Case Study
Reinventing T-Mobile's Security Function
T-Mobile needed to reinvent its security function, so it recruited a veteran team to shape a new asset protection division. The goal: Inject risk calculations into every business decision.
By Scott Berinato
In this arrangement, security was literally all over the map, with pieces under legal, accounting, the CIO, and pieces missing. Such distributed security might work in mature organizations where security is an entrenched value, but it's hard to make it work at a rapidly growing company where security hasn't been fully developed, and where companies with different values are constantly being absorbed. Roberts says he had seen it before, when he worked at another telecom company where information security was in IT, business continuity reported to finance and "safety was out of the ballpark. The company lost cohesion and I wanted back into an environment with cohesion, because that's how you're effective, when you're near each other working hand in hand," he says.
More than anything though, when security is distributed, an organization lacks a real central focal point or leader.
Morgan's idea was to make asset protection the security function's much-needed focal point. It made sense to use asset protection because it was a more general security group compared with, say, investigations and audit, which have far more specific duties. Asset protection also already included the physical security function.
But focusing on asset protection meant elevating the function and bringing nonphysical security functions into the fold. Morgan's plan would reduce risk by unifying policies and procedures, and also create efficiencies by reducing redundant efforts in different divisions. For example, why not combine access control to buildings with access control to network assets? A project like that (T-Mobile is still working on this) can work only if the physical and IT security teams are working together under the same boss.
Unifying the security front also served as a preemptive response to increasing regulatory pressures. "The [Federal Communications Commission], payment card industry, privacy [regulations], both at the federal and state level, all of this is coming at us and we need to be able to deal with it in a cohesive manner," says Telders. Another way to say this is, if you're going to get audited, best to be audited once in one place. Having security spread all over also increases the likelihood that audits will turn up less-than-best practices, since it's harder to control security and apply policy when security is distributed.
With the focal point created, Morgan needed a leader. He recruited Porcaro. "The buckets were pretty well-defined when I interviewed," he says. "Mike had a pretty clear sense of what he saw under the asset protection umbrella." And what he saw is displayed in "Chart 2: Renaissance."