Case Study
Reinventing T-Mobile's Security Function
T-Mobile needed to reinvent its security function, so it recruited a veteran team to shape a new asset protection division. The goal: Inject risk calculations into every business decision.
By Scott Berinato
It's the particle physics of such rapid growth, the way all these companies collide and merge, fracture and fuse, that explains how T-Mobile's security arrived at a point where bad things could (and did) happen and where the need for an overhaul became starkly obvious. Companies simply can't apply security policies or technology cohesively across so many companies coming together so quickly when all of those companies come with their own policies and infrastructure.
"The company got so large so quickly," Porcaro says. "Internal and external audits suggested security needed improvement. And not just information security but physical security as well." Internal politics compounded the problem, says security services manager Roberts. He says that before the overhaul (and before he arrived), the asset protection team had an "old-school mentality," and "built barriers." Roberts suggested that the security director took a "my way or no way" attitude to the organization and clashed with the head of the investigations group. It got so bad that the personality clash was codified into the organization, and the two groups were separated and made to report to different bosses.
Mike Morgan was an outside consultant working with T-Mobile at the time. He had designs on how to revamp security at T-Mobile. When the head of T-Mobile's internal audit group left, Morgan stepped into the role, pulled asset protection under his purview and hired Porcaro, with his 30-plus years of experience, as director of asset protection.
Then, Porcaro says, Morgan "gave me the clay and has let me shape it ever since."
Reinvention
In late 2004, after the notorious hacks of T-Mobile and just before Porcaro arrived, the security function was peppered throughout the company.
Asset protection was strictly a physical security function and it reported to the accounting department, below the CFO. Asset protection included a director and a four-person staff. Investigations, which used to report to the same place, instead reported to legal because of the political clashes between asset protection and investigations. Safety, which covers everything from cell tower safety to ergonomics in call centers, also reported to legal. As for information security, it wasn't formally a function yet, just part of IT. It sounds egregious now, but at the time, during the company's hypergrowth spurt, it wasn't so unusual for information security to be just a few hires inside the IT department. You have to remember, Roberts says, "companies were growing so quickly then, people were just trying to get their IT to grow and work, never mind make it secure."