Ray Stanton is the global head of business continuity, security and governance at BT. He also happens to be one of my favourite contacts in the information security industry. Why? Because he’s honest, he’s good at what he does, his relentless dedication to his job is very admirable, and above all, he’s amicable and likes to talk – which is perhaps unsurprising since he works for one of the largest telecommunications services companies in the world.
Taking all of the aforementioned into account, I was surprised when Stanton told me that those who haven’t worked with him or met him personally sometimes perceive him to be “pretty tight, and pretty tough”. This, he says, is a misunderstanding – “People who work with me know exactly where they stand with me, and they know I support them 110%. I’ve got two ears and one mouth, and I use them in that order”, he says of his management style.
The beginning
Like many information security professionals who I talk to, Stanton’s entrance into the information security industry was almost something of an accident.
Leaving school to join the Forces, Stanton trained in mechanical engineering, electronic communications and as a PT (physical training) instructor. “I spent just under nine years in the Forces before leaving to go to British Aerospace. While doing project engineering there, they said ‘Look, you understand this security stuff, do you want to be our security rep?’ and I said ‘Yeah, go on’”.
From there, Stanton adopted an information security manager’s role. “That evolved into head of information security, and a wider remit with the Airbus group. I was then approached and went to Unisys to use my end-user knowledge and experience for the provider side”.
After the Forces, Stanton studied for a degree in business studies at UWE. “I’m not good at conventional, classroom learning. Since getting my degree, I’ve continuously worked to keep up my security education, through personal research and networking”.
Although the opportunities weren’t really available at the right point in his career, Stanton holds industry qualifications – like those from (ISC)² and IISP – in “great regard”. They are, he insists, becoming “more mature, more recognised, and I urge everyone starting their career to embrace these qualifications or even get an MSc at Royal Holloway or something like that”.
“There is a lot of value in people doing these courses and exams, and we [at BT] sponsor people for doing them. I also urge people to look at business foundation courses as well. If there is any executive or senior manager in this industry that says they don’t care about this business, then there is something fundamentally wrong. It is essential to learn to articulate business language and understand strategic management and how to drive strategy”.
It’s good to talk
This is the first, but not the last, time in the interview that Stanton emphasises the importance of security people talking the business’ language, or indeed, the importance of simply talking. In fact, Stanton proves himself to be eating his own dog food, so to speak, by his implementation of BT’s slogan ‘It’s good to talk’ in his own career.
“I keep reminding people that it’s good to talk. A lot of people would prefer to send 100 emails instead of picking up a phone and making a quick call. Security people tend to be people who don’t like to talk”, he says. “If you rely on only email or instant messenger communication, inevitably sometimes tension will be turned into conflict. Security people tend to bury their heads and go underground”.
It’s lucky that Stanton likes to talk, because he spends most of an average day on the phone to Asia, America, and in management meetings. “An average day starts with calls to my Asia-Pacific team, and ends with speaking to – and dealing with stuff from – the US and the back end of the world”.
In between, Stanton reserves time for reviewing any BT security incidents, “if there’s something major that requires intervention, I will have been contacted in the night, but those are few and far between”.
“I structure the rest of my day between my commercial discussions on contracts – normally every day I’ve got a meeting with a customer – and my commercial business. Most days, I also have a management call that is either with my direct reports, my senior leadership team, or my line management.”
For Stanton, his working day rarely ends at 5pm. “I then head off to events, or dinners, or whatever I’m doing. My day is normally scheduled from 7am to 7pm, if I’m not going to an event.”
Within that 12-hour day, Stanton builds a two-hour slot into his diary. “If something urgent comes up, then that can take one of those hours. If nothing comes up, well, guess what, I’ve got two hours. This time allows me to stay on top of things – when I go in to see my CEO, my board, they want to know that when Ray Stanton walks in there, he knows what he’s talking about.”
Such intense working hours beg the question, ‘When do you find time for yourself?’. “My general rule is that from 5pm on a Friday I switch off until about 7pm on a Sunday – unless there’s something really important that I’m prepping for or if I’m travelling”, he adds. Although Stanton can’t quite bring himself to turn off his BlackBerry during this time, he is “pretty good at ignoring it”.
“It is difficult because [even over the weekend] there is always an incident happening. That’s where we, as seniors, have to say ‘that’s what our teams are paid for’. If there is a problem that needs escalating, or a major risk, they’ll communicate it to us. We are the filter that makes sure the right things are going up, and the right things are coming down”.
The recession has at least done Stanton one favour – his travelling has been cut from 50% of his time down to a third. When you travel on this scale, Stanton advises that the key is in making the most of your time. “I use my travel time to stay on top of what is happening in the industry”, he explains.
BT
Stanton has been at BT for six years. From his role at Airbus, he was approached by BT “to bring together the BT security commercial story. Arguably, over time, that’s exactly what I’ve done”.
Stanton’s current position at BT is split into two roles. “One is the executive head of BT’s security capabilities, and the other is head of client and customer services for BT security. These roles comprise the commercial, go-to-market, ownership of customer services, ranging from consumer through to enterprise customers to wholesale – in the areas of business continuity, security and governance. Also, our internal use of security in BT.”
Within these roles, Stanton is responsible for the four chief security officers, supporting BT in its own security and compliance needs. “We deliver all of BT’s [security] requirements through those CSOs”.
Despite the two very different aspects of his job, Stanton insists there are similarities and common skill sets. “We treat BT as a customer, so understanding stakeholder management, understanding its needs, defining what those are. The skill sets that you need specifically are around understanding risk, understanding security, but business skills as well. I need to articulate risk into a business language, and into a business need”.
Last year, BT introduced the commercial team into the BT security organisation, further establishing the strong relationship between the two. “We centralised 813 people into one [security] organisation last year, including people who are doing external-facing customer work and BT’s own internal use. It is a unique structure and brings both challenges and fruits to bear”, says Stanton.
The main challenge, he explains, is that it becomes an object of scrutiny. “Suddenly you come together as a big target. If you don’t demonstrate the value-add, you become a target for cost-cutting exercises, and you take your pain along with everyone else.” On the positive side, “you can optimise your resources and your focus”.
Conducting a very big orchestra
When describing how his “fairly small” team of CSOs pull on the resources of other people to deliver, Stanton uses an interesting analogy. “If you think of it like an onion ring, you sit at the centre, you define the requirements, and then, as you peel back, you get the resources to deliver against it, but from the centre, you’re directing it – a bit like the conductor of an orchestra.”
Stanton’s team don’t do man guarding for example, but have contractors that do this and are responsible for delivering it. “The CSOs are all very experienced security professionals with their own expertise. Some are experts in risk, some in information security. They need to be experts in a number of [security skills], but not all of them, because they draw on the rest of the people to deliver it.”
Interestingly, Stanton says that if he was looking to hire a new CSO, he’d look for “an understanding of the industry and at how they’ve applied themselves in the industry. Yes, qualifications are important, but they’d have to be turned into a factual articulation of how they’ve been used.”
That leaves Stanton as the conductor. “The requirement of me is to make sure I ask the right questions. Those questions need to be challenging, and based on good experience and knowledge.”
Stanton himself reports to Mark Hughes, who was appointed to one of BT’s operating boards. “That’s great because I think it’s the first time there has been somebody at board level for security”.
The crown jewels
BT’s biggest security concern, reveals Stanton, is quite simply “securing data whilst maintaining service”. Meeting regulatory compliance is also a challenge in its own right – especially the various standards that exist around the world in all the countries where BT operates.
I remind Stanton of the discussion we had four years ago, when he’d explained to me that he was working hard to make people associate BT with information security. Since then, BT have committed to the information security journalist awards (of which Infosecurity writers picked up three this year) and have increased their exposure in the market. Stanton, too, is one of the organisers of the White Hat Ball, further solidifying BT’s place in the industry. But has it all paid off?
“We were rated number one by Data Monitor – that was a review of 1100 customers, which is the key thing for me. It was the customers saying, ‘BT’s good at this’. The analysts now recognise we’re in this place. We come under attack from the competition – that tells me that we’re being taken seriously”.
Stanton attributes this successful ‘stamp’ on the information security space to the acquisition of Bruce Schneier’s Counterpane. “It drove a lot of awareness because everybody said ‘Wow – BT really is here to play in the security space’. I feel very proud of where we are today.”
It’s not just the industry that is starting to take BT seriously though – it’s BT itself. “Despite the fact that we’re not a security company”, BT recently presented security to its investors, on their investor day. “To have security as one of the core areas presented to investors is unique – I don’t know of many organisations that are not infosec organisations having security presence like that.”
Successful acquisition
It’s the successful acquisition of Counterpane that Stanton considers his greatest achievement. Why? Because it challenged his ability to communicate and influence the most senior people in a company, and challenged his perseverance and tenacity.
“I was the sponsor for the acquisition, I found it”, Stanton says, explaining the pressure he was under. “It challenged me on my knowledge base, it pushed my boundaries, educated me. It taught me about mergers and acquisitions.” But it doesn’t end when the contract is signed. “The challenge of integration then begins”.
On the topic of his regrets, Stanton is less convinced. “I have a few, as they say”, he laughs. However, with the exception of finally naming “losing contact with great people” as a regret, Stanton is unable to commit. “That’s not arrogance”, he insists, but I don’t need convincing.
Discussing his as yet unfulfilled ambitions is something that he finds easier. “To complete BT Security as a mature security organisation”, is one of them, he says. “On a personal basis, it’s really difficult, where do I go next?”. He contemplates a career change but is reluctant to commit. “Holding both the commercial role, running a security business that is into the hundreds of millions, and running CSOs as I do, well where do I go next? It’s a question that stumps me right now”.
At the moment, he contends, “I’m happy with what I’m doing. It fulfils me, challenges me. Maybe one day I’ll go on to run a small company or something like that, but I’m really not sure”.
I suggest that perhaps he could move into a role where he has to work fewer hours. “Maybe”, he shrugs, “but I’d probably complain and get bored!”.