Case Study
Reinventing T-Mobile's Security Function
T-Mobile needed to reinvent its security function, so it recruited a veteran team to shape a new asset protection division. The goal: Inject risk calculations into every business decision.
By Scott Berinato
A chart like that could make someone interviewing for the director of asset protection job flee in fear for the amount of heavy lifting that it implies is to come. Morgan may have known what he wanted, but as Chart 2 makes clear, he didn't actually have half of it--both the business continuity management (BCM) and information security groups needed to be created from scratch. And the other half, safety and asset protection, would have to be redeployed--asset protection coming from accounting and safety transferring from legal--and then suffer through convergence with information security. And speaking of information security, "other than putting it in a box [on the org chart], we didn't know how it would look or how it would take life at all," Porcaro says. In other words, the information security department wasn't even really an idea yet.
Morgan has compared his plan to changing all four tires on a car going 70 mph on a busy highway. But Porcaro didn't flee; despite the quixotic overtones of the job he was applying for, he says he relished the opportunity.
There was one other absurdity: The entire asset protection function itself was moved, from finance and accounting to Morgan's RM&A, where it would sit parallel to other security-related functions such as internal audit and fraud prevention. He was trying to create in RM&A the same gravity he wanted to create within asset protection--think of asset protection as a planet with moons and RM&A as a solar system with other planets and moons.
Today, a year after Porcaro bought into Morgan's four-bucket vision (Chart 2), T-Mobile's asset protection function, in context, looks like "Chart 3: Enlightenment."
This chart shows that the makeover is not nearly complete, but asset protection has made marked progress in a year. Bringing all these functions closer together on an organization chart also brings them closer together in the world, and Porcaro, Telders and Roberts report that the physical proximity is profoundly effective, especially in the design phase. "We're building processes that have to have the experts from each area in the same room talking," says Telders.
Convergence Visible
Notable, all three executives say, is how much they've converged physical and information security.
Roberts' security services group, which used to be the physical security function called asset protection, now includes responsibilities for both physical and IT security operations. The business continuity management function, created out of whole cloth, also bridges physical and IT security. (BCM is cleverly divided, with a "fire inspector" continuity planning role and a "firefighter" crisis management role.) "The efficiencies you find are amazing," Porcaro says, noting that even in areas he didn't expect convergence to play a role, it has. For example, T-Mobile is building a 24/7 communications center for coordinating emergencies. Having IT and physical security together in the planning and designing phase has helped them see how the two will work together in the center. "Look," Porcaro says, "in a crisis--a network outage, a kidnapping--it doesn't matter, you have to pull on both physical and IT security strings."





