The Royal Mint’s diversification means all change for IT and security

It’s a new era for The Royal Mint, Britain’s oldest recognised company and the official maker of UK coins.

Six months have passed since the death of Queen Elizabeth II, but that’s not all that’s changed at an institution established back in 886 AD. More recently, The Royal Mint has evolved its business model in the face of declining cash usage, from its core business of coins and metal manufacturing through to bullion trading, a new consumer business and jewellery line, as well as tentative steps into digital gold and recycling e-waste.

It makes a challenging proposition for Rich Hobbs, The Royal Mint’s group technology director, tasked with not only supporting business transformation, in areas as wide-ranging as e-commerce, CRM and data analytics, but also ensuring cybersecurity isn’t forgotten at a time Royal establishments are seen as fair game for newly-minted cybercriminal groups.

The Queen’s death brings e-commerce innovation

Hobbs joined The Royal Mint in January 2020, bringing 20 years of experience from financial services, where he worked for Barclays Bank, Barclaycard, Lloyds Banking Group and Admiral Insurance.

Now as group technology director at The Royal Mint, a limited company wholly owned by HM Treasury, Hobbs has looked to transform the technology landscape, modernise cybersecurity, and grow the IT function amid the organisation becoming, in his words, “more of a suite of businesses”.

The technology team has grown from 25 to 60 people over the last three years, with Hobbs now supported by heads of development, data, operations and digital performance, as well as a CISO and head of delivery. He says that IT remains largely in-house across helpdesk, data analytics, cybersecurity and development, bar small pockets of outsourced capability for software development and testing, and suggests that business growth hasn’t been the only challenge—not least in the days after Queen Elizabeth II’s death last September.

Hobbs says a hive of activity kicked off, noting new projects to redesign the website, for content delivery, and greater web resilience and security. The Royal Mint also had to prepare for the launch of the King Charles III coin.

“As a function, I brought together a core team and we started addressing the immediate needs,” he says. “Starting with the website, we needed to build new content and elevate existing content to reflect the event, which included a number of new web pages being built. As our link to the monarchy is extremely strong, we quickly recognised the need to ensure our website was prepared for the considerable interest from the public globally. We needed to scale up our platform and make sure customers still received the great experience they were used to.”

Cybersecurity threats require business language lift

This heightened business demand, along with the Royal moniker, does, however, come with risks. In the aftermath of the Queen’s death, Hobbs says there was a surge in website visits and online transactions—with up to 40 transactions a minute in an 18-hour period. An unfortunate by-product was a variety of cyberattacks.

“Our attack surface is huge,” says Hobbs. “Our [network] perimeter is scanned 30,000 a day.” This he attributes to the ‘Royal’ name, press coverage of new collector coins, and cybercriminals looking to disrupt service through DDoS attacks.

Hobbs has nonetheless looked to modernise security by communicating with the board and raising the business risk, working hand-in-hand on aligning tech and security objectives with CISO Rich Fowler.

The Royal Mint now sees cybersecurity as a competitive advantage over its competitors, boldly proclaiming its intention to be the most secure mint in the world. Yet Hobbs admits there was a degree of fortune about the timing.

“We’ve been lucky that our transformation of cyber happened with digital transformation, so the last two years we’ve talked a lot to the board about technology,” he says, adding that even as a non-executive member (he reports to head of supply chain), he’s been to the boardroom approximately 50 times during this period.

“We’ve had to lift the language,” he adds. “[Members of the board] don’t care only about the technology. What they need to make sure is that the system is up and running—and it’s delivering for our customers.”

To land his message about cybersecurity, Hobbs said there was a focus on transparency and business language in the boardroom.

“We simply took away the technical detail and focused on a single goal that our executive team could buy into,” he says. “We used a security scorecard benchmark and said we could become the most secure global mint.” They then reported back on the score’s movement of the score, going from68 to 98 in a year based on 10 core security metrics provided by securityscorecard.com, with 100 meaning there were no vulnerabilities on the visible attack surface.

“At each release point, or vulnerability fix, we noted the score change and then reported it and its causes,” he adds. “For example, we undertook a three-week vulnerability hackathon where all operations resources were allocated to cyber tickets. The responding improvement in score outlined two critical levers we could pull to improve our score: increased visibility of vulnerabilities allows for better prioritisation, and focused resource over a short period of time can make real-world improvements.

“It made further discussions with the exec more black and white without the need for more detailed, technical discussions.”

Talent pipeline starts with valued university partnerships

Staff attraction and retention have been similarly challenging, especially in Llantrisant, southeast Wales, where The Royal Mint is based.

The firm is competing with Lloyds Bank and local start-ups for tech talent, but Hobbs attributes his growing team to robust professional development pathways, workplace flexibility and an expanding footprint at the local university. He’s also realistic that IT team members may one day move on.

“We’re really strong in accreditation, so every member of the technology team has an individual career path,” he says. “And included in that is, what accreditations do you want? How do they benefit you? How do they benefit the business? And if there’s a point in two or three years where someone says, ‘I don’t think you can give me anything more here’, then I’ll happily help you find something else.”

To develop this strong talent pipeline, The Royal Mint has partnered with the University of South Wales and the National Cyber Security Academy, while working with the Network 75 scheme on technical apprenticeships. Three of the team—two cyber engineers and a risk manager—were hired directly from the University in their third years, prior to graduation.

“We work closely with the University of South Wales, National Cyber Security Academy, and support them in a number of ways,” says Hobbs. “We undertake project and dissertation support, guest sessions with students, and also provide case study scenarios for assessments. In return, we get the opportunity to scout for talent among their undergraduate population and perhaps beat the competition to the punch when recruiting.”

The future is about modernisation and experimentation

The future, says Hobbs, is about continuing to strengthen the firm’s cybersecurity posture, enhance the e-commerce experience, migrate the server stack to Microsoft Azure, and continue inroads with its new data strategy and ERP implementation.

He says nothing is being held back yet despite cost-of-living pressures and recession, with experimentation underway on VR training, and leveraging AI and digital twin technology to digitise manufacturing processes. “We’ve made huge strides in all aspects, from strategic planning, tactical implementations, recruitment, technology enablement and engagement with the business that it’s really hard to not be overambitious with our plans for the next year,” says Hobbs. “We’re now in a position to stabilise these huge improvements and start to scale activity.”