I’ve been observing the Telco industry progress on ‘transformation’ and focusing on “security” or “cyber security” immensely for some time now. Recently, I got an opportunity to be a part of the panel at a Telecoms forum in the Middle East where participants discussed and debated the topic ‘Securing the Telco’.
Cybersecurity – Perspective of Technology Leaders
It would be fair to say the importance of the term ‘security’ depends on the role, function or perspective of the Telco presenter or advocate in any given situation. A person in a Cybersecurity Products Director role will, quite naturally, think of ‘security’ in very different terms than Network Architecture or VP of Operations. As a prime example: Telco Network & Technology Executives or VPs who are found to be frequently commenting or reflecting on the Telco network transformation strategy and programs will look upon ‘security’ as a critical ‘posture’ or ‘capability’ of a highly secure, resilient & available future network architecture – a parallel to the long-standing, well-practiced ‘CIA’ triad of information security.
Let’s concentrate on what the technology leaders at Telcos think and feel about ‘security’ as they have the primary influence (as well as holding budgets!) about how Telcos’ business, network & operating models will take shape and evolve in the coming years.
This ‘security OF the Telco network’ continues to be the prime perspective taken on ‘security’ when the topic is specifically concerning transformation initiatives such as SDN/NFV, 5G, Multi Access Edge Computing (MEC), Telco Cloud, Network Slicing and so forth – and the question posed is: how should the Telco ‘secure’ the future, modernised disaggregated network infrastructure that will be powered and controlled by software and embed more intelligent, AI-driven ‘closed loop’ automation than any previous generation of network?
Interestingly, the Telecom regulators seem to be also spending inordinate amounts of their time considering the implication of ‘security’ of the future Telco network infrastructure.
For instance, many regulators across the globe are ‘as one’ with Telcos in focusing much time and raising serious concerns on the ‘security’ of future Telco / Operator 5G mobile networks – including the vendor technologies behind them - whereby they quite reasonably take the view that, on one hand, Telco 5G mobile networks will be critical national infrastructure relied upon by many crucial industry sectors – including banking & finance, energy, transport, defense - and mass market consumers. And on the other hand, for the very same reason, 5G networks will be primary targets for nation state-based or sponsored cyberattacks.
This attitude of Telco technology leaders and industry regulators towards Telco ‘security’ is all well and good and even laudable if one views Telcos as a special type of ‘enterprise’ that needs to assiduously defend themselves against cyber threats and attacks - more so than other types of enterprises in other sectors of the economy because Telcos are the ‘connectivity glue’ of national and global economies.
In a different sense, ‘security’ has also been a focal area for national governments and policy makers for quite a while; as an example - the European Union (EU) released a cyber security strategy paper back in 2013; more recently, the EU has adopted and issued information security directives that describe cybersecurity frameworks for EU member states to transpose into legislation. In these initiatives, the EU (as well as regulators such as Ofcom in the UK) is taking a broader view of the society-wide and economy-wide impacts of cyber security and cyber threats, rather than a Telco or ICT industry-specific perspective. Having said this, governments and regulators are also directing their energies to develop cyber security policy frameworks for Telcos and other ‘critical infrastructure operators’.
Enhancing Security for Customers
So, all of this does lead to a BIG question - how should Telcos consider ‘security’ in the context of their customers? After all, it is customers that are the ‘lifeblood’ of Telcos. And it is their customers – be they consumers or businesses - that are facing increasing risks and impacts from the worsening cyberattack landscape. One only has to look at the reams of cyber industry research, empirical findings and so on to see the rising risk, threats and damage from cyberattacks and data breaches incurred by businesses.
Surely then, the Telco conversation on ‘security’ needs to pay far more attention to how Telcos can both secure their own networks / operations AND secure their customers? That is - not just enforce good cyber security and risk practices ‘within’ their networks, operations and IT systems (‘indirect’ security for customers) but provide security and protection ‘over the top’ & ‘through’ their network and connectivity services to their customers (DIRECT security for customers).
It is this important distinction between ‘INDIRECT’ security and ‘DIRECT’ cyber security services for customers – especially the more vulnerable business segment - that I should now like to discuss.
Why Telcos are the logical and natural provider of DIRECT cybersecurity services to business customers?
It might seem obvious, but is often downplayed in these times of ‘digital hype’ on social, cloud, AI in the technology industry, that Telcos and Mobile Operators in every country across the world still maintain a great degree of ‘control’ & fulfill a role of central importance on how consumers & business connect to ‘everything digital’ – the internet, social media, cloud applications and each other; for businesses that increasingly consume and operate in ‘digital’ space, the degree of reliance on Telcos or Communications Services Providers for digital connectivity remains pivotal.
Since Telcos ARE still the ‘masters of connectivity’ and cyber adversaries predominately attack consumer and business users through these very same Telco-provided connectivity paths to these digital services (example: email, web, social, messaging etc.), it seems only right and proper to suggest Telcos are entitled to be the primary, leading providers of DIRECT security OF their connected, digital customers.
One might now ask: haven’t Telcos always provided security FOR their connected customers? And if so, how well have they done this?
These are interesting questions that deserve a detailed response. To do so, we should look back at the history of Telco security services for their customers and examine the question from the point of view of primary customer segments:
- Consumer /Residential & SOHO
- Small Business / SMB
- Enterprise / Government
Firstly: Consumer & Residential (and SOHO) Customers
Going back a decade and a half to the late 1990s, when Telco-delivered broadband cable and xDSL internet services came to the fore, a new problem arose that wasn’t evident on ‘dial-up’ ISP services: broadband subscribers were receiving more and more ‘unwanted’ traffic on their ‘always-on’ Internet connectivity services due to mass-delivered spam emails, some with malicious file attachments that contained viruses (executables), or subscribers were taking advantage of higher bandwidth access to use ‘P2P’ file and video sharing services that were ‘havens’ for viruses and malware and subsequent infections of PCs.
Many Telcos responded by offering a solution to this – an anti-spam/anti-virus (AS/AV) desktop software package from a security vendor as an optional ‘add-on’ with the broadband service. This had limited success for the Telcos since it was not ‘hard-bundled’ with the broadband services, and consumers could easily buy their own AV/AS software package from their local PC retailer or buy a PC with an OEM version included.
In later years, from the late 2000s, when broadband customers saw a marked increase in new cyber threats from browsing the Internet and visiting infected web sites or downloading malicious content, some Telcos took advantage of new vendor technologies to introduce ‘web filtering’ or ‘clean pipe’ capabilities on broadband services. However, these typically offered very basic security functionality, e.g. DNS technology to block access to malicious web sites or unwanted content, rather than ‘in-line content or proxy inspection’ that could impair broadband download speed performance and impact customer experience.
Secondly: Small Business/SMB Customers
SMBs from the late 1990s to early/mid 2000’s began to use broadband services to connect their file and web servers to the Internet, inviting the added problem of scanners, hackers and DDOS attacks. Telcos took steps to introduce DDOS protection services integrated within their Internet backbones to address these issues. To combat the problem of email spam for SMBs, Telcos also started to resell cloud-based email security from the likes of Messagelabs (now Symantec) or other new cloud email security vendors (RWC: like FirstWave!).
From the early 2010s, when Microsoft launched Office365 with hosted email security - Forefront Online Protection for Exchange (now EOP), Telcos began to resell these cloud services, often adopting a channel distribution strategy to ‘publish’ O365 and EOP on their ‘APPS marketplaces’ so that SMB customers could easily search and purchase from a growing set of SaaS product offerings. Here the Telco was little more than an online channel partner for the security vendor.
Thirdly: Mid-Size, Enterprise & Government Customers
From the early 2000s, Telcos were far more focused, active and successful in delivering security services - mainly as managed network security services - to the larger customer segments from mid-size enterprise to larger enterprise and government.
This came about because across the 2000s, the majority of these midsize, enterprise and government customers adopted MPLS IPVPN WAN services for their distributed any-to-any connectivity branch site networks, giving ample opportunities for Telcos to also provide managed firewall solutions & network security services – i.e. managed branch & DC gateway firewall, hosted network firewall, MPLS-Internet secure gateway and associated managed security services bundled with MPLS IPVPN and Internet connectivity solutions.
In the last 5+ years, a number of Telcos have expanded their enterprise security service offerings by reselling and ‘solution-selling’ security appliances, cloud-based web security or DDOS protection offerings from security vendors such as Palo Alto Networks, Symantec, Zscaler, Prolexic (now Akamai), Websense (now Forcepoint) or Bluecoat (now Symantec), Zimperium etc. to enterprise and government customers.
These enterprise & government customers also took it upon themselves to purchase a plethora of cyber security appliance technologies in the form of secure mail gateways (SEGs), secure web gateways (SWGs), IDS/IPS, WAFs, Firewalls, etc. to deploy at their enterprise data centre and Internet edges as well as End Point Protection/EPP, Mobile Threat Defense/MTD etc. to deploy on their PC and mobile endpoints.
It is a characteristic of the enterprise security technology and services market in the past 5+ years that enterprise spend on and deployment of security technologies sourced from many vendors have been proliferating, whilst Telcos’ security and MSSP lines of business have extracted a limited proportion of value from this enterprise security market growth - largely around security consulting, integration & security monitoring for security technology solutions – generating very low margins on a ‘labour-heavy’ solution-selling & operating model.
In nearly all scenarios above, the Telco was serving as an enterprise security solutions ‘aggregator’ of 3P security vendor products. The cyber security specialist solutions teams in the Telcos’ enterprise solutions business unit or cyber security product owners usually ‘owned’ the security vendor partnering program initiatives, without network technology & operations group sponsorship or involvement, and the Telco did no genuine integration of the 3P security vendors’ products into Telco portfolio, network, operations or IT systems & processes - though, in certain cases, a Telco MSSP/SOC function may have provided basic managed device security and security monitoring services.
It is also noteworthy that, with a couple of rare exceptions, these security vendors did not offer Telco-specific or Telco-optimized security products or provide Telco integration ‘know-how’ & solution capabilities, but rather handled Telcos as just another ‘MSSP’ under their channel partner programs.
In summary, the Telco and security vendor partner approach to Telco delivery of security solutions TO their customers across security product categories (DNS, Firewall, IDS/IPS, Email, Web, DDOS, Mobile Threat Defense/MTD etc.) & customer segments has been piecemeal, fragmented, non-scalable, and non-integrated with broader Telco product portfolios, network infra, IT systems/processes or MSSP/SOC service offerings. And it has generally produced ‘low quality’ revenue growth, with low margins & poor commercial return on investment.
- Only basic broadband security services have typically been delivered to consumer / residential and SOHO customers with limited monetization outcomes and modest NPS outcomes;
- There has been limited commercial success and customer value generation out of simple resale of 3P cloud security provider services to SMBs;
- Some Telcos in the past few years have provided additional mobile threat defense solutions on mobile devices, e.g. smartphones, for mobile customers – typically enterprise & government managed mobile fleets - but these have generated small benefits in general for the Telco;
- The execution model has been based on reselling + labour-intensive, low-margin, ProfSvcs-centric consulting & integration of third-party vendor security products to enterprise & government customers, overlaid with a limited set of managed security service (MSSP) offerings, principally offered by the larger Telcos.
Why have Telcos taken this piecemeal approach to ‘security’ services for customers?
There are a few reasons.
One reason is that Telcos did not ‘start life’ providing cyber security services – they were always Telcos! Their core business, network & products were telephony, data, managed network, mobiles, UC&C, DC/Hosting, IP connectivity etc. - not MSSP. They did not have cyber security in their ‘DNA’ and did not build their networks or develop their workforce with cyber security ‘baked-in’.
Some Telcos, ironically, did develop MSSP businesses and Security Operations Centre (SOC) capabilities that originated - not with their customers’ needs or requirements in mind - but out of internal IT teams’ focus on their own Telco enterprise IT and systems security needs and requirements. These Telcos took decisions to adapt and ‘rotate’ these internally-focused cyber security capabilities ‘outwards’ towards their customers.
Other Telcos did not take this ‘organic’ approach – they instead executed an ‘inorganic’ cyber security strategy and acquired MSSP companies / players to attain the cyber security capabilities they needed to deliver managed security services to their enterprise and government customers.
The second reason is linked to the first.
Notwithstanding ‘organic’ MSSP business and SOC capability builds or MSSP ‘acquisitions’ that Telcos may or may not have undertaken, Telcos have in most cases failed to mobilise or ‘stitch together’ the key enabling capabilities across Telcos in relation to security services, viz.:
- Network & Technology
- Service and Operations (IT/Processes)
and hence have failed to realise the business case to develop a truly scalable, integrated, Telco-branded & operated security services portfolio that can be delivered at scale and monetised profitably into the broader customer segments - especially the very large base of small business / SMB customers present in most markets.
So, that more or less provides a perspective of the Telco track record on delivering security services FOR their customers.
In the next installment of this blog series, I’ll take a deep dive into how Telcos might change their approach to delivering a new generation of truly integrated security services to the major chunk of customers (read SMBs). Stay glued for more! Please feel free to share your views in the comments below.
 E.g Ofcom UK - Telecoms Security Requirements
 E.g Ofcom UK – Telecoms Supply Chain Review
 Net Promoter Score
 E.g Telstra and Zimperium
 Telstra is one example
 Singtel is an example, Verizon is another