BT Americas’ Security Chief: Security is No Longer Just an IT Problem, It’s a Major Board Room Concern

In the 21st century, data security has grown to become one of industry’s enduring problems.  Security concerns have moved far beyond the IT sphere because mobile, IT, and cloud communications are so integral to the global economy now.

Trouble is, security is a highly complex domain that requires special knowledge and a highly organized approach to identify an organization’s risks and chart a course to excellence.

But help is on the way from Jason Cook, the regional Chief Information Security Officer for BT Americas, whose security team widely advises enterprises and telecoms alike.  And we’re delighted to interview Jason and get his deep perspective on security issues.

On a day-to-day basis, Jason is responsible for BT’s security practice in the Americas.  Jason’s team is also one of the premier consulting organizations focused on data security for enterprises and telecoms in the Americas.

You’re going to thoroughly enjoy reading his clear explanation of six key motivators that are driving increased awareness — and fear — of falling behind in security protection.

	Dan Baker, Editor, Black Swan Journal: Jason, it would great if you could give us a quick backgrounder on BT’s role in security?

Jason Cook: Sure, Dan.  BT — as you well know — is a very global company.  A few years ago we completely revisited our security posture.  In that process, we stood up the security enterprise organization that is responsible for our internal security.

BT is ranked by outsider experts as the sixth largest shifter of data across networks.  We are easily seeing 50% of the internet traffic on the network.  Any way you look at it, we have a kind of “ring side seat” to security threats worldwide.

Of course, our heritage was UK-owned government.  BT was privatized in 1984.  And we have always protected Her Majesty’s government on many levels, across all continents.  Even here in the US, people don’t realize that we are part of the critical infrastructure in the US.

Now my responsibility here at BT Americas is specifically to address security needs across the Americas: Latin America, the U.S. and Canada.

	And what kind of customers do you primarily serve?

Many of our customers are multi-national corporations, FTSE 100 and Fortune 500 profile global customers.  We also collaborate with other carriers whose networks we touch from a wholesale or policing standpoint.

On the enterprise side, these are the big customers you would expect to see in the consumer package goods place, pharmaceuticals, finance sectors, in particular.  And the services we offer them are a mix of detection capabilities, monitoring visibility capabilities, cyber capabilities, and wrapped around that is our professional services and consulting.

Depending on how you read us globally, we are viewed as one of the largest security managed services players.  Our global practice currently employs 2,500 people.  In fact, we are now recruiting an additional 900 people — and the focus is no longer on bringing in experienced people from the street.  Actually, security veterans are very scarce these days.  That’s why we’re searching the colleges, universities, and other sources to hire the next wave of security practitioners we want to grow.

	Can you give us a feel for the key security issues you look for as you consult with enterprises and comms providers?

Dan, I think it would be fruitful if I walked you and your readers through the key motivators driving greater vigilance in data security:

The Six Key Motivators in Data Security Protection

1. Brand Protection
   
   Top of the list in terms of getting management’s attention is brand protection.
   
   In the last two or three years there have been significant security hits at big brand firms.  All of those breaches have made people think, “Hang on there, security is no longer just an IT problem.  This actually impacts our brand: brand recognition is majorly impacted.  It is costing us millions to recover just the brand piece.”
2. Mergers & Acquisitions
   
   Another big vulnerability point is around mergers and acquisitions. Traditionally when two large corporations merged, they looked at things like the customer base, ecosystem synergies, and the like — the focus has been purely on a commercial level.
   
   But what has not been adequately appreciated is: when you merge, you are opening up a very formal backdoor to another organization’s environment.  You are suddenly taking in this unknown entity and that creates a significant gap in security.
   
   More often, the main organizational differences are around culture.  But as you drill down into the people, processes, accountability and the technology that the merged company has chosen to invest in, the merger plan hasn’t really covered the security risk profile.  Security is a complete after-thought.
   
   I can’t give you names, but I’m aware of many acquisitions that were completely stalled at the last moment when people suddenly realized the security posture risks.  In several cases, they had to invest a lot more than anticipated to secure an acquisition.
3. Internet of Things
   
   The Internet of Things is another trend that’s having a big impact.  The connected IoT car shows why security is so critical in IoT.
   
   If you look at the whole design process of a car, safety is obviously critical.  Some of the main car manufacturers have recently had to do very expensive recalls because of security problems.
   
   So you have to ask yourself: if cars are increasingly connectable and WiFi enabled, why are these security issues cropping up?  Why have there been very expensive recalls?  It’s because, for too long a time, security was considered an afterthought — not part of the full process of building cars.
   
   Now Tesla, coming from a different heritage, has built security into their designs.  So when Tesla has had the same issues, it’s often an overnight patch update they push out to their vehicles.
   
   So it’s going to be very costly for many car companies to adjust since they basically need to reverse engineer the cars they produced in the last 5 to 6 years.
4. The Move to the Cloud
   
   BT firmly believes that the future of business is cloud enabled — we call it “cloud of clouds”.
   
   So why are organizations moving to the cloud?  Usually to save costs, but also business agility, the fact that they need to communicate with an ecosystem.
   
   But of course, you can’t go to the cloud if you’re not secure.  Fortunately, people are discovering that the cloud is inherently more secure than the current environment — it’s just that the security issues there are different.
   
   The big change is that the security perimeter has completely changed.  It is no longer about having a firewall at the data center.
   
   The cloud has awakened us to the fact that the perimeter is really you — your own identity and access.  You and I use devices in a very different way than we have traditionally.  So what’s needed is a different kind of perimeter altogether — one that’s built around identity and access management.  That’s critical moving forward.
   
   We still need to be careful as we navigate in the cloud, but the next thing is figuring out who you are, what you are doing, what you have access to, data borders, data sovereignty, all of those issues.  And how can we use biometrics and other techniques to validate that you are indeed who you say you are?
5. The Insider Threat
   
   Another side of the security problem is the “insider threat” And here I would broaden the definition of insider threat a bit because that’s not always a malicious insider.  Part of that is people not complying or not understanding the dangers of what they are doing.
   
   Actually many organizations hesitate to enforce data security too strongly — they don’t want the security team to be seen as always saying “No” — which of course drives more and more shadow IT.
   
   To counter that, one of the key principles we stress is “good hygiene”.  For instance many people are lax about passwords and that leaves people open to be exploited.
   
   Yes, there’s a small percentage of people who want to find the “crown jewels” of a company and sell that information.  But more often than not, the insider threat is people just opting to not follow security.
   
   As a result, security is so lax that anyone can come in and take advantage.
   
   We recommend organizations take it to a personal level.  For instance, you can ask employees: “What are you doing to secure your online passwords in your social media or your bank applications?” That usually gets people thinking, “Hang on a minute — forget about my day job — what about the security dangers to me, personally?”
   
   So if you educate people to protect themselves and their family, pretty soon they start applying those principles in the workplace.  This is why many organizations with internal threats work closely with the HR department.
   
   
6. Third Party Ecosystems
   
   Finally, a very serious security blind spot is the vendors an organization uses.
   
   Many assume that whoever their ecosystem partners are, those partners are secure or manage well what they are responsible for.  But that’s a very big leap in faith.  And recent security breaches impacting highly reputable companies such as Target were perfect examples of where that assumption failed.
   
   So how many organizations BT works with — either enterprises or other carriers — have actually reviewed this dependency?  How many have measured the risks they have on their third party ecosystem?  How many make a condition of connecting some proof that the potential partner is secure?  The answer is: very, very few.
   
   

So these are six key security motivators we are seeing at BT

	Jason, your points are splendid and easy to follow.  Thank you.  Lots of detailed information here for people to digest and apply.  I wonder in closing if you could discuss the typical subjects you cover when BT does a full security consulting assessment for an enterprise or telecom?

Sure, Dan.  The key outcome of our consulting is to instruct on how to properly implement data security planning.

Often we find a company’s plan is poorly constructed.  It is usually out of date, by a year or two.  And in this environment, that’s extremely out of date.

We advise them to continuously review their plan — and that plan is not a one-time thing at all.  It should be part of the way you run your business.  So, one of the first questions we ask board members or the leadership of any organization is: “Are you doing your monthly or quarterly security risk assessment?”

What is assessment all about?  It is not about the technologies.  It’s about: have you identified your crown jewels — your critical portfolio, your critical people, assets, locations.

And after that, have you quantified the impact of losing those crown jewels?  How are you managing it?  Because, what’s the point of having a security capability if you don’t know how to protect it?

Certainly the brand protection issue provides sufficient shock reaction to get people’s attention.

And more often, the problems are not about your critical IVR, customer records, and your own organization’s people’s records per se.  The key security weakness is usually around how that information travels through your organization.  That’s what you need to understand.

Where is my data right now?  Does it stay within the borders?  Who can see my data?  When and where is it encrypted?  What’s the data retention policy?

So these are the things that typically come out of a full security assessment.  And out of that comes education that enables you to reassess the technology you are using, your ecosystem of partners, and many other things.

What’s surprising is that the organizations we deal with may be very strong on some stuff, but quite light in other areas.