us get a seat at the table when we're talking about closing those front doors and getting that cyber hygiene to something within risk appetite,” Milton said.
On the technology front, Bupa deployed vulnerability response and security incident response modules from ServiceNow, as well as Tenable products.
Milton said deploying ServiceNow modules was seen as attractive because they could be integrated with and “talk to the rest of the technology estate and security platforms” in the company’s environment.
It already used Service Now for IT service management and configuration management, and
“It was also [about] the products that ServiceNow indicated that they would have integrations and APIs with across our security platform,” Milton said.
Milton said that the ServiceNow vulnerability response and incident response modules are also collecting “data points for us to understand the system so that we can then continuously improve” it.
He added that the uplift had enabled Bupa to mitigate the threat of malicious or accidental compromise to customer data or disruption to service delivery.