Vodafone security CTO: ‘High-profile data breaches are becoming the new norm’

6 Oct 2017

Vodafone building, Germany. Image: M Dogan/Shutterstock

Andrzej Kawalec, CTO of Vodafone Enterprise Security Services, says infosec readiness and resilience is the only answer in the face of high-profile data breaches.

Andrzej Kawalec is CTO and head of strategy and innovation at Vodafone Enterprise Security Services.

Prior to this, he was chief technologist for Hewlett-Packard Enterprise’s Enterprise Security Services group.


Kawalec spent 15 years at some of the world’s largest IT companies, including Compaq, Digital and Siemens, and has worked in board-level positions across the public and private sectors to help define and promote information strategies. Kawalec has degrees in international business and German from Ottawa and Bradford Universities.

In recent weeks, Kawalec presided over a Vodafone report indicating that tightening up cybersecurity is actually helping businesses to embark on new innovation journeys and seize new opportunities.

Are firms getting better at cybersecurity or are they becoming more opportunistic as digital transformation opens new horizons?

I think there is an interesting link between those two concepts. The motivation for the research is that we are all very used to traditional security reports that count up the number of attacks over the last six to nine months and tell us how many more incidents have occurred and how many more data records have been stolen. And whilst that is really important and we recognise that, one of the things we realised is that very few people are looking forward to seeing the changes in behaviour: what are decision-makers doing? How is that affecting what people do?

The conclusion we drew was that not only are people who are the early adopters of technology (whether cloud, IoT or mobile) finding new ways of working and leading the way, but they are taking greater benefit from security. But this was one of the first times we were able to quantify a meaningful, tangible business benefit.


Would you say businesses are realising a return on their cybersecurity investments?

The age-old difficult question has always been: what has been the return on investment on cybersecurity projects? Because if you do it right, ideally, nothing happens.

That’s where we’ve been stuck for many years as an industry, but now we are starting to see business benefits around faster time to market, about the security enabling employee productivity, increasing customer loyalty, all the way to being able to charge a price premium for enhanced security.

Early adopters of technology are absolutely able to drive the benefits of security. But, in the same breath, there are now tangible benefits both from time to market, from an employee perspective, and a customer loyalty perspective if they are doing this stuff right.

And that is often wrapped up in the brand reputation envelope. But when we dug down into it, there is a list of tangible financial benefits.

As a telecoms giant with a lot of traditional infrastructure as well as building future infrastructure, do you look at infosec through a telecoms lens or an enterprise lens?

I look at it through the enterprise lens but all of those aspects are hugely bundled into that. I need to be able to embrace that total digital challenge that our customers have. Every time they need to collect data that is fixed or mobile, every time they store data, every time they use it in a new use case like IoT – that’s the point we have to understand the security challenge. This enables us to devise the security services that help address that data-centric side of the strategy that I think people are moving towards.

The remit is the end-to-end digital challenge for our customers seen through the enterprise lens, and it encompasses every piece of that whether it’s a mobile phone, cloud storage or an exciting new IoT use case.

Security breaches are increasing. Is this something we will have to live with or will we get to a point where security will ever be sorted out? Will it always be a game of cat and mouse?

I think there’s this transition that people are going on, where they are moving away from expecting attacks to more of a state of cyber-readiness and cyber-resilience. That readiness and resilience state is really one that allows us to deal with constant and multiple attacks.

One of the things that is not going to change is the fact that we are facing a relentless and dynamic threat environment. The adversaries will continue to try and target weaknesses in our operating systems, our people, our processes and our technologies, all with the aim of gaining value from the data that we hold and our customers hold. That is one of those mega trends that is not going to go away.

Because of this, the volume and variety of attacks is actually intensifying and, as such, we will continue to see major breaches every week. Large companies and small companies will continue to face that very relentless and dynamic threat environment.

And, because of that, they need to change their mindset away from just protecting but enabling their businesses to thrive in a world where they are constantly under attack.

Another aspect is not just defending against attacks but how you respond in the minutes and hours following a major sophisticated breach. How you communicate, deal with customers, their data, the press, regulation, and how you recover quickly and get back to your normal operations.

It is key that you don’t become an organisation paralysed by these events. The way we see it, organisations that can respond and recover the fastest and build this cyber-resilience are the ones that will be able to manage their risk most effectively.

That threat environment is not going to go away.

How has Vodafone changed its own internal structures to be more agile in the face of a completely changing attack surface?

The most important step we take is to be ‘secure by design’. That is, building security into all of our core foundational products, the mobile network, our connectivity, the cloud offerings we deliver, the very secure nature of our IoT network.

Having that enhanced level of security on top of core products has been very important to us.

There is and continues to be the need to maintain that core vigilance where we monitor, detect and respond in real time to threats that appear on our network and for our customers as well.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years