Like the rest of the industry, the pandemic has radically changed our daily operations, and it is really important we acknowledge the high cost of the crisis to many individuals and the wider society. From a customer perspective, there is less cash being spent, fewer branch visits, and much more online activity, as well as a big uptick in requirements for payment holidays, loan holidays, and requests for government schemes. We have as many colleagues as possible working from home, but we also have a proportion of staff who cannot work from home. With many of our colleagues self-isolating, this has meant that some colleagues who are able to staff the branches and call centers have had to learn new skills very quickly to be able to keep serving customers’ evolving needs. In cybersecurity, we have learned to stand up processes to assess new risks (like wide scale remote working) and implement new controls to mitigate them in a remarkably short span of time. We do not see this situation resolving itself in the short term, at least until there is a widely available vaccine or other scientific breakthrough. We must continue to cross-skill our employees into new areas to be more agile and adaptable to the changing landscape.
People-Centred Transformation
Luckily, we are well-positioned to do just that. As our CEO António Horta-Osório articulated in his speech at the Sibos conference last fall, our current strategic plan is squarely focused on investing in our talent to arm them for the future. Lloyds is a 325 year-old institution, but over recent years we have begun to invest more and more in the technologies we will need to thrive in a digital world. We are now the UK’s largest digital bank, with 13.4 million digital banking customers. As António says, “At Lloyds we believe machines should do the ordinary, to enable people to do the extraordinary.”
The Pandemic as Accelerator
While we are still very much on this transformation journey, having this mindset already established within the firm set us up for a quick response to the COVID-19 crisis where we’d already started to increase digitization and underscored the need for it on some of our legacy systems. For example, we’d already begun to introduce automation and robotics in our identity and access management systems over the last 18 months which has helped us tremendously during this time, and now we’re going to apply those learnings to other areas of cybersecurity.
There is no doubt that COVID-19 served as an accelerator to our digital transformation. We are now reflecting on the learnings we can take away from this time and consider what we might do differently and what the new normal may look like, so that we can be even better prepared for the next challenge and increase our operational resilience. For example, if we had implemented some of the programmes we have already designed and developed such as our strategic authentication programme, we may have been able to realise some of the benefits sooner.
Upskilling the Cybersecurity Workforce
What is certain is that the future will bring even more upskilling and cross-skilling of our colleagues, in many different areas. For example, in the past, typically branch staff would be highly specialised as customer service reps, tellers, general advisors, and mortgage and small business advisors. In the future, we see more people performing multiple functions, even taking calls from customers outside of the branch so we can best utilise their general banking knowledge.
Cybersecurity is also a key area where we are looking to build capability across the firm. Key areas of focus for us include:
- Cloud: I believe everyone will move to the cloud; it is no longer a choice, but a given. However, up until recently, cloud providers had not always adjusted to serve the needs of enterprise-scale firms, especially large financial services firms with our regulatory requirements. That has changed, and now security standards have improved to the point where we feel we can utilise the cloud’s excellent functionality. But because it is so new, we have a programme to skill up our team at every level, to increase the numbers of colleagues skilled in application security, and to cross-skill our developers in cybersecurity as well.
- Security operations: Our security operations centers (SOCs), will fundamentally change. Today they are still very focused on on-premise, but we are looking to move towards a hybrid model, where we will be automating everything that we can to free up our teams to focus on higher-value activities. We are just starting on this road, but I do believe that the look and feel of a SOC will change in the next two years.
- Supplier assurance: We have seen that third parties, especially those who are not regulated, may be more susceptible to ransomware and other types of cyber threats, and this could become a business issue for us. We need a robust assurance model, so we are investing heavily in our business teams to ensure there are enough cyber skills to understand the cyber risk and posture of our key suppliers. We would love to see more collaboration across the industry on standardizing cybersecurity standards for third parties so that suppliers could go through one very detailed assessment process that all firms could then rely on.
