Slow and steady wins the race
For many years, security has been at the foundation of everything we do at Telenor. We strive to meet the same high standards everywhere we operate. With rapid uptake of new technology and increased digitalisation of society, a structured approach towards cybersecurity is necessary.
Working to improve security and to reduce risk is a monumental task that is never completed, and one that requires continuous adaptation to an ever-changing threat landscape.
In today’s world it is impossible to have a system that keeps any and all attackers out and at the same time provides an accessible service. While we are still focused on preventing attackers from accessing any of our systems, it has become equally important to be able to respond to and recover from an attack.
Security framework
Five years ago Telenor started developing what we call the Telenor Maturity Model, based on Information Security Forum’s Standard of Good Practice for Information Security. With some tweaks made to fit our organisation, this has given us a framework describing adequate security, something that would be applicable to all our business units throughout the global operation.
Once we had the framework, we needed to establish a common governance across Telenor Group to ensure it was implemented and put into operation. This led to the development of the Strategy Execution Programme. Driven by Group headquarters and including all of our core businesses, the Execution Programme now runs year over year with fixed activities every quarter to assess changes in risk, identify the biggest gaps, develop action plans and follow up on execution.
As mentioned, the only constant in working with security is, as with most things in life, change. There are changes to the environment we’re set to protect, changes in the threat landscape and changes in risk. It is always a cat-and-mouse game to stay secure, and we need to continuously evolve our Maturity Model, our Execution Programme and our architecture.
Industry best practices
We are always looking to keep the maturity model relevant to the current day, following industry best practices combined with changes in regulatory requirements and emerging threats. In 2020 it was upgraded to match the security controls found in the ISO 27001 standard. In 2021 we added controls around securing the telecom network, and the year after we added controls to specifically prevent service fraud. This year we’ve updated the model to reflect the latest version of the ISO standard and to integrate more closely with our in-house developed, risk-based and threat-driven Defendable Architecture Framework.
In the next version, updates will be implemented to ensure compliance with the NIS2 directive from the EU, as well as an uplift to crisis management plans and exercises. Geopolitical tension and fake news, hybrid warfare and artificial intelligence (AI) are on everybody’s lips these days, and sometimes it can seem overwhelming. It has, however, been proven that working in a structured way over time enables us to improve maturity and to reduce the number of incidents – despite the increase in security risk. We will continue that journey by keeping security at the foundation of everything we do.