Businesses need to stop thinking of cybersecurity as an IT function and think of it as an ongoing activity such as accounting, the head of CenturyLink's security services says.

In an interview with Light Reading the day after he'd hosted a CenturyLink Inc. (NYSE: CTL) Cybersecurity Summit in Monroe, La., Bill Bradley, the SVP of cyber engineering and technology services, admits he and others in the field are frustrated by the continuing need to get businesses to update their security efforts and take them more seriously. Given the way data breaches dominate the headlines, it's hard to fathom why businesses of any size that are networked don't realize security is a priority. And what business isn't networked these days?

But as Bradley himself recently experienced, many business folks aren't doing things as simple as changing passwords regularly or updating their systems from the default settings. At a recent speaking appearance, he asked the audience how many people had passwords that were at least two years old.

"At least 40% of the audience raised their hands, and they were the honest ones," he says. When Bradley pushed the same question to five years, "a substantial number of people still raised their hands."

He believes this is driven by the false sense of security company executives get when they invest in security infrastructure.

"They are thinking about it like you once thought about your IT budget," Bradley says. "You'd make an investment and then you would expect that to have a life of a certain number of years before you would need to refresh. But that refresh cycle -- people got very comfortable with. I don't think that is the right model for security."

Instead, the security model should be much more in line with how businesses view accounting -- as an ongoing effort.

"In an accounting-type model, you have an ongoing effort if you are a business," he says. "You have to get accounting reports out every month, every quarter, every year. But it doesn't just end there, you have to have an external audit and you have to do that every year, and it's something people take very seriously."

Don't get left in the dark by a DDoS attack -- learn best practices to strengthen the security of your network. Join us in Austin at the fourth-annual Big Communications Event. BCE brings you face-to-face with hundreds of speakers and thousands of industry thought leaders. There's still time to register and communications service providers get in free.

If that same level of attention was paid to security, Bradley notes, then many common breaches would be prevented, because much of today's activity depends on accessing networks through unprotected devices such as sensors or home automation gear, or easily prevented things such as email phishing.

Like most other telecom network operators, CenturyLink has made managed security services a major focus in recent years, including acquiring netAura last year and using that technology and talent to develop its own portal as well as add significant consulting expertise. The portal, which CenturyLink was showing off earlier this year to folks at the RSA conference, enables a more intelligent and proactive response to security threats, Bradley says. (See CenturyLink Powers Up Managed Security.)

"It's a proprietary portal that sits on top of those [network] systems, aggregates that data and allows customers to run sophisticated reports that allows them to make more informed decisions," he says. "That gives you real transparency into what is going on in your network."

CenturyLink will also provide the expertise to businesses, particularly midsized and smaller, that don't have the people and processes to make the technology work, Bradley says. But in providing a full service security system, the company doesn’t encourage business customers to just sit back and enjoy the ride.

"We don't recommend they take that 100% [of responsibility for security] from anyone," he says. "They have to be actively engaged in defending their own systems and company themselves. But we can provide a significant part of that service to them."

And like every other person in the managed security services arena that I know, Bradley says much still must be done to educate businesses and make them smarter about security, in no small part because those who are waging cyber warfare are incredibly smart, and as the recent Wikileaks efforts have shown, more than willing to share what they find with each other to get smarter.

— Carol Wilson, Editor-at-Large, Light Reading