French Caldwell: Perils of a connected world

French Caldwell has seen covert social-engineering tactics from the Cold War era—women from the enemy camp courting sailors to get information—to the Internet age, when hackers fool users to let slip their personal information. He has served as diplomatic liaison for the U.S. Congressional Commission on Roles and Missions of the Armed Forces. He was a vice president at Gartner, looking after enterprise governance, risk, and compliance (GRC) until 2014, when he joined Palo Alto-based MetricStream as chief evangelist. MetricStream is a cloud company that helps enterprises manage information security risks and compliance. Recently, during a visit to Bengaluru to spend time at MetricStream’s R&D centre, he spoke to Fortune India on risk in the Internet age and how companies need to disclose more about what they do with customer data.

How did a naval officer deployed on a nuclear submarine wade into GRC?
(Laughs) As a submariner, we had a lot of risks to manage. Think about what we were doing underwater: Every 100 feet we go down adds 44 pounds of pressure per square inch. With that kind of pressure, the submarine actually compresses. As we talk, we are subjected to about 14 pounds per square inch. The submarine had nuclear weapons, high-pressure hydraulics, high-voltage electricity, conventional torpedoes with highly volatile fuels: (smiles) Is this a place you’d like to work? Our job was to operate against adversaries while managing risks. We were able to deal with uncertainty because we managed the risks well, much like businesses today should do. We are seeing the re-emergence of nationalism, multilateral institutions in distress, and fractures in the post-Cold War world order. But companies have to maintain business relationships around the world. GRC is about helping them deal with uncertainties, protect their brand, and maintain their integrity.

What are the concerns of enterprise clients in hostile geopolitical environments?
First, the concept of the nation state is under threat. Also, people are distrustful of governments—recent research points to government being the most distrusted institution after financial services and banking. There are threats such as governments wanting to enforce their own national Internet.

What is it about governments that worries global companies?
Regulatory uncertainty and cybersecurity. Even when companies are confident of their compliance record, they only know what to comply with. They also want to know what new risks they will face and how they are performing against them in an uncertain world.

Then there is increasing concern about third parties, say, in supply chain, IT services [companies that have customer information], business partners in a foreign country, or engineering and construction firms. The concerns could be on issues like third parties bribing government officials. A company’s reputation is linked to the third party’s ability to comply with laws. Organisations that work with thousands of third-party relationships need to break them down by importance: the 1% which are strategic, but pose high risks to business. Then, the second tier of 10%, and then the rest.

Which are the sectors that have taken to GRC?
By value, these would be the heavily regulated ones. BFSI (banking, financial services, and insurance) has historically been the largest customer. A couple of years ago, manufacturing began to get as big in terms of customers. Then, the IT industry—services firms, software companies—and telecom.

We are now seeing tremendous interest from retail, largely driven by third-party and supply-chain relationships. This is interesting because even suppliers are concerned about the [reputation of] brands they are working for. It entails compliance with the regional and ethical codes of conduct. This shows that retail, one of the least-regulated industries, is coming on board GRC. When I was with Gartner, we got almost no GRC enquiries from government entities. It was around 4% of all enquiries in 2013. Last year, it was 15%.

What are the GRC areas that are of interest to government?
They are mostly around IT, being driven by cybersecurity concerns. Next is audit—trying to improve the quality and productivity of auditors by automating as much as possible. This has become common worldwide—it’s not a First World vs. Third World phenomenon. The drivers of this are different across the world. In some of the oil-rich countries where there are many state-owned enterprises, the governments want to ensure that their enterprises are corruption free and have world-class audit systems. To be globally competitive, they have to show that their compliance and financial reporting is true and correct. However, in western countries, audits are driven by the need to be productive. The third area is enterprise risk management, especially in Britain and the U.S.

How surprised were you when Edward Snowden managed to leak classified information on surveillance programmes? And what has changed since?
Most of my colleagues [at Gartner] and I were surprised—not because such a breach was possible, but by its magnitude. We would make sure that a government employee or contractor we bring into such a [sensitive] environment has the right security clearances and trust that a contractor with security clearance won’t do bad things. During the Cold War, when countries were trying to reduce the number of nuclear warheads, we had to trust, but verify. That is the truth about security.
[In the Snowden case] what were we doing to monitor behaviour to ensure that the people working inside the U.S. National Security Agency (NSA) were not doing something foolish?
Since then, I have seen a stronger interest in behavioural analytics—using the data maintained on applications, network, and servers of an organisation —to prevent leaks. The issue here is not a person’s history, but about looking at what type of person she or he is and the behavioural characteristics. But this also makes people nervous because you might start discriminating against them based on behavioural characteristics—that is the risk.

What is the flip side of analytics?
In 2010 Eric Schmidt [then CEO of Google] said something on the lines of “We know what you’re looking for, we know where you are, and we kind of know what you are thinking.” Google, Facebook, and companies that collect data for marketing purposes are building behavioural profiles [based on our data]. Google knows what I am thinking, and it drives information based on that.

What is the responsibility of companies when governments want to access granular customer data? Foes this boil down to surveillance?
I don’t know whether I am more worried about the NSA having my personal information, or social network sites and search companies having it. I can be sure the NSA is not reselling my information, but big data aggregators like Google and Facebook are doing that. According to law, my credit card number, driving licence number, and national identification number are my personal information. Expand that to include medical history. The law [and government] is not touching my behavioural profile. But if someone is able to access my virtual identity, which has been built using online information about me, that’s a problem. My identity is being sold.

I am doing research at Northeastern University as a doctoral candidate—I am not quite the oldest (laughs), but one of the oldest. I am looking at the “impact of disruptive technologies on public policy”. Studying privacy issues in IT, I realise that there were privacy principles developed back in the ’70s. They evolved into the framework for the Organisation for Economic Co-operation and Development’s Privacy Principles, which was adopted by many countries. [The OECD Privacy Principles were guidelines for privacy legislation that would facilitate smooth flow of data globally without compromising personal rights.]

We have to take a different view of privacy—it is about a person’s ability to control their actions and decisions. That is under threat. If Schmidt says he knows what I am thinking, Google can sell that information to third parties and they can influence me into doing something [they want]. We need to look at how much of this is going on, and also at responsible use.

So, what is responsible use?
I am proposing that organisations, whether it is government, private sector, or industry, come up with standards and set grades for responsible use. The standards can be based on classifying companies—those which collect information that goes into building behavioural profiles, and others that manage or use such profiles.

So what is a responsible use grade? If the full benefit of the behavioural profile accrues to a consumer, then the company gets a 5. For example, when bank customers apply for a loan, the bank uses their information to decide whether they can be trusted with its money. In such a case, the information benefits the customers the most; it is not meant for selling to someone.
If your information is being collected and you are getting no benefit, the grade will be lower. Say, in the case of Google, responsible use would include letting the end user know or at least a way to judge if they can trust the service. Google would be somewhere between a 2 and 3 because users can search information in return for their behavioural data.Responsible use would also consider how well users are protected, and how many organisations are sharing a piece of information.

Should a responsible-use practice be legislated?
This practice will work better as an industry standard. Often, industry standards are more effective than legislation.

How are threats to online data increasing?
Five years ago, stealing medical insurance records was not considered a major threat. It was seen more as a privacy concern than a lawsuit. Now, it’s cybercrime because the information can be used to generate false medical claims. Similarly, behavioural profiles are going to rise in value. Who knows how much extortion is happening based on companies being hacked.

Is greater adoption of the cloud and migration of functions online becoming an opportunity for management of compliance and risk?
Cloud adoption has been high, signalling that the middle market is coming alive for GRC. A lot of it has to do with sensitivity to regulators. Moreover, the middle market relies on cloud solution providers. For us, cloud sales of GRC software products grew 74% over the past two years. It was unbelievable.

GRC is important, but the GRC software [required to protect everything else in operations] is not seen as being so. If a company’s IT department has to focus on core operations, the GRC software can reside in the cloud. But we are also seeing companies take a cloud-first approach. One of the benefits of cloud applications is that customers can always have the latest version. We can reprovision and upgrade hundreds of customers in a few minutes.

Until 2013, the primary GRC buyers were large publicly listed companies. Now, these companies have fewer reservations about cloud solutions. This is also true of large manufacturers.