In this exclusive article, Editor Becci Knowles talks to Vodafone’s Group Corporate Security & Resilience Director, Norman Heit and Global Head of Resilience Otso Iho about the changing face of security.

While we have seen several corporate security teams rebranding themselves into resilience in recent years, Vodafone has been exercising it for quite some time.

It created its business resilience team 18 months ago, says Norman, “because we wanted to paint a clear picture of what we do and what our value add is.

“We have since been able to demonstrate that we add value internally by protecting the company’s revenue and externally by protecting both our business customers and consumers.”

Vodafone’s business resilience team has already won awards and as my conversation with Norman and Otso gets underway, it’s easy to see why. 

Otso been helping Norman to draft the narrative of geopolitical issues in terms of Vodafone’s crisis response to the war in Ukraine and its implications, as well as many of the US China tensions and the dynamics coming from that. 

Norman explains, “one of the main challenges we face going forward is related to geopolitical environments.

“This can be war, as we are seeing around the globe in multiple places and civil unrest.

“In the broader sense, climate change, as this too has real life consequences in terms of how you drive protection and resilience.”

Citing the example of data centres globally, he says some might suddenly be vulnerable to earthquakes, flooding, drought, heat and so on in places where, previously, that wasn’t one of the main risks. 

Supply chain resilience 

Supply chain disruption is also a big challenge and something that Norman and his team discuss quite intensively, “because in a connected world – and this is true across multiple industries, not just for telecommunications – we rely on the activity of different vendors and the manufacturing environment.” 

In addition to his role at Vodafone, Norman iso a board member for the Transport and Asset Protection Association, which deals with supply chain resilience.

“We speak often about third- party suppliers and subcontractors. Internally, the magnitude and scope of utilising suppliers is ever increasing and through interconnectivity in any business there are dependencies on different components in active ingredients.

“We rely on technology and the resilience of those supply chains to have those components and have them in time from a business continuity perspective. 

“The other thing is that you’re now more and more dependent on subcontractors and/or third- party suppliers who for various reasons, might face security incidents.

“Let’s say they become a victim of cybercrime, or any other organised crime, they might have an insider threat risk, or insider risk in general (one of the biggest concerns for every company) and then we’re always either directly or indirectly impacted, for example, through loss of customer data.” 

Security, or risk or resilience teams must also ensure there are no breaches of human rights in the supply chain.

“There’s a lot of cross functional responsibility that needs to be driven by security professionals nowadays,” says Norman, and stakeholder management is a critical element.

“Previously, any security professional that oversaw crisis management within an organisation focused on having crisis response plans in place, crisis procedure, maybe a crisis committee with predefined contacts and maybe even some predefined scenarios and exercises on top of training.

“What we face now is multiple crises at the same time and permanently.”  

There are two parts to this narrative from a corporate perspective, says Otso: “Over the last 5-7 years the risk environment has become much more varied, and we’ve started to see those multiple crises cropping up at the same time, from Covid to the war in Ukraine, to economic downturn, civil unrest and all kinds of things. 

I think that there has been a gradual frog boiling in the pot sort of scenario.

As an organisation we’ve therefore taken concrete steps to prepare for this new perma crisis world. 

“The second part of the of the conversation,” says Otso, “is more about where we see those threats going in the next 12 to 24 months.

“So, one piece is around how the world has changed how the risk environment has changed and we have tried to adapt to that environment through organisational change and building resilience, improving the way that we’ve built the team and how we work.

“The pain points in the future relate to all the things that we’re talking about in terms of big power dynamics and chipsets and supply chain disruption and geopolitical risk essentially.” 

A paradigm shift 

Interestingly, out of the last four or five bigger incidents that Vodafone has had to deal with, only one was related to cybersecurity.

Norman explains, “5- 10 years ago it probably was the other way around because we come from an era in which there was a lot of fear of becoming a victim of cybercrime.

“Over the last two years, there’s been a paradigm shift back into the physical world due to war. So, when you speak to executives nowadays, or when we exchange among peers, three years ago everyone would be saying, we need to protect our servers, we need to protect the cloud, we must have firewalls in place.” 

Norman says a lot of people now are concerned about the security of their personnel and the physical security of their critical assets when it comes to the risk of being sabotaged.

“For us, that can be base stations where we have arson attacks or where we have battery thefts and then the network goes down, all the way up to data centres or security exchanges.

“If they are being targeted a significant amount of the internet goes down.  

“I think people are starting to realise that this other world is also very vulnerable and in times of war and insecurity, governments especially also realise that they want to strengthen and harden their resilience.

“They want to reduce their dependency on other foreign states for example, so therefore, they are increasingly interested in their critical national infrastructure resilience.

“I think in the future, we will see much more interest, focus and attention on critical national infrastructure, physical security, protection of those assets that serve government and business customers.” 

I ask Norman if he thinks corporations took their eye off the ball because of all the talk about cybersecurity? “Yes, because they must pick their battles and make decisions about where the investment goes, because it’s not unlimited.

“I think we forgot a little bit about where this crime originates from, because it always has a very physical origin, and the criminals will go where they find the least resistance.” 

Are organisation’s going to be able to catch up quickly enough, or is this going to bring with it more crises?  Norman is clear that what we need to do first is elevate the holistic approach to security vulnerabilities and security risk to the same level.

“Cybersecurity and information security has long been discussed at the C suite level.

“It’s not equally the same for business continuity, physical security and other related security topics.

“Physical security doesn’t go without cybersecurity and if we were now to put all our focus on the physical, in five years’ time we would be having the same discussion about cybersecurity.

“The two do not necessarily have to be merged but they must coexist and collaborate so that they benefit from each other. “ 

Convergence: Who’s in charge? 

“I always emphasise that I wouldn’t I personally wouldn’t want to do cybersecurity because I have no expertise in it and equally, I don’t expect a cybersecurity person to have expertise in physical security.

“It’s two different disciplines and nowadays, they are so complex and so demanding that we have dedicated master’s degrees for both,” says Norman. 

Norman likens the cybersecurity expert to a brain surgeon and the person overseeing the convergence project to a GP, who understands that someone has an issue with the brain and then transfers them over to the brain surgeon.

“I think a lot of companies are missing that kind of triaging,” he says. Norman says it is vital that there is someone at C-suite level who understands that there is an end-to-end resilience of the company which he believes covers six topics: financial resilience, people resilience, business resilience, sustainability and technology resilience. 

Norman continues, “you need someone that understands that there are vulnerabilities to a company and that there are also certain critical elements, including intellectual property that must not be compromised, and then understand the different players that are required.

“Ideally you should have someone in our organisation with exposure to several areas to understand the overall situation.

“You should them have expert functions that mitigate a certain risk within your value chain – cybersecurity plays a role, physical security plays a role, crisis management plays a role and so on.

“When it comes to crisis someone at board level needs to know who the experts are and how to involve them. How can we ensure that everybody that plays a role in this orchestra is playing an instrument.” 

Convergence is about operational resilience, which brings together all of these different parts of the business into a whole,” says Otso.

“The core of crisis management generally is that you need to have the different components that contribute to an ability to stay resilient and to react to different threats and crises.” 

“You can achieve operational resilience in silos for their respective responsibility, but you cannot achieve organisational resilience without an overarching programme,” says Norman.

So, what do we call that person that triages? Chief Resilience Officer. 

“We have seen Chief Security Officers and Chief Information Security Officers, but we haven’t seen many Chief Resilience Officers with end -to- end accountability.” 

Norman finishes by saying that this person, “is the conductor of the orchestra” and deserves a seat at the table. 

This article was originally published in the March Edition of SJUK. To read your FREE digital edition, click here.