Who is the customer?
Howden Group Holdings is a leading international insurance group, with employee ownership at its heart. Founded in 1994, it comprises Howden Broking, the international insurance broker, and the underwriting business DUAL, one of the world’s largest MGAs.
Howden Group Holdings’ businesses operate in 45 countries across Europe, Africa, Asia, the Middle East, Latin America, the USA, Australia and New Zealand, employing over 11,000 people and handling over $17bn of premium on behalf of clients.
As an organisation that prides itself on digital leadership and innovation, Howden works hard to ensure its data and IT systems are secure, amid an increasingly sophisticated cyber security threat landscape. It has been ramping up cybersecurity investment for many years, developing a robust set of controls to safeguard the wealth of critical data handled by the company.
Due to its acquisitive strategy, Howden has an increasing number of companies and offices all over the world. This presents a challenge in maintaining visibility of the overall cyber security risk relevant to each of its global subsidiaries. While its central group office is responsible for individually assessing cyber maturity across each of its brands, this presented scalability challenges as more businesses were added to the group.
To improve visibility of the cyber posture of its entire organisation, Howden wished to implement a robust, structured, and consistent way of assessing each individual site to better understand its risk profile, and to develop a strategy for improvement where required. It engaged Telstra Purple to help establish a baseline of desired cyber resilience and work with each site to help them become more secure.
Telstra Purple’s UK-based team provided Howden with the care and attention associated with a niche consultancy, but with the size, scale and expertise of a global organisation.
Telstra Purple worked closely with Howden to develop a security framework based on the internationally recognised ISO27001 standard, but modified using other security principles to meet the needs of the organisation. The framework is entirely unique to Howden, accounting for the organisation’s specific structure, needs, and industry-specific priorities to create a single, repeatable assessment.
Armed with this new assessment framework, a group consisting of Howden’s IT team and Telstra’s Security Advisory personnel began visiting a number of Howden offices around the world, where they engaged with both Executive Leadership and Security Operations on the ground. They used the agreed framework to assess risk and, where appropriate, build an actionable plan for improvement.
As these engagements were all completed by the same Telstra Purple team, the consultants ensured that each assessment was delivered in exactly the same way across all its separate businesses. The team gained the trust of each brand through positive engagements, offering helpful and actionable advice and fundamentally becoming a trusted partner and a true extension of Howden’s own Security division.
“The engagements with Telstra Purple have been very collaborative. I like that it’s a pragmatic standard of engagement, it’s not really a traditional consulting-type relationship, it’s more of a partnership,” says John Whitfield, Head of Global Operations & Infrastructure and Group CISO at Howden. “I needed a team of consultants that would work closely with us and offer practical support to help us achieve our goals. I got that from Telstra, and it’s been a good ongoing relationship.”
After producing detailed assessment reports, the Howden IT team works closely with each site to remediate any vulnerabilities and implement the technical solutions and controls to build resilience. That involves regular meetings to address identified risks in priority order, which is an ongoing process of improvement. This is incredibly useful for some subsidiaries, who have limited IT personnel on the ground to help them manage remediation.
Whilst the COVID pandemic interrupted the physical aspect of these interactions, Telstra Purple and Howden quickly shifted the program to digital channels without missing a beat. By moving to virtual consultation and remote workshops, the team continued to accelerate the program, despite obvious uncertainty in the first few months of 2020.
With the program now in its 3rd year, Howden and Telstra Purple have carried out a significant number of assessments all over the world. As the company continues to grow through additional acquisitions, the assessments proactively expand to account for new sites, ensuring Howden never loses visibility over its total cyber risk profile.
Benefits and outcomes
As part of Telstra Purple’s bespoke framework, each of Howden’s sites is assigned a baseline ‘cyber maturity score’, as well as a target that the parent company expects them to reach. This gives Howden complete visibility over the maturity of its various subsidiaries and offices, with a tailored and actionable plan on how to achieve any required improvements.
A year on from the initial assessment, Telstra Purple re-engages with each site to assess their progress and assign a new score, ensuring they’re receiving the support and expertise they need. Results are presented to the board, so that the leadership team is always up to date with the latest progress that’s being made.
Establishing constant communication has also strengthened the relationships between Howden’s teams around the world. The company has created a centralised contact network where its various international teams can collaborate and share information, establishing more efficient two-way communication between the central IT staff and subsidiary teams.
Through the tireless work of both teams, Howden has been able to bring all of its subsidiaries under a common framework and build on the robust standard that it had initially set. This has reduced their exposure to cyber incidents and provides assurance that their data remains safe and secure, strengthening the organisation for the future.