IBM Consulting with HMRC

Performance Improvement in the Public Sector

In the face of increasing external threats, the HMRC Executive Committee identified a pressing requirement to invest in security to ensure that HMRC remains safe from these ever-changing threats. The Cyber Tactical Remediation Project (CTRP) and latterly the Enterprise Security Programme (ESP) were established to implement new technologies and practices to reduce this strategic risk and better protect HMRC’s citizen, staff and government data. With a complex internal and external supplier landscape and an environment beset with technical debt, a collaborative and cooperative ‘rainbow’ team, with IBM selected as the lead delivery partner, was needed to reduce HMRC’s strategic risk position.

Given the nature of the evolving external threat landscape and the potential impact on HMRC operations and citizen data, multiple projects were established under the banner of CTRP. All projects comprised experts from the Civil Service, contingent labour, other government departments, and a network of supplier organisations – operating as one team. These included:

  • Technical remediation streams protecting critical services
  • Security policy writers to deliver fit-for-purpose policies and procedures
  • Operations improvement to increase the proactive identification of threat actors
  • Network specialists to protect the external boundaries
  • Enhanced risk analysis and assessment – early identification of threat vectors

ESP delivered a material and demonstrable reduction of cyber risk to HMRC, greatly improving the resilience of the organisation against cyber-attack. The programme delivered an entirely new set of policies and technical standards (which have been shared outside of HMRC by GSEC as examples of good practice), bolstered HMRC’s external network protection, updated servers and applications supporting critical business services, encrypted citizen data, remediated weaknesses in HMRC’s cloud-based environment and deployed new technology capabilities for deployment across the entirety of the complex HMRC IT landscape, all within a reduced budgetary envelope enabled by strict financial and project governance controls.

IBM have successfully supported HMRC to deliver a demonstrable reduction in their cyber risk profile. IBM delivered risk analysis across ~100 systems and services to identify the required technical remediation themes.

IBM then supported the delivery of key areas such as enhanced encryption at rest and in transit across key business services, deployed critical security patches to >100 systems and services, and project-managed the deployment of best-in-class anti-phishing tools across ~65,000 users.

ESP reduced HMRC’s strategic security risk through:

  • Improved understanding of the cyber risk landscape and the HMRC posture
  • Improving IT infrastructure by creating appropriate barriers that prevent attackers from traversing the HMRC network during a breach or attack
  • Improving visibility and management of security vulnerabilities and events
  • Streamlining and enhancing cyber risk reporting to support focussed, informed decision making
  • Updating and hardening critical HMRC services – defending against tens of thousands of vulnerabilities
  • Enhanced encryption of citizen data
  • Producing a new suite of security policies and procedures to support modern agile ways of working
  • Adopting National Cyber Security Centre (NCSC) Active Cyber Defence services.
