Richard Orme, CTO of the Photobox Group (Photobox, Moonpig, Hofmann, posterXXL), discussed with CIO UK the cybersecurity pressures involved when handling the billions of photos uploaded by their customers.
"Consumer trust is at the heart of everything that we do," said Orme. "Our customers upload extremely dear and precious memories to us, so we are always looking to improve the way that we work in a security context."
At the Photobox Group, the Chief Information Security Officer (CISO) position is regarded as a pivotal role. "We went out and hired a guy called Dinis Cruz, who's our CISO, who is an active member in the security community right now," said Orme. "He hosts a lot of meetups, he's regarded as a thought leader in this space. We sort of gave him a blank piece of paper, and said, 'Okay. If you were going to take a look at everything we do, how should we rethink the way we do security?'"
Orme discussed how changing attitudes towards cybersecurity is a company-wide exercise. "It's not so much a question of what tools can we buy to help us? It's how do we change as an organisation? How do we change our culture?"
"That's where Dinis, our CISO, has been very strong," said Orme. "He'll sit with the engineering teams and educate them, and he'll create challenges for them. He'll commit code with them. So he really talks their language, and they respond to that massively. Instead of seeing security as something that they have to do, they now see it as an interesting problem to solve. Like with any engineering team, if you can give them a problem to solve, then they're at their happiest."
Orme said that while cybersecurity was previously something to be checked off a list at the end of the development process, this approach has changed. "We now bring those ideas and that thought process in right at the very beginning of our product development lifecycle," he said. "So customer security concerns are baked into every piece of software engineering that we do from the off. All of our datasets are encrypted. We are encrypting data at rest and in motion. We've worked with a number of different suppliers in the market, so we now actually have another couple of AI-driven devices that are continually scanning our networks."