July 2016

BT Americas’ Security Chief: Security is No Longer Just an IT Problem, It’s a Major Board Room Concern

In the 21st century, data security has grown to become one of industry’s enduring problems.  Security concerns have moved far beyond the IT sphere because mobile, IT, and cloud communications are so integral to the global economy now.

Trouble is, security is a highly complex domain that requires special knowledge and a highly organized approach to identify an organization’s risks and chart a course to excellence.

But help is on the way from Jason Cook, the regional Chief Information Security Officer for BT Americas, whose security team widely advises enterprises and telecoms alike.  And we’re delighted to interview Jason and get his deep perspective on security issues.

On a day-to-day basis, Jason is responsible for BT’s security practice in the Americas.  Jason’s team is also one of the premier consulting organizations focused on data security for enterprises and telecoms in the Americas.

You’re going to thoroughly enjoy reading his clear explanation of six key motivators that are driving increased awareness — and fear — of falling behind in security protection.

Dan Baker, Editor, Black Swan Journal: Jason, it would be great if you could give us a quick backgrounder on BT’s role in security?

Jason Cook: Sure, Dan.  BT — as you well know — is a very global company.  A few years ago we completely revisited our security posture.  In that process, we stood up the security enterprise organization that is responsible for our internal security.

BT is ranked by outsider experts as the sixth largest shifter of data across networks.  We are easily seeing 50% of the internet traffic on the network.  Any way you look at it, we have a kind of “ring side seat” to security threats worldwide.

Of course, our heritage was UK-owned government.  BT was privatized in 1984.  And we have always protected Her Majesty’s government on many levels, across all continents.  Even here in the US, people don’t realize that we are part of the critical infrastructure in the US.

Now my responsibility here at BT Americas is specifically to address security needs across the Americas: Latin America, the U.S. and Canada.

And what kind of customers do you primarily serve?

Many of our customers are multi-national corporations, FTSE 100 and Fortune 500 profile global customers.  We also collaborate with other carriers whose networks we touch from a wholesale or policing standpoint.

On the enterprise side, these are the big customers you would expect to see in the consumer package goods place, pharmaceuticals, finance sectors, in particular.  And the services we offer them are a mix of detection capabilities, monitoring visibility capabilities, cyber capabilities, and wrapped around that is our professional services and consulting.

Depending on how you read us globally, we are viewed as one of the largest security managed services players.  Our global practice currently employs 2,500 people.  In fact, we are now recruiting an additional 900 people — and the focus is no longer on bringing in experienced people from the street.  Actually, security veterans are very scarce these days.  That’s why we’re searching the colleges, universities, and other sources to hire the next wave of security practitioners we want to grow.

Can you give us a feel for the key security issues you look for as you consult with enterprises and comms providers?

Dan, I think it would be fruitful if I walked you and your readers through the key motivators driving greater vigilance in data security:

The Six Key Motivators in Data Security Protection

  1. Brand Protection

    Top of the list in terms of getting management’s attention is brand protection.

    In the last two or three years there have been significant security hits at big brand firms.  All of those breaches have made people think, “Hang on there, security is no longer just an IT problem.  This actually impacts our brand: brand recognition is majorly impacted.  It is costing us millions to recover just the brand piece.”
  2. Mergers & Acquisitions

    Another big vulnerability point is around mergers and acquisitions. Traditionally when two large corporations merged, they looked at things like the customer base, ecosystem synergies, and the like — the focus has been purely on a commercial level.

    But what has not been adequately appreciated is: when you merge, you are opening up a very formal backdoor to another organization’s environment.  You are suddenly taking in this unknown entity and that creates a significant gap in security.

    More often, the main organizational differences are around culture.  But as you drill down into the people, processes, accountability and the technology that the merged company has chosen to invest in, the merger plan hasn’t really covered the security risk profile.  Security is a complete after-thought.

    I can’t give you names, but I’m aware of many acquisitions that were completely stalled at the last moment when people suddenly realized the security posture risks.  In several cases, they had to invest a lot more than anticipated to secure an acquisition.
  3. Internet of Things

    The Internet of Things is another trend that’s having a big impact.  The connected IoT car shows why security is so critical in IoT.

    If you look at the whole design process of a car, safety is obviously critical.  Some of the main car manufacturers have recently had to do very expensive recalls because of security problems.

    So you have to ask yourself: if cars are increasingly connectable and WiFi enabled, why are these security issues cropping up?  Why have there been very expensive recalls?  It’s because, for too long a time, security was considered an afterthought — not part of the full process of building cars.

    Now Tesla, coming from a different heritage, has built security into their designs.  So when Tesla has had the same issues, it’s often an overnight patch update they push out to their vehicles.

    So it’s going to be very costly for many car companies to adjust since they basically need to reverse engineer the cars they produced in the last 5 to 6 years.
  4. The Move to the Cloud

    BT firmly believes that the future of business is cloud enabled — we call it “cloud of clouds”.

    So why are organizations moving to the cloud?  Usually to save costs, but also business agility, the fact that they need to communicate with an ecosystem.

    But of course, you can’t go to the cloud if you’re not secure.  Fortunately, people are discovering that the cloud is inherently more secure than the current environment — it’s just that the security issues there are different.

    The big change is that the security perimeter has completely changed.  It is no longer about having a firewall at the data center.

    The cloud has awakened us to the fact that the perimeter is really you — your own identity and access.  You and I use devices in a very different way than we have traditionally.  So what’s needed is a different kind of perimeter altogether — one that’s built around identity and access management.  That’s critical moving forward.

    We still need to be careful as we navigate in the cloud, but the next thing is figuring out who you are, what you are doing, what you have access to, data borders, data sovereignty, all of those issues.  And how can we use biometrics and other techniques to validate that you are indeed who you say you are?
  5. The Insider Threat

    Another side of the security problem is the “insider threat.”  And here I would broaden the definition of insider threat a bit because that’s not always a malicious insider.  Part of that is people not complying or not understanding the dangers of what they are doing.

    Actually many organizations hesitate to enforce data security too strongly — they don’t want the security team to be seen as always saying “No” — which of course drives more and more shadow IT.

    To counter that, one of the key principles we stress is “good hygiene”.  For instance many people are lax about passwords and that leaves people open to be exploited.

    Yes, there’s a small percentage of people who want to find the “crown jewels” of a company and sell that information.  But more often than not, the insider threat is people just opting to not follow security.

    As a result, security is so lax that anyone can come in and take advantage.

    We recommend organizations take it to a personal level.  For instance, you can ask employees: “What are you doing to secure your online passwords in your social media or your bank applications?” That usually gets people thinking, “Hang on a minute — forget about my day job — what about the security dangers to me, personally?”

    So if you educate people to protect themselves and their family, pretty soon they start applying those principles in the workplace.  This is why many organizations with internal threats work closely with the HR department.

  6. Third Party Ecosystems

    Finally, a very serious security blind spot is the vendors an organization uses.

    Many assume that whoever their ecosystem partners are, those partners are secure or manage well what they are responsible for.  But that’s a very big leap in faith.  And recent security breaches impacting highly reputable companies such as Target were perfect examples of where that assumption failed.

    So how many organizations BT works with — either enterprises or other carriers — have actually reviewed this dependency?  How many have measured the risks they have on their third party ecosystem?  How many make a condition of connecting some proof that the potential partner is secure?  The answer is: very, very few.

So these are six key security motivators we are seeing at BT.

Jason, your points are splendid and easy to follow.  Thank you.  Lots of detailed information here for people to digest and apply.  I wonder in closing if you could discuss the typical subjects you cover when BT does a full security consulting assessment for an enterprise or telecom?

Sure, Dan.  The key outcome of our consulting is to instruct on how to properly implement data security planning.

Often we find a company’s plan is poorly constructed.  It is usually out of date, by a year or two.  And in this environment, that’s extremely out of date.

We advise them to continuously review their plan — and that plan is not a one-time thing at all.  It should be part of the way you run your business.  So, one of the first questions we ask board members or the leadership of any organization is: “Are you doing your monthly or quarterly security risk assessment?”

What is assessment all about?  It is not about the technologies.  It’s about: have you identified your crown jewels — your critical portfolio, your critical people, assets, locations.

And after that, have you quantified the impact of losing those crown jewels?  How are you managing it?  Because, what’s the point of having a security capability if you don’t know how to protect it?

Certainly the brand protection issue provides sufficient shock reaction to get people’s attention.

And more often, the problems are not about your critical IVR, customer records, and your own organization’s people’s records per se.  The key security weakness is usually around how that information travels through your organization.  That’s what you need to understand.

Where is my data right now?  Does it stay within the borders?  Who can see my data?  When and where is it encrypted?  What’s the data retention policy?

So these are the things that typically come out of a full security assessment.  And out of that comes education that enables you to reassess the technology you are using, your ecosystem of partners, and many other things.

What’s surprising is that the organizations we deal with may be very strong on some stuff, but quite light in other areas.

Copyright 2016 Black Swan Telecom Journal


About the Expert

Jason Cook

Jason is the Chief Information Security Officer for BT in the Americas.  He runs the regional security practice, ensuring that BT consistently maintains high standards for its own security and is responsible for portfolio, partners, and operations.

Jason previously served as Chief Architect/CTO for BT Americas, and the organization he led included service design and transformation teams.  He was responsible for delivering solutions for more than 7,000 of BT’s global customers across the company’s lines of business.  His twenty-plus years with BT have given him technical and leadership experience in infrastructure, architecture, development, customer service and extensive experience working with customers and vendors.
