Google Vulnerability Analytics

The Google Vulnerability Analytics (GVA) project has been built on Google Cloud Platform (GCP) in the Cyber Security department.


The goal of the platform is to provide a vulnerability management service to internal users and business stakeholders, and to digitally transform the value stream and align to the organisational cloud-first strategy.


The platform scans internal and external data sources, and consolidates all vulnerability data into a central data store.


Then, the data scientists and analysts can analyse and triage all vulnerability data, create reporting and remediate accordingly. It also gives the users the ability to apply analytics and machine learning models to the data to identify potential issues, and enables the senior stakeholders to make informed decisions to keep the bank secure.


I led a cross-functional team consisting of data, security and DevOps engineers. Starting with the team formation through to defining and agreeing the team charter and ways of working, we kicked off the product development in an agile fashion.

Users of the future platform have been key to correctly designing the platform so that they benefit and spend their time on delivering value to their customers rather than on manual activities.
Therefore, I led user identification and stakeholder mapping to effectively engage with all relevant user/stakeholder groups and satisfy their needs.

As an agile team we have used Scrum to allow us to plan our platform work effectively, and we run it in a 2-week timebox. I have facilitated all agile ceremonies including daily stand-ups, sprint planning, retrospectives and demo for the stakeholders/users.

I have also supported the Cloud Centre of Excellence including DevOps and Agile principles and ways of working that I’ve been actively sharing within the Agile community.


Our key achievement has been knowledge transfer and sharing everything we know about DevOps and Agile ways of working. Embracing the DevOps culture and co-creating the new innovative solution and processes with the users and business stakeholders has been crucial for our project success!

Despite the technology innovations and shifting priorities, the result is a secure, highly automated data pipeline in the ‘live’ environment which enables users to spend more time working on the analysis and less on data management. And this is what the platform users are doing and the new technology has enabled the users to deliver better outcomes.

The DevOps mindset has helped us succeed and follow the industry best practice whenever possible, but staying pragmatic and balancing the technology choices with the organisational security standards and governance also contributed to creating processes tailored to our context and the users’ needs.

Putting users at the heart of everything we do and designing the user-centred platform has proven our DevOps solution is fit for purpose, defined by the user needs and tested by the users.

We also took a security-centred approach and involved security and governance at the early stage of the platform development. This was essential to understand the limitations dictated by the organisation and the finance sector in general. Knowing the limitations, we understood how to go faster in the finance sector and what processes we need to have in order to achieve that.

In addition, as we have rolled out the MVP of the security platform, we have helped the business identify all vulnerability data and we continue resolving all security weaknesses. We have entirely eliminated all critical and high vulnerabilities to 0% but more importantly, we have reduced a potential risk or threat to the organisation which is a much bigger achievement!