The NRMA traces its heritage back to 1920 and for the last 100 years has been focussed on keeping Australians moving.
It’s a focus unswayed even by the pandemic.
NRMA has resilience woven through its DNA; and has in recent years substantially enhanced its digital resilience, implementing robust technology foundations with performance and security front and centre.
Chris Swadling is the Senior Manager of Infrastructure at NRMA. He says his team’s role is; “To make sure that our systems are secure, functioning, and performing so that our people can best serve our members and customers.”
It’s a typically laconic response that NRMA members are familiar with – the sort of ‘I’m just doing my job’ comment you might expect from a Roadside Service Patrolman rescuing you and your family from a cold rainy night stuck on a freeway hard-shoulder.
The NRMA Group today though extends far beyond roadside assistance and includes businesses such as Thrifty Australia and New Zealand, My Fast Ferry, Fantasea and Australian Tourist Park Management. The organisation employs around 4,000 people in 150 locations and Chris and his team of Engineers manage the infrastructure that supports them.
According to Mark McLean, managing director of Quorum, which is a member of the Cloud Collective; “ It’s been a privilege to work with NRMA, to really understand the challenges that the organisation faces, and then together to blueprint and deliver a digital foundation that meets today’s needs and also evergreens NRMA for the future.”
Working with the Cloud Collective, NRMA has benefited from a Microsoft 365 E5 licence which delivers a slew of additional security and data governance features for the organisation. Microsoft caught up with Chris to find out how.
Microsoft (MS): What were you looking for from Microsoft 365?
Chris Swadling (CS): Our board and senior leaders are continually looking for us to improve our security posture to protect our members, customers and brand. We’ve got a well known and trusted brand. We don’t ever want to compromise the loyalty and trust that comes along with that.
We were primarily looking at ways to improve our security, compliance and data governance posture across the Group. We want to continuously improve security controls without impacting the ability of our people to work and collaborate. Some of the things we’ve prototyped or have implemented include PIM & PAM – Privileged Identity Management and Privileged Access Management; Advanced Threat Protection, End-Point Detection and Response (EDR), Cloud App Security, Azure Information Protection (AIP), and also the big one that everyone wants, Conditional Access and Multi Factor Authentication (MFA).
We are also piloting Azure Sentinel.
MS: How long did this take?
CS: From initial conversations to where we are now is about six months. It never really stops though. We’re continually working to improve and deliver.
We’ve rolled out Teams for better Collaboration – that took us two weeks – and we’ve earmarked using it for Enterprise Voice in the future.
MS: How has this increased security affected users?
CS: The transition has been relatively seamless for the end-users, our staff. The main changes for them are registering for things like MFA, getting used to tagging mail and documents correctly. For the most part, the beauty of all of this stuff is that it’s largely transparent to the end-user. What it does for us as a technology team is that it gives us more visibility into what’s going on, across the organisation and the option to implement controls more rapidly. There’s also a lot of automation/autonomy in these toolsets so that takes some pressure off the team.
MS: Have you been able to measure the impact?
CS: We used Microsoft Secure Score as the baseline and to show improvements as we went along. I believe we compare favourably or are in front of most similar size organisations. We definitely can see that we’ve made improvements but also know there is a long way to go.
MS: How have your digital foundations helped you navigate the pandemic?
CS: Some of it was implemented prior, and a lot of it has been implemented since. Prior to COVID, we only had a small percentage of staff that accessed our systems remotely. Post-COVID, nearly everyone now works remotely. That means a large increase in exposure and there are more vectors for attack. We’ve worked with Cloud Collective and used things like Conditional Access and MFA in front of our VPN technology to help further secure the increasingly distributed team.
We’ve implemented Azure Proxy in front of the platform that’s used by our contact centres. That gives us Conditional Access, MFA and visibility of what’s going on there too.
We have also rolled out Windows 10.
MS: Do you think this new way of working will persist?
CS: Yes. Our new mantra is ‘work is a thing you do, not a place you go’. We’ve been looking at flexible work arrangements and have initiatives in the pipeline to hopefully unlock new labour markets, regional areas for instance, providing opportunities for people would come work with us. We’ve had to bring initiatives forward and the Cloud Collective Team were happy to facilitate, extremely helpful and flexible in the delivery of the project.
The goal for us long term is to move away from reliance on our physical locations and networks and move to an identity-centric model, where our people can do what they need to do from where they want to on any devices they would like. Ensuring we have the appropriate security in place is key to us achieving this.
MS: How fast did you transition to remote working?
CS: I’ve got a team of superstars! The week that COVID hit there were maybe 50 people a day working from home. And then after COVID, nearly everybody was working from home within a week. Mainly this was our contact centres, back-office staff and central functions like Finance and Technology. Our frontline employees are still there helping people every day.
And in another typically laconic note, Chris concludes that; “It’s been both a challenging and interesting past six months. It feels like we’ve done more in the last six than we did in the 12 before that. It’s been exciting.”
This case study was also featured in the media: