While it was a Prussian general who said it first, Mike Tyson said it best: “Everyone has a plan until they get punched in the mouth.” Incident simulations, war games and tabletop exercises can go a long way to prepare the business and security teams for the worst, but there’s nothing like a trial by fire.
As part of its proactive approach to defense, UK-based BT allows its red teams to attack live systems without informing the rest of the business or the blue team defending it. These live exercises test the real-world abilities of both teams and inform the company’s defenses going forward.
BT’s Cytadel: Defense in-depth informed by risk
BT’s roots go back to the 1846 founding of the Electric Telegraph Company, and today the company operates multiple business units across the world. It offers consumer services such as fixed-line, broadband, mobile services and television subscriptions, as well as IT consulting and services for commercial customers.
Les Anderson, BT’s Group CISO, joined the company in 2014 from GCHQ and is keen that security makes an effort to understand and connect with the business, so that it can protect the business without blocking its goals. “Enabling the business to succeed safely is the ethos,” says Anderson. “The business is here to provide service and features to consumers, which then generates profit. That’s why we can afford to have a security organization in the first place.”
Internally, BT’s defense-in-depth strategy is called Cytadel. Anderson explains that the strategy is based on the idea that traditional citadels are surrounded by walls, ditches, high areas, ground surveillance and moats. If a single element fails, other levels of protection are still in place. “What we’ve got here is defense-in-depth, as opposed to just a very high brick wall. If that one single brick wall fails, then everything falls, so this is about frustrating, and denying, and delaying bad things happening.”
Anderson is responsible for ensuring protections are in place for the physical estate, logical IT estate, and the people estate across the entire company. When he joined BT, the company had a traditional compliance cybersecurity regime. He was tasked with driving change and adopting a data-justified, risk-based approach. “There’s many companies I think don’t do risk categorization. They have oodles of policy that they don’t link to those risks, and then nobody pays any attention to the policies,” he says. “They’re often unimplementable as well, so they’re ignored. Unless a policy is justified by a risk, burn the policy, because otherwise, what is it doing?”
“We consider holistically all that could happen to a service, a feature, a system. BT Sport, for example, it’s a great consumer service to offer,” says Anderson. “Imagine, then, if you want a badge of honor and try to take down a Premier League match. So, we’ve had to consider the risks of DDoS, for example, and we’ve invested heavily in anti-DDoS capability to ensure that that can’t happen.”