By Sean Robson
NME spoke to Ray Stanton, global head of BT's business continuity, security and governance (BCSG) capability, on the threats of the future and how enterprises can prepare themselves adequately.
With threats on the increase, enterprise security has never been more important in the Middle East. NME spoke to Ray Stanton, global head of BT's business continuity, security and governance (BCSG) capability, on the threats of the future and how enterprises can prepare themselves adequately.
What are the biggest risks facing enterprise infrastructure in the Middle East?
The risks that we are seeing in the region are particularly surrounding business continuity. This is illustrated by the fact that last year there were issues with cabling, and the internet was down for a while.
We are not going to roll out very many new services, and instead what we are doing is to improve our current services and make them more efficient.
The fact is that a lot of the SMB markets here are open to general business continuity issues. It's a real threat. We need to extend our thinking into how organisations, be they a large or a small enterprise, deal with that.
When you consider this region you notice that for the large part it's made up of many big conglomerates and lots of very small companies. It's those small companies that could find themselves in trouble.
How do enterprises in the Middle East measure up in terms of awareness of the global risks they are facing, and preparedness for the same?
I think that the good thing about the region is that there is a growing awareness. This has to do in part with a lot of external companies coming into the region and basing themselves in the GCC.
For instance, in the Bahrain Financial Centre you have a lot of international organisations that have set up their base. And, because they have seen the risks around the world, they are asking what is being done about these risks.
So what you are seeing is a promulgation of experience and knowledge in the region, and questions on how things are being dealt with.
The easiest way to see this awareness in action is through the customer requests we receive, and what we are seeing is that, as they ask for managed infrastructure or a local area network service, they are all asking for them to have capabilities around security and business continuity.
The last 18 months has seen a definite acceleration in requests around what we are doing concerning the issues of security and business continuity.
What obstacles does the region face when it comes to implementing comprehensive security measures?
The obstacles we face here are not specific to the region, and are instead a general problem in terms of adoption across the world.
The problem is being able to demonstrate the value of the service, because the thing with security and business continuity is that it is an investment or insurance policy that you never want to cash in.
It is money that you are effectively investing, but then struggle to demonstrate a quantifiable return on investment from.
When things are going well, how do you measure whether all the security policies you have put in place are correct? The core adoption problem is being able to articulate the investment that has been made in clear business terms.
The credit crisis is another obstacle as everyone is being asked to do fewer projects with less money, but with increased productivity. It is a tough situation where people are being asked to do more, with much less. Security and business continuity are now challenging for a share of an already under pressure IT budget. This is all taking place in the midst of businesses' looking to make savings and cut cost. What trends have you seen over the last year when it comes to the security space?
A key trend, which is driving security, is virtualisation. Virtualisation is driving the challenges of ensuring security around applications, and infrastructure. It's the new trend, which is causing us more problems because in truth, how do you ensure security in a virtualised environment?
The other one is a trend that has been growing consistantly and is one we are all aware of, the problem of identity theft and management. We are still seeing more and more of that emerge, and we certainly won't see it disappear over the next couple of years.
Interestingly, at the half year point we were up on our forecast. However, in the second half of the year we are going to see this slowdown, and people will be more careful about where they place their contracts.
The last trend, which goes hand in hand with that, is the ever-increasing need to manage compliance through the technology and auditing controls that are in place.
Considering the crisis, how can enterprises make the most of their existing security investments? How can they cut costs on security, while still effectively defending themselves against threats?
This is exactly the question I am being asked with increasing regularity by CIOs and risk officers. What you need to do is first ask, what are the business priorities? The key thing here is to ask what these priorities are over the coming months, and the coming year, and synchronise the investment in security to be in line with those business critical priorities.
Now you have to still maintain certain compliance requirements and so you take on those things where you need to meet regulation and legislation because those are things you simply cannot get away with or ignore.
What you can get away with is saying, how do we defer certain parts of those programmes, thereby doing less but achieving more? And, it's really important to do that. But it remains critical that this is all aligned to what you are being asked to deliver.
What is the point in investing millions of dirhams in some spectacular new technology, if you are not going to actually be delivering on a business project that makes use of it.
One thing people are going to have to be honest with themselves about is whether a project is simply a pet project. We have been through this whole process ourselves, internally at BT, and I have performed the same process with a number of my clients.
I ask them, what are you being asked to deliver? What is your requirement from a regulation and legislation perspective? And what do you need to reduce to help support that?
There is no point in stamping your feet like a petulant child and saying, I want, I want. If the business does not have the money to invest, you need to go ahead and face senior management and say here are the ten priorities.
Of those, we have funding for three. Are you, as the board and the business, prepared to accept the risk on the seven we are not going to do? If they say yes, and you have given them the opportunity to make an informed decision, then that is ok.
By how much has BT's managed security services revenue grown from the last year?
Of the business I am responsible for, over 64% is related to managed security services, and I have witnessed 30% growth in that business. Across the world and in this region, we are seeing more opportunities because people are seeing the value of these services.
In terms of managed security, I am consistently seeing growth, and in this region I am receiving a lot of requests for both partnerships, because of the expertise BT brings in this space and for direct customer requirements for contracts.
BT has increased investment in this region over this year. Do you think your growth is going to continue next year with the crisis? And how much more are you planning to invest over the coming year?
Interestingly, at the half year point we were up on our forecast. However, in the second half of the year we are going to see this slowdown and people will be more careful about where they place their contracts.Truth is, I think everybody knows that there is a slowdown coming, but estimating the amount is the part nobody really knows.
The trouble is we are seeing different business issues and different slowdowns in different parts of the world. I don't think that anyone is able to predict what the effect will be. I think we all know that we will come out of it, but what the impact will be for all businesses? I just don't know.
We will continue to invest in the region as it is in line with the business growth, and in line with our overall strategy. There are also other ways to support a region as you grow it, and so we have been saying that we have leverage and access to global resources.
This is a strong region, and I think BT has become much stronger here over the last year in terms of becoming an important player in the market.
Is BT planning on firing, or putting in place a hiring freeze in the region, in response to this financial crisis?
We just recently made an announcement that we would be losing 10,000 heads globally. BT is a 160,000 person company and of that number around 50,000 are contractors and third parties.
On an annual basis, our normal attrition rate is 7,000 people. So what we are doing is to say as a company we are replacing the contractors. So people within BT will be re-skilled, given the opportunity to take new roles on and replace contractors or third party activity. This is a really good way of utilising people available in the company and not getting rid of core knowledge and skills.
The majority of this will be UK-based, and at this stage I do not know how this will affect our people in the region.
What growth are you predicting for BT in the coming fiscal year?
We are busy trying to do that right now. We have, however, not completed our business planning for next year, partly because it's in flux.
How do you expect the crisis to affect BT's revenues globally and in the region?
It is not clear and, to be honest, its not appropriate for me to try and comment. I can say though, that I believe economies and markets are still in such a state of flux that I do not think anyone wants to put their hand up and say, we are going to make 5% or we are going to make 10%.
What additional security services is BT planning to roll out in the year to come?
We are not going to roll out very many new services, and instead what we are doing is to improve our current services and make them more efficient. We have a very comprehensive kitbag of services already, and it's about making sure we consolidate them.
There is nothing new coming around the corner that we have not anticipated, or that we do not have the capabilities to handle. It's not simply about launching new services, but instead about launching services in regions, when we may already have had that particular service available elsewhere.
That's particularly what we are doing in this region, where what we are talking about is professional services and the business continuity side of things.
It is interesting that the distribution seems to be weighted at the high and low ends of the scale, in terms of business sizes. But either way, awareness of the risks to infrastructure across all sizes, and even at all levels in the organization, seems to be key. I believe this points to a need for a "personalized" risk management approach. It is not antithetical to have good security and cut costs. You just need a long-term approach. Scott Wright http://www.streetwise-security-zone.com