The Telco industry is currently going through a digital wave. There are more investments in technology and the strategy is shifting towards digitisation.

We are seeing trends such as use of data analytics to gain competitive advantage, integrations with third parties such as banks and SACCOs, use of bots in customer service, vendor portals for raising purchase orders and payments, end-to-end automation of business processes, Robotic Process Automation (RPA), blockchain to combat fraud, and Artificial Intelligence and machine learning to increase business process efficiencies. The focus on digitisation by Telcos comes with a lot of potential risks and opportunities.


At the heart of the business is the need to balance the interest of various stakeholders (customers, investors and regulators) to build and sustain trust. This comes with a significant cost investment. From our interaction with various CIOs and CEOs, one of the most significant risks they face today is Cybersecurity.

The Cybersecurity budget is on the increase annually without a corresponding increase in detection of Cybersecurity related incidents. This is due to the complexity of systems and the increasing interconnectivity of business systems as well as the sophisticated nature of attacks.

We are also seeing increased Artificial Intelligence cyberattacks through the use of cyberbots.


A question you may ask is: how do you protect yourselves and comply with regulations? Perhaps the question you should be asking is: how do you make intelligent investments given the risks your business faces? You need to ask yourself key questions such as: What are my priority business risks? What are my critical information assets? What is important to a cyber-attacker? How would a cyber-attacker attempt to breach my system?


As Telco businesses continue to place high demand on the bottom line, Cybersecurity discussions are sometimes relegated to a middle management Key Performance Indicator (KPI) rather than being the top agenda item during board room discussions. Most of these discussions have taken a ‘top down’ approach, which can be reactive in nature. Our interactions with different Telcos across the region reveal that the following drivers influence such discussions:

Regulation

There is an increased focus by regulators on Cybersecurity. The recent Central Bank of Kenya guidance on Cybersecurity requires all payment service providers (including Telcos offering mobile money services) to have a comprehensive information security program and strategy which they are expected to comply with and report on annually. Maintaining confidence and trust is at the heart of this.

Your Cybersecurity program should not be focused on or driven by regulatory requirements only. You must ensure that your business-critical assets are identified, risks are evaluated and you have a Cybersecurity program that addresses them.


Role of the Chief Information Security Officer (CISO)

With Cybersecurity risks on the rise, there is an increased and prominent role for CISOs. CISOs now have direct reporting lines to CEOs with dotted reporting lines to the Chief Information Officer (CIO) and Chief Risk Officer (CRO). However, the decision on reporting lines should be based on the organisation’s risk appetite, security maturity and strategy. CISOs should have more business focused responsibilities and should at a minimum be a member of the senior management team.


Cybersecurity is an enterprise-wide risk issue and should be treated as such. Your CISO shouldn’t just be someone with a security focus/background but must be well versed in corporate governance and risk management.

Digitisation

As organisations aim to use data to gain competitive advantage, they need to ensure they have robust data privacy and security governance frameworks and controls. Integrations with third party systems and clients, as well as the use of portals, introduce several risks into the IT environment.

Telcos need to ensure that third parties granted access to their IT environment adhere to the highest security standards and also comply with the security policies of the Telco.


Third party security

Cloud services are being used for storage of critical business processes and functions and this is on the increase. A lot of businesses in the Telco industry also have key assets managed or provided by third party service providers. More focus should be on the security capabilities of these providers as well as monitoring and testing of third party systems.


So, back to the fundamental questions – How do you manage your Cybersecurity risk?

Understanding of business risks has traditionally not considered Cybersecurity risk. We have seen the industry taking a positive trajectory in dealing with this aspect. A number of Telcos have started to embrace Cybersecurity risk management frameworks (albeit at different maturity levels).


We have also seen a shift towards implementation of Cybersecurity incident response and incident management initiatives, which are one of the commonly used approaches to dealing with Cybersecurity incidents in a structured manner.

In summary:

  • Identify your business critical assets and put in the right strategy to secure them.
  • Threat intelligence and active monitoring are key to managing Cybersecurity threats.
  • Stop focusing on tools and controls only - security governance is key.

Laolu Akindele

Associate Director,

PwC Kenya

Benjamin Mkwizu

Associate Director,

PwC Kenya
