How did you end up in your current role, and what attracted you to the industry?
I’ve recently started working in a newly created role as General Counsel, International Products.
Our products are generally developed in the US and then rolled out to our international markets. There was a need to consolidate the international support piece to bring efficiency to the compliance process. If you can identify local regulatory requirements in countries where products are to be delivered during the development process, then it’s much easier to build these requirements into a product as opposed to retrofitting them later. The role previously existed in scattered parts of the organisation, and one of my chief aims has been to bring those parts together in order to create a more unified, cohesive and persuasive presence in the product development process. My team sits between our local markets and the product development teams to ensure the products that we deliver are in regulatory compliance outside of the US.
I joined Verizon in a somewhat exotic, but linear way. I was the first (and only) legal hire for OzEmail back when it started last century. It was bought by a US company called UUNET which was part of the WorldCom Group. Following WorldCom’s US based bankruptcy early this century, the company emerged with MCI, who in turn, were bought by Verizon. The consumer ISP business of OzEmail was sold to iiNET and the enterprise business remains operational today.
I am passionate about technology. I love the way the internet and communication platforms have made it possible to achieve so much in our society. This can be great, and it can be destructive, but it’s always interesting. It’s challenging from a legal and compliance perspective because you’re often working in areas where the regulators haven’t caught up.
I like that this industry is not repetitive; it's fast moving and requires you to predict where the regulators might go – as governments struggle to keep regulations abreast of technology – even with the so-called technology-neutral approaches. This presents a unique opportunity to shape policy rather than just follow it. All of that adds up to an exciting and stimulating career.
What do you see as the biggest threat (for organisations or businesses) and where do they come from?
I am seeing the greatest challenges around regulation and technology. While technology is a real facilitator of an incredible array of outcomes, both good and bad, regulators struggle to keep pace and stay relevant.
When you consider the public voice that comes via social media, coupled with a general tendency to outrage on these platforms, the first instinct of the government is to respond with more regulation. While there is always a balance to be achieved between protection and stimulation, there is no doubt that over-regulation stifles innovation.
There is no question that the consumer needs to be protected, however there are varying targets for the technology and not all need the same protection. Not everyone looks to use technology in the same way. Despite this, regulation often doesn’t discern between the purpose and the target audience of the technology. This lack of distinction in regulation can result in limiting the ability for the full capability and benefit of innovation.
There’s a lot of regulation going on within the Australian telecommunications industry in response to the challenges posed by new technologies. With the rise of software-defined networking, unified communications and the emphasis on the cloud, challenges posed include data localisation issues, cross-border data flows, and of course, the security issues.
The government’s first thought is to regulate what they feel like they’re losing control of. Also, it’s not just one government at issue. Depending on geopolitical climate and current capabilities, government responses and regulations flowing from those responses vary enormously. This is particularly challenging for a global company because of the differences in how governments view technology and how they want to regulate it, what they do with it, who they want to be able to access it, and how they expect industry to assist with their aims in respect of these aims.
For example, law enforcement is a very legitimate function of government, however there are questions around the approaches, reach and impacts of the Access and Assistance Act. How far should governments be able to compel industry to give access to information they want under that Act? The sheer potential scope of this legislation, the lack of consultation in its formulation and the rushed approach overall to its enactment has raised questions and difficulties in terms of compliance for business from the inside out, and trust from the outside in. Australian companies who had great standing in the security space suddenly look less attractive as a provider.
However, this isn’t necessarily all bad; this over-regulation raises opportunities in Australia for companies like Verizon as we work in areas of security, compliance and audit to make sure our customers are protected.
What are we doing wrong that means we’re unable to stop it?
The tendency of the government to regulate first and properly consult second creates uncertainty, even in markets like Australia – affecting innovation and investment decisions. In addition, the balance between solving the problem whilst not affecting all who operate in the sector that is being regulated has yet to be solved. For example, the theory of the government dictating infrastructure architecture in the name of security seems a questionable approach under the Telecommunication Sector Security Reforms (TSSR). The issue isn’t whether carriers and service providers in the telecoms industry want to be operating infrastructure securely — it’s about who is the most expert in determining what that looks like. I don't always think the government knows best about telecommunications infrastructure security. They may have good ideas about how to protect critical infrastructure, but they shouldn’t discount the motivation of large companies to protect their own brand.
For example, Verizon has a lot of skin in the game to achieve the same outcome the government wants, in terms of making sure our networks are protected from threats. This becomes an administrative burden rather than assistance – and does not contribute to the ultimate security profile of Verizon. While I understand the government is doing what they think they need to do to protect the country, the substance of that approach needs further consideration. Certainly, there needs to be a level of cooperation, but the commitment of a provider to its customers should not be dismissed. In addition, when you’re a global corporation, there is the added complexity of operating in an environment when every government is making decisions that affect service delivery in different ways – we need to be able to comply with regulatory restrictions from all countries in which we operate while being able to maintain some core design in our network, for better security and economically efficient outcomes.
The problem is that technology knows no borders and governments know nothing but borders. This leads to a constant clash — or finding a balance — between trust, interference, exchange of information, cooperation, and being mindful of your obligations to protect customer information.
It is quite a complex era, with all levels of participation coming to terms with how to manage technology and innovation that’s exploding everywhere. In addition, it’s difficult to try and control the internet as it is specifically designed to be a leaky boat – every time you plug a hole, another leak springs. At the moment, governments believe it’s their responsibility to make sure they’ve got control of all this technology. This level of regulation, for some companies, is becoming counter-intuitive to the technology working or developing any further. For example, even if you can do something in one country that you can't do in 99 other countries, sometimes it’s necessary to forget about rolling out that technology at all.
A good example is encryption, which is a fundamental feature of most security services. Some countries have strict or extremely vague encryption regulations, which makes it difficult to make a decision on whether that technology can work in that market. When you’re looking at investment decisions, the lack of a clear regulatory landscape is a significant factor because you don't want to spend money launching products and services in a market where the government can change the playing field from one day to the next and scuttle expensive plans.
What security-related behaviour or policy have you observed/changed the most in the past year?
Risk is now a central focus of Verizon, as is compliance – these were always part of the fabric but the attention is now relentless in the face of the growing threats and consequences. We are constantly assessing the threatscape and spending time assessing new laws and regulations in countries where we operate to make sure we maintain compliance. We also ensure our local teams are briefed to understand what’s going on in the business to make sure they fulfill their duties as directors in accordance with local requirements.
That’s a change from the past when global companies managed from the “centre-out” and everything was imposed through the silo structure as opposed to real issues faced in the field. The central leadership now recognise the need for directors in other countries to fulfill their obligations, even if it means a departure from the standard practices. There’s a much bigger focus on that in how we speak to the board and we keep the conversation going front-and-centre.
How has the increasing climate of governance and compliance changed your approach to security, and what opportunities and threats does it present for your business?
With the increasing focus on compliance, supply chains, and modern child slavery, amongst other things, we’re cognizant of the need to be able to answer these questions with knowledge and comfort. It is no longer acceptable to turn a blind eye to inputs on the basis of outcomes. This applies not only to us as a responsible corporation but also to us as a service provider. We’re finding that a lot of our customers are asking questions around these issues and are making ethical choices based on the answers.
We have a strong focus on vendor management to check that our suppliers are compliant with these ethical approach requirements as well as other more business practicalities such as solvency and operational integrity. We make sure they’re coming to us because they're the best at what they do and not who they know. One of the pillars of our new Verizon 2.0 approach is Corporate Responsibility. It has always been in the background as one of the things we value and believe in — we have a very strong code of conduct and a credo, accompanied by ongoing training and processes designed to support the code and credo, all underpinned by vigilant ethics and compliance organisations.
From my experience this is a meaningful goal at Verizon. It’s more than lip service or documents for show. Corporate Responsibility is a real practice not just because of customer expectations but because it’s the right thing to do, not because we are looking for statements we can make on paper but because Verizon sees the real benefit of and the obligation to demonstrating these responsibilities and trying to add positives to the world in the way that we operate.
How has availability of cloud-based services changed the way you deliver your solutions?
The cloud is changing everything. It has mostly changed borders because the cloud has no border. Anybody can reach it if you’ve got the right connection and it’s not private (and sometimes even if it is). That means people can access whatever they want in terms of information, services, ideas, news, technologies, apps, but it poses issues of restriction, risk and protection for business operators and customers alike. For consumers of cloud services there needs to be awareness that this ‘cloud’ service sits in a data centre somewhere and is subject to the regulations of that location, and that may be a totally different regime to the location from where it’s being accessed.
In addition, although the cloud enables companies to save a lot of money on infrastructure, it nonetheless comes with all sorts of security issues – in terms of protection of data, retention of ownership of that data, accessibility of the data, location of data and sovereignty of that data. For governments, the cloud also poses the toughest questions on these issues and we see regulators globally continue to grapple with the best ways to regulate this technology phenomenon.
This is why cloud services are interesting from a regulatory perspective. When we’re talking about a cloud solution, there are often many pieces that go to making it a secure solution for the customer. These pieces may raise differing regulatory issues depending on the functionality. Identifying these issues and determining the best way to deliver the solution in compliance with requirements from the location it may be accessed, as well as with regard to the requirements imposed in the location of the cloud itself is the challenge. In addition, there may be customers who themselves have bespoke industry regulation regarding cloud usage that need to be catered for by the customer. The customer and Verizon need to work together to identify requirements (customer driven) and then design solutions that satisfy those requirements (Verizon driven).
How has increasing regulation changed your security priorities and those of your customers?
The tendency to over-regulate is happening in all markets. This means more customers are requiring tailored solutions to meet the requirements that apply to their industry. If a customer comes to us with those requirements, we can design a solution to meet their needs. In addition, solutions providers like us are targeting specific verticals that face increased regulation to design for that sector in our offerings. This means our priorities are shaped by the regulation that affects the market and this regulation also provides opportunities for differentiation in offerings.
That’s not to say that Verizon knows all requirements that apply to all industries. However, if a customer can articulate those critical requirements, then we can design the right solution. For example, once we know the requirements as to data localisation, or encryption requirements for transport and storage in a customer’s industry, we can assist the customer to meet the regulation. We help customers get to where they need to be with compliance.
Increasing regulation is a double-edged sword – it can be a threat to innovation, but also an opportunity for businesses like ours in helping customers achieve compliance.
Another example is cloud. With everybody trying to do more with less and customers wanting to save where they can, cloud adoption will continue to rise. It really is about efficiency in resources so that you’re running your business as cost effectively as possible. Let’s face it – communications is often one of the big expenses of businesses, especially global businesses. All companies are looking for ways to do things efficiently, securely, and globally. Of course, we can help them with that, but we’re working in an atmosphere of increasing regulation. It makes investment decisions difficult with the prevalence of government intervention and uncertainty around where the government will regulate and how that may affect our already established or planned service offerings. Over-regulation leads to conservative decision making to ensure that resources are not wasted.
What technologies do you think will most transform security in coming years?
AI and machine learning technologies will most transform security. With the ever-increasing amount of big data in play and the growing complexity involved within corporate ecosystems of communications, partners, online commerce and general operations, it is these technologies that will support the ecosystems in operating securely and achieving expected business outcomes. AI and machine learning are also critical technologies in facilitating new ways of interacting with and managing the online space so that companies can work to results that are only limited by the imagination of innovators and the desire to direct and control of regulators.