Vodafone 2024 Annual Report

49 Vodafone Group Plc Annual Report 2024

Strategic report



Other information

We augment our internal capabilities where necessary with third-party specialist technical expertise, such as digital forensics, red teaming and penetration testing. We use specialist resources to perform testing of our telecommunications networks. We also use qualified external resources to help during the implementation of change and improvement projects. Our scale means we benefit from global collaboration, technology sharing and deep expertise, and ultimately have greater visibility of emerging threats. An example would be our global security operations centre which takes inputs and telemetry from all the markets where we operate. Cyber security function Team Responsibilities Governance, – Cyber risk framework and management across the Group. – Define and track adoption of controls and – Define cyber strategy aligned to technology and Company strategies. – Products, services and internal systems are secure by design. Cyber Prevent: – Engineer, deliver and operate global security platforms, driving continuous improvement Cyber Defence: – Perform threat intelligence & security testing. Detect events and attacks through 24/7 monitoring. – Respond to events and incidents to minimise the impact to business and customers. Local Market Teams: Risk and Control: procedures, and measure effectiveness. – Identify and reduce supplier cyber risk Strategy and Secure by Design: – Responsible for managing and embedding cyber security in our local markets, including meeting local cyber regulatory and compliance requirements. Our approach to cyber security is summarised in the following diagram and the accompanying video linked below. In the video, cyber security experts from across teams in the cyber security function explain our approach across the lifecycle: identify, protect, detect, respond, recover and govern. Scan or click to watch our cyber security experts summarise our approach to cyber security: investors.vodafone.com/videos

The Chief Technology Officer has been at Vodafone since 2009. During that time he has held positions in Vodafone Business Product Management and Technology, has been UK CTO and since 2021 the Chief Digital & Information Officer leading an integrated Europe-wide technology team. Within the cyber security organisation, led by the CTAS Director, we have heads of global cyber security functions, local markets and regional cyber security leaders. This global leadership team is responsible for directing, managing and reducing cyber risk across Vodafone. Market and regional cyber security leaders are also part of their local management teams, with a dotted matrix reporting line to local chief information officers. The CTAS Director has led cyber security in Vodafone since 2015. Prior to joining Vodafone, the CTAS Director was chief security officer at a large UK bank, after previously holding security and technology audit leadership roles in financial services and the UK postal service. The CTAS Director is an independent advisor for a large UK retail company, a member of the UK Cabinet Office National Cyber Advisory Board and holds several other industry advisory and committee roles. Our broader cyber leadership team has significant cyber security and technology risk experience across business sectors including telecommunications, financial services and professional services. The cyber security leadership team reviews detailed metrics monthly covering security controls status, updates about the threat landscape, and specific key risk indicators (‘KRIs’) for our most important controls. Examples of KRIs include results of independent network testing by third parties, vulnerability management, patching, hardening and endpoint security status, and incident metrics. Internal reporting provides a detailed view of progress and risk reduction. If markets are consistently not achieving targets, they are expected to have plans in place to recover. Quarterly summary management reporting is provided to the technology leadership team and Executive Committee. This is supplemented by monthly control status reports which track targets and are discussed in regular meetings with local market leadership teams. The top level Cyber and Information Security policy is approved annually by the CTO. To provide functional governance, we have a quarterly Cyber Risk Council meeting, chaired by the Head of Cyber Governance Risk and Control, and attended by the CTAS Director, the CTAS leadership team and cyber security leaders from each market. The meeting reviews and approves detailed cyber policies and standards, monitors cyber risk and threat, and oversees key strategic programmes. Cyber security risk is also reported to and monitored by more senior committees including the Technology and Audit and Risk Committee, chaired by Internal Audit and the Vodafone Group Risk and Compliance committee, chaired by the Chief Financial Officer (‘CFO’). The CTAS Director attends both of those committees to provide updates as required. Board The Board Audit and Risk Committee (‘ARC’) is the responsible committee for the oversight of risks from cyber security threats. The Committee receives updates from Internal Audit throughout the year. The Line of Sight report documents the risk tolerance, risk position and mitigating actions for each principal risk of the company, including cyber threat. This is presented and reviewed annually. In addition, the Committee reviews cyber risk based on a paper and presentation from the CTO and CTAS Director. The report collates the data that covers all local markets’ security status. The paper also typically includes threat landscape, incidents, security position, residual risk, strategy and programme progress across the Company. The most recent update was provided in March 2024. The Chair of the Board’s Audit and Risk Committee is the Senior Independent Director of the Board. A former CEO at a UK financial services company, he has significant experience of overseeing technology and cyber issues.

Chief Technology Officer

Cyber Security, Technology Assurance and Strategy Director

Local Markets

Central Functions Strategy & Secure by Design Cyber Prevent

Second Line of Defence Cyber Governance, Risk & Control Technology Assurance


UK Other Europe


Cyber Defence

Governance Management

The Chief Technology Officer (‘CTO’) and Chief Network Officer are the Executive Committee members accountable for managing the risks associated with cyber threats and information security. The Cyber Security, Technology Assurance and Technology Strategy (‘CTAS’) Director is responsible for managing and overseeing cyber security across Vodafone and reports to the Chief Technology Officer.

Powered by