Cybersecurity strategy is influenced by many competing factors from outside as well as within the telco organization. But which ones carry the most weight and why?
How threat intelligence-led risk management is driving security strategy
In June 2023, TM Forum carried out an online survey of CSPs about how they are formulating cybersecurity strategy and putting it into effect for our report Cybersecurity strategies: risk management moves firmly into the telco spotlight. The survey gathered insights from 59 individuals from 40 unique operating companies around the world. Nearly all respondents were at director level and above, with significant knowledge of their company’s approach to cybersecurity. In this extract from the report we look at the factors driving cybersecurity strategy and who influences decisions.
As part of the survey, we asked CSP respondents to rank the most important factors driving telco cybersecurity strategy. As shown in the graphic, the most critical by far is understanding and mitigating risk arising from the cyber threat landscape. It scored 3.5 out of 4.0, with about two thirds of respondents ranking it as their top choice. This reflects the threat posed by change and innovation in the cyber threat ecosystem. It also reflects the importance of an organization being able to rapidly interpret change in terms of risk for the organization – and then adapt to it.
Government regulation is also a significant driver, but only 17% of respondents ranked it as the number-one factor. On one hand this suggests that while compliance with cybersecurity regulations is recognized as critical and non-negotiable, traditional ‘tick-box’ compliance is no more than a minimum baseline for defining telco security strategy.
That said, the much lower score may also imply that most CSPs are not yet feeling the full force of the new wave of cybersecurity regulations set to impact them. Many of these go well beyond tick-box compliance relating to specific products, features or certifications. New regulations are prescribing increasingly detailed processes for how telcos should execute on a wide range of cybersecurity issues.
In many cases, these are processes that regulators have previously addressed with a light touch or not addressed at all, such as more detailed and more stringent requirements relating to incident detection, management, mitigation and reporting in CSPs’ SOCs.
Customer demand doesn’t score highly as a driver of telco security strategy because the primary objective is to protect the CSP organization itself – protecting customers is just one aspect of that. Responses to our survey question about security spending reinforce this.
From the perspective of a security team, the ‘customer’ is typically an internal business unit rather than the end customer. However the customer is defined, most just want to buy secure services. Most customers tend not to be very involved in prescribing how they are secured. So, while customers are central to telco security strategy, they’re generally not all that active in directly driving it.
One of the most significant survey findings is illustrated in the graphic to the right, which identifies risk management as the most important factor determining how telco cybersecurity spending is prioritized. More than 60% of respondents identified risk management as one of the two most important factors compared with half who chose regulatory compliance.
An approach driven by risk management denotes a more advanced cybersecurity posture than one that is more compliance driven. Cyber risk management typically forms part of a broader risk management strategy for managing legal, commercial and other types of business risk. Risk management does, nevertheless, overlap with compliance because risk management strategies take account of risk associated with non-compliance.
Crucially, risk management relies on quantifying risk. At a high level, a potential cybersecurity incident that is assessed as having an estimated cost of $100 million, with a 40% chance of happening in any one year, is considered a $40 million-a-year risk. It’s because these types of assessments require such a detailed understanding of one’s own risk exposure and cybersecurity posture – and because such quantifications can generate alarmingly high numbers – that embracing cyber risk management implies a relatively high level of cybersecurity maturity.
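The quantification above (cost multiplied by annual probability) is a single instance of a general calculation. The following is an added example, not code or data from the TM Forum report: it applies the same formula across a small constructed risk register and ranks the scenarios by expected annual loss, which is the ordering a risk-led spending prioritization would start from. Scenario names, costs and probabilities are hypothetical.

```python
"""Annualized cyber-risk quantification and ranking (added example).
Figures below are constructed for illustration, not survey data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    estimated_cost: float        # cost if the incident occurs, in dollars
    annual_probability: float    # chance of occurring in any one year (0..1)

    def annualized_risk(self) -> float:
        """Expected loss per year: estimated cost times annual probability."""
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be within [0, 1]")
        if self.estimated_cost < 0:
            raise ValueError(f"{self.name}: cost must be non-negative")
        return self.estimated_cost * self.annual_probability


# Constructed register (hypothetical figures). The first entry mirrors the
# $100M / 40% case in the text and yields a $40M-a-year risk.
REGISTER = [
    Scenario("Core network outage via ransomware", 100_000_000, 0.40),
    Scenario("Customer data breach (billing system)", 60_000_000, 0.25),
    Scenario("Regulatory fine for non-compliance", 20_000_000, 0.50),
    Scenario("Container breakout in cloud-native core", 30_000_000, 0.10),
]


def rank_by_annualized_risk(register):
    """Return (name, annualized risk) pairs, highest expected loss first."""
    ranked = sorted(register, key=lambda s: s.annualized_risk(), reverse=True)
    return [(s.name, s.annualized_risk()) for s in ranked]


def total_annualized_risk(register):
    """Sum of expected annual losses across the whole register."""
    return sum(s.annualized_risk() for s in register)


if __name__ == "__main__":
    for name, risk in rank_by_annualized_risk(REGISTER):
        print(f"{risk / 1e6:8.1f} M$/yr  {name}")
    print(f"Total expected annual loss: {total_annualized_risk(REGISTER) / 1e6:.1f} M$/yr")
```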
Cyber risk management is being explicitly incorporated into some of the new wave of cybersecurity regulations. For example, the EU’s NIS2 Directive specifies that “a culture of risk management, involving risk assessments and the implementation of cybersecurity risk management measures appropriate to the risks faced, should be promoted and developed”.
Such a high profile for cyber risk management in telco security circles is to be expected. That said, it’s important to recognize that embracing it is a journey; it can be adopted in phases.
For example, cyber risk management can be factored into some decisions or all decisions. It can be no more than one factor in decision-making, or it can lead decision-making. Hence the high score in the survey doesn’t necessarily mean a large proportion of CSPs are already at an advanced stage of using cyber risk management as of today.
At 51%, regulatory compliance isn’t that far behind risk management. This reinforces how traditional compliance remains a key factor determining how security spending is prioritized. While compliance is increasingly subordinate to cyber risk management, some telcos may still be more heavily influenced by traditional compliance.
Risk introduced with cloud-native network transformation is likely to increase in importance as CSPs move more support systems applications and network functions to the cloud. The scope for hackers to break out of a Kubernetes container to compromise other containers or the underlying infrastructure is just one example. As Anil Pawar, SVP and Head of Technology, Architecture and Strategy, Rakuten Mobile, puts it: “Cloud native is small decomposed microservices in a software-driven architecture, so security became a huge, huge challenge for us.”
In common with all businesses that are dependent on large investments in operations technology, several stakeholders have input into a telco’s cybersecurity strategy. The weighting of the influence that each has on a scale of 1 to 5, where 1 is little influence and 5 is a lot, is depicted in the graphic below.
Predictably, survey respondents identified the chief security officer (CSO) or chief information security officer (CISO) as holding the most influence over how telco cybersecurity requirements are prioritized, with 56% of respondents rating their influence a 5.
Respondents rated security directors and security architects as exerting greater influence over security requirements than the CEO or board of directors. In many cases, this delta probably does not reflect the relative influence of these stakeholders in terms of prioritization of spending. In some cases, it may reflect respondents addressing prioritization of technical requirements from among competing approaches for executing on priority objectives.