Monique Morrow: A Call to Action on Cybersecurity

Monique Morrow, CTO-Evangelist, New Frontiers Development and Engineering, Cisco, enthusiastically discusses the need for a new cybersecurity dialogue.
Monique Morrow, CTO-Evangelist, New Frontiers Development and Engineering, Cisco, enthusiastically discusses the need for a new cybersecurity dialogue.

The field of cybersecurity is becoming increasingly diversified. As portable technology becomes more accessible, it extends to many different sectors: new advances apply not only to how quickly we can access email and from which locations we can work, but reach as far as the fashion and fitness industries. Strengthening the security and resilience of cyberspace has, therefore, become a crucial mission as technology becomes more pervasive. As we continue to innovate at an exhilarating pace, security and privacy professionals must constantly adapt to new advances.

Monique Morrow, CTO-Evangelist, New Frontiers Development and Engineering, Cisco, enthusiastically discusses the need for a new cybersecurity dialogue: one that will keep up with the expansiveness of technology. Morrow, who started her career in the mid-80s in the semiconductor business, became involved in networking while working with many device physicists and internal circuit designers. “What we were trying to achieve was looking at creating a networking performance environment that would enable the circuit developers. That’s how I got into computing.”

After receiving a Master’s degree in telecommunications management, Morrow become involved in data-design types of activities through other programs. She left the United States and took a position with a Swiss company as a network engineer, “fundamentally looking at how we were going to change the environment of networking.” With this came a new emphasis on security and networking management, which Morrow stresses “are really a bundle!” It was when Morrow became a manager for a “very mixed-and-matched group of people” that her way of thinking changed. Transitioning to a carrier/service provider environment, Morrow became part of the first company to implement multi-protocol label switching, thereby fueling her commitment to security network management.

“Security is now very, very fundamental to what I do architecturally,” Morrow emphasizes. “If I fast-forward, being at Cisco for 15 years in October, I started out not only in the service provider sphere, but went into research and development and started to look at areas around machine-to-machine communications: now it’s the core of our business, the Internet of Things, and Intercloud.” When speaking about career progressions in cybersecurity fields, Morrow urges her staff to visit the operations center to really understand why this space is so vital.

Morrow stresses the need for skilled professionals in the cybersecurity space, as it continues to grow and change. One area, out of many, that needs to be examined, is academia. “What does it mean to have a background [in cybersecurity], if you want to study more, if you want to come out into that space?” She continues, “I think it’s been evolving. When people started out, they happened upon security, and accidentally came into the space.” Qualities that make one a great candidate in the cybersecurity profession, according to Morrow, are “capabilities of learning, and being observant, and probing, and trying to solve problems… I think you’re going to have to have a background that not only suggests that you have some level of computer science, but a kind of multi-disciplinary background.” People who know foreign languages, who have lived abroad, who can see the big picture, often come well-equipped for employment within the space. Prospective employees, according to Morrow, must then experience as much as they can within the diverse realm of cybersecurity: she states, quite adamantly, “They must absolutely get experience. Some people want to get experience as to penetration testing; some people want to get experience at solving and developing even more interesting keys. There is some really good thinking happening in the industry in this space.”

With acquired experience comes a variety of different areas that professionals can choose to explore. “We have areas of research that we have to care about; areas of background that we have to thinking about.” One of the most interesting dilemmas, Morrow says, with an air of passion, is “looking at the intersection of technology and policy making, depending upon which country or which part of the world you’re living in, and how this plays into identity and privacy.”

This is a dialogue about which Morrow speaks feverishly and devotedly. When asked to elaborate, she states: “What I’ve noticed, machine-to-machine; what we’re doing with wearables; where we’re going with cloud and Intercloud; what we see now happening in the industry today; with legislation you really have to be cognizant of what you’re doing in the cybersphere. You really need to have that security hat on.” She continues, explaining that there are many different tenants and modalities to take into consideration. “There’s what you do internally in the company, to protect yourself for your assets; what you do in terms of attack vectors; you have to protect yourself as a citizen; and you have to look at breaking things for yourself.” As individuals have many different roles, this can be seen as a microcosm for cybersecurity needs. “You are a citizen, you are an employee, you are a private person in your house. If you think about all of these, what does it look like? Technology means people know a lot about you. It has a very disruptive conversation about privacy overall. Should we just say there is no privacy? Should you declare ‘no privacy?’ What would that look like? And I think this is a very interesting debate that we’re having or could be having.”

Of attack vectors, in particular, Morrow warns, companies must always be paranoid about their data, and so must individuals. “They ARE going to go after your data, to attack you as a country, which gets you into nation-state areas of concern.” You can’t anticipate everything, though, Morrow admits, because attacks keep getting better and better, and attackers are most often the earliest adopters of new technology. Perhaps the most interesting question Morrow poses about this dilemma is, “When do you start to declare war?” She continues, “You have to be very, very careful about what this looks like. Now we’re in this digital world and that has implications to digital laws and digitization of functions in terms of when it is a war, and when it is not a war.”

“I’m of the opinion that we should be very careful about legislation here, about having laws that dictate, because there is some very interesting legislation that comes out of this in terms of looking out how you can defend yourself.” She mentions possibilities of business opportunities such as cyber insurance, risk sharing, and others. Morrow is also an advocate of developing a bill of rights in cyberspace or cyber security space, with “the potential of one that could go into the United Nations one day, possibly even starting with the IEEE, where we decide to adhere to certain standards, knowing that there are going to be bodies of people who don’t.” Of course, this once again brings up the controversy of whether it is ethical to develop and implement global, digitalized codes of ethics.

Morrow, a senior-grade member who has been frequently involved in IEEE publications, IEEE Women in Engineering, the IEEE Communications Society, IEEE Young Professionals group, the IEEE Internet of Things initiative, and IEEE Standards Association, mentions that IEEE can help keep professionals current on information important to this quickly evolving space, as well as enter the global conversation. She suggests a commitment to not only special interest articles, but to summits and the institution of new platforms by which dialogues could be fostered. Since the world of privacy and security are changing so quickly, frequent publications and summits could expound upon new attacks that people are seeing, new areas of potential research, and this could lead to better standardization around the world and amongst companies, which is currently a challenge within the industry. “If you don’t do that, then you risk having security holes and then you have a problem. Who’s responsible? Where’s the accountability? We need to think about the ‘and’ here, and not the ‘or.’ And I think that’s an area where perhaps the IEEE could become more involved,” urges Morrow.

“Change is so exponential, and I do believe that we are going to have to have, in the government space very close dialogues; also private and public relationships in the space, so that we don’t over-rotate. But on the other hand, you have some bill or rights statement that say, ‘these are the modalities; these are the tenants,’ and then at least we start somewhere.”