BT's group security director is no techie and has a wealth of commercial experience – a very 21st century CSO? By Paul Fisher.
The word ‘affable’ could have been invented for the group security director of BT, Mark Hughes. He is brimful of old-school charm and politesse, undoubtedly still holds the door open for women and, given his Army background, knows which way to pass the port.
And the affability is evident as SC meets him in his corner office at BT's global HQ, a stone's throw from St Paul's Cathedral. It's freezing outside and Hughes has supplemented the central heating with a mini fan-heater, mostly, he says, to thaw himself after cycling to the office – something he does every day.
He has packed a lot into his 40 years. After university (geography, in Leicester), Hughes had a seven-year stint in the Army, serving in the Falklands and Bosnia, retiring with the rank of captain. After that, he had a good grounding in the world of business, ending up as the commercial director for MWB Business Exchange, the serviced office division of property firm MWB Holdings.
In 2002, Hughes joined BT to run a facilities management enterprise. He also managed the contract BT has with Disclosure Scotland, a criminal records service of the Scottish Executive.
It was challenging, he says, as the service had grown quickly. He had to work with BT staff, politicians and civil servants to ensure Disclosure Scotland operated profitably while satisfying the needs of the customers.
Next, he was head of operations in BT's major business sales division, where he set about re-engineering the processes for providing services to customers. Impressed, BT management asked him to become the director of security – something of a career switch.
“I was very honoured but had doubts. BT was looking for a change – the role had been held by someone from outside the business and BT was seeking an individual with more commercial experience to reorganise security across the whole organisation. My predecessor had a wealth of experience and to take over his role with this additional remit was daunting,” he says.
In addition to the chief information security officer role, the post covers all aspects of physical security and business continuity. Quite a challenge, especially as – and Hughes readily admits it – he has little in the way of technical training to put beside the abundant commercial experience. Is he then the new face of the C-level security and risk manager that the business so badly needs? Kind of.
“What I did have was technical knowledge of the business and of the products and services we were selling to our customers. And I had a good understanding of the businesses, products and services we were dealing with. But so far as detailed technical security knowledge was concerned – well, very little.
“So that knowledge had to be quickly garnered from those around me, those professionals who are very strong in those particular disciplines,” he says.
Surely it caused some resentment among the incumbent team and his direct reports to have this commercial interloper dabbling in technical and risk management issues? “Not necessarily. My predecessors had come into the business cold, and not been specialists in their own right. I didn't detect any resentment as such, but that still furthered the need to ensure I dealt with and worked with those people who did know what was going on,” he adds.
Teamwork and making the most of the talent of those around you is something that Hughes has mentioned in previous meetings with SC and it peppers the conversation on this occasion. But it is clear he means it. So is this example of letting experts be expert and letting the talents work together the blueprint for the 21st century CSO?
“There's undoubtedly a requirement to have a pretty good working knowledge of the different elements that I look after, and that the CISOs take care of as well. But that has always got to be set in a business context,” Hughes says.
Having an organisation such as BT behind him is something he appreciates. “I'm fortunate that BT takes information security extremely seriously. It's a top table issue. It's not hard for us as a business to understand the consequences and the risks of processing and handling the amount of information that we do. It's a straightforward realisation that it is core to our offering”.
There is now a greater focus on information security, he says, and there is greater scrutiny from the board, but he welcomes that. “It's imperative, so far as we're concerned, that we deliver to our customers what we say we are going to deliver. It's protecting our reputation, but it is also a differentiator,” he says.
However, Hughes is pragmatic enough to know that his role can never provide 100 per cent security or protection, an awareness that is probably the result of coming from a commercial background. He now sees risk as fundamental to what he does on a daily basis. “We need to understand genuinely what the impact is if we don't do anything, and then to use that to cost in what we do. It's never a question of eliminating risk. You can only ever bring it to a level that you deem to be acceptable.
“Once you've got to that level, you can then use that – those deltas between ‘do nothing’ and ‘do something’ – to justify the investment you need to make to achieve that level of assurance for those products and services. So long as the cost of bringing it down to the level where it only happens every now and again is less than – or indeed, normally quite a lot less than – it happening all the time, then you build a case that works,” he says.
Which is akin to Marks & Spencer and its acceptable losses from shoplifting. Shrinkage is the polite term. “It is indeed. Exactly that, and you have to accept that that's just what happens. So I'm not saying that BT is profligate, in the sense that we don't mind that loads of stuff goes missing. Not a bit of it. It's just that we have to accept, like everyone does, the reality of stuff happening,” he says.
Hughes' operation has expanded from a relatively small 90 headcount to a slightly larger 1200, as the department becomes truly global. That's quite a team, the result of creating a single global security function organisation for both customers and the organisation.
“We're at a point of consolidation, but we've always run a fairly closely-knit, federated type of organisation,” he adds. He's confident about the quality of the people working for him: “I would go so far as to say I've got some of the world's leading experts in their fields. Getting the right people around you, good people around you – and getting the best out of them – is really the trick,” he says.
He suggests that a stint in information security might be a good idea for anyone in any part of the business. This is something that Phil Dunkelberger, CEO of PGP, has also alluded to (SC, December 2008) – that the CEOs of the future are likely to have spent some time in information management.
Hughes recalls his early period in the sales department. “Had I known then what I know now, I would have been a lot stronger for it, because intrinsically, one of our underlying values is about being trusted, a trusted partner.
“I see that what I get up to, in terms of protecting those products and services, and ensuring that they're fit for purpose and that they meet the expectations of our customers, is absolutely essential,” he says.
Hughes unhesitatingly recommends information security as a career choice and hopes the profession will develop to attract all the talents and recognise that security isn't just a technical function but a business function that benefits from new and creative ideas.
“It's a good launch-pad, a great place to be able to see the different aspects of business and how they operate. Good information security people can get a very useful broad-brush approach, and we're beginning to see that in our business now. For many people coming in, their first job is in security and then they move on to more mainstream information or IT-type jobs. Security is becoming fundamental to everything,” he says.
But in the harsh light of the recession, Hughes, like his peers, is likely to be tested during 2009 as never before – how will the recession affect his job and that of those like him? He remains pragmatic and points to some easy wins in terms of cost savings.
“There are four sets of control measures we do: people, process, physical and technology. Some cost more than others, so focusing on those that aren't so investment-heavy, but more about getting people to do the right things, behaviours, compliance – results can be achieved. There are opportunities, although the agenda around people is sometimes more difficult to deal with.”
But it is important. So what value does he put on security awareness and training people? As in other large organisations, the battle is to get the message across to the whole business – in BT's case, all 160,000 of them.
Hughes likes to refer to the workforce as the community. “We need to bring the message to people, to make them understand that it's the right thing to do – and allow them to understand that, as opposed to being told simply that ‘you've got to do this’.
“Our community to me is like a market that consumes what I output, takes it on board and deals with it. And they're not homogeneous, they're just like a customer base, they'll behave in different ways, and therefore they need to be looked at as a market and segmented, with different types of messaging to different channels. Technical controls don't work particularly well without good people controls, and awareness is pretty core to that,” he adds.
For Hughes, the security function is more than just the company itself – it's a whole “eco-system” involving supply chains and subcontractors, as well as permanent staff and customers. And of course it's another community.
“Everyone who's delivering a service to our customers has a responsibility to be involved. Good security people feed off other good security people and we need that sense of community to share good ideas and best practice,” he says.
BT may well be developing a blueprint for embedding security throughout its business, but however it is done, so long as Hughes is in charge, it is likely to be done diligently – and affably.