The twisting journey from the 2017 Telecoms Supply Chain Review to the Telecommunications Security Bill becoming law is finally at an end. Whilst the bill received Royal Assent towards the end of last year, that is not the end of the story – its associated security requirements are yet to be finalised and the Code of Practice is yet to be issued and consulted upon.
Importantly though, that does not mean that the cyber threats addressed by the Telecoms Security Framework will go away during this intervening period. Moreover, with Royal Assent the compounding reality is the prospect of enforcement action and the eye-watering penalties associated with non-compliance. In short, network and service providers, if they have not already done so, should treat recent Parliamentary events as a call to action. The extent of the burning platform is indicated by the intent to apply measures proportionately to operators, based on their national importance, through a tiering scheme.
Long-term significance of the bill
As such, the big question then is what the proposed ‘three bears’ tiering concept will mean to operators:
- Tier 1 (Too hard?): ‘Large national-scale providers will be subject to intensive Ofcom monitoring and oversight’
- Tier 2 (Just right?): Medium-sized providers will get more time to implement the security measures and will be subject to ‘some’ Ofcom oversight and monitoring
- Tier 3 (Too soft?): ‘Small business and micro enterprises’ will need to comply with the law but may only be subject to ‘some limited’ Ofcom oversight
A clue as to who fits in which tier might be found in a Regulatory Policy Committee paper from January this year which stated that there may be between 10 and 20 Tier 1 operators. If operator relative market shares are examined, maybe this number is on the high side. But wherever the division falls, the point is that all network and service providers need to get their house in order.
Perhaps the pattern for each tier is this:
- Tier 1s: should have conducted a compliance gap analysis by now and be acting on findings. Two models appear in this context. Solution design, if not built, should be in flow by now
- Tier 2s: ideally the compliance gap should be at least understood now and a programme to optimally address the new legal requirement should be under consideration
- Tier 3s: perhaps, for resource or other reasons, there is no gap analysis yet and no significant consideration of what compliance attainment means
Remediation is a phrase that often goes with compliance attainment programmes. However, the underlying driver for the Telecoms Security Framework is its transformational intent. This points to three overall approaches to the ‘cyber and supply chain resilience’ compliance journey:
- Lip Service: doing the bare minimum and, whether stated or not, hoping for the best. This label can probably be attributed to ‘network only’ remediation initiatives
- Sticking Plaster: following an incremental, additive approach to get to compliance
- Transformation: taking the transformation medicine and gaining all the long-term security, cost and reputational/brand benefits
From what we can see across the industry, providers (assuming a view has been established) seem to be taking two approaches to reaching the end state:
- The ‘left to right’ view: here the organisation determines its gap and works gradually, from its current architectural point of view to what it sees as the end state
- The ‘right to left’ view: providers realise that radical change first requires a clear end state vision and work back from that. This model fits more closely with transformational approaches
When an organisation picks its preferred change pattern, there are a range of input and outcome variables to be considered. These include appetite for operational versus capital expenditure and associated attitudes around cyber and supply chain risk appetite and regulatory sanction exposure. Brand perception and customer promise are the final ingredients of the mix. With strategy being the art of the logistically feasible, having the right people and skills is a further key determinant of the speed, extent and approach to change.
Business leaders can’t afford to prevaricate on their organisations’ regulation strategies. This year, the Code of Practice enforcing this legislation will be issued and is expected to come into force in October and businesses need to be ready. If you are currently going for the ‘sticking plaster only’ approach, are you considering reassessing this? Is it possible that a mid-point strategy will leave you with the worst of both worlds? A transformative agenda is the ideal goal, but you need a strategy to make this possible. We have been working with multiple clients on the Telecommunications Security Framework and would be very interested in entering into a discussion with you on where we see the pitfalls and opportunities being taken.