Yo, CEO – Is Your Company Secure?

AT&T is trying to get CEOs and directors more engaged in securing their enterprises, and this morning issued a new security report aimed at that specific segment.

This is not the first report from a telecom carrier that tallies the frightening numbers around the level of threats today, and is aimed at improving enterprise network security. Verizon Enterprise Solutions has been doing its Data Breach Investigation Report for years and earlier this year, Level 3 Communications Inc. (NYSE: LVLT) issued a report specifically on botnets. But AT&T Inc. (NYSE: T) says its new Cybersecurity Insights Report is different because of its target audience -- the folks at the top -- and the way it's intended to get companies thinking about security in a new way. (See Verizon Offers Industry-Specific Security Advice and Level 3 Elevates Security With Black Lotus.)

All three carriers -- along with other companies -- are offering managed security services as well, realizing that many enterprises simply aren't equipped with the expertise to do it themselves. Managed security is definitely an area of significant growth -- and competition -- going forward for the telecom industry.

Jon Summers, senior VP of growth platforms, AT&T, tells Light Reading in an interview that while enterprises are increasingly concerned about the growing threats of data breaches, hackers and distributed denial of service attacks, they are still too often seeing security as something for which a small set of experts is responsible. That's a point that Heavy Reading Chief Analyst Patrick Donegan has been making for some time. (See Security Suffers From 'Not My Job' Mentality.)

According to AT&T's research, 75% of companies are not engaging their board of directors in doing risk assessments or understanding the security issues, and carrying out ongoing evaluations of security status.

"We want to elevate this to the boardroom level," he says. "We want to get security in the conversation with the CEO and the board of directors and help them realize the risks they are facing."

My colleague, Dan Jones, effectively summarized some of the stunning statistics from AT&T's report in a separate story, but even in the face of those numbers, enterprises are too often stymied by the lack of a strategic response, Summers says.

"In some businesses, this is top of mind for the CEO and the board, but in many businesses, it's not," he says. "In more than half of businesses, organizations are not taking the steps necessary to evaluate their information security capabilities and put themselves in a position to respond to high-visibility data breaches."

One key step is for everyone in the company to assume responsibility for security -- from the CEO down to the call-center representative, the product development teams and every group of employees. The right processes need to be in place at each level and everyone needs the proper training, he says.

That's a growing reality in the New IP, when everyone is connected all the time via mobile device or desktop PC, and a growing number of devices are also connected via the Internet of Things.

AT&T's new report lists a number of other actionable items, including the need for constant re-evaluation of security status, as things are changing on a regular basis. That's another area where many companies are weak, Summers notes.

"Our recommendation is that there needs to be a regular standing review by the board to pose and understand the answers to some of these questions" that are raised in the AT&T assessment, he adds.

— Carol Wilson, Editor-at-Large, Light Reading

Phil_Britt 10/19/2015 | 10:46:54 AM
Re: The broader question
You're right about it being everyone's job, a theory expressed throughout various security conferences. Sometimes it's executives who don't understand the concept, at other times it's employees, especially if they don't feel they are part of the team.

danielcawrey 10/4/2015 | 2:23:36 PM
Re: The broader question
Security should really be part of everyone's job in an organization. I know that's kind of a downer for employees, but it's the reality these days.

There are so many attack points. Employees in the modern organization need to be cognizant that the viability of an enterprise relies on minimizing security risks.

DHagar 10/2/2015 | 7:15:48 PM
Re: The broader question
mendyk, it appears that also under the umbrella of that pink elephant is the lack of compliance ("78% of employees not following security procedures") and the entire culture. Without a focus on the accountability for managing the function and for all employees in compliance, there will be problems.

It seems as if there is a failure to truly understand the issue, it's beyond procedural.

mendyk 10/1/2015 | 3:03:57 PM
The broader question
There are lots of CSPs that could step up their sense of urgency regarding security as well. To steal a line from a well-known baseball cheat, security is the pink elephant in the room.