People think of cyber security measures as a necessary evil. Worse, many CEOs of enterprises think that information security is not part of the digital transformation journey that they’re on.
And that, says Mark Hughes, CEO of BT Security, is surprising. Those first two sentences are from him too, quoting many of the senior executives he works with as the person who is not only responsible for all aspects of BT’s security – cyber and physical – but also runs the operation selling security services to others.
“So we’ve produced a practical guide to help CEOs. They think they’re immune to attacks. This leads to a state of denial. Either that or they’re overwhelmed by the issue.”
But then they are urged to do something about it. “Sadly, once they have done something, this leads to a false sense of security,” says Hughes, who’s had his current role for four years. Before that he spent eight years as group security director of BT Global Services.
So he knows the security business. And he knows the mistakes people make. Some executives just don’t think their companies will be targeted.
“Often there’s a knee-jerk reaction, and that leads to a haphazard approach driven by sheer fear. Executives need to take a step back. Unfortunately some organisations don’t have anyone responsible or accountable.”
So companies appoint a chief information security officer (CISO – which Hughes pronounces “see-so”). That’s not always perfect. “CISOs tend to regard themselves as separate from the organisation. You need to get the whole organisation fired up. You need to make sure the CISO is working with the rest of the organisation.”
David Ferbrache, technical director at the cyber security practice of KPMG, with which BT produced its report, chips in that the appointment of a CISO can give a false confidence. “It can be a very lonely post.” One of the challenges is that companies set up “a lot of processes and that gives a compliance mentality”.
As a result, “people slavishly follow the processes and you lose your agility”. He adds: “You can see organisations setting themselves up for a failure.”
Hughes emphasises that companies need to set up the right culture to protect security. “It’s a hard lesson, and it doesn’t happen overnight.” Attacks do, though. We’re in a world where ransomware and data breaches are pretty likely. Ferbrache says a better attitude is to ask: “What will really cause my business to fail?”
The issue is changing because of the advent of cloud services. Some companies no longer have their own IT systems: everything is in the cloud, and that means a very different model is needed for security.
“There can be some catastrophic risks,” says Hughes. “But sometimes a good response is not a technical response. You have to think how the CEO and the C-suite will respond.”
The BT/KPMG guide is designed to aid companies to come to terms with the threats and “make decisions about where they are”, he says. “The environment changes so rapidly – and an organisation changes what it’s doing.” The leadership team “needs to understand it’s not as fixed as it may be. In true leadership, the ability of the organisation to be flexible is key.”
Hughes has a team of 3,000 people around the world, responsible for security in BT’s activities in 180 countries. He’s responsible for Openreach, its wholesale last-mile copper and fibre operation and for the consumer business. “I’m responsible for the networks and the physical infrastructure. And I’m responsible for taking those solutions to the market, with customers in enterprise and the public sector.”
He adds: “We’re running projects for entire countries.” Which countries? He smiles: “I can’t say. Client confidentiality.”
His team has to vet and approve all vendors that sell security-related products to BT. “We work through what is most important, sifting through the suppliers. This challenge has not yet settled down. People are still jockeying for position. The cyber area is much less mature [than vendors in other sectors].”
And not only security products, but network equipment and software also go through the scrutiny of Hughes’s operation. They are not just looking for security issues, but for security and stability of supply – and diversity of supply. “I wouldn’t want an all-Cisco network as much as I wouldn’t want an all-Huawei network,” he says.
“For all equipment we look at in-life management. Who’s accessing it> How is it being upgraded and patched? We need to ensure we have the right wrap and controls round it. We’re not going to do business with them if we don’t think it is right.”
As an aside, here’s a story from a dozen years ago, when BT was taking the first steps towards an all-IP network. The company identified its key suppliers that would help it deliver that goal. Missing from the list was a UK company, Marconi, and a North American company, Nortel.
Very senior executives in BT at the time – they have left now – hinted at the reasons for the omission. In one case, research and development didn’t match global standards; in the other, it was clear that there was deep concern about financial stability.
Marconi effectively collapsed, its remains to be absorbed by Ericsson. And the prediction about Nortel was right, though it took four years for it to die.
Back to Hughes and the present day. BT itself faces threats because of its huge global operation. But, he says, it’s good for BT: its security business is growing at 20% a year, “compared with the whole market, which is growing at about 8%”. The split between internal work for BT and work for external customers is about 50-50, he says, but he points out that the team has the ability to flex according to circumstances.
Some other telcos are in a similar market, he says, pointing to Deutsche Telekom’s T-Systems and NTT. “But there are things we’ve done that traditional competitors aren’t doing.”
The company is quick to spot new threats – such as the recent WannaCry attack. “We have a massive DNS estate, so we saw it quickly. With Petya, the routes in were different,” he says.
“My biggest concern is that our organisation can respond in the right manner. Our response times have come down hugely – literally minutes, or milliseconds in the case of a DDoS [distributed denial of service] attack.”
One of the services the company has to protect is its BT Sport operation, which provides live coverage of football and many other sports in competition with satellite and cable broadcasters. “If tools don’t kick in in milliseconds there are huge problems.”
Are football matches really at risk to cyber threats? Yes, because these can be caused by criminals with connections to the betting world. “And sometimes people also want to steal our content.”
The long-term answer to cyber threats? Virtualisation, says Hughes – perhaps surprisingly. Though the issues still need to be understood and worked through, he appears to feel that virtualisation will make it easier to control threats, because it will do away with physical equipment.
Ferbrache agrees: “Virtualisation is a godsend, because it moves everything away from the legacy IT estate.” He points out that there is a lot of legacy equipment about, and not just in the telecoms industry. “Look at industrial control systems. Some of them are quaint. But they’re performing well, and they’re never switched off.”
But these days such systems – many of which control utilities – tend to be connected to enterprise IT systems. “How do you provide a firewall?” he wonders, adding: “Legacy IT is a massive headache – banks, for example.”
The BT security business that Hughes runs shares information with its counterparts, he says. “I regard information sharing to be most useful, to understand what has gone on. I spend a lot of time doing that.”
Does that mean he shares information with heads of security in other large telcos worldwide? Of course, he says, name-dropping Jean-Luc Chataignon, chief IT and network security officer for Orange, and Chandra McMahon, Verizon’s chief information security officer. Phone conversations are frequent.
His unit also includes so-called “ethical hacking teams”, that try to penetrate BT’s systems, testing physical vulnerability as well as its susceptibility to cyber attacks. “I have a good team of people,” he says.
The process is called “red-teaming”: the red team represents the enemy. “The blue team are the defenders.” They work together, so that vulnerabilities that the red team finds are passed on, and at the same time the blue team tries to spot penetration attempts. “Are we learning any lessons?”
But at the heart of the problem – to return to Hughes’s first point – is that “people don’t think anyone will have a go at them. They’re affronted by the thought.”
They need to adjust their ideas to recognise that there are people out there who want to do damage to organisations, for a variety of reasons.
Indeed, points out Ferbrache, the attackers often have their own business plans and their ideas for what’s a good return on investment. That can be a better way to get a CEO of an enterprise to see why they’re being threatened: “Try to understand them as businesses,” he says.