The dramatic uptick in data breaches these last few years, fueled by pandemic-era changes and the rise of remote work, have made consumers even more wary about sharing their data and relinquishing control over their personal information. Increasingly, consumers want to align with businesses that prioritize data privacy and protection and are transparent about how they handle cybersecurity. A PwC global survey found consumers don’t expect perfection when it comes to this effort: Rather, they are seeking clear signs of best practices that include proactively integrating privacy and security into products and services (39%), encrypting all consumer information and company databases (38%) and including security experts in the design of each product (36%). In other words, in today’s modern business era, it’s all about earning customers’ trust.
With that serving as a thematic backdrop, Thomas Tschersich, chief security officer of Deutsche Telekom (the parent company of T-Mobile) and chief technology officer of Telekom Security, recently discussed the new rules of data privacy with me as a guest on the CyberArk Trust Issues podcast. He also shared how the telecommunications giant is reimagining its cybersecurity organization and practices in an embrace of the trust mandate. Here are some excerpts from our discussion, with the entire interview available here:
Q: How are you thinking about approaching data privacy in your role? How is it similar or different from cybersecurity overall?
A: When you compare privacy and security, it’s generally the same, but the motivation is different. Privacy is motivated mainly by a legal perspective for protecting personal information. Cybersecurity is motivated from a risk perspective. The end results are the same; therefore, they fit together perfectly.
The reality is we’re working in a trust business. If we want customers to trust us, we must care about protecting their data. When you can demonstrate that data is in good hands and no one can access it, you establish trust, and the business will grow over time.
Q: What are the unique privacy challenges brought on from the work-from-everywhere era?
A: This is mainly a security challenge — it’s about how to protect data when working in an untrusted environment you can’t control. In the past, we built a fence around our infrastructure, and everything inside the fence was protected. All was good and trustworthy. Then came cloud and distributed services, which introduced a lot of services that need to be trusted but operate outside of the so-called fence. Working from home during the pandemic also meant working outside of that fence.
It’s no longer about building a fence around the infrastructure but about bringing security to identities and to the data itself. It’s now about a Zero Trust approach — don’t trust the underlying infrastructure but protect the data and identities with digital rights management and encryption.
Q: What are the top security considerations when it comes to cellular network infrastructure?
A: It’s not really a question about network infrastructure but more about the usage of such infrastructure … and, for example, how we treat mobile phones. When we talk about protecting mobile phones, it’s typically about a pin number or how to block access. We’re not treating them like computers — there’s no security software on many mobile phones. Yet these phones are idling around the entire day connected to the infrastructure, so they’re a perfect choice for attackers. This is the most underestimated threat, in my view.
Q: Tell us a bit about your company’s Cyber Defense and Security Operations center. What kind of work is going on there?
A: It’s mainly monitoring what happens and modeling threat vectors on a 24/7 basis. There are people working to identify the latest threats and trying to build use cases or detection scenarios. Given the increasing complexity of today’s infrastructure, we need to change to an “assume-breach paradigm” and have the mechanisms in place to detect threats early on. The Cyber Defense Center is the answer using detection, automation and machine learning capabilities.
Q: What is the most challenging aspect of the cybersecurity role?
A: The most challenging part of the role is that security has always been treated as a roadblock. My mission has been to counteract that misperception by changing the behavior of the security organization. We’re not the ones telling others what they can’t do. We’re working very hard on becoming the ones telling others how they can do more things in a secure manner. It’s about transforming the security organization, which was treated as a roadblock, into a helping hand for the business.
Security problems are often of our own making. Take the password, for example. The perfect password typically contains multiple characters, has a certain complexity and has to be changed twice a day. Technically, that constitutes a perfect password. But if you consider the entire process, the result is likely that a user will write the password on a sticky note and keep it on their screen — making it a very weak password because it’s written down. Alternatively, if you only require a six-character password and block the account after the second or third wrong login attempt, you have the same level of security without burdening the customer. You have to see people as customers, not users. That’s the difference in this approach to security, and it results in a different solution. It’s not the perfect technical solution but a more perfect end-to-end solution that matters in the end.
Q: When you hire for such a team, what do you look for?
A: You can spend hours in a job interview talking about technology and someone’s ability to code. For me, however, that doesn’t really matter. You can train people to code. You can train them in technology. What you can’t train them in is attitude. For me, that’s the most important thing. I look for people with the right attitude, with passion and with motivation. That is most valuable factor when choosing people for the team.
For more insights, tune in to the full episode, “Living and Breathing Telecom Trust w/ Thomas Tschersich, CSO of Deutsche Telekom and CTO of Telekom Security,” or listen wherever you get your podcasts.
Editor’s note: This interview has been condensed and edited for length and clarity.