- Instrumental in achieving compliance under ISO 27001, ISO 20000, and bid for BS 10012
- Key role in Vodafone India achieving PCI DSS compliance; first telco in India to do so
- Strong focus on compliance and benchmarking to constantly improve thresholds
- Regular and rigorous mock drills with CERT-In to keep security on a war footing
Vodafone India’s CISO Burgess Cooper believes that his biggest challenge has been pioneering the interpretation of broad security standards and compliance requirements for the telecom industry in India in general, and for his organization in particular. Since joining Vodafone India in 2006, Cooper says he has reinvigorated the company’s approach to information security by overhauling its security processes and governance, and by bringing the framework up to a better-managed and optimized maturity level.
Cooper’s involvement brought in more stringent governance and compliance, incorporating international best practices and standards. He is the owner of Vodafone India’s security policy, which is a combination of the best of Vodafone’s global security practices, homegrown wisdom and compliance requirements. His foremost responsibility remains defining Vodafone’s infosec policies, and ensuring that the executive management signs off on these policies.
Cooper reports to the technology director at Vodafone. Management participation and support for information security initiatives at Vodafone are very strong, according to Cooper, and he attributes the many firsts achieved by the company in its industry segment, in terms of security initiatives, to this supportive culture.
Security under Cooper is largely managed in-house, with his team taking care of operations, internal and external compliance, projects, and security strategy and policy. He believes that his greatest accomplishment at Vodafone has been making people more aware of security. His team runs regular incentivized programs, such as quizzes, talks and classroom sessions, to train employees and raise security awareness.
Under Cooper, Vodafone has been certified for ISO 27001, ISO 20000 (ITIL) and PCI DSS. Vodafone’s BS 10012 compliance initiative is in progress, and Cooper hopes to wrap it up in the next 18 months. Back in August 2010, Vodafone became the first telco in India to achieve PCI DSS compliance. Security at Vodafone is benchmarked within the industry and across other verticals such as banking and IT/ITES as well.
Cooper’s approach is to start with careful interpretation and correct adaptation of each standard to the needs of the business. Next, gap analysis is carried out and any identified gaps are dealt with. Cooper follows this up by getting the team’s efforts audited by an external auditor, after which compliance thresholds are continuously improved.
One of Cooper’s recent success stories has been the implementation of a state-of-the-art SOC operating in conjunction with a SIEM solution, equipped with event correlation tools for monitoring internal and external events. In addition, Vodafone has a two-factor authentication solution in place for all VPN connectivity to the Vodafone network. Cooper’s team also manages dashboards for Vodafone’s wide range of security metrics.
Cooper’s team oversees tight integration of application security into the SDLC framework, based on OWASP standards. Cooper’s security controls are deployed across a multitude of heterogeneous platforms, covering over 6,000 technologically diverse and geographically dispersed elements. His team regularly conducts mock drills and war games under the auspices of CERT-In to maintain optimal levels of preparedness. Cooper says that his motto for security at Vodafone has always been, “The more you sweat in peace, the less you bleed in war.”
This was first published in February 2012