Ray Le Maistre, TelecomTV (00:13):
So we're at Adastral Park; it's BT's center of its R and D operations, and I'm here to talk to Harmeen Mehta. She's Chief Digital and Innovation Officer, BT. Harmeen, thanks so much for taking the time to talk to us today. Good to see you again.
Harmeen Mehta, BT Group (00:28):
Well, good to see you as well, Ray. Absolute pleasure.
Ray Le Maistre, TelecomTV (00:32):
We're going to talk a lot about security, various angles of security today, and want to start by asking should there be a single point of responsibility for security, or should telco software teams share the responsibility around security applications and processes?
Harmeen Mehta, BT Group (00:50):
I think the reality of today is that it has to be fully democratized. I think security is everybody's responsibility in the company, even beyond the software engineers. Security has to be embedded into our design and into our architecture way before, and then obviously embedded into our code as well. It has to be along every step of the way. Two reasons for that very quickly. One of them is that that's how the more digital the world gets, the more reliance we have on, whether it's our apps or websites or channels or any of the applications that we use for doing just our everyday work, the more important embedding that posture is because it's more systems talking to systems than just human talking to systems as well. So that security steel thread needs to flow through in every single transaction, every single service path across the board.
(01:56):
And the second is that the threat actors are also getting smarter. So you don't know, it's not about just conventional DDoS attacks, all that you need to secure organizations against it is against every single micro vulnerability that could inadvertently be created. So I think this is a massive education exercise, and we've been doing it for quite a few years. And I think a large part of our posture security posture depends on the mass actually understanding the need for this and baking that in every single thing that they do and actually starting to think about security from the architecture start.
Ray Le Maistre, TelecomTV (02:42):
Right. Yeah, and we'll get to that in a second because we're also going to talk about the processes you have at BT Digital and how you work. So I want to ask, how mature is the implementation of DevOps at BT? Would you describe BT as a cloud native telco?
Harmeen Mehta, BT Group (03:04):
We are getting to be a cloud native telco. We are on our journey, not fully there yet, but our new platforms are all in the cloud, so that's where we are definitely headed towards. And at the same time, a large part of the thinking is that we want to stick to really solving a lot of big problems, but in very simple manners, driving simplicity in our platform thinking as well. And I think as we do that, that's where the need, it's almost a necessity for us to be cloud native because you're using so many SaaS applications and then some of yours and the interview between that, you couldn't be traversing the internet all the time. So just being far more cloud native actually gives you a lot more gain.
Ray Le Maistre, TelecomTV (03:59):
You mentioned there about how everybody needs to think about security and all the different steps they're taking. How is security being introduced into the DevOps role, especially with the creation of DevSecOps? And what kind of impact does this have on you and your team?
Harmeen Mehta, BT Group (04:17):
So one of the things we've done over the last couple of years is developed and enhanced a large part of our DevOps function and actually bringing a lot of AIOps into our own operations as well. And as we've done that, there is a lot of focus also on zero ops and really seeing that how much we can embed in code itself, including not only the sunny day scenario, but every rainy day scenario and the remediation of that. Because remember, even in a different world, if that was not there, ultimately the humans would take the action, but they would take the action on a system. So now it's just taking it a step further and getting the system to auto detect that this action needs to be taken and where possible actually preventatively rather than just reactively. And as we do that and we get more and more mature in that, the natural extension is into DevSecOps because you have to build, imagine if you build security into that process and layer as well. That's what is the real defense. And actually automating that, because one thing we've realized, and we've seen this from some of the more public attacks that we've heard about in the last several months, is that sometimes it is just about a time to react if the attack is also very powerful. The difference between doing it in milliseconds or doing it in hours is catastrophic. So if the more you want to get to an instant or a near instant response, the more you got to codify this.
Ray Le Maistre, TelecomTV (06:00):
Okay. And of course you've got these processes and workflows now, but where should security be placed within that software development cycle? A lot of DevOps tends to place it at the end of the process, but is there a case for much earlier integration?
Harmeen Mehta, BT Group (06:19):
Yeah, we actually, within digital, our security function is the additional responsibility that our chief architect takes because we want it to be, when you are thinking about what do we do, we are solving a problem, we're thinking about the right architecture, how to solve that problem for our customers or for our businesses. And as we are thinking about that upfront at that time is when we need to think through and say, okay, now how are we going to keep this secure as well? Not at the end right at the beginning.
Ray Le Maistre, TelecomTV (06:54):
Okay. Well, that makes a lot of sense. And there's so much development going on around now, security and the threats getting bigger, a lot of people will be happy to hear, I'm sure, that these are the kind of processes that BT has taken. So Harmeen, thanks very much for joining us today. Pleasure to talk to you.
Harmeen Mehta, BT Group (07:13):
Thank you very much Ray.
Please note that video transcripts are provided for reference only – content may vary from the published video or contain inaccuracies.
Harmeen Mehta, Chief Digital & Innovation Officer, BT Group
Three years into her tenure as BT’s chief digital and innovation officer, Harmeen Mehta talks to TelecomTV about the role of software development teams in security strategies, the UK telco’s DevOps journey and its approach to DevSecOps.
Recorded September 2024