There can’t be many people in BT with as wide a job description as Mark Hughes.
The Security CEO is responsible for the UK-based operator’s own security as well as the provision of security-based services to all of BT’s consumer and enterprise customers.
The former means he has to ensure thousands of network devices, switches and servers, 10,000 buildings and 140,000 staff around the world are secure; the latter means serving the needs of the millions of business customers and retail subscribers who rely on the company.
It’s a tall order, and Hughes has 3,000 staff to help him achieve it.
Speaking to journalists at the launch of a cyber security report BT has published with KPMG, Hughes says he splits his time equally between these two disparate parts of the job.
But he adds: “My first thought is always going to be that BT is secure.”
Hughes claims the operator has not suffered any “major” breaches on his watch and sidesteps a question on whether it is just a matter of time before it does.
“I think we have a comprehensive view of what’s going on,” he responds. “We take it extremely seriously… we have to be ever vigilant.”
But notably, he adds a caveat: “We run a massive estate.”
The report he is promoting, ‘The cyber security journey – from denial to opportunity’, notes in its executive summary that the chances of a business or an individual becoming a victim of cyber crime have never been greater.
It warns businesses not to view technology as a silver bullet and says companies need to focus on getting security basics right, including training all staff in cyber security and making sure every employee takes some responsibility for it.
It is a message that BT is heeding itself. Hughes says one of the most important things he has implemented is “constant red teaming”.
To the uninitiated, a red team is a group of ethical hackers charged with attacking BT defences to search for vulnerabilities.
In contrast, the job of a blue team is to defend against attacks.
Hughes says he has brought together “a gang of my very best people to try and test our defences in a very aggressive way”.
BT’s red teams can work together for months at a time, meaning they are “quite a hefty but essential overhead to maintain”, according to Hughes.
He looks to run a minimum of four to eight red teams per year.
BT is constantly on the lookout for talent in this area, whether that means hiring graduates or retraining staff at the operator’s own cyber academy.
Hughes is coy when asked whether any former hackers have been hired.
“I have to be open to everyone,” he says, before backtracking to note that BT “does not compete for seasoned cyber professionals”.
The Protect BT Security Practice has over 500 staff, including 100 ethical hackers.
BT is the largest private cyber security employer in the UK, Hughes notes.
The CEO says his biggest challenge is trying to reduce response times to threats: the ability to flex, in Hughes’ words.
He says response times have come down “hugely” over the last few years.
In the case of distributed denial-of-service (DDoS) attacks, such as the one that affected Deutsche Telekom in 2016, Hughes says BT’s response times are down to milliseconds.
“We’re continually looking to improve [response times], we have to be ever better,” Hughes says.
Things are complicated by the sheer number of different risks associated with the different parts of BT’s business.
Take the relatively new BT Sport arm, which Hughes says receives “a lot” of hacking attempts, particularly when there are big sporting events.
“If tools don’t kick in in milliseconds then that’s a huge problem in broadcasting terms,” Hughes says.
Another key area the CEO is focused on is information sharing.
BT works with the UK government’s National Cyber Security Centre, which provides advice to businesses, among many others, says Hughes.
“Creating partnerships is as much about understanding where others are and what’s going on so I can iterate that into our defences,” he explains.
Hughes says banks are the benchmark when it comes to cyber defence.
Interestingly, they are also a key customer vertical for BT.
Hughes quotes figures that the overall security market is set to reach $90 billion in 2020.
With BT’s own sales of security services up 20 percent year-on-year, he says the future is bright.
Given the operator is even challenging the likes of defence giant Lockheed Martin to provide cyber security capabilities for nation states – Hughes won’t reveal which ones but says BT is already offering the service to “big countries” – there appears much to be excited about.
All the man with the endless to-do list has to do is try and keep BT safe from catastrophes that are befalling an increasing number of corporates.