CIO100 2018 #25: Simon Tong, ASB
Simon Tong embarked on a different career transition when he joined ASB as executive general manager technology innovation and payments.
Prior to this, he was Managing Director at Fairfax Media.
ASB was then going through a transformation codenamed ‘Endeavour’ that was focused on bringing agile practices across the business.
“My immediate challenge was to ensure the transformation would be successful,” he says.
“My experience at Fairfax showed me how quickly organisations could be disrupted and I wanted to ensure ASB had an operating model capable of meeting the challenges ahead.
“I had to quickly come up to speed with the background of the changes, progress to date, and most importantly what were the barriers we needed to overcome to ensure the transformation was successful – all while we needed to deliver to our customer expectations, delivering projects, keeping our systems running and meeting our regulatory obligations,” says Tong.
“I liken it to changing the engines on a 747 mid-flight!”
To get feedback on new ideas, he talked to his team one on one, in town hall sessions and in team meetings. “I made it clear to my crew that I wanted their feedback and encouraged them to come and talk to me.
“In order to further my understanding and to ensure we had the best chance for success we have spent time looking at other organisations that had gone through similar transformations to factor this into our operating model.”
Tong says the transformation programme, now on its second phase, will involve ongoing iterations in order to keep ASB best positioned for the challenge ahead.
“With the experience and learning from my career to date, combined with the fantastic team at ASB, I am confident we can remain ‘one step ahead’ in the future.”
‘Educate, shift-left, tool up’
Today, Tong and his team are immersed in a new ‘way of working’ brought on by the Endeavour programme.
The transformation embraced agile work practices and re-organised traditional IT structures to tribes and squads, aligned to platforms and practices.
Over the last year, he says ASB has invested tens of millions in technology and business related projects, including technology upgrades, compliance, customer experience, innovation and digital initiatives.
As with all organisations, delivering these projects whilst managing cybersecurity threats has been a key challenge.
“During the transformation, it was obvious that traditional information security practices needed to evolve,” he says.
“We needed to support our business and technology to go fast, to help enable amazing customer experiences, while ensuring great security outcomes.”
He says a prime challenge they faced was the traditional view that security is a central team’s responsibility. “To overcome this, we had to inspire everyone to take responsibility for security within their squads.”
“We did this by creating an overarching goal to ‘embed security within teams and maintain a positive security culture’,” he says.
Delivering to this goal would be essential for security to remain relevant and valued within our new ways of working, and ensure that security is seen as everyone’s responsibility, he says.
The team focused on three steps to achieve this:
Educate: Provide people cyber security knowledge, support and foster their desire to really ‘get’ security and take ownership.
Shift-left: “Bake-in” great security at the start of the development lifecycle.
Tool-up: Develop and enhance security tooling, and automate as much as possible, to provide the capabilities and guardrails necessary to go-fast safely.
The team augmented these with activities ranging from ‘Lunch n’ learn sessions’ to penetration testing.
The security people ran a series of interactive conversations about the challenges that the bank faced for their planned approach. “We answered questions, listened to valuable feedback, adapted and evolved,” he says.
They also partnered with a world class provider of secure coding training, with special emphasis on security within DevOps. More than 70 developers and testers completed this intensive two-day hands-on course.
The team introduced Secure Code Warrior, a gamified online security coding training solution and provided it to all developers and testers.
They also designed and ran a ‘Capture the Flag’ competition where eight teams competed to find security bugs and fix them.
They designed and built ‘ScanIT’, a service that provides capabilities for the developers and testers to run sophisticated security tools within a guiding process. Examples include application code security scanning, web application security scanning and platform vulnerability scanning, says Tong.
He says they had significant buy-in from developers, testers, and all critical stakeholders on these programmes.
“We have provided resources, capabilities and insights that enable all of us to do our jobs better, while we have achieved a lot, SecDevOps is a journey focused on continuous improvement.”
Thinking - and acting - like a startup
On the innovation front, Tong says the Innovation Lab team continues to explore possible use cases for emerging technologies. These are done in partnership with their colleagues throughout ASB.
“However, beyond such research and development through the normal project process, there is a need for certain capabilities to be in place so that such insights can be channeled into change,” says Tong.
In order to support genuine innovation relating to key emerging technology trends, he says the team continued to build out their API and microservices environment.
One of the programmes they launched is ‘Unleashing Innovation’ which crowdsources ideas from ASB staff. After issuing a challenge about growing the wealth of our customers and helping them protect their lives and loved ones, we received over 100 ideas, which were peer-voted down to a top 20, he says.
The team also ran a two-day ‘hackfest’ where people from across ASB worked with their technology partners to ‘hack’ up prototypes and test these with customers.
Of the 20 ideas, 12 were selected to present to a panel of external entrepreneurs and investors. Their recommendations allowed for six of the ideas to move into the ‘Upstart’ acceleration programme.
He explains Upstart takes the traditional accelerator model and inverts it.
“Rather than ASB simply passively investing in an external startup accelerator, we empowered those six teams to work out in the startup ecosystem on their ideas for 12 weeks.”
The teams were based at the GridAKL co-working space, where they continued to develop their products, testing with customers, and exploring the pathway to value.
Three of the teams succeeded in making it through the entire 12 weeks and then pitched to a subcommittee of executives for funding to take their ventures into Incubation. These products will be released to customers within the year, says Tong.
He says ‘Unleashing Innovation’ and ‘Upstart’ provide ASB with the ability to genuinely engage with operating as a startup.
“The entire framework deployed at ASB is built around exposing as many people as possible within the company to these new ways of working,” he says.
“This model of encouraging internal entrepreneurial thinking – or ‘intrapreneurship’ – helps with the much larger goal,” he says. And this is about “transforming a 170-year old bank into an organisation that thinks and acts more like technology company that is licensed and trusted to provide financial service.”
“Such a transformation will help with ASB continuing to thrive in a disruptive and fast-moving market, and capabilities such as those learnt through these programmes will have impact beyond the ventures themselves,” says Tong.