BT’s new boy is ready for action

If you have been watching the television recently, you might have seen some very expensive advertisements extolling the benefits of the networked economy. And who do they come from? Not IBM or HP, both of whom are also spending big money on TV ads, but good old BT.

This ambitious awareness campaign is designed to support new moves within the organisation to transform itself into a major world player in the provision of IT services. As one part of that transformation, BT has identified IT security as a key sector of the marketplace and created what it calls the One BT Security Practice.

To lead the initiative, the company headhunted Ray Stanton from Unisys and gave him the task of pulling the various strands of the business into a coherent security operation.

This is both a logical and a strange choice. It is logical because Stanton has already proved himself by building security businesses in both British Aerospace and Unisys. It is strange because, as those who know him will testify, he is an outspoken individual whose style does not fit easily into a large corporate structure.

He will need to display impressive diplomatic skills to do this job, however. His role is to tease out all the security-based work being carried out by BT around the world, and integrate it into a fully-fledged security practice.

"My challenge is to pull together all the disparate programmes we have got into one co-ordinated security practice and service line, across all our business units – wholesale, retail and global services," he says with no hint of fear in his voice.

The role covers all client-facing services, as well as providing security services to BT internally.

"This is very much a global business – putting in place an organisation that will allow us to develop each country and each region within a consistent framework, set of offerings and capabilities."

He has spent his first weeks in the job discovering where the security expertise lies within his company. "I have been both pleased and disappointed," he says. "They have a lot of experience – for example, they're already providing capabilities and offerings to numerous clients, ranging from banks such as Barclays, through to the NHS project, where we are supplying all the security around that.

"While they have those capabilities, they are not clearly focused and clearly joined together so that we get best leverage out of it. We have had organic growth in all the different business units. We have not had one co-ordinated programme with proper oversight, which is what I am providing.

"So we are taking all that activity and putting it all under one umbrella. That organisation will then be replicated at the country and regional level.

BT has long operated as a global business, of course, so part of Stanton's job is to create a consistent delivery of service across every region. His initial focus is on ten countries – the UK, France, Germany, Italy, Spain, the Netherlands, Belgium, the US, Malaysia and Australia.

"My job is to pull together all the resources into one core business, and to put a simple organisation in place so they all come together and understand what they are supposed to do – so they all have the same focus and the same strategy."

The global market is huge, but as Stanton points out, no one company has a dominant share at the moment. BT's own slice is worth around £200 million, and he naturally reckons he can grow that fairly quickly, at the same time turning BT into "the go-to security services provider".

He is convinced BT has all the right components to create this, but he does not underestimate the task of shifting them all around into a more coherent whole. Fortunately, he has board-level support for what he needs to do.

"The company has just launched its ICT campaign on a global basis, showing BT as part of the new digital networked economy. One of the key three things to establish BT in that space is security. That is recognised at board level and they have put the investment in. Hence my appointment."

He concedes that, at the moment, BT is considered a weak player in the systems integration business, and part of his role is to change that.

"That is the vision. Do we have the resources? Yes. Are we co-ordinating them? Yes. Have we got investment? Yes, which is pleasing. Is it going to be hard work? Yes. Is it going to take a while to get there?"

He continues: "The fact is, there are a lot of fiefdoms and good empires that have been built. So what we're doing is to show them that, as one corporate operation, we can be even better.

"We can make more of an impact on the market, and provide good knowledge transfer, good skills transfer and good career paths for people."

The point about career paths is one that is close to his heart. Stanton's commitment to the development of information security as a noble profession goes way beyond doing his job.

He has worked closely with organisations such as ISC2, ISACA and SANS to bring up standards of training and professionalism. He lectures regularly at Royal Holloway College on information security. He is on the board of the Information Security Forum. He runs an informal group of like-minded people who meet regularly to chew over information security problems. And he seems to socialise mainly with other security professionals.

"I love my industry and I want to be part of it for a long time," he says. "I love it because it is so diverse – ranging from business issues to investigations to the national critical infrastructure.

"No one day is the same. No part of business is not affected by information security. It is an area that matters. The challenge for most people is getting the rest of the business to accept and agree that it matters to them."

He concedes that BT has no career path for security people at the moment, with their functions so fragmented. But with the creation of the security practice, he says he will be able to mould his staff and provide them with the range of skills they need to do the job properly.

And this goes well beyond knowing about firewalls and viruses. In his view, all information security practitioners need a broader understanding of the business they are working in, and he is scathing about the general level of expertise in the industry.

"Show me ten people who can articulate what makes up a security business plan – from the profit and loss to how it fits into the whole business – and I'll be gobsmacked (particularly in the UK)."

As part of his plan to build well-rounded consultants with good career prospects, he plans to make sure they all have the right business training. This way, they will be able to communicate security to the main board (or the main board of customers) in terms they can understand.

He believes that much of the attention currently given to security is just lip-service forced on companies by new corporate governance rules, such as Sarbanes-Oxley and Basel II.

"A few people in the industry have got the mix right [between technology and business], people I respect a lot. Paul Dorey of BP, for instance, can talk about technology, but he can talk about business as well. BP can understand how security integrates into their business and their business strategy. Paul Wood of Union Bank of Switzerland is also someone who can relay that message effectively.

"But there are not many of them. It is incumbent upon us as the senior people in the industry – the old lags, if you like – to move us further up the value chain internally, and make sure the board recognises the value of security to the business. But my overriding concern is that many of us don't have that ability to talk business. We still revert to talking about technology.

"In BT, I hope that I'll educate people how to work with the business, and how to show that business protection is an enabler to business."

In the end, he says, security has to be seen as a positive influence on the bottom line. This might come from protecting a company's reputation or brand, or by enabling new forms of business, such as a secure supply chain or e-trading. In the public sector, as with the NHS, it underpins the efficient management of patient records.

This ability to communicate security matters clearly is a key skill, he says. Security staff have to be able to explain risks and benefits in business terms to the board. "We need to drive that message home," he says. "My concern is that we don't have enough people who can talk that language."

"One of the things I have done at BT is to make sure every person in the security practice will have education and training in business, policy, basic IT security, and business impact analysis."

He's obviously at the start of a major project, but it is one he relishes.

"I am enjoying the challenge and the high visibility. But with that high visibility comes the possibility for a spectacular fall. So I am acutely aware that there are a lot of eyes watching what's going on."

Ray Stanton will chair the SC Conference, taking place in London, October 20-21. For details, go to www.westcoast.com/conference