by Thomas Macaulay

Bank of England CIO Robert Elsey sets cyber security challenge

05 Jun 2018
Financial Services IndustrySecurity Software

Bank of England CIO Robert Elsey plays a central role in protecting the UK’s financial sector. Elsey runs a cyber security division that protects around £575 billion sterling payments and securities every day, helps to track all bank notes in circulation and secures £140 billion of gold deposits in the vault.

The Bank’s unique challenges are intensified by a nationwide digital skills gap, which led Elsey to a novel way to boost the bank’s defences: a face-to-face cyber security competition that tests the skills of 30 of untapped talents in the UK to identify the next-generation of experts.

The 30 best applicants earn an invitation to the iconic building on Threadneedle Street that has been the Bank of England’s home since 1734. They then compete in teams on a series of banking-themed tasks developed by the Bank’s security team to simulate the experience of working at a leading financial institution. The competitors combat and contain a cyber attack by planning and improving security architecture, educate staff on the threats and carry out a forensic investigation of the attack.

The event helps the Bank attract talent from diverse backgrounds and show them that technology careers are more varied than they might imagine.

“It starts to show the different qualities you need,” says Elsey. “It’s not just coding anymore. There’s everything from business case history to the climate and sponsoring initiatives. We’ve got people from all kinds of different backgrounds now working in technology and it’s making it a much better place.”

The competition combines technical challenges with tests of broader skills. An exercise inspired by Dragons Den requires teams to improve a network design by spending a £1 million budget on a cyber security shopping list, while a pitching competition invites them to present their ideas for a phishing awareness training programme.

“What was nice is that those people that did get involved through a less technical setting could flex their skills in different areas, and could appreciate why it would attract different people in the future,” says Elsey.

New sources of cyber security talent

The top 10 performers in the challenge will then attend three-day masterclass in November, and the top performers earn an interview for a role on the Bank of England’s security team.

Elsey hopes they will inject some youth into an aging workforce. Only 12% of the cyber security workforce is under the age of 35, while 53% of it is over 45, according to the Center for Cyber Safety and Education’s Global Information Security Workforce Study. This could create new dangers as more experts reach retirements.

“We try to avoid and weed out those who are in the industry,” says Elsey. “We’re looking for more of the younger students who are interested, or people who are thinking about moving into cyber security.”

Their efforts paid off. Around 60% of the competitors were in secondary or further education, while two-thirds were participating in their first event involving Cyber Security Challenge UK, the non-profit organisation that arranged the competition with the Bank.

“It was more about raising awareness that it’s not just people who can code that go to these competitions and add value,” says Elsey. “In fact, some of our big success stories are people who did mathematics, who hadn’t considered technology and coding before, but actually, as mathematicians, they’re data scientists and they’re analysts.

“Those types of individuals fit in really well with that kind of inquisitive mindset…Where we have done very well in the bank in trying to attract good, diverse employee base is by trying to look in those pockets of people that wouldn’t normally think about it, but when they’re in it, they love it”.

Analytics at the Bank of England

Cyber security is just one of Elsey’s responsibilities. He oversees all aspects of technology and programme delivery across the Bank of England, from critical applications such as real-time gross settlement and gold inventory management to data analytics platforms.

His 600-person tech team helps the financial services sector to transfer trillions of pounds in payment transactions every year, set interest rates and supervise around 1,700 banks, credit unions, insurers and major investment firms.

“We have 140 billion in gold here, so we manage all of the inventory for that,” explains Elsey. “We do £570 billion worth of transactions per day, gross estimate, so our systems are extremely critical to the financial sector.”

The Bank also runs HR systems that manage 1,000 supervisors who inspect financial institutions on a daily basis, a variety of critical trading and payments systems, and data analytics tools that detect economic patterns and help determine interest rates.

“We are an analytical institute,” says Elsey. “We take in large quantities of data. The MPC [Monetary Policy Committee] is, driven through economics, doing analysis providing statistical information. But like any other organisation that has quite a lot of operations, we also have reporting and analytics to support our organisation around everything from the payment transactions that are going through to how our systems are running all the way through the organisation.”

Analytics also plays a growing role in cyber security. Central banks are now being targeted by organised crime groups and state actors, forcing the banks to boost their detection response capability. Big data analytics helps them process the millions of new events they ingest every day and identify signs of unusual behaviour that improve detection and response.

“As those threat actors have changed, you can’t have just preventative basis,” says Elsey. “You really need to analyse the information and be able to understand your network, which is why we’re seeing such an increase in the type of skills that we have in that area.”