With more than 900 staff, and a production cycle that sees plays staged across three theatres, along with outdoor events, exhibitions and backstage tours, the National Theatre has a demanding audience to please.
But while the quality of its productions is the key to attracting customers, National Theatre bosses are aware that with £18m coming in through online ticket sales each year, processing those transactions securely is vital to maintaining its reputation.
To comply with the payment card industry data security standards (PCI DSS), the National Theatre recently decided to deploy Qualys’ on-demand security suite, QualysGuard.
Previously, the National Theatre had tried to achieve compliance by employing external penetration (pen) testers and auditing companies.
"These firms did quarterly PCI scans, and also yearly pen tests, some internal Wi-Fi scans throughout the building, and also externally around our perimeter," says Richard Bevan, the National Theatre's IT security manager.
“When you examine the amount of man hours QualysGuard saves us in our own manual scans and the cost of hiring external third parties, the return on investment is clear,” he adds.
The National Theatre has about 60 servers, 1,000 networked workstations, its own datacentre and disaster recovery site, and hosts and manages its own web site.
The use of on-demand security systems has made it easier to secure the infrastructure when changes are made. "We tend to do a lot of those," says Bevan.
The system is also used to check the security of its web applications, along with testing third-party code. "For our own peace of mind, we also use web application firewalls," says Bevan.
The National Theatre's IT security team still uses penetration testers to audit the Qualys system and also to check parts of its Wi-Fi network, which is currently used for controlling lighting and sound systems.
"From my point of view, the fact that Qualys is always updating the functionality of the system is another significant plus point, so you're always getting new features," adds Bevan.
And increasingly, the Qualys system is being used to ensure its use of virtualisation technology does not introduce any weak points.