- „One of the core purposes of SSI (Self Sovereign Identity) is to give the individual complete control over their data.“
- „We are all responsible for the establishment of „Technology for good” in the DNA of companies and organizations.”
- „What we need is a simple machine-readable and most of all customer-centric approach to identity data.“
- „Blockchain is no longer a hype but being adopted by enterprises for solutions that add value to their customers.“
- „The opportunity to assert a new Data Protection model can be core to a company’s USP.“
Monique Morrow starts her career in Silicon Valley in the 1980s. Her initial plan is to become a diplomat and she studies French, Geography and European History at Sorbonne and the San José State University. Her own curiosity upsets those plans when she sees the upswing in Silicon Valley: „Oh my god, I have to be part of this!”
She starts as a network engineer at AMD, obtains several IT certificates in Silicon Valley and earns a Master degree in digital currencies. After that, she goes to Cisco to become their Chief Technology Officer. From the time in Silicon Valley, she holds 14 US-american and international patents, all related to digitalization, networks, internet of things, cyber security and safe handling of data. She earns 26 international awards, among which are the Global Citizen Award and the Business Worldwide Magazine Award. According to Forbes, she is among the 50 most important women in the tech industry.
After 17 years she leaves Cisco, „because it became too comfy“ there. Today, her chosen home is Zürich, Switzerland where she works as Sr. Architect, Emerging Technologies at Syniverse. Also, she is President and Co-Founder of the The Humanized Internet, a Swiss-based non-profit focused on digital identity and ethics in technology. Their mission is to give those one billion people that are unable to prove their identity an „indestructible” one using data.
What started as „I have to be part of this” has become a vision: to fit technology to the needs of society, not the other way round. During the Vodafone eleVation DIGITAL DAYS, Monique Morrow speaks about cyber security and the chances that companies have in order to increase trust by improving data security. Our interview here is a preview of what Morrow has to say.
Vodafone mobile Security
Ransomware, Phishing, Smishing oder APT-Angriffe: Die möglichen Bedrohungen im IT-Umfeld sind sowohl was mobile als auch stationäre Geräte angeht, nicht zu unterschätzen.
Unser vierteljährlich erscheinendes eBook „Cyber Insights” liefert Ihnen alle neuesten Erkenntnisse und Innovationen zum Thema mobile Sicherheit.
Mrs Morrow, technology and especially the Silicon Valley IT scene used to be male-dominated in the 1980s. How did you manage to take root there and even get to the top of one of the most prestigious IT companies in the world?
Indeed it was, and to a certain extent the industry remains male dominated. I started out as a network engineer at AMD and really became curious about distributed networking and the Internet overall. My career is a series of pivots. Cisco during that period was fundamentally a start up at Menlo Park, California. I believed strongly that multi-protocol routing was going to shape the future of networking. Cisco was in the position to do so. One aspect in this discussion is that timing is everything. It was simply the right time to pivot technically and from a business perspective. Cisco worked with me to test and understand its technology when I was at AMD. Further, I had super male mentors who inspired me do more.
What has shaped you most during your time at Cisco?
Cisco provided me with opportunities to learn about all aspects of its business from research to sales and to services. The most important tenet has always been co-creating with customers and partners. It’s the notion of truly walking in the shoes of your customers, partners and developing a strategic relationship rather than a transactional one. I find that this fact is certainly relevant in my current position at Syniverse as its first Senior Distinguished Architect in Emerging Technologies.
After 17 years, Cisco became „too comfy“ for you. What exactly drove you to leave Cisco?
Remember my earlier comment about timing. It was the right to go deeper into the non-profit and start-up communities. It was during this period that I went on to study blockchain and earn my third Masters Degree in 2019. Someone in the entertainment industry once told me: „If you don’t write your own script, a script will be written for you and you may not like it.“ I departed Cisco to write my own script. The journey continues to be enriching! Cisco is a great company and I am grateful for the opportunities I had during my time at Cisco. Now I am at Syniverse which is exciting; and, I continue my engagement at the Humanized Internet.
Video: YouTube / Collision Conference
How did you come up with the idea of an „indestructible identity“ for all mankind? What spurs you on and what is this all about?
Identity is complex, cultural and contextual. We have multiple identities. One very basic aspect is the loss of identity and citizenship of the individual frequently caused by the circumstances of migration. On the other hand, we could lose our papers via natural disasters and other catastrophes beyond our control. Self Sovereign Identity or SSI means that the citizen has control over his/her own data.
Self Sovereign Identity is foundational to other services and businesses beyond national borders. It empowers the individual having control over his/her data independently of nationality and place of residence or business. It can help, first of all, to establish citizenship of the person of his/her state of origin. Without this, the regime of statelessness would apply in certain cases, with the consequence that almost no rights are granted to the person, nor diplomatic protection, etc. For example „In x we Trust and Why“ provokes various discussions as to the polarities we are experiencing between, privacy, perceived loss of control, security and ethics. Rather than deprecating to what could be a dystopian narrative there are emerging technologies such as Self Sovereign Identity that have the potential to empower the individual to assert control of his/her identity selectively.
The Internet of Trust and Self-Sovereign Identity are no longer ethereal monikers but very real. The thesis is that you are the center of this data and identity universe that includes of course the Internet. I often speak about a portable digital lockbox what describes these concepts. Think about it, if you had minutes to leave, what would you take with you ?
What technical and society-related difficulties did you face so far? Which of these are harder to overcome?
This is a very hard problem to solve. Sir Tim Berners-Lee has proposed the creation of „Personal Online Data Stores“ or PODs that provide individuals with the capability to manage their own data. This is why SSI, PODs and portable digital lockboxes are steps in the right direction. Services and solutions are being developed now with SSI by enterprises which is promising.
Do we risk losing our humanity by being so technology-dominated?
The answer is that the human must always be in the loop. I always assert that technology has no agency. However, we must understand the intended use of an application and potential for abuse. It’s all abput a balanced view. We all have an opportunity to embed „Tech for Good“ in our corporate and organizational DNA.
Doesn’t the protection of one’s personal data contradict the idea of a completely digital identity?
These concepts both intersect nicely as SSI puts the individual in the center. Specifically, the individual can „selectively share“ what he /she/they wants to share. We have to change the thinking. So „who what“ is protecting my personal data? What does the data governance model look like? Other than a notification „Sorry your data was accidentally leaked to a third party“ I think we need to flip the discussion here and assess the benefits of an SSI model such that accountability can be shared. Remember we have multiple identities.
Credentialling is low hanging fruit in this space. We see organizations like W3C and the Decentralized Identity Foundation providing use cases and solutions. For example, my Masters Degree in Blockchain not only is credentialed as should be expected but can be referenced on the blockchain in the event the university should no longer exist. Think about your work experience being credentiallied in a similar way should your company go out of business, there is a digital reference, e.g. via blockchain. The possibilities are tremendous; and we are on the cusp of tectonic shifts in thinking and acting.
With regards to cyber security: Who will be responsible for the protection of this very personal data?
Short answer, the individual must be. I go back to the need for SSI with selective disclosure and the need for a Data Governance Model that includes differential privacy and shared accountability. This space is evolving as our data is spread across various slio’d organizations. Data Security and Data Privacy go hand in hand. From a corporate perspective, Privacy by Design and Privacy Engineering must commence from the beginning for any application/solution development. This modus operandi is more than a compliance check e.g. GDPR but an integral part of the development process. Forcing customers to read long legal documentation of „how their data is used“ prior to a service delivery is arcane. We need an easy machine readable approach which must integrate the customer as part of this process. Enterprises must prove that Personal Identifiable Data [PII] and Metadata are either never exposed; never integrated into a solution and cannot ever be correlated to an individual. As an ecosystem, we must collectively address these issues together with the customer.
Let’s move away from personal to company data. In the IoT sector, how can companies be sure that their data is safe in the virtual cloud? Isn’t it better to save data on-premise, i.e. on own servers in own, trusted networks?
The short answer here is that this issue will be an ecosystem play. What is trust? Think reliability in functionality such that if a network goes down for some reason the service continues without the customer knowing of an outage. Perhaps the approach is hybrid e.g. both on and off prem in so far that a data governance model is understood and accepted by all parties including the customer. This is an opportunity for all.
Catchword Blockchain: So far, most of us have heard about it yet only in the context of cryptocurrencies like Bitcoin. In which way can companies use blockchain mechanisms to secure their own, but also their customers’ data?
We need to take a step back in terms of understanding the use of blockchain and for what purpose. Personal data never goes on the blockchain. Companies have been developing solutions specific to supply chain, for example proof of source like Track and Trace solutions for pharma, food and so on. Another example is Blockchain for Wholesale Settlement or BWR amongst carriers, solutions providers. When referring to so called „permissioned“ blockchain, the organizations are known with an implied trust. Permissionless examples include Bitcoin and Ethereum. I think we are evolving to a hybrid that specifically evolves toward decentralized-distributed models. Smart contracts apply the business logic for execution of these blockchain solutions. Here is the point, blockchain is no longer hype but being adopted by enterprises for solutions that add value to their customers. The promise of blockchain is in distributed service automation and optimization. The use of cryptographic primitives can further enhance security in this space.
Video: YouTube / Manuel Stagars
How can cyber security become a company’s USP? Is there an advantage for younger companies over the established? Are there relevant differences depending on the sector?
The time is now, by defining a data governance model that does not rely on legal prose often not understood by the customer. It’s about integrating the concepts I have already shared like SSI, Privacy By Design, Privacy Engineering and most important keepin the customer active in these discussions. The opportunity to assert a new Data Protection model can be core to a company’s USP. Whether a company is a start up/new or well established, this space is ripe for new data protection solutions that put the customer in the center.
By the way: I represent my company in the World Economic Forum Data Policy Council, 2020-2021.
How can companies protect their data and their networks effectively in a globally-acting world? What are three key points that you encourage companies to follow for an effective backup and security strategy?
The world is intertwined especially for global companies. Three most important points:
- Understand the potential for data leakage across your ecosystem
- Prove the applications of Privacy by Design and Privacy by Design across your ecosystem and include the customer in this process
- Provide a constant assessment of threat vulnerabilities, cyber attack surfaces across your ecosystem and mechanisms to address them
Mrs Morrow, thank you for your time.
There is a German version of this interview available as well: Interview with Monique Morrow in German language.