Telco Risk: No Longer a Free Ride

Change is Coming

The recent flurry of activity around IR35 preparedness shows that the Government is not averse to imposing industry structural change when it sees the need. The UK telecoms sector is only months away from the largest regulatory driven change since the deregulation(1) following BT’s 1984 privatisation. And, it strikes me that not all the right people are talking about it.

The Telecoms Supply Chain Review(2) identified security challenges facing the sector including the specific need for sustainable supply chain diversity. The use of Huawei in 5G network build is probably the most prominent case study in this regard. Less attention seems to have been paid to the review’s additional call for ‘incentivisation’ of good behaviours given belief that security risks are currently borne by Government and not industry(3).

Remembering that 5G covers both mobile and fixed/broadband networks, future UK economic performance is intertwined not only on how well 5G technology(4) and supply chain risks are tackled, but also how vulnerabilities around “national capability to operate networks” are addressed. In a breathtakingly frank summary of the situation as “20 years of policy and market failure”(5), the National Cyber Security Centre (NCSC) and other government bodies observe that operators who have followed good security practice have put themselves at commercial disadvantage.

The Coming Era

Incentivisation is coming via a new security framework comprising of the Telecoms Security Requirements, a supporting Legislative Framework with increased Ofcom enforcement powers and, National security backstop powers for government(6). This powerful mix will enforce compliance in procurement and contract management, assurance testing and on-going verification. Additional controls are also being imposed on High Risk Vendors posing a material security risk to network resilience. Although media reporting tends to focus on the procurement aspect of this framework, it is significant that its scope extends into the design, build and operate phases of the technology lifecycle.

Call to Action

When things go wrong in the oil or aerospace industries, events like Deepwater(7) and Boeing’s 737 Max situation(8) bring culture, behaviours and practice devastatingly back into perspective. It took tragic disasters such as those at Hatfield, Potters Bar and Ladbroke Grove(9) to re-engender a safety culture in rail after the cost-cutting excesses of privatisation and de-regulation. Risk and safety themed conversations heard every day in the oil and aerospace sectors just do not figure in the telecommunications domain (and for that matter in the broader IT/Internet/Media space). Telco sees itself as a profit-first rather than resilience-first entity. But now, coronavirus is challenging established orthodoxies around the cost/benefit of offshoring some functions. In advocating their continued involvement in 5G deployment Huawei points out that the Covid19 crisis has seen a 50% plus growth in UK data use(10); national dependency on both fixed and mobile broadband is growing. This situation may be amplified by changed working patterns in the post-virus world. Moreover, in a few years 5G will be instrumental to autonomous vehicles and all sorts of safety dependant use cases. The time has come for everyone in the telecoms industry, not just security and regulatory compliance specialists to think of themselves as part of a critical, risk-oriented industry.

Its Transformational

With a nod to NPS(11) and a grudging acknowledgement of regulation such as GDPR, time to market and cost reduction remain the over-riding factors in telecoms investment decision making. Discussions with regulators are understood to be on-going but publication dates for the new security regulations are not far away. My feeling is that debate is still considered primarily as a security community matter. For each tranche of regulation, implications will take time to permeate outside of the security organisation into the wider enterprise, but ultimately the effect will be transformational; operators will be forced to look and behave differently. Mindsets will prioritise quality and right first time will take precedence over tactical expediency; cost of risk features in all thinking. Transformational change is never easy and especially due to the fixed deadlines, execution will need to be multi-disciplinary, properly designed and well planned. Although technology aspects are the most frequently written about, the real challenge is going to be how some operational functions are brought back onshore and how design and other capabilities will be re-invented within the organisation. Redefining culture and delivering business and operating model change figure prominently in the evolution. Risk driven thinking will need to emerge and perhaps banking provides a model for some aspects of this.

Getting Ready

Established and new providers face fixed implementation timelines to ready for a new world where cross-functional engagement is essential, resilience is vital, and risk and its costs are no longer ignorable. From experience, working with a partner can provide the best way of unlocking the competing organisational forces that makes delivering regulatory or transformational change difficult.

As a first step, Ken Jones of NTT DATA Impact would be delighted get your views and to talk to about how your organisation can accelerate its preparedness for the rapidly approaching new era. To pre-empt your question; why NTT DATA? We think the answer is obvious: rooted in the telco heritage of our Japanese parent, NTT DATA is a trusted global innovator and with our multi-industry and disciplinary expertise we deliver precisely the technology, transformation and business innovation needed to grasp the opportunities and challenges of the new environment. In the UK, we make a difference for operators across the telecommunications sector and bring relevant experience from our work in regulated industries like Insurance and Banking. As such, Ken recently led a 5G security evaluation project where we leveraged network architecture expertise from another NTT DATA European operating company and our sister company, NTT Security. Shortly after this he worked on a risk reduction programme for a well-known bank.

1. Communications Liberalisation in the UK - Key Elements, History & Benefits,  Department of Trade & Industry, March 2001
2. Telecoms Supply Chain Review, Department for Digital, Culture, Media & Sport, July 2019,
3. Ibid 1.13
4. Key technology risks: Management, signalling and orchestration/virtualisation plane vulnerabilities and factors such as the associated ability to delineate core and access networks
5. Quotation picked up from industry forum discussion - but derivable from NCSC blog - ‘The future of telcoms in the UK’
6. Security analysis for the UK telecoms sector, National Cyber Security Centre, January 2020
7. BP estimates its total costs for the Deepwater Horizon spill at $65 billion (https://www.maritime-executive.com/article/bp-s-deepwater-horizon-costs-reach-65-billion accessed 13 April 2020),
8. Boeing puts cost of 737 Max crashes at $19bn, (https://www.theguardian.com/business/2020/jan/29/boeing-puts-cost-of-737-max-crashes-at-19bn-as-it-slumps-to-annual-loss accessed 13 April 20
9. See: https://en.wikipedia.org/wiki/List_of_rail_accidents_in_the_United_Kingdom#1995_onwards:_Post-privatisation and links to dedicated pages to each quoted accident
10. Gordon Corera, (BBC News) Coronavirus: Huawei urges UK not to make 5G U-turn after pandemic (BBC  <https://www.bbc.co.uk/news/technology-52189281> accessed 30 April 2020
11. Net Promoter Score