
How CMC Markets Mitigates Zero-Day Exploits

Highly regulated with online customers globally, CMC Markets takes a unique approach to zero-day attacks

When your business contains elements of financial services, retail, and gaming, you need an agile approach to security that combines in-house resources and third-party solutions. Online trading business CMC Markets is no exception.

In a recent conversation with Akamai, Philip Yeo, Head of Security at CMC Markets, explained how the business combines nonstop vigilance with lightning-fast reactions when a zero-day incident occurs. 

He also talked about the role Akamai plays in protecting the business and how regulators and insurers are responding to the ongoing threat of zero-day attacks.

To read the full conversation, please see the transcript below.

Natalie Billingham: I’m thrilled to be joined by Phil Yeo, who is responsible for security at CMC Markets. Phil, do you want to introduce yourself and tell us a bit more about what you do?

Philip Yeo: Sure, thank you. I’m the Head of Security at CMC Markets. We are a global online retail trading company. From a security side, we’re a bit like retail, because we have lots of end users accessing our services from many different types of devices. We’re also a bit like fintech because we’re regulated like financial services companies. And we’re a bit like gaming in the sense that a lot of the interaction from our users is very time sensitive. A connection drop or disconnection would result in an unhappy experience. 

NB: How did you start your journey with Akamai?

PY: CMC Markets has been around for a while and developed its technology, platform, and products in the UK. We now have customers from many countries in Asia and Europe, as well as Australia and Canada. These clients want real-time price streaming and charting and the ability to do intraday trading. The quality of the connection and overall performance is really important to us.

We had an initial implementation of a CDN from another vendor that didn’t go brilliantly. But we did learn that we didn’t want to be dealing with edge networks ourselves. Akamai also came to the table at a time when we were building out our WAF technologies. DDoS and DNS vulnerabilities were also on my agenda. When we looked at Akamai, we saw that we could get the content delivery platform, data center, DDoS protection, Site Shield, and the WAF as a managed service. It was a no-brainer really.

We focused on protecting a couple of products aimed at the UK and Australian markets to begin with. But the way the contract worked, once we did the tricky bits, we could have the Akamai security layer protecting everything. We made it our default policy that everything internet and public facing sits behind Akamai. 

The web, marketing, and SEO guys didn’t have a problem because our performance was more consistent and there was a reduction in complaints from our internal customers. That is the best thing from an internal security perspective. When the marketing people and the product people aren’t complaining about security, that’s a win!  

Akamai Managed Services also helped us get there. During the monthly adjustments, they showed a clear understanding of our risk profile. Especially when helping us to avoid false positives, which can be a major issue if you end up blocking a legitimate, high-value customer. 

NB: When you are thinking about other cybersecurity challenges that the financial industry is facing, what are the things that come to mind?

PY: There are so many things that can go wrong. The ransomware threat is real. We’re trying to stop people getting phished and malware from getting into our environment. Then the regulatory pressure is always there, and the audit regime feels kind of nonstop. 

NB: There are some especially rigorous pressures that you face in the world of financial services. Without revealing anything confidential, how do you overcome them? 

PY: I think the Zero Trust ideology makes loads of sense. We thought about deploying some kind of privileged access management, but that’s a lot of work and you need more than one solution to achieve it. There are no magic bullets for us. But if anyone knows, please tell me!

Where it is more positive is where there’s a legacy of in-house development and on-premises data centers that need managing. But where we’ve gone through a transformation adopting cloud technologies and a situation where different business units are cranking products out the door as quickly as possible, that presents another security challenge.  

How do we up our game if we want excellent security? And how do we do that and not slow down the development lifecycle? There are many things you can build into auto-compliance to enforce governance and security policies across the delivery pipeline. Then we can lay Akamai’s WAF edge platform over the top. 

NB: There’s a lot happening all the time. Especially when you straddle so many markets and different businesses. Although you’re in the financial services industry, as you mentioned, you’re close to gaming. How do you deal with high-heat events and spikes in consumer activity?  

PY: We’ve had to prioritize capacity because if you’re not online, your clients can go elsewhere. We’ve got some great guys who do capacity monitoring, and they’re looking at the busiest moments of the day, the latency of trades, and the capacity we need. We’ve done a lot of capacity modeling, and then we made sure we got external help with the CDN piece and DDoS protection.

NB: And you mentioned before about people. One of the things that we’ve all seen in the security industry is the challenge of finding good security people. How has Akamai helped you free up internal resources so that you can focus on more of your high-priority projects?

PY: With our previous provider, the question was, who was going to manage the policy on all of the applications? I thought we could do it. But we got to the stage where we were talking about letting dev teams manage some of those policies, and we realized that it wasn’t feasible. That was the tipping point moving us to Kona Site Defender as a managed service, so we don’t have to focus on tweaking stuff. 

I’ve looked at outsourcing and managed service providers with my boss quite a lot over the years. You’ve got to find something that’s right for you because you’re trusting other people with your security. 

We wanted to find areas where we could outsource or partner with a service provider that adds value, but where we don’t lose the control that we need to stay responsive. If there’s an issue, we want to get people on the phone straightaway.

NB: Yes, that’s often something that we speak about with customers. They want control, services, and customer intimacy. But they also want to retain their own agility and ability to execute. As the security stack becomes more complex and more specialized, that trusted partnership becomes more important.

PY: Absolutely. We’re finding this with some of the other areas we considered for outsourcing. We want to be able to override, deploy, or roll back whenever we want. If we can’t do that, it’s not going to be very comfortable. On the other hand, we don’t have the skills all the way down the stack for all of the products. 

NB: That’s good advice. If there are other Akamai customers in the room, what should they be asking of us or any provider to build that trust? 

PY: Akamai has global credibility. You had an incident last year and although it impacted us a bit, the way that you owned it, the post-incident write-up, and the overall transparency — there’s a whole load of stuff in place now that shows us you take this seriously. You were feeling the pain there as well.

NB: And when you think about your supplier landscape generally for security, are there particular areas that you focus on?

PY: I’ve been in infosec for 15 years, and the sales rhetoric is sometimes blatantly untrue. You are not going to give 100% protection with zero false positives — that’s just unrealistic. That is not helpful. We need vendors to back up their claims or give us what we need to try and evaluate.

NB: I think it is about finding what’s right for your own business, isn’t it? Since we’re getting into this area of advice, the last couple of years have been a bit unusual in many ways. What have you learned? What advice would you give to your peers?

PY: I’m sure there’s nothing you haven’t heard already! The pace of response is going up. We spoke to one of our insurance brokers about the current state of play, and it was interesting because it sometimes feels like the regulators are saying one thing and standards are saying another. It’s like the insurers are paying out for ransomware attacks and you know they’re paying out. They ask quite pointed questions about our security measures. 

One of the things they said they had seen is a massive reduction in the time between a network being compromised and the bad stuff happening. You need to respond more quickly. 

You need to detect an intrusion as early as possible when it occurs. And if you can’t action a response within a reasonable amount of time, that’s no good. The time available to limit damage is getting shorter and shorter.

It helps if you can leverage the wisdom of the wider community of clever infosec people. Twitter is helpful here sometimes. Who got hit first? Have you figured it out? Have you got a rule for it? Can I deploy it? Log4j would be a good example of where that was painful. But we had our Akamai WAF in place and got on the phone with you and that gave us some breathing space.

NB: That’s quite a lot to have to handle, isn’t it? Trying to be responsive, particularly on the ransomware side. Especially with the time to respond coming down and insurers breathing down your neck.

PY: And during the pandemic, everyone put in hours and hours and hours. You’re getting up earlier, you’re working all day and then people started to realize, “Hang on, there’s a human element to it.” We’re structuring our teams in a way so that they can respond quickly and be on the ball all of the time. But how do we also take steps so that you’re not burning people out?

NB: And how are you going about that?

PY: I keep having those conversations with management. I tell them, “How many times can you get away with a near miss with just a few individuals acting like superheroes?” We want to empower more people, develop people, mentor people, and learn from other people. 

NB: That makes sense. If we look to the future, what do you see on the horizon?

PY: The basic mistakes are still happening. There’s no barrier to being a web developer. The mistakes made 30 years ago are still happening. The top end’s getting harder, more complex. 

You’re talking about cyber insurance and security, which is strange because in the physical world, you’d think, “Shouldn’t I be worried that I’m going to get robbed and I can’t do anything about it?” But which governments are coming together to change that landscape? Actually, there are lots of tech companies leading, which is interesting. But do you really want your regulations set by tech companies? I don’t know. 

NB: Yes, there is a lot of work going on around shaping public policy. And then the regulations between the EU and the UK and the US are different. It is a fascinating area at the moment, given where we are with the war in Ukraine. Are there particular technologies that you’re thinking about using as you look forward?

PY: It depends on what we’re looking at. If I had a greenfield project, I’d start again very differently. I think a lot about Zero Trust, especially microsegmentation. I’m interested in talking about what can be done with serverless workloads as well.

NB: Does anyone in the audience have any questions for Phil? 

Audience: In regard to automation and artificial intelligence, how comfortable are you going down the automation route? How deep can it go in your security landscape?

PY: We’re not scared of it at all. We’re talking about heuristic machine learning models that are just mathematical approximations. If you know what you’re using and where you’re using it, then it can be sensible — or not. It depends on the situation. You can have a rigid rule, or you can have a more complicated rule. Pattern matching is good for some situations and a bad idea in others. 

What we are doing internally as a business will be proprietary. But we’re looking for vendors where they can go deep and train. We spend hours trying to spot what’s anomalous, and that’s a real help with fault prevention and capacity. 

One of my colleagues built a lot of monitoring tools that look for anomalies. We didn’t need classic machine learning models to get far with that. So I think there’s still an element of hype around the technology. But overall, I wouldn’t be scared of a service that uses machine learning.  

Audience: You mentioned the way you communicate with others in crisis situations using Twitter. How important do you think this community is going to be in the future, and what do you see as a role for a vendor like Akamai?

PY: Twitter is great. I’m not a particularly prominent user, but I talk to people I know using those channels. I love it when someone finds something like a malicious string that they can share with the rest of the community. You’ve got vendors putting information together, doing what they can. A lot of the security analysts are excellent. They’ve got their finger on the pulse. I want to learn from anyone who’s already solved a problem. From our side, we want to share when there’s anything that would benefit the community.

NB: Phil, thank you for taking the time to talk with us, we really appreciate it. 

PY: Thank you.

 

