A TM Forum survey reveals that broader risk management frameworks increasingly guide CSP cybersecurity strategies. And the shift will require substantial operational and technological changes.
Why cybersecurity risk management is high on CSPs’ agenda
Traditional tick-box regulatory compliance is being subordinated to broader risk management frameworks as the lodestar guiding CSP cybersecurity strategies. This is the most striking finding from a new TM Forum report based on a survey of CSPs – “Cybersecurity strategies: risk management moves firmly into the telco spotlight.”
In its most simplified form, cyber risk management is a framework for arriving at robust assessments of the potential costs – however they are defined – that arise from specific cybersecurity incidents, and combining each one with the probability of that incident occurring to arrive at a quantifiable annualized risk. So an incident that is assessed as having a potential cost of $100 million, with a 40% chance of happening in any one year, is considered a $40 million-a-year risk. Cybersecurity investment choices are then driven by those assessments.
Cyber risk management is a subset of a broader risk management framework for managing legal, commercial as well as other types of business risk. The risk associated with being non-compliant with government-mandated cybersecurity regulations becomes a subset of cyber risk management.
While some telco boards and management teams are showing leadership in their own right in adopting cyber risk management frameworks, the more common driver is the global trend towards more stringent cybersecurity regulations of the telecoms sector and other critical industries. Take the EU’s NIS2 Directive, with which telcos with EU-based operations will have to comply. Article 77 of the Directive mandates that “a culture of risk management, involving risk assessments and the implementation of cybersecurity risk-management measures appropriate to the risks faced, should be promoted and developed.”
While the compelling survey evidence of CSPs looking to adopt these principles is encouraging, there should be no doubt as to the scale of the challenge involved in executing on a cyber risk management framework to a high standard. For example, a second key finding from the TM Forum survey is the high priority CSPs place on ensuring that cybersecurity strategy is increasingly threat intelligence-led.
This is as it should be. But most CSPs are a long way from being able to use threat intelligence well enough to support cyber risk management to a high standard. Normalization of the way many cyber threats to telecom networks are labelled and described is still in its infancy. The same is true of the formats in which information about telecom cyber threats is stored. There are wide variations among CSPs in different countries, those in the same country, and even within different departments in the same CSP organization.
Moreover, being cyber threat intelligence-led means much more than just being highly sensitized to what cyber threat actors are up to. It also requires highly accurate mapping of that threat landscape to the specific vulnerabilities within the organization’s own internal environment. That, in turn, requires extensive visibility, continuous monitoring for cyber threats to be able to detect and report them, and a highly developed ability to map the capabilities of the organization’s security stack to mitigate the latest threats. These are capabilities that are lacking in most CSPs today – especially in the case of their operational technology, their telecoms networks.
A risk management approach is certainly the right way forward for CSPs. But it requires substantial changes in the way people, processes and technologies are deployed in day-to-day cybersecurity operations.