Does your telco have a SOC? That was the most fundamental question raised during the pre-conference training workshop at the WeDo WWUG14 user event, earlier this year. The SOC is a new addition to the family of xOCs. All network operators have a NOC, to monitor their network. Telcos have somewhat adopted the idea of a ROC, which is meant to monitor revenues, though the popularity of the concept may have been constrained by Subex’s decision to trademark the term ‘ROC’. Praesidium, the consulting unit of Mainroad, a sister company to WeDo, now say that telcos will increasingly need a SOC – a Security Operations Centre. So why do telcos need a SOC, and why is this being discussed at a conference for business assurance people?
If a NOC ensures the service is being provided to customers, the ROC ensures these services are generating a financial return to the telco. Complexity is being driven by the convergence of networks and IT, by the increasing sophistication of services, and by the range and power of the devices belonging to end users. This complexity makes security more challenging, and opens more security gaps that might lead to financial loss if left unclosed. These motivations suggest a similar solution to one which has been used before – implement an xOC, to continuously monitor the relevant internal and external intelligence feeds and information sources.
WWUG14 keynote speaker Robert Strickland, former CTO of Leap Wireless and former CIO of T-Mobile US, also talked about RA, fraud and security coming together. Whilst the end consequences might differ, the root causes of security loopholes, fraud weaknesses and revenue leaks will often be connected. This partly explains why a conference of business assurance people is being told about the need to implement a SOC.
However, I am not entirely convinced that the simple trend analysis, and the big bold metaphors and the repeating of established themes, leave any of us knowing what we are talking about, when we talk about the ‘convergence’ of RA, fraud and security, or the need for a SOC. The more operation centres you create, and the more they monitor disparate things, the more you raise the question of whether you could and should implement monitoring in a more holistic fashion. At the same time, saying that RA, fraud and security are converging sounds wonderful, until you wondered what a ‘converged’ practitioner looks like. There is not a single human being alive who is master of every topic that sits under the category of security. What are the chances that we might educate someone to do ‘converged’ RA, fraud and security? In fact, was there not some fundamental disagreement exhibited in this event, because we had a keynote speaker talking about convergence, whilst there was a workshop calling for another, specialized, operations centre to perform different, separate monitoring?
I think the root of this contradiction lies in complexity itself. When dealing with a complex problem, we need a big view that incorporates all aspects, or there is a risk that we misunderstand the problem, and fail to identify some elements of the causes, or some of the consequences that flow from them. This pushes us towards a ‘converged’ view, because we need to see and understand everything at once. However, complexity means an increase in detail, and there is a limit to how much detail any individual human can cope with. So as the volume of detailed information grows, it becomes necessary to create sub-divisions and sub-categories, compartmentalizing information and relying upon ever more narrowly-defined experts to manage each compartment. And that encourages us to establish yet more new, and specialized, teams.
In the past, I have written about ‘the zoom‘, the ability to shift your mental perspective from one where you work at incredibly low levels of detail, to one where you stand right back and see the big picture, to then zoom into detail elsewhere, and so appreciate all the connections. The ability to mentally ‘zoom’ is becoming more and more important, but that does not make it easier for people to master (or for some people to understand the point I am trying to make).
Whilst the call for both a converged view of security with business assurance, and for a SOC, are simultaneously both right, they are simultaneously both wrong. We need an appropriate level of resources to be deployed in managing all risks faced by telcos, and those resources may need to increase if risk profiles deteriorate. But we also need to understand the limits in coordinating resources. Efficiency degrades with scale, and eventually we reach a point where no amount of resources will help us to monitor more effectively, because the organization is unable to prioritize and to make the right decisions.
To put it another way, more monitoring is a viable strategy if there is a sensible limit to how much more monitoring is needed. But endless monitoring just leads to wasted resources – things are monitored for no good reason – whilst creating a logjam for decision-makers when nobody is able to prioritize the conflicting messages from all the data being monitored by different people around the business. So one strategy to deal with increasing complexity is not just to trumpet the mitigation of risks – in ways that specialist suppliers usually do – but to actively reduce complexity, by being less complex! And that might involve resisting the temptation to keep adding new technology to an already overly complicated architecture, aggressively decommissioning technology and services of declining importance, and splitting the telco into separate businesses.
Business assurance practitioners should welcome the convergence with security, but they would be wise to fear it too. It is true that the root causes of security exploits, frauds and leaks will be increasingly intertwined. But business assurance practitioners will not be able to rise to the challenge by taking the same happy-go-lucky, few-days-here-and-there, scam-training-but-who-cares-as-long-as-the-certificate-has-the-right-words-on-it, learn-by-trial-and-error approach to education that they have taken before. It was never fit for purpose, but we got away with it because nobody expected more, and nobody did better. However, this lax attitude to education would prove disastrous if applied to the coming challenges in security. Somebody needs to invest in people, to raise their knowledge and skill levels to the standard necessary to deal with the converged challenges of business assurance and security – and we know that privately-owned telcos tend to be lousy at making this kind of investment in their people.
Governments have realized the significance of the shortfall in private enterprise, and increasingly they are taking the lead by investing in cybersecurity, which includes a crucial investment in educating people. But these governments will rightly focus taxpayer’s money on the more narrow dimensions of security, and not on the broader and related commercial challenges concerning fraud and loss. If business assurance practitioners do not find a way to improve their education, the convergence of business assurance with security might prove to be nothing like a marriage of equal partners; it will be the takeover of business assurance by highly-trained security professionals.