When the folks at ADVA invited me to speak at their customer symposium in Hamburg earlier this month, I shared HardenStance’s “Cyber security imperatives for telecom operators.” Here are the six imperatives I pointed to then and continue to point to with telco clients:
- Embed security in your company’s DNA. Maybe you think telecom operators already do this? Actually, they don’t. Get familiar with the security capability maturity model (SCCM). Just search for the term online. It shows levels of organizational maturity with respect to cyber security on a scale of one to five. Today many government departments, and businesses in the finance, defense and some other sectors, rate as a level four or five. Most telcos rate more like a two or a three. They tend to have excellent processes in place for protecting their networks and their customers against large-scale service disruption. They even have outstanding records at protecting customer data in transit. But there’s more to embedding security in a telco’s DNA than that.
- Do a better job of protecting data. Telcos certainly have an outstanding record of protecting customer data in transit. GSM ushered in a quarter of a century of end-to-end encrypted communications for the mass market throughout the world. But the record in protecting data at rest is nowhere near as impressive. Try searching the name of any one of the telecom operators in your own national market together with the term “data breach.” If that doesn’t work, try a neighboring country. Or any global telecom operator brand. It won’t take long before you find evidence of a telco data breach. Admittedly, you won’t find one with the far-reaching consequences of the breach at Equifax. But we have still had dozens of smaller-scale data breaches in telcos in the last few years. Spurred on by GDPR, telcos need to fix this by improving things like access controls, such as with two-factor authentication, as well as monitoring access to data of both telco company employees and third-party suppliers.
- Pay more attention to integrity. With security still revolving around the three pillars of confidentiality, integrity and availability (CIA), telcos need to pay more attention to integrity nowadays. The connected car might be your least favorite – or perhaps your favorite – example of a next-generation networking use case but, in any case, it serves as a useful illustration. A failure in confidentiality here would mean someone can know where I am or access my data. A failure in availability would mean the vehicle can no longer self-optimize or self-drive. But if you take a Jason Bourne scenario, a failure in integrity might mean a remote attacker stalling my car at speed or driving me straight into oncoming traffic. More likely, a remote attacker might be able to switch on my car’s engine in the middle of the night, switch off all its location tracking functions, and drive it straight off my drive, never to be seen again.
- Monetize security. In the last year, BT has reported security revenues of £500 million. Telefonica has formed the Global Cyber Security Alliance (with Singtel, Etisalat and Softbank); KPN has completed a round of local cyber security acquisitions in the Netherlands; and Deutsche Telekom has opened a new security operations center (SOC) in Bonn, bidding to become “the largest provider of cyber security services in Europe” within a few years. A telco that doesn’t have a monetization strategy for recovering at least some of the cost of building extra security into its networks and services by charging for premium services is almost certainly missing something. This market is also going to see consolidation, by the way. My money is on Deutsche Telekom partnering with one of the big US players within two to three years.
- Spend time with enterprise CISOs. There are a lot of expectations being pinned on 5G. People think, say or hope that it’s not just going to be about higher capacity and efficiency fending off a slump in revenues this time round. This time the goal is that new enterprise use cases will drive new incremental revenues. But 5G will be the first “G” launched in the era of intense – and intensifying – cyber security threats. It will also be the first “G” to launch in the GDPR era. Enterprise CISOs will loom very much larger over the 5G procurement process than they have before. Telcos should be seeking them out now. Find out from the enterprise CISO team early on what security they’ll mandate for their network slice, and for their data when it’s stored locally out in the wilds. Or don’t. And develop a business plan for months without them, only for the CISO team to intervene late on and send you right back to the beginning to review basic design principles.
- Support open and transparent testing standards. IT security suffers from a lack of standards in security testing. Take a look at the work of the Anti-Malware Testing Standards Organization (AMTSO) and NetSecOPEN. Anyone who’s anyone in endpoint protection is in AMTSO. Anyone who’s anyone in next-generation firewalls is in NetSecOPEN. Both organizations are driving the creation of standards that will give buyers of IT security products the assurance that the way those products have been tested – or the way the testing of those products has been explained – has industry-wide support rather than being the preferred approach of just one independent test-house. It’s in the self-interest of telcos to support these organizations. As among the biggest beasts in the market, one could argue telcos have something of an obligation to engage further too. So far, they haven’t. But they should.
This is a subset of key security priorities for telcos to be getting on with. There are more but these are among the most important.