Monique Morrow on Humanizing the Internet Through Trust and Transparency

Jeff Kavanaugh: Welcome to this episode of the Knowledge Institute, where we talk with experts on business trends, deconstruct main ideas, and share their insights. Today I'm very happy to be joined by Monique Morrow, President at the VETRI Foundation. We are talking today on humanizing the internet through trust and transparency. Welcome, Monique.

Monique Morrow: It's a pleasure to be here.

Jeff Kavanaugh: Before we get started, we'd love to know more about your background. Can you help our listeners understand your story?

Monique Morrow: Sure. I have a technology background, started in semiconductor industry. Everything was about the network. Went into work for Swisscom in that space and I'm just going to fast forward into Cisco into that space for 16, 17 beautiful years, including years hybrided abroad. So I can't express and amplify more and further what the value of the network is. And with that we can go into other areas that bring value.

Jeff Kavanaugh: You mentioned being at Cisco several years. If you could even go back a little farther though. What first got you interested in the network and into telecom?

Monique Morrow: So that would probably be around the mid-'80s which I'm dating myself. When we were talking about punch cards and everything else, there was a little company called Cisco that had just received venture capital from Sequoia. Working for a semiconductor company, we were expanding our manufacturing sites through other locations, not only including in the United States, but also abroad. And the network was proving to be much, much more pivotal. So it was during that time where I found that multiprotocol routing was going to be very, very key.

Jeff Kavanaugh: Were you in Europe at the time?

Monique Morrow: No, I was in Sunnyvale, California.

Jeff Kavanaugh: So you have a unique perspective because you've seen the development of the network both in US, Europe, where I believe you reside today, as well as time in Asia.

Monique Morrow: That's correct.

Jeff Kavanaugh: Could you maybe contrast the differences between the three regions and how they've embraced or followed the trajectory of the network?

Monique Morrow: Well that's really an interesting question. Yeah. I mean, being in the middle of Silicon Valley, so all was sort of the epicenter at that particular time so there was a tremendous growth in the value of the network. Bear in mind, I'm talking about the mid-'80s and I saw that change that was occurring but occurring also in architecture, so mainframes to client server architecture to multiprotocol routing. We saw that in Silicon Valley.

Monique Morrow: When I moved to Europe, when I moved specifically to Switzerland to work for a company whose customer was the Swiss PTT at the time, you're talking 1990, and there, there was more of a look at what is happening in the United States, the sort of like trying to adopt a bit of what the United States had been doing. But again, it was really kind of changing that mindset to again bring in the value of the network itself. Now you had to be neutral, because at this time I wasn't working for Cisco or any of these other networking companies, but I saw value in what they were doing. So you had to sort of bring in forth the opportunity and particularly Cisco was one that I actually amplified during that period of time.

Monique Morrow: If we fast forward to Asia, wow, you're talking scale. I mean scale to whatever it is that we had to do. We had to ... The thing throughout this evolution was to bring about a service provider mindset within a company, not an enterprise mindset, but a service provider, because the network always has to be up. If it fails, you make front page news, and this is something that I always had to express, too, within the company. When I went to Asia, I was representing Cisco. I was working for Cisco in the region and there you're talking about massive scale, millions and millions of subscribers, especially just take a customer like various service provider customers in China or various service provider customers in India. That scale is massive, and so certainly you couldn't have an enterprise-centric architecture.

Monique Morrow: So the network had to be scalable, it had to be secure, and the other notion is that you really had to make sure, toward the end, you had to look at what would be open source. And that is sort of a, I would say, controversial issue, because when I was at Cisco, we made a lot of money off of complexity and now people were asking for simplicity and how do you hide that simplicity, which is a art, yet allow for scale, yet allow for security, and then of course we saw movements toward open source and that was something that was very, very interesting from a perspective of a customer, a company that was really much in the space of routing and switching.

Jeff Kavanaugh: And of course we had some commonality there during the Cisco years. We were talking about that a few minutes ago. Can you maybe comment, so I was there, at least familiar with the transition from very hardware-centric to software and maybe how you handled that or some of the interesting challenges that brought out.

Monique Morrow: Yeah, sure. And that's an important issue. I mean, at the time, everything was pulling as much as you can value through your hardware. And then of course as I moved across the company I was their first CTO in services, and services at the time, 20,000 person company, it's an institution, it's a company in its own right. You had to look at now what were solutions going to look like. There was also an internal discussion about how we were going to deal with software, how we were going to deal with bringing value through software, and what were solutions going to be. But there still was, in the background, yes but everything has to pull in ... You want to pull some value in through some of that hardware. As you start to promote more software and services tandentially, you were still going to pull that hardware, and I think that's the polarity that the companies like, these wonderful networking companies have been going through, is how do they manage that.

Monique Morrow: In fact, we still have to, if you look at the internet and you look at which companies are operating on the internet and with what routers, you have to care about the hardware at the end of the day. So let's not poo-poo that in a way that it's just going to be about software. But it is the balance. And I think where we started to face problems was when people were looking at open flow. Do you remember out of Stanford and people were looking at what does commoditization look like and when do you actually cannibalize internally to grow your young? All of these painful discussions that we were having as a company and as an organization, because people were very used to a certain way of operating and developing. And then came in the questions about what does agile look like and agile organizations and how fast is fast?

Monique Morrow: What you found, you had other entrants into this market. What was a service provider? Is Facebook a service provider? Is Google a for service provider? And the answer is yes, they are. So we were now having these really heartburn moments about defining our own identity, especially if I talk about my time Cisco. And the customers, the thing of it is is customers, they wanted bug free, fairly much bug-free software and hardware, which you're not going to have 100% bug free. But the thing of it is is that you had customers who would say, "We're guilty, too, because we're pushing you on timelines and time to market." When you're looking at releasing very quickly, what is the balance that you have? The worst thing is that, as I said before, making front page news because of a terrible bug that may have impacted the safety of an organization.

Jeff Kavanaugh: You'd mentioned that you got your start in Sunnyvale in the Bay Area. Let's be specific, Silicon Valley, and as a woman in the '90s growing up through tech, that had to have its challenges in that bro culture. Any interesting stories that you can share or maybe not want to but you could share?

Monique Morrow: Of course. I mean, look, I was in the most conservative market, semiconductor. I will say this, my best coaches have always been men. So I'm going to say that. And primarily because there were no women at the time. So let's just say that all up front. However, what I found is the thinking about gravitating toward problem solutions, trying to resolve problems because technology has no agency. So if you're actually in one room and you're trying to solve for a problem, it becomes very interesting in terms of the discussion and approaches. So yes, many time I was the woman in the room.

Monique Morrow: However, it got more interesting when I was in Europe, in Switzerland, because now I have to give you the background. Switzerland had voted for women to have the right to vote in 1971 and the last canton that held out was around 1994. I entered Switzerland in 1990 and I'm sort of like this unindentifiable object. You're not only foreign, but we can tolerate you a little bit. I mean, I got away with some of the things in terms of being able to be provocative. Many times, many times we would be in a room like this where I'm the only woman and it would be, "Who's going to write the protocol or the minutes," and they would look at me, or, "Who's going to get the coffee." And I said, "Well guys, let's just agree to one thing. Whoever sets up the meeting, or we can round robin. That's one thing. And the other thing, we can all get our own cups of coffee." I mean, but because that was what they were used to.

Monique Morrow: It was more of a, just take a step back, and these are the sort of the cultural nuances. I think that I do believe the times are changing and have been changing. I believe it's harder for women entrepreneurs and startups. I think they are judged in a different way, perhaps a little more harsher than our male counterparts. And I think if you have, it's been told, I've had one colleague who said she would send her CTO to do the pitch, because they looked at him as in a different way. So I think we need to change that a little bit. And as I said before, being a technologist is also about curiosity. But the fact that we're talking about this issue in the 21st century leaves me with deep concern, because one person actually told me it will take a generation for that to all change. And I'm thinking, I don't think so. I think it's got to go faster. And in some countries they are. In some countries it's a no-brainer, it's just that in some other countries that people are struggling with this particular issue.

Jeff Kavanaugh: Well I wanted to ask because you again, have the unique perspective of being a leader, an executive on multiple continents. So you're able to compare and contrast. Getting a little more specific on the issue of trust and transparency against this backdrop of the network and its evolution, how have you seen, just call it the conventional wisdom or thought about trust, evolve over the last decade or two?

Monique Morrow: By the breaches that I see everyday, millions and millions and millions of ... Especially if we're talking about internet of things, so if we're talking about anything, if I say Capital One, the breaches are happening and so this is about how do we actually ingrain the component of trust within organizations such that ... It takes years and years to build and it takes a minute to just destroy. And so your brands get destroyed. And so this gets into this polarity between cybersecurity and privacy. I think that trust is extremely important in this day and age. Even myself, I will tell you that I am a VIP customer in a carrier in Switzerland and my data was handed over accidentally to a third party, one of the 1,500 partners that the carrier works with. It wasn't enough that the CEO's data was also compromised, but it was my data. It was sent over and you get an SMS and it says, "Well sorry you were affected but it's okay." Well it's not okay. There's arrogance in that kind of an exchange. This is the example.

Monique Morrow: You want to look at everything that is centralized is my thesis. Everything that's hyper-centralized is going to be apt to be hacked or to be broken. Why? Because of the value of the data that you see there. Some people are looking at modalities of decentralization in several types of forms of, especially if we look at identity, and self sovereign identity becomes very interesting.

Jeff Kavanaugh: A lot there. You mentioned polarity. It's an interesting juxtaposition of something you normally see in science, so I'll throw another word at you, this idea of being asymmetric, because you said it takes years, decades, to build your brand. It can be destroyed instantly. So how do companies deal with that asymmetric nature of the cost, the reward, and just having to defend against it?

Monique Morrow: Well I think ... Some of the companies, what's happening is now is creating, from my perspective, is creating a mindset of trust in itself, which is associated with some form of security. I spoke with the chairman of a board of a grid company, electrical grid company, and at the board level they spent a half a day just on cybersecurity. They want to know what are the possible attack vectors. They want to create this mindset of security within the company. It's not just a CSO, it's everybody has to have that or be be cognizant of it, where are we, what kinds of penetration testing are being done or attack vectors. Those the examples and I think we should be concentrating, especially if we're talking about things.

Monique Morrow: And so trust as a mindset, I think what is happening now is that people are once your trust has been broken, they have to look at how do you climb out of that? That's a hard question to respond to, because they have to come back and say, "We lost your trust today." But if you're the millions of people affected by Capital One, what do you do? Or any of these types of examples, what do you do? And so I think this is where people are looking for other opportunities to be responsible also for their data.

Jeff Kavanaugh: Taking more of an optimistic view on it, because there's a lot we could do, I think, on the negative side of it, in a world where there are a lot of breaches and like you said, you're now you think of a company's name, you think about the latest breach, is there upside or is there possibility for companies to now have maybe a competitive differentiator if they show they're not only trustworthy, that they're investing a lot for people's trust?

Monique Morrow: Absolutely. I mean absolutely. I think going back just to the example of Cisco, one of the things that they've done or tried to do or, I mean, these are examples that I have touted. They gamified it. For example, they created something like a jujitsu program that everybody had to be a minimum green belt. If you were going the technical route, are you going to admin route, if you were a black belt, you were doing research and they were touting that because it would say, "This is an example of everybody's responsibility," and they would actually have exercises.

Monique Morrow: You wouldn't know it, so you could have a social engineering attack that was engineered by the company leads or wherever to just to see where you were at. I think doing that is a really, really cool opportunity, I think, to create that level of value in examples. I do believe that it would be great for companies and organizations or even countries to think about assessment centers. Where are you in your testing and vulnerabilities, et cetera? That's bringing value. A lot of small and medium businesses don't know where to go, yet they're the most vulnerable. There's some cool opportunities in this space and I think that would be super.

Jeff Kavanaugh: Once again, you are listening to the Knowledge Institute, where we talk with experts on business trends, deconstruct main ideas, and share their insights. We are here with Monique Morrow, President at the VETRI Foundation, and talking about humanizing the internet through trust and transparency. Monique, how do companies actually go about thinking through the internet of things and all these devices and bring your own device and how has that changed from just the old idea of the centralized systems that you secured to all these things on the edge?

Monique Morrow: Well this is where we have to be so cognizant of what security can look like, because the stakes are higher, especially with when we're talking about 5G and so on, and especially if we're talking about consumer types of devices. We need to be very cognizant of what does safety look like, so it's all about safety, in my opinion. For example, one of the things is, especially if you are wearing something that's wearable, like an insulin pump, think about what would be the probabilities of somebody hacking that, which has happened. How do you prevent that? It's about safety in these devices and being able to communicate what is safe. This becomes really, really key. And I have a quote here, I mean there were cyber attacks on IOT, is a Forbes article, that surged 300%, and this is millions of reported claims.

Monique Morrow: So that does bring the opportunity, but it also says that in a connected society, where we're super hyper-connected, we need to be very cognizant of the safety. If we're creating devices, what does safety look like, and to be able to communicate safety in a way that the consumer or the enterprise understands it. And by the way, I would always consider doing things like penetration testing and vulnerability testing within the enterprise itself or within other organizations itself. I actually hosted a Swiss cybersecurity days this past February and we had, there's a whole opportunity in business around ethical hacking. It was a 21-year-old girl who actually hacked a car within five minutes. And she did that to prove a point. And then I said, "Why did you do that?" She said, "To prove a point about how safe is safe or unsafe."

Monique Morrow: So those are those types of opportunities when you're talking about vehicle to vehicle communications. We talked about a zero day scenario, and the zero day scenario is one day you wake up and the mobile phone critical infrastructure is attacked, the trains aren't working, and planes are falling out of the sky. Now you may think, okay, this is really dystopian, but these are scenarios that were discussed at that conference. You have to look at what does aircraft safety look like? There's an Aircraft Safety Institute for Research in Switzerland to look at aircraft safety and standards. It's not about what you're bringing in, it's other stuff. It's wireless. It's communications. So on one hand, I'm very excited about the promise, the promise, especially when dealing with augmented reality of these technologies. On the other hand, it's also about, because we're so hyper-connected, to come in with a security mindset.

Jeff Kavanaugh: One of my favorite words is duality, because you got to think about more than one, just call it two things simultaneously. Not necessarily opposing, but certainly they're just different. And you'd mentioned before about security versus privacy. Can you comment on the balance and how companies or governments make decisions about balancing those two things?

Monique Morrow: I always say privacy by design. So let's just start out with that. I mean we've seen a lot of great privacy by design kinds of issues, and we have standards around the space, so I think anything that is attributed to you, to an IP address, to your telephone number and I can read it or your social security number, it's not private. There, we have to think about what is what is considered private? This is where, now I'm going to get geeky, zero-knowledge proofs come in. Then if you look up an organization called ckproof.org, what you're finding out, and by the way, zero-knowledge proof is, it's been in the academic world for years, but now you're starting to see industries adopting it. There's an Israeli company called Qadit, Q-A-D-I-T, that actually is using zero-knowledge proofs to create what they call a privacy internet layer.

Monique Morrow: It means that I have a secret but I can't share that secret with you. It's a lot of cryptography. But it basically, it goes along the lines of questions like I think you're between the ages of 25 and whatever and those types of questions. There are standards around zero-knowledge proofing and credentialing, which is the verifying institution. W3C is another one that's in this space on credentialing. This whole notion of using these types of technologies have been emerging for the past several years. In fact, if you're looking at identity, it's for many years. And so lots of conferences have been occurring in the Bay Area.

Monique Morrow: A lot of that is to make sure that your data is anonymized. If we look at Europe, if we look at Germany, you have the whole GDPR, the private regulation, data regulation issues that you have to adhere to as a company is a hash data. And how can you prove a hash is not data? It's not enough to say I encrypt, you have to look at where your proofs are coming in, and so those become an ... And by the way, if you can accomplish some level of privacy in Europe that is difficult and strict, GDPR is probably one that you can look at adopting, but the thing of it is these were adopted by judges and legal systems and people were looking, "Okay where's the technology behind it?" How do you prove to a judge it really isn't data of data of data of data. It's fun. It's opportunities, in my opinion.

Jeff Kavanaugh: Yeah they're duality related, but a little bit different is for a company that's trying to serve, sell to, and serve a customer base, this idea of their safety versus their user experience, because all those layers of security can really get in the way of getting stuff done. And so what is the balance or any advice that you'd have to companies trying to think about that trade off?

Monique Morrow: It's funny because I actually spoke about that because it is very key. You do not want to take away from the user experience. So the art is trying to hide a little bit of that complexity and that's very difficult without sacrificing the user experience. The user wants to be able to use your product in such a way that it is easy to use yet safe. And so do not expect a user to read, or a customer to read, 30 or 40 or 50 pages of regulation. Maybe you and I would sit down and read the regulation. They're not going to, they just want to, "Just get me in. Let me in. I want to ..." I think it's incumbent, there are now legal cases looking at, "Hey wait a minute, you shouldn't be doing that." The customer has no right yet to actually, he or she wants that service. The service is immediate and yet you're obliging this customer to read all of this legalese.

Jeff Kavanaugh: Or at least scroll down as fast as you can to the little thing comes active.

Monique Morrow: And say, "I agree. I consent." Now, people want a little bit simplicity and that art, and I think that's an opportunity for us in the industry, is to make it simple to read, yet, and I realize the companies want to protect themselves with all the legality, but customers want to use your product in a way that it's safe, but don't expect them to read all throughout all of these materials.

Jeff Kavanaugh: Just like you mention these potentially dystopian scenarios with airplanes falling out of the sky, what about services like 23andMe, that people can go in and you're talking about security at a whole other level. Any other thoughts, or is it just the same kind of general guidelines?

Monique Morrow: An interesting question, especially around personalized medicine, which is where you're going, but somebody's holding your data. You don't know how that data is used.

Jeff Kavanaugh: Well, not just personalized medicine. I'm also thinking in the future if somebody really had it in for you, you play with a few chromosomes and they could design a disease.

Monique Morrow: I think people are, I think there are examples right now of designer babies happening as we speak. I mean, there was an example, I think they were trying to do this in China or somewhere.

Jeff Kavanaugh: Or even if they, let's say, have it in for you and they decided to play around with something that will affect you.

Monique Morrow: Yeah. I don't believe in sharing that level of data to anybody, what is personalized. But I do believe that if you're going to deal with personalized medicine or in its fashion because it's becoming cheaper, you have to make sure you control where that data is going and, and that's a simple ... Your question goes to control to some extent. If you look at the source of 23andMe, I mean, Sergey Brin had been supporting his ex-wife in this space. Why? Because he has a 50% chance of getting Parkinson's disease, as I understand it, and so he wants to be able to target a cure for that. So there's reason to say, okay, I need to target a cure, but I don't want anybody messing with my chromosomes or whatever in such a way that it becomes very, very vastly dystopian.

Monique Morrow: It gets worse, because in this kind of space what will happen is to say, well look, you have about a 50% chance of having some disease, therefore we can't hire you, therefore your premiums are going to go higher or whatever. So those are the types of things that we have to be extremely careful about. Now in Estonia, there has been movement to basically say, I trust this doctor but I don't trust this doctor. I don't want my data sent to that doctor, where a patient has the right to do that.

Monique Morrow: But again, it's like you should be in the middle of this Copernican revolution or evolution or whatever, a universe, to be able to determine and control, selectively disclose, that I will emphasize, selectively disclose where your data is going to go to. We look at some of the examples that are being used today and the potential, we assume that companies, organizations can self-govern. We have seen cases where that is not the case and then of course we have to look at where there's abuse at least at the government level, where people want to know, want to be able to create superhumans.

Monique Morrow: I was actually in an UN event and we we were talking about the future and it was very provocative. It used to be, "Hey look I want my driver's license because I want a car." Now what we can imagine is that kids will say, "I want brain a extender. I want that, daddy and mommy, I want my brain extended," and so people are going to be looking at that. What would teaching look like? What would that be? These are the scenarios people have been talking about.

Jeff Kavanaugh: There is a divergence and convergence. I think we're diverging right now, which is great. Again, it gets you thinking. Converging a little bit, bringing it back, what are some trends, you mentioned one possible, but what are some trends that that you see coming in the area of security and trust?

Monique Morrow: I think people are going to pay more attention to what they do at the chip level. I think a lot of that is going to be what kinds of designs will you create at the hardware level because the first abusers of the data that you're trying to protect are the actual characters, miscreant characters, and then we'll go down to the machine level. So I see some promise there. I see people are going down to making sure at least areas at hardware is tightened in software. So you see the knobs looking at what the tightening could be and that's the kind of the promise I do see and I do want to express that and emphasize that it's all about safety at the end of the day. So there is definitely a a look at what is tamper-proof, what is tamper-less, how can you detect, for example, it's been tampered, a device has been tampered. Lots of forward thinking in that particular space.

Monique Morrow: The other area that I think we should be paying attention to is chatbots. You have miscreant characters trying to actually conscript chatbots to actually infect your network, especially when you're looking at a bot and how a chatbot is. People are looking at real time communications or near real time communications and they have to be able to determine is this a human or not a human or an or an aspect of a human or is it a chatbot, a chatbot do you trust? Because we're talking about trust at this point in time. And then of course what's really cool is recognizing patterns of the way devices behave. You can actually start determining patterns, especially on manufacturing floors such that if they do diverge, whether it's temperature drops or whatever, you will have a series of analytics pointed to you and you can actually look and determine what the deltas were and where the sources.

Jeff Kavanaugh: What can business leaders do to help with trust and secure going forward, this pie in the sky, but over the next year or two, what are the kind of things they can put in place?

Monique Morrow: They have to have a mindset. It starts at the board level. People are looking at dashboards, how vulnerable is our equipment? Have we been actually doing some vulnerability testing? You can gamify it through the employee examples that I gave, who's a green belt, and keep constantly doing that. You can actually start looking at the social engineering attacks. The mindset is the CSO can only do so much, and in ensuring a mindset of trust and ensuring a mindset of security and values is really, really important, and being to gamify it is really great. I think that those are the examples I think are very, very critical and these are opportunities at the end of the day.

Jeff Kavanaugh: To wrap it up, obviously you've got tremendous background and perspective. Who has been a major influence for you and and how?

Monique Morrow: I think in the space that we're talking about, I like the book Surveillance Capitalism by Shoshana Zuboff. It's about four or 500 pages of research in this space about how people are metadata of metadata of metadata. It's worth a read, and I think what Shoshana Zuboff has done, it's really been provocative in this particular space of how data is used or misused and I think she would be an example of somebody who's really affected my mindset.

Jeff Kavanaugh: Lastly, how can people find you online?

Monique Morrow: My mail is morrow@vetri.global. They can send me a mail or they can send me a ping via LinkedIn.

Jeff Kavanaugh: Everyone can find details on our show notes and transcripts at infosys.com/iki in our podcast section. Monique, thank you very much for your time and a very interesting discussion. Everyone, you've been listening to the Knowledge Institute, where we talk with experts on business trends, deconstruct main ideas, and share their insights. Thanks for our producer, Catherine Burdette and the entire Knowledge Institute team. Until next time, keep learning and keep sharing.