Why the board needs to look again at cyber security

The telecoms industry has had a long relationship with cyber security. Many operators not only practice cyber security within their own organisations, protecting critical data and national infrastructure, but many also supply cyber services to other firms.

Guest author

August 22, 2016

5 Min Read
Why the board needs to look again at cyber security

From time to time, Telecoms.com invites third party experts to discuss the biggest challenges facing the telecoms sector today. In this post, Alan Nunn, Telecoms Subject Matter Expert at CGI assesses the impact of new cyber security regulation in the sector.

The telecoms industry has had a long relationship with cyber security. Many operators not only practice cyber security within their own organisations, protecting critical data and national infrastructure, but many also supply cyber services to other firms.

Despite this heritage and an undoubtedly high level of cyber security understanding in the sector CGI’s recent research found that, telecoms, of all business sectors was presently at highest risk. The Centre for Business and Economic Research who we worked with, based this conclusion on a model, which assessed relative risk based on the potential severity and likelihood of an attack. With the telecoms industry holding data valued at an average of £42 million and 52% of C-level executives surveyed believing their firm will suffer a breach over the next 12 months, the risk is all too apparent today.

Why is the telecoms sector vulnerable?

With such knowledge and experience within the sector why are telecoms firms at risk today? Well, in my view it has a lot to do with the pace of change in the industry. Along with constant technology change, we’ve seen large numbers of mergers and acquisitions over recent years. That level of change makes business continuity of any description a challenge. Multiple, siloed and often legacy IT estates need to be brought together and there is inevitably a period of co-running systems. This places increased strain on the cyber security function that already has to cope with securing networks that are becoming increasingly ‘open’.

However, cyber security certainly isn’t an issue for the IT team alone. In our view, cyber security is best considered an enterprise risk and as such board level governance focused on assigning appropriate resources to mitigate that risk is also critical. From our research we identified that, in this respect, the telecoms industry is perhaps suffering from a skills shortage. In fact, just 29% of telecoms board members surveyed believed their board had a high level of cyber security expertise. And please do keep in mind this is a self-assessment by the C-level leaders themselves. When thinking about why this might be in an industry otherwise awash with expertise it might reflect the increasing value placed on financial and accounting boardroom talent over recent years. After all in a maturing market such skills are needed to facilitate consolidation.

Evolving regulation

Regulators have responded to the cyber security threat, particularly across Europe. The General Data Protection Regulation (GDPR), recently passed into law following work in the European Commission, includes the potential to fine firms up to 4% of global revenues for mishandling customer data. This level of fine should focus attention from even the most senior leadership team. Where the business case for cyber security investment was once hard to justify we envision a raft of approvals for new investment in skills and technology over coming years.

What’s often less discussed in terms of the GDPR is the expansion of data now covered by regulation. Of particular note for the telecoms industry is the inclusion of IP addresses, cookies and Radio Frequency Identification (RFID) tags. Treating this type of data as ‘sensitive personal information’ is going to pose challenges for many. This requirement is likely to be particularly onerous for those operators looking to the Internet of Things as a means to support new service offerings and business models.

Similarly, the European Commission also agreed the Network and Information Services Directive (NISD) which is expected to be passed into law in August 2016. The headline requirement is for ‘operators of essential services’ must now take ‘appropriate security measures’ and notify serious incidents to national authorities. In other words, firms must now disclose cyber security breaches. In the telecoms sector public disclosure has already existed for sometime but the NSID expands this requirement to other critical service providers in banking, health and digital infrastructure. These changes will drive deeper collaboration between telecom service providers and their customers both to detect and report breaches.

Next steps

Set against this regulatory backdrop it’s time for many firms to take a step back and ask if existing cyber security governance is fit for purpose. At CGI we have developed a seven-step methodology for boards seeking to do just this:

  • Appoint a senior executive at board level, with the right competency, to be responsible for cyber security with the authority and know-how to address the risks

  • Include cyber security on every board agenda, reporting on: risk to the business, nature of sensitive data and mitigation progress at a minimum

  • Treat cyber security as a company-wide business risk and assess as you would with other key business risks, encouraging a discussion about risk appetite, risk avoidance, risk mitigation and cyber security insurance at all stages of a programme

  • Ensure that the company understands the rapidly developing legal landscape that applies to cyber risk, including the emerging European legislation in the form of the general data protection regulation (GDPR) and the Network and Information Security Directive (NISD).

  • Get specialist expertise to advise and inform the board, whether from internal teams or external advisors

  • Set a programme of work to manage cyber risk, allowing a realistic time and budget

  • Demand improved security from your IT suppliers, including products, systems and services

Some of the above might seem relatively obvious but in our experience many firms still treat cyber security as a technical issue, rather than a business risk. As such, the number of boards giving it the senior sponsorship they might to issues such as a competitive threat or broader technological disruption remains relatively low. The GDPR and NISD are opportunities to change this situation.

Alan-Nunn-150x150.jpgAlan is responsible for defining and developing capabilities within CGI and with partners to support clients in the telecoms industry in the UK. With over 28 years’ experience in the industry, Alan has a breadth of experience in the telecoms sector. Prior to joining CGI, Alan has held a diverse range of technology roles, most recently as Technology Strategy Director in the BT Business CIO team, responsible for planning IT solutions to meet business needs.

 

Read more about:

Discussion
Subscribe and receive the latest news from the industry.
Join 56,000+ members. Yes it's completely free.

You May Also Like