Case Study

Reinventing T-Mobile's Security Function

T-Mobile needed to reinvent its security function, so it recruited a veteran team to shape a new asset protection division. The goal: Inject risk calculations into every business decision.

By Scott Berinato


The asset protection group—Porcaro's group—is the heart of the makeover. Asset protection will converge physical and information security and, at the same time, create two new groups, including an information security group and a full business continuity/disaster recovery group. In the past year alone, asset protection has grown from four employees to 18, with several of those new hires having CSO-level experience.

Meanwhile, as it's under construction, asset protection is also being moved to another division, risk management and assurance, to be closer to related functions like audit and investigations. In the end, T-Mobile hopes to have one department—risk management and assurance (RM&A)—through which all security functions flow.

Porcaro will know T-Mobile has succeeded when it has a fully realized asset protection group with coherent policies across the entire company, which can consistently show its bosses that security reduces risks and increases efficiencies. Porcaro puts the success of the massive effort "ideally" three years away. He says, "It's a stretch goal, if nothing else."

In other words, this is not a tack-a-CSO-onto-the-payroll kind of quick fix to T-Mobile's security needs. The approach "is nice to see," says Dave Kent, CSO of Genzyme, who himself put his company's security through a similar years-long overhaul. Kent says T-Mobile's approach goes beyond the typical public relations-style reaction to a highly publicized breach. "What T-Mobile's doing is a comprehensive, strategic approach. You always get acceleration of support [after] an incident, but they don't seem to be just banking on that. That they're going further and tying in all other ancillary functions into a truly converged operation is very impressive."

Indeed, the plan's ambitiousness and uncertainty are what make it worth observing—so that other executive security professionals can see what real fixes look like, and how hard a full team of CSO-level executives must work to implement them. Here's their story of the post-Paris T-Mobile asset protection division.

Before the Reinvention

Porcaro says that to understand T-Mobile's security overhaul, one must understand T-Mobile's itinerant history. In 1994, General Cellular and Pacific Northwest Cellular merged to form Western Wireless. Western Wireless launched VoiceStream Wireless in 1996, which gained about a million customers in five years. In 1999, VoiceStream spun off as its own company and entered what Porcaro calls the Pacman phase. It gobbled up four companies—Omnipoint, Aerial, Powertel and, later, MobileStar—and also agreed to be acquired by Deutsche Telekom. DT made VoiceStream its mobile phone subsidiary and renamed it T-Mobile. By 2001, T-Mobile had 7 million customers. From there, growth continued through partnerships with companies like AOL, Borders bookstores, Kinko's and Starbucks, and through new services for its phones like messaging, Wi-Fi, Web access and all of the other applications that have made mobile phones a growth business. Today, T-Mobile counts almost 22 million customers.
