Convergence of Assurance and Security

Listeners to our last podcast may have picked up on the panel’s views on whether revenue assurance should merge with fraud management. My worry when responding to this question is that it encourages an answer that is already behind the curve. There is also an increasing need to effectively respond to the relationship between fraud and security threats. Many attacks on security will have a financial motive. There has been an exponential increase in the scale of the security challenge, driven by the rise of smartphones, the cloud, and increasingly sophisticated products like mobile money. So framing questions about the relationship between revenue assurance and fraud management might distract us from adequately dealing with the links between fraud management and security. Too much focus on delivering synergies between fraud management and RA could divert attention from aspects of security that do not fit well with a traditional data analytic approach to revenue assurance.

With that in mind, I recommend this excellent interview of Mark Johnson by Dan Baker for the Black Swan Journal. Mark brilliantly argues for the convergence of cybersecurity and business assurance, highlighting that threats are both internal and external, that the assets threatened are both internal and external, and that accidental error and omission is also a vital enabler for fraud. As Mark put it:

Revenue assurance and fraud vendors rarely pay any attention to cyber security, and I don’t think they fully recognize just how far convergence is going to push things — how hard it’s going to be to make a distinction between different types of security incident. We need to get beyond the silos and look at the total picture.

A good example: many fraud cases involve changes to rules or activating accounts on a platform somewhere. So the revenue assurance guy will reconcile and find 5.3 million people activated on the HLR, when the billing system says there should only be 5.25 million. But what’s often never explored are the platform security and cyber security issues that may be the root causes of those particular issues. They often just focus on the revenue leakage and the reconciliation rather than the true root cause.

Likewise, the cyber security guys focus on authentication, access rights, and data classification, but don’t seem to address the question: what are the revenue assurance implications of these cyber breaches? So a stronger business case needs to be built to understand the end-to-end issues, root causes, and costs. And I think they are really missing a trick there.

Mark Johnson has an unusual talent for ‘blue sky’ analysis of emerging threats, not least because he can step back from the telecoms experience and draw on his experience of law enforcement and financial services. And Dan Baker is a thorough researcher with an independent frame of mind; his excellent report on business assurance is available via talkRA. Based on his recent output, my guess is that Dan is already doing the groundwork for future reports that bridge the gap between revenue assurance, fraud management, and security. I have only one reason to hesitate when suggesting you should read their interview – it is so good, I have nothing useful to add! I admit to being jealous of how well they make the argument for breaking down silos. My hope is we will one day look back at this interview, and consider it a starting point for the movement to integrate cybersecurity with business assurance. Given the explosion of risks faced by telcos, connecting security to assurance is not a choice, but a necessity.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.