2024

Kämppi, Jarno; Saharinen, Karo

Over time, the landscape of Cyberspace surrounding Internet Service Providers (ISPs) has undergone enduring transformations. Notably, mobile networks, integral to contemporary societal infrastructure, consistently encounter evolving cybersecurity threats and risks. ISP processes have adapted with a persistent focus on optimizing network performance and availability, yet the challenges emerge from a laborious and protracted network change management process, hindering the practical automation of network security. Addressing the rightful demand for the highest level of security from mobile network users, our research question probes: "How can we intensify the emphasis on network security and facilitate the automation of network security operations?" To delve into this, we conducted extensive interviews with ISPs globally, affirming the inherent difficulty in automating security operations. The findings categorize challenges into three domains: Security Culture, Operational Processes, and Tools. Cultivating a security culture demands a pivotal commitment to change from top management, coupled with dedicated time and resources. Essential to this is the enhancement of security competence, extending beyond specialists to encompass network engineering staff. Robust network security not only safeguards against threats but significantly influences various business processes. Initiating a secure network requires ISPs to articulate explicit security requirements during the network procurement process, exerting pressure on vendors to fortify systems with a security-by-design approach at the factory. Critical to this is the secure deployment of networks, integrating comprehensive network hardening during the build phase. However, findings indicate a prevalent oversight where network security configuration changes are often neglected or deprioritized in favor of network performance. Achieving a harmonious balance between security and performance necessitates a predefined agreement on a network security configuration baseline. This collaborative effort involves network security specialists and competent network engineers. To effectively monitor and enforce network security configuration, ISPs require automation-enabled tools with the predefined baseline, offering capabilities for monitoring and enforcing network assets. In conclusion, our research emphasizes the imperative need for a paradigm shift in organizational culture, operational processes, and tool utilization to enhance the focus on network security and enable the critical automation of network security operations within the ever-evolving landscape of Cyberspace.