Our blog

Rethinking the risk with Thierry Huts: security in business transformation


16 September 2016

Global Services

Blogs by author: Global Services, We’re a leading global business communications provider


Realising your organisation’s digital possible requires several building blocks and capabilities. The network is a key component and without the cloud digital transformation isn’t even possible.

Another important pillar in your journey to realising your digital possible is security. There is a de facto gap between the reality and preparedness regarding cybercrime on one hand, and the capabilities and skills many organisations require on the other. This is also one of the findings of the recent report BT issued in cooperation with KPMG “Taking the Offensive — Disrupting Cyber Crime“; it is necessary to rethink the risk and take a holistic and increasingly intelligent and pro-active approach.

So let’s disrupt cybercrime and look at the crucial role, evolutions and solutions in cybersecurity, that will allow us to reap the benefits of the digital possible in a secure way. Unfortunately, still all too often security measures are considered (too) late. Time for action.

Security by design

We talk with Thierry Huts, responsible for BT’s Security portfolio in the Benelux. His standpoint is clear:  “Security is part of our DNA at BT and embedded in everything we do. Your digital transformation efforts can only thrive and accelerate thanks to that view and our offering.”

Thierry, can you start by telling us more about your views regarding security in a Cloud of Clouds context?

Thierry Huts: If you look at the full picture of our Cloud of Clouds vision, you see several important elements. There are the BT Compute solutions that bring in the data centres and a flexible, scalable, reliable IT platform in the cloud; there is the network that connects everything and added the various cloud services and enterprise applications, like UC, and Contact Centre solutions, on top of it all.

What you also see is that security is a transparent and embedded part of all these connections and interactions – we see it is an intrinsic part of the cloud-of-clouds infrastructure, that should not compromise performance or user experience. Most organisations are aware that they need to secure their services, network and data but it really needs to be an inherent part of really everything they do – security by design.

While traditional perimeters continue to exist in many companies, there is a definite change as we move to a perimeter-of-everything.

The 5 aspects of security and the cloud

Thierry Huts: If you look deeper at what we bring to the cloud of clouds from a security perspective; we focus on five areas.

1. Protecting the customer’s perimeter

The first is the fact that you need to protect the perimeter of the customer. That’s the more traditional offering and approach that remains important. It’s the protection of the place from where the customer goes to the Cloud of Clouds.

2. Cloud-based solutions

We offer a range of specific cloud-based solutions. Think about the security in the cloud possibilities we have to protect against DDoS (Distributed Denial of Service) attacks or to protect web, mail and other Internet based traffic from within the cloud.

3. Endpoint protection

A third aspect of cloud security is endpoint protection. As these endpoints aren’t just part of the internal network, but are also directly connected to the Internet and the cloud applications, they pose another security challenge .

4. Embedded security

Security should not be limited to a specific point, i.e. perimeter, cloud, application etc. It should be embedded in the end-to-end design of your network (from local LAN, across the network to where your cloud applications reside). This is why security is embedded in all IT/Network services we offer to the business. Security is a part of our DNA, and it starts with the network itself. Our network is a shared infrastructure for multiple customers. So they must be securely implemented and maintained. Our compute services that are offered from within the cloud need to be secure. The same goes for UC applications and any other applications we provide.

5. Monitoring, intelligence and pro-active security

Last but not least, and this is the most important of all in the context of our security proposition, is the monitoring of everything I just mentioned. This includes the monitoring of our own services, security services, network services, UC services, etc. That’s the Cyber Security and Security Threat Intelligence portfolio where we proactively and pre-emptively tackle possible attacks on our cloud solutions or equipment of our customers and of ourselves. This is done in monitoring logs and includes proactive intelligence in order to identify an attack before it actually takes place.

A holistic security approach matters

How important is it to have this embedded and holistic approach to the cloud?

Thierry Huts: It matters a lot. The benefit of offering security in the cloud itself is that you keep the malware and the bad guys further away from your network and your internal infrastructure.

Monitoring is an integral part of this and this in combination with the pro-active intelligence that’s evolving fastest. In recent years a lot has been invested in point solutions, in firewalls, IDS, possibly mail security, web security and so on but to see the global picture and look at the security exposure of customers is relatively new, yet growing fast.

A final point to mention in the holistic perspective is consultancy. Because it is vital that companies  know their own risk and threat exposure, we can offer consultancy or trainings to customers to enable them to recognise and identify such risks. This is based on risk assessments and a range of other services we offer and that we mentioned in the “rethink the risk” blog a short while ago.

The transformational role of the CISO

In an interview with their CISO Chris Hodson, which we will soon publish here, Zscaler said that the main challenge for a CISO today is visibility. Thoughts?

Thierry Huts: There are several challenges for CISOs and visibility certainly is a key one. Others we found in new research are dealing with a changing threat landscape driven by digitalization – like mobile security – and creating new business opportunities, including updating out-dated inflexible working processes. Last but certainly not least there are the new legislation and regulatory requirements. Think about the new European General Data Protection Regulation for which companies need to adhere to specific security controls, for instance.

Taking the Offensive — Disrupting Cyber Crime – get the recent report BT issued in cooperation with KPMG

Taking the Offensive — Disrupting Cyber Crime – get the recent report BT issued in cooperation with KPMG

However, visibility is indeed important and it is clearly tackled in our Cloud of Clouds security. The thing with security is that it’s always a bit of a specific discussion. Everyone knows and says they need it but at the same time they want to feel the impact of it as little as possible. So what we continuously consider in our security services is the impact on performance and user-friendliness. A definite example are the mobile devices where we need to be careful and use tools which keep the data secure but don’t limit the functionality for the users.

Security needs to be driven from the business. Executives need to be aware that we need security and that it’s as much a business need and driver as it is a topic for IT. But on the other hand, security cannot incapacitate the business. Here lies a definite role for the CISO: to create that transparency for the business.

As a service provider we most of all make sure that the infrastructure which the customer uses, whether it’s BT infrastructure or that of third parties, is secured – and that it can do what it needs to do in a transparent and safe way. So indeed; a security approach that allows the organisation to focus on its business.

And that is the power of BT: to take the concerns away that aren’t directly about the business itself and offer them as much as possible managed services to do so.

Executives need to be aware that we need security and that it’s as much a business need and driver as it is a topic for IT.

Compliance and risk awareness: the drivers of security

You referred to the GDPR [the new European General Data Protection Regulation act]. How is compliance becoming more important?

Thierry Huts: Most of the time when I talk about security in my presentations I have a slide with main drivers of security whereby I point out two things. The first one is compliancy. And then you indeed talk about that European regulation which is now added. But also about regulations regarding the fact you operate in a specific region, or because you operate within a certain industry (with HIPA, Basel II etc. as examples). Yet moreover: because you also want to be compliant with a specific standard such as ISO27000. So, indeed – compliancy is one big driver for me.

Secondly, there is the risk awareness. That is harder. With the compliance piece it is much more straightforward since you simply have to comply. There are rules. Compare it with soccer: you have 11 players in the field and not 12, period.

With risk awareness you need to be aware about the risks you run when you DON’t do something. For instance when you don’t implement security controls. And that is the very specific thing about security. Making the business case around it is relatively difficult. Although very likely and becoming more likely every day, no one, for instance, can guarantee that when you don’t implement security controls or monitoring, you will be successfully attacked within 3 weeks.

With other implementations, like UC, you can make a business case around the cost savings of telepresence or network convergence and you build a business case, defining that you will gain back costs within a certain timeframe. With security you always talk about a sort of “risk and chance” calculation. What is the possibility something will happen? What could be the impact on the business? How does that potential impact weigh against the costs to implement security measures?

Unfortunately this sometimes leads to a view that security is a cost centre, while it is in fact a critical enabler of digital business.

Prioritising your risks: the CIA approach

Risk analysis also looks at the type of applications and how mission-critical they are. How would you say that companies have to start looking at closing their security gaps and prioritization, in general?

Thierry Huts: What is often overlooked is the piece of consultancy I mentioned before and which we view as an intrinsic part of our security portfolio. It’s that stage where we look at where the crown jewels are, as we call it. What and where are our critical assets and the most valuable information? Where are the very critical processes that could stop my business from running when the Confidentiality, Integrity and Availability (CIA) of my data is compromised.

These are the mission critical processes, systems, applications and data that need to be protected as much as possible and with the highest priority. This is in my view always the basis you need to start from. . They define which security controls need to be implemented to make sure that this CIA level of data is guaranteed. Unfortunately this is a step that is often skipped when companies just begin to implement security controls without really knowing what exactly they are protecting/securing and why. Yet it’s clearly becoming more important as we can see in the demand regarding consultancy.

The security perimeter of everything and the role of partnerships

It’s been going on since a long time: the security perimeter is eroding or is it simple changing and becoming omni-present?

Thierry Huts: In reality the perimeter continues to exist. We have our Cloud of Clouds infrastructure where we put a perimeter around the Internet so to speak. But most often your applications and data run in a data centre, and to access them you still have a defined perimeter where you will typically put firewalls.

What we obviously see happening for many years now is that people are more and more mobile. They take their laptop, smartphone or tablet out of the traditional office perimeter. These contain critical business information that needs to be protected. Today the perimeter is a bit everywhere.  If you look at Internet of Things, the perimeter is reaching, in some cases, to the individual user across the road, increasing the vulnerability. The more you connect things and the more things you equip with code, the higher the chance that there is a vulnerability somewhere in it which can be exploited and thus needs to be secured.

So, while traditional perimeters continue to exist in many companies, there is a definite change as we move to a ‘perimeter-of-everything’.

In this regard Zscaler is a very important partner for us as they really fit into our Cloud of Clouds approach in which we see that we build our connections not only via MPLS but also over the Internet. Private data gets secured via VPN and the applications or data in the public cloud we can directly access it because the security control that Zscaler offers sits in the cloud. This allows us to offload that security control to Zscaler. Moreover, if we look at own networks; our next generation network will increasingly use Internet and it’s also easier to directly offload these security controls to solutions in the cloud. Zscaler is a typical example of this.

If you limit your security controls to antivirus, antispam and a firewall you will always come a bit too late.

Acting today: the shift from defense to offense – pro-active security

Thanks Thierry for your insights. One last word of advice to the readers for defining their security roadmap? ?

Thierry Huts: I would focus on the move of security controls to the more pre-emptive and pro-active dimension of security. I now and then compare it with what we also see today with overall physical security challenges for our society. You can increase the presence of police forces and the military; but in the end you need to invest more in intelligence to understand and see where attackers come from, what drives them to do what they do. Gather intelligence, seek for deviations in behaviour, and put controls in place to be able to act pro-actively – before bad things happen. This can also be done in an IT network.

If you limit your security controls to antivirus, antispam and a firewall you will always come a bit too late. We see that more and more companies which are really occupied with security, invest in a pro-active approach. They work with companies like BT to gather intelligence, analyse and monitor which attacks they can possibly expect, why they are a target, in which way they can be targeted (for instance DDoS, malware, ransomware etc.) and determine how they can effectively protect themselves against it in the best possible way.

Join the discussion on Twitter #DigitalPossible.

You can connect with Thierry on LinkedIn or in our BT Let’s Talk Linkedin Group.

This interview is conducted at the occasion of the BT Cloud Summit 2016 in The Netherlands on October 12, 2016. Impressions from the event.