7
Culture, training and awareness
Vodafone Group Plc Cyber Security Factsheet 2024
Introduction
Strategy
Risk management
Our operating model
Threats and incidents
Compliance
Operating model continued
Governance Management
The CTAS Director has led cyber security in Vodafone since 2015. Prior to joining Vodafone, the CTAS Director was chief security officer at a large UK bank, after previously holding security and technology audit leadership roles in financial services and the UK postal service. The CTAS Director is an independent advisor for a large UK retail company, a member of the UK Cabinet Office National Cyber Advisory Board and holds several other industry advisory and committee roles. Our broader cyber leadership team has significant cyber security and technology risk experience across business sectors including telecommunications, financial services and professional services. The cyber security leadership team reviews detailed metrics monthly covering security controls status, updates about the threat landscape, and specific key risk indicators (‘KRIs’) for our most important controls. Examples of KRIs include results of independent network testing by third parties, vulnerability management, patching, hardening and endpoint security status, and incident metrics. Internal reporting provides a detailed view of progress and risk reduction. If markets are consistently not achieving targets, they are expected to have plans in place to recover. Quarterly summary management reporting is provided to the technology leadership team and Executive Committee. This is supplemented by monthly control status reports which track targets and are discussed in regular meetings with local market leadership teams. The top level Cyber and Information Security policy is approved annually by the CTO. To provide functional governance, we have a quarterly Cyber Risk Council meeting, chaired by the Head of Cyber Governance Risk and Control, and attended by the CTAS Director, the CTAS leadership team and cyber security leaders from each market. The meeting reviews and approves detailed cyber policies and standards, monitors cyber risk and threat, and oversees key strategic programmes. Cyber security risk is also reported to and monitored by more senior committees including the Technology and Audit and Risk Committee, chaired by Internal Audit and the Vodafone Group Risk and Compliance committee, chaired by the Chief Financial Officer (‘CFO’). The CTAS Director attends both of those committees to provide updates as required.
Board The Board Audit and Risk Committee (‘ARC’) is the responsible committee for the oversight of risks from cyber security threats. The Committee receives updates from Internal Audit throughout the year. The Line of Sight report documents the risk tolerance, risk position and mitigating actions for each principal risk of the company, including cyber threat. This is presented and reviewed annually. In addition, the Committee reviews cyber risk based on a paper and presentation from the CTO and CTAS Director. The report collates the data that covers all local markets’ security status. The paper also typically includes threat landscape, incidents, security position, residual risk, strategy and programme progress across the Company. The most recent update was provided in March 2024. The Chair of the Board’s Audit and Risk Committee is the Senior Independent Director of the Board. A former CEO at a UK financial services company, he has significant experience of overseeing technology and cyber issues.
The Chief Technology Officer (‘CTO’) and Chief Network Officer are the Executive Committee members accountable for managing the risks associated with cyber threats and information security. The Cyber Security, Technology Assurance and Technology Strategy (‘CTAS’) Director is responsible for managing and overseeing cyber security across Vodafone and reports to the Chief Technology Officer. The Chief Technology Officer has been at Vodafone since 2009. During that time he has held positions in Vodafone Business Product Management and Technology, has been UK CTO and since 2021 the Chief Digital & Information Officer leading an integrated Europe-wide technology team. Within the cyber security organisation, led by the CTAS Director, we have heads of global cyber security functions, local markets and regional cyber security leaders. This global leadership team is responsible for directing, managing and reducing cyber risk across Vodafone. Market and regional cyber security leaders are also part of their local management teams, with a dotted matrix reporting line to local chief information officers.
Click to read more about the Audit and Risk Committee’s oversight of cyber security on pages 89 to 94 of our FY24 Annual Report: vodafone.com/ar2024 Click or scan to watch our Chair talk about the importance of cyber security during a Board site visit: investors.vodafone.com/videos Scan or click to watch the chair of the Audit and Risk Committee talk about cyber security: investors.vodafone.com/videos
Chief Technology Officer
Cyber Security, Technology Assurance and Strategy Director
Local Market Heads of Cyber
Central Functions Cyber Strategy & Secure by Design Cyber Prevent
Second Line of Defence Cyber Governance, Risk & Control Technology Assurance
Germany
UK Other Europe
Africa
Cyber Defence
Powered by FlippingBook