Go-Ahead gamifies PCI compliance with security league table

Automated security analysis can provide reams of up-to-the-minute data on the status of an organisation’s IT infrastructure.

But having all that data does not necessarily translate to better security. It needs to be usable, and it needs to be presented in a way that promotes best practice.

As UK travel operator Go-Ahead Group found last year, one possible solution is to present the data in a league table, harnessing the competitive nature of employees to drive better security practices.

Go-Ahead is one of the largest travel operators in the country, carrying over a million passengers on its rail and bus networks every year. Because it sells tickets via credit card, the company is regularly audited for compliance with the PCI DSS security standard.

Before 2011, IT and procurement director David Lynch conducted his own internal audits by asking employees whether they were following the rules.

"It was something of a tick-box exercise," he recalls. "I had to trust people to tell me they were following my policies, such as not plugging in USB sticks and other things that were impossible to lock down."

But after an external audit committee challenged Lynch to prove that what employees were saying was true, he knew he needed more direct visibility into the company’s security position. “I needed a way to challenge myself," he says. "If I'm ticking an auditor's box, I want to know that what I'm doing is accurate."

That prompted him to deploy iStorm, a vulnerability management system from PCI DSS security software provider Randomstorm. Go-Ahead uses multiple iStorm network appliances to scan nodes on its network for misconfigured devices and ports that could leave the network exposed to malware or attackers.

But the reports that these devices produce did not make it easy to see which IT teams were upholding security policies, and which were not.

"I went mad after the first year due to having to sift through reports quickly to see who was performing well or badly," he says. "I said that unless we fixed the issue, we wouldn't renew. Where was the value?"

The challenge prompted Randomstorm to suggest compiling a monthly league table, an idea that appealed to Lynch as a football fan.

"I've learnt over the years that league tables and colours are good ways of scanning and reviewing lots of information quickly, which my job requires," he says. "Even if you don't like football, people can relate to league tables these days."

Randomstorm developed a league table ranking the IT teams for each of Go-Ahead’s operating units. Randomstorm also developed an algorithm to calculate a score for each team, based on its adherence to security policy. If a highlighted vulnerability was not patched, or a server was configured incorrectly, the team responsible lost points.

The algorithm takes account of the relative size of each team and the complexity of the IT systems it looks after. It also weighs how severe each breach of policy is and how long it has been left unresolved.
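The article does not publish Randomstorm's scoring rules, so the following is an added example, written for this page rather than taken from Go-Ahead, Randomstorm or the original article, of one way such a league table can be computed from scanner findings. Each open finding costs a base penalty by severity, the penalty grows the longer the finding stays open past an assumed remediation deadline, and a team's total is normalised by the number of assets it is responsible for so that a large, complex estate is not penalised simply for being large. The severity weights, grace periods, team names, asset counts and findings are all constructed for illustration.

```python
"""Illustrative league-table scoring over vulnerability-scan findings.

Not Randomstorm's algorithm: weights, SLAs and sample data are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    team: str         # operating-unit IT team responsible for the host
    host: str
    severity: str     # critical / high / medium / low
    first_seen: date  # date the scanner first reported the finding


# Assumed base penalties per severity band (CVSS-like shape, not real values).
SEVERITY_WEIGHT = {"critical": 10.0, "high": 5.0, "medium": 2.0, "low": 0.5}
# Assumed remediation deadlines in days; past these, the penalty keeps growing.
GRACE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def finding_penalty(finding: Finding, as_of: date) -> float:
    """Points lost for one open finding on the given date.

    Severity sets the base penalty. A finding still open past its deadline
    costs one extra base penalty for every 30 days overdue, so a medium
    left unfixed for months eventually outweighs a freshly found high.
    """
    if finding.severity not in SEVERITY_WEIGHT:
        raise ValueError(f"unknown severity {finding.severity!r}")
    base = SEVERITY_WEIGHT[finding.severity]
    days_open = (as_of - finding.first_seen).days
    overdue = max(0, days_open - GRACE_DAYS[finding.severity])
    return base * (1.0 + overdue / 30.0)


def league_table(findings, assets_per_team, as_of):
    """Rank teams by penalty points per 100 assets (lower is better).

    Dividing by asset count is the size/complexity adjustment: three open
    findings across 400 hosts is a better position than three across 20.
    Teams with no findings still appear, on zero points.
    Returns a list of (team, penalty_per_100_assets, open_findings) tuples.
    """
    totals = defaultdict(float)
    counts = defaultdict(int)
    for f in findings:
        if f.team not in assets_per_team:
            raise KeyError(f"no asset count recorded for team {f.team!r}")
        totals[f.team] += finding_penalty(f, as_of)
        counts[f.team] += 1
    rows = []
    for team, assets in assets_per_team.items():
        if assets <= 0:
            raise ValueError(f"team {team!r} must own at least one asset")
        per_100 = round(100.0 * totals[team] / assets, 2)
        rows.append((team, per_100, counts[team]))
    # Ties are broken alphabetically so the table is stable month to month.
    rows.sort(key=lambda row: (row[1], row[0]))
    return rows


# Constructed sample data: three hypothetical operating-unit teams.
AS_OF = date(2012, 7, 1)
SAMPLE_ASSETS = {"Rail North": 400, "Bus South": 20, "Head Office": 60}
SAMPLE_FINDINGS = [
    Finding("Rail North", "rn-web01", "critical", date(2012, 6, 28)),  # within SLA
    Finding("Rail North", "rn-db02", "high", date(2012, 5, 20)),       # 12 days overdue
    Finding("Rail North", "rn-app03", "medium", date(2012, 6, 1)),     # within SLA
    Finding("Bus South", "bs-pos01", "high", date(2012, 6, 25)),       # within SLA
    Finding("Bus South", "bs-pos02", "medium", date(2012, 1, 3)),      # 90 days overdue
]


if __name__ == "__main__":
    for position, (team, points, open_count) in enumerate(
        league_table(SAMPLE_FINDINGS, SAMPLE_ASSETS, AS_OF), start=1
    ):
        print(f"{position}. {team:<12} {points:>7.2f} pts/100 assets  {open_count} open")
```

In the sample run, Bus South finishes bottom even though it has fewer open findings than Rail North: a medium-severity issue left open for 180 days and a small estate of 20 assets both drive its normalised score up, which is exactly the month-to-month movement Lynch had to explain to directors.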

"Everybody was worried about the league table initially, and I had to make it clear to directors why some teams could be top one month and bottom the next," explains Lynch.

Since it was deployed in June 2012, the league table has fostered a pro-active approach to security among IT staff, Lynch reports.

“IT teams don't wait to see where they are in the league table; they're building their case and coming to me all the time, which shows focus,” he says.

“It has brought an element of challenge and competition and has given me a massive amount of visibility of what's going on every month.”

That, he explains, has given him far greater confidence in the company’s PCI DSS governance. “When auditors come through the door, I can now talk to them about what we do.”
