Information security issues are multiplying as security threats are on the rise and operators are moving into new services and technologies that bring with them additional vulnerabilities. In this article we explore the information security issues operators are facing, but also how operators can turn these into an opportunity for differentiating themselves in the market and even generating new revenues.
Also published as an article in Global Telecoms Business International Carrier Guide 2012
Operators need to accumulate security expertise quickly. Their business faces a series of challenges as network technology shifts to an all-IP environment which, because it is more widely understood, has more potential for security breaches. We’ve seen the need for operators to have the right people when they move into such projects. Moving to all-IP networks, operators recognise they are moving from an environment that requires high-end, niche knowledge that’s not freely available to anyone to a situation in which knowledge is dispersed across the entire IT network population — including the malicious part. It comes down to finding the right resources to put the right controls into your network.
In addition, we see that mobile operators in particular are still struggling with offering broadband services, which changes who has access to their networks and therefore requires additional security measures. That’s a risk that fixed line operators addressed some time ago, with their broadband networks well segregated, so mobile operators should have a good look at how fixed line players have solved that problem.
It’s not just a shift to technologies and services that amplifies the security risk. Recently the industry has experienced a serious increase in the volume of threats. We’re moving into an era where there are more cyber threats. The hacktivism of groups like Anonymous is increasing, as are malicious hacks that focus on accessing private data to commit fraud or just to sell on. There is even the idea of government-stimulated hacking, with some governments now openly admitting they have cyber warfare teams as part of their secret service or military. And if you want to spy on something, why not start with an operator – they have heaps of data for criminals to exploit. Furthermore, telecoms is also seen as critical infrastructure; interfering with it could bring a lot of damage to communications and all the regulating than regulated. Every country has, for example, its own privacy legislation and you need to comply with that. Operators are becoming more and more aware of reputational risk, though. Not to minimise the importance of privacy legislation, but some of the fines operators can get won’t keep the CEO awake – the fact that an incident or a fine gets publicised will, because it may result in huge churn and failure to attract new customers.
That potential for security breaches to inflict damage on the business means that security is high on operators’ agendas, and not because of regulation alone. At a lot of operators the C-level has become really aware of the increased security risks and of the need to protect the operator’s own reputation by addressing customer expectations about providing or protecting their data, services, PCs and mobile equipment. The industry is self-regulating because of that, although in certain countries regulators are pushing towards certification or at least towards having security assessments done by independent auditors, as in India.
However, we are also seeing more and more operators opting voluntarily for certification, especially for services rendered in the enterprise market. These certifications can act as differentiators or fulfil the trust requirement that many companies and organisations have when choosing professional telecoms services, especially in cloud, hosting and SaaS or similar services. ISO 27001 is currently the most prevalent certification chosen by operators, but in the future we also expect to see more ISAE 3402 SOC 2 (Service Organisation Controls) reports.
Security as a differentiator
Security could therefore become a means by which an operator can differentiate its propositions. To do that, operators must build upon their foundation as a trusted provider of communications and establish themselves in customers’ minds as natural providers of security services. Security and privacy are among the areas that people are uncertain about. Maybe customers don’t yet realise the importance of security but as they do — often when incidents happen — the demand may suddenly be huge and many customers will want to change to a trusted telecoms provider.
Perception is also a crucial factor. Acting as a trusted provider also implies that your own internal use of personal customer information is perceived as trusted. Operators have a lot of information on their clients, or have potential access to it, and they can use it to improve the services they provide to their customers. But can they use it without people thinking their privacy is compromised? Can you use that information to push new services to customers? For example, knowing which hotspot a user is on and which device they are using is great, but can it be used to improve services or push new ones?
Another aspect of perception is that operators should be aware that they might be blamed for security incidents outside of their control, such as malware on smartphones or unsolicited text messages. So becoming that trusted operator will also mean that you will need to think about helping customers address those risks.
Beyond simple communications, many enterprise-specific services, such as machine-to-machine or cloud-based services, are critically dependent on security. If users don’t feel their critical applications and data are secure, they simply won’t adopt them. With cloud services, for example, it is certain that operators will need to show and even prove they are secure, because customers will have a lot of questions they need to have answered before they entrust anything critical to the cloud.
However, there are two dimensions to security within an operator. The first, which we haven’t addressed yet, is internal security: protecting the operator’s own operations and the customer data it holds from security incidents. The other lies in becoming the provider of security services to its customers. Operators could become providers of security as a service, particularly in the enterprise market. That has the potential to open up new sources of revenue for them and to bring benefits in terms of increasing user loyalty and reducing churn. A trusted provider that delivers a demonstrably secure service is clearly differentiated from one that doesn’t, and operators are starting to assemble the expertise and resources they need to do this effectively.
We’ve seen a number of operators acquire managed services companies that already had security managed services solutions, or even acquire specific security firms. In many cases, operators have acquired a smaller firm to offer services to the lower end of the market. The higher end will often be well served by the existing security managed service providers. There are exceptions, though. Verizon, for example, has a huge offering in managed security services. In addition to acquisitions, operators might also cooperate or go into partnership with existing vendors of security services and offer them on top of cloud services.
Operators must prove their readiness
As operators seek to become recognised as providers of security services and solutions, could they be over-reaching in their hunger to access new sources of revenue and become value-added service providers beyond their traditional infrastructure role? Not necessarily: it’s not a case of over-reaching if they put all the systems and expertise in place in advance and can prove their readiness to provide such services. The way in which operators become recognised will depend on the strategy they choose, especially in the enterprise market.
Operators will also need to choose their markets carefully to avoid having to assume responsibility for things they can’t control, or to avoid picking battles they can’t win in the large enterprise sector. If you want to offer security as a service, for sure there is a market out there, but probably not for consumers without having secure handsets.
That’s what the telecoms industry will seek to find out as it brings managed security services to market.