Reinventing T-Mobile's Security Function

T-Mobile needed to reinvent its security function, so it recruited a veteran team to shape a new asset protection division. The goal: Inject risk calculations into every business decision.


Roberts' security services group, which used to be the physical security function called asset protection, now includes responsibilities for both physical and IT security operations. The business continuity management function, created out of whole cloth, also bridges physical and IT security. (BCM is cleverly divided, with a "fire inspector" continuity planning role and a "firefighter" crisis management role.) "The efficiencies you find are amazing," Porcaro says, noting that even in areas he didn't expect convergence to play a role, it has. For example, T-Mobile is building a 24/7 communications center for coordinating emergencies. Having IT and physical security together in the planning and designing phase has helped them see how the two will work together in the center. "Look," Porcaro says, "in a crisis (a network outage, a kidnapping), it doesn't matter, you have to pull on both physical and IT security strings."

The efficiencies Porcaro and company can create extend beyond the obvious. "Even the RFP process is affected," Roberts says. "The RFP for a single badge access solution is changed based on the fact we've converged and that single badge should now access doors and IT log-ons."

Convergence also helps executives decide when things should not go together, says Jennie Clinton, senior manager of business continuity management. "For example, I once was at a place where they put safety and security operations under business continuity management. But those skill sets are totally different than BCM," Clinton says. "Unless your organization is very mature, it's not going to work, even though the bosses were saying that it was great synergy, that it looked great on paper. There are areas where the function needs to be not converged, and with all of us in the same group, you'll hear firsthand when someone thinks convergence or overlap is a bad idea."

"In security, you're a bit of a one-off, a third wheel. At previous jobs, I reported to facilities, or legal. You're there, but you're peripheral. Here at T-Mobile we're clearly part of the bigger business model. I think we're onto a good thing."

Frank Porcaro, director of asset protection

And Telders's information security function, focused on policy and compliance, also demonstrates convergence benefits. Porcaro notes that the group's separation from the CIO and IT was important so that it could set information security policy as an IT outsider. "The goal here is to achieve an objective separation of 'church and state,'" he says.

The progress hasn't been lost on those closest to the asset protection function's development. "Those who've been around get it. Within our team, everyone has bought into the convergence.

"But," Porcaro says, "our challenge is enlightening the rest of the organization."

Underscoring much of the team's conversation, in fact, was a marked wariness. It was a successful first year, yes, but the three refuse to project that success into the future.

"We just had an offsite meeting and I threw something up on the board," says Porcaro. "We can be where we want to be with the asset protection program they've wanted in three years. Trying to get into flying formation is a challenge but it's a stretch goal if nothing else."

"It's doable, but I don't want to blow smoke up anybody's skirt," Telders adds. "It isn't easy."

So far, all three men confirm that the board and top executives have shown good support. At the same time, Porcaro needs that support for at least another three years. That's asking for a lot of patience (and a long investment) from the board and executives. "We have to demonstrate added value; it's a big challenge for us."

That challenge is compounded by the fact that the overarching plan is often interrupted by in-the-moment security issues. They don't stop popping up. The speeding car getting its tires changed must negotiate potholes too. In a perfect world, Porcaro says he'd lock the team in a room for three years and come out when they are done with the project. Instead, the company continues to grow, and major unforeseen events develop. With business continuity and disaster recovery still in development, Katrina hit. Even as T-Mobile's BlackBerry e-mail service grew, a patent infringement lawsuit threatened the very existence of Research In Motion's BlackBerry service. (The suit was recently settled.) "So my only caveat is three years is ideal," Porcaro says. "We'll have to come back and revisit it."

A Subjugation of Egos

A remarkable fact of T-Mobile's new asset protection group is that Morgan and Porcaro were able to recruit so many CSO-level executives who were willing to report to Porcaro, a director, who reports to a vice president, who finally reports to the CFO. New hires Telders and Roberts (70-plus years' combined experience) are used to playing at the highest level of major companies. Why would they come into a place where the CFO was several steps up?

All three men say it was the entrepreneurial opportunity, the chance to build a security function from the beginning, that convinced them to join, regardless of titles or altitude on the org chart. "Sure I'd love to be high up there, but liking the job is far more important than liking the title," says Roberts. (He also says, quoting a former Secret Service colleague, "I don't care what you call me, just pay me right.") "When I came out here to interview, I wasn't impressed with the cost of real estate or living, and frankly I was thinking, it's just an interview. But when Frank showed me what they were doing, it totally changed my mind. I thought, 'We could do something great here.'"

"What attracted me personally," adds Telders, "was that what Frank described was the CSO organizational model, even if we don't use that specific title. We all share the belief that this is the right model for corporate America."

"As I interviewed I was being recruited by another company," Porcaro says. "Two things made a difference for me: One, the company seemed prepared to put their money where their mouth is. And two, I got very excited to be part of a bigger risk management organization.

"In security, you're a bit of a one-off, a third wheel," he says. "At previous jobs I reported to facilities, or legal. You're there, but you're peripheral. Here we're clearly part of the bigger business model. I think we're onto a good thing."

Copyright © 2006 IDG Communications, Inc.
