That sounds like a dynamic start of a career, how did you end up where you are now?

Way to Huawei

In the meantime, I kept track of job openings to see what was going on in the market, to identify potential clients. I started seeing openings from a company called Huawei Technologies and got intrigued. So, I send an email to see if they were up for meeting to figure what it was that they did. Within 5 minutes I got a reply from their HR department asking whether I wanted to come in for a job interview. After kindly declining and emphasizing I was not looking for a job but merely interested in their company and products we set up a meeting with their CEO and Sales Director. After that we circled around each other for a while, where they made their interest known in hiring me but I was still focused on my other job. This went on until in 2005, when I decided to go for it and help them put the company on the map here. That brings us to today, 16 years later, and I am currently one of the longest sitting local employees here.

Career within a career

My first role at Huawei was as Product Manager and later as a Technical Sales Director, with a local focus. After a while in that position I became the Solutions and Account Director for our projects with KPN. I did this until 2015. Around this time there was an audit done on our security processes and I saw the outcomes as a nice task to work on. Right after I made the switch to the security domain, the world seemed to explode and Huawei was accused of all sorts of things. That shifted the focus of my role from primarily internally based on our audit, towards more externally to accommodate clients that got worried and had questions after all the negative coverage about Huawei. That responsibility never really stopped and from 2016-2017 I was asked to also set up privacy compliance within the company in preparation of the GDPR. In 2019 we appointed a separate Privacy Director and my focus went back to external communication on our compliance and Cybersecurity procedures. In March of this year [2021] the company decided to bring Privacy and Security closer together again because these areas are just so interlinked. At this point I was appointed as the Cyber Security and Privacy Officer once again. Cybersecurity, that is Confidentiality, Integrity and Availability, is after all partially meant to uphold privacy. 

“What I have realised is that I never really left sales. I just transitioned from selling products to selling trust.”

What does your security role look like?

So, that is why we implemented security by design. ‘Security by design’ is the process of creating all sorts of guidelines and protocols to integrate security in the design and production process of each product. The entire supply chain, including shipping and implementation of products is included in this verification process. We have learned a lot from all the accusations regarding the security of our products, even though none have ever been proven. Of course, we can say of ourselves that we are secure, but that is not sufficient. So, we make sure that all our products comply with sector standards and certifications in collaboration with issuing bodies and we work with an independent department that at the end of the development process thoroughly checks our products and whether they are permitted to be used in a specific market and by specific clients according to that market’s legislation and security requirements. To give an example, in some countries ‘lawful intercept’ is a requirement for telecom products to have. That is the possibility to tap into traffic flowing over the network, for example for law enforcement. But we only make these options accessible according to functions; in the Netherlands this option has to be available for operators of public networks, but is not allowed for business clients. So we do not give that functionality to the latter.

And how is privacy factored in there?

For the Benelux, Ireland and Portugal I am also responsible for making sure privacy requirements are implemented in our products and way of working. The functional departments are the ‘risk owners’, but my role is that of ‘risk control owner’; making sure the functional departments stick to what is allowed.

Security and privacy at Huawei are structured in a topdown manner, if you don’t these topics in that way it will become a mess. We have transparency centres and an independent cybersecurity lab that has the authority to stop production or distribution if a product does not meet the security and privacy standards. In the transparency centres we offer remote and secure access to the source codes of our products so that clients can do an audit of their own if they would like to.

What is it like for you as a person to have the role you have at Huawei now?

What I have realised is that I never really left sales. I just transitioned from selling products to selling trust. That is actually what we are talking about here. So yes, I see it as a challenge. Of course it can be frustrating at times to hear accusations that are completely baseless but still influence public opinion. That means I am continuously telling our story, inviting people over to explain how we work and how we adhere to the strictest standards. In a lot of areas we have more security audits and processes than our competitors.

Does it still give me satisfaction? Yes, otherwise I would quit this position in an instant.

As you still get satisfaction out of it, does that mean you also see progress and positive results?

Well, it comes with ups-and-downs. Whenever a new article appears I have to again explain everything we do and what is wrong about the assertions. What also makes it challenging is that security is a very complicated topic. Cybersecurity is a big challenge in general so it is also something that we have to tackle with each other as different stakeholders. Our role in that process is to support and show that we make sure that our people do not do nefarious things, that our products do not have shady backdoors and that we quickly tackle vulnerabilities we come across. One part of our approach now is to publish articles, write position papers addressing the parliament and engage in discussions with government agencies to make sure they are properly informed. Increasingly, I also have background interviews with journalists where I explain everything; about the security, how our products work but also the landscape of European laws and regulations that have to be transposed to the Dutch legal system. I try to explain all the parties involved and the legislative process and how that translates to practical requirements. 

What we are actually arguing for is a ‘zero-trust’ model; where nothing and no one operates on a basis of trust. Instead there are clear standards that every party is subject to and they constantly have to be validated. A model like that can also come with contractual provisions of ‘thou shall/shall not’ and huge fines in case a party is in breach, that is how it works in Germany.

NB: The United States likewise is moving towards a zero trust model for the IT sector.

That model is linked with verifications, certifications and for that we need certain standards, so that brings us back to the start of the circle of security regulation.

What makes our situation extra complicated is that we notice that people hesitate to even talk to us. So without engaging us some people will read an article by a journalist that lacks any proof or sometimes even makes completely counterfactual claims. But because people do not speak to us they will just take the article on face value and think it is a valid confirmation of what the public opinion already claimed.

What I do know, and I am very passioned about having the honor to fulfill this role, is that if I see as little as one signal that something in our organisation is off; then I will be gone the day after tomorrow. I would not be able to do this job if I was not convinced about what I am, and we are, doing is right. Does that mean I know everything that happens at Huawei? Of course not. So the only thing I can do is take the organisation with me in ensuring that we do everything in our power to prevent bad things. Can I guarantee that no employee of Huawei is under any kind of pressure of the Chinese government? No I cannot. What I can do is make sure that the processes are organised in a way that such a person cannot have unbridled access or disrupt the security requirements to access networks or personal data.

What is the education that brought you to this field?

I started with HTS Elektro in my younger years. And I constantly try to work on myself through internal and external training and courses, like CISM and CISP. I am not really an engineer in the sense that I am a cybersecurity expert that can assess a product or code’s security level on bits and bytes. Nor do I want or need to be. 

With the increasing digitalisation of the world, we as a supplier of ICT products have an increasing role and responsibility. Not just with making sure alarm numbers (like 112) are always available, but also with autonomous cars. So if security can no longer be guaranteed anymore the consequences will be increasingly disastrous. With the development of IoT, the attack surface of networks keeps increasing exponentially. I find it interesting, almost from a philosophical point of view, to see if and how we can keep these processes secure. What do we need in order to do that? Translating what that means for us, not just in product development but also for governance, is what I find very interesting. That is a constantly evolving process.

Recently we also had an audit on ISO27701, a follow up on ISO27001 (NB: the basic standard of information security) with a deeper focus on privacy, that sheds light on the amount of we work we still have to do. If only because we are dealing with people and the workforce continuously changes with people moving on and new ones coming in. That also means that the work on awareness is never done and requires a lot of effort. 

It is very grateful work, but also tiring at times. I never have to worry about a lack of topics during birthday dinners either anymore. At first people asked me ‘Huawei, what is that?’. Well, that time is over.

“There are so many very complicated and deep subjects to dive into that if you choose to enter the security and privacy field at this moment or in the next 20-30 years, the world is at your feet.”

What would be your advice to people in the job market who might be interested in cybersecurity but not sure if they are suited for a technical sounding field?

I always say that privacy and security have become fundamental parts of our modern day life. If you can play a role in that field, whether in a technical or a supporting role, it is an incredibly valuable position you will have in helping to secure society. It can be contract management, governance, commercial. In the ‘old world’ you would have a role in an organisation and you could for example be an engineer. Nowadays you need to be able to put on three different hats; not just functional, but also ‘how does it impact privacy? Are the data streams secure? How is physical security guaranteed?’. If you manage to think in this way and find this interesting, the world is at your feet. 

I am fully convinced that we are moving towards a zero trust model, because there are so many variables to consider that you have to focus on specific topics. The current geopolitical situation is that the United States has come to the realisation that they have been sleeping and are trying to overcorrect using restrictive measures. That approach will pass and different worlds will reintegrate and we have to be ready to tackle the different challenges when that happens.

I also give talks on high schools to help teenagers realise all the possibilities and areas surrounding cybersecurity. AI, tackling deepfakes; there are so many very complicated and deep subjects to dive into that if you choose to enter the security and privacy field at this moment or in the next 20-30 years, the world is at your feet. 

Just look at job openings online, it is everywhere, I get calls from headhunters two times a week because everyone is looking for expertise in this field. And while I am always curious about new challenges, I consistently tell them that I still have a job to finish here at Huawei. If I have been able to contribute a bit to the change in perception about our role in security and move away from allegations that we are a mouthpiece of the Chinese government, then I consider my work done, but for now there is enough left to do.

HTS Elektro

Let us first get to know you a bit. How did you end up in the field of security?

G: That only happened two years ago for me. I did a master in Crisis & Security Management, not at all a technical degree. During that master I took an elective course on cybersecurity, focused on the governance side of things. Before that moment I pictured cybersecurity as a pure ‘tech’ discipline. However, during this elective I learned about the other aspects and I got really enthusiastic about it. So, I followed up on this interest with a couple of internships, one of which was at the Global Forum of Cyber Expertise (located on the HSD Campus). I quickly realised that I really wanted to work in the security domain and just needed to find the right employer. I managed to set up some talks with people at Accenture and it immediately clicked.

Most people might think that technical skills are required to work in cybersecurity, but that is not the case. Within our Security team we have two tracks: ‘Client & Market’ and ‘Client Delivery and Operations’. The former is more aimed towards talent with a background like mine whereas the latter is more technical.

M: That is one of the fun parts, Gamze mentions the two tracks but in fact there are a lot of different subtracks within those two as well. Even the more technical track is not just about tech disciplines; it includes a lot of client-facing tasks and understanding of the broader security subject. That broad scope is one of the upsides of working for Accenture. I came in 16 years ago after my studies in Business Administration and after different positions I am now a bid manager, managing large deals. That is part of why I am still here; all the options that are provided and different things one can do. It is good to realise that what you do when you start working is not what you will always end up doing.

G: There is so much to learn. Within Security, we have different domains and different sectors and there is room to explore it all. What we do with the topics of diversity and inclusion here is like an extracurricular activity, the same is true for my marketing tasks.

Something else that we noticed is that Accenture also posts openings for MBO level positions. In our analysis of the broader job market in cybersecurity we see that it seems underdeveloped in this regard. Openings often list HBO+ education as a demand even though it does not seem necessary for the kind of tasks listed. How does Accenture implement that diversity of educational background?

M: That is another advantage of our size; we are active on the different levels of cybersecurity. So we have the strategic and consultancy part, the technology part, and the operational part. The first is more about shaping a vision and the formulating and preparing of a project. Technology is the implementation of a project. Operational focuses on keeping an implemented project going and maintaining it.

That is why whenever people ask me what skills they need to have to work at Accenture, I reply that it really depends on the layer they are interested in. There are so many options that there is probably always a place that suits you.

Diversity and inclusion is an important factor in the work you do, what is your motivation for promoting further inclusion in the workplace, especially in your focus area of women in tech?

G: I think we, as women, are pretty underrepresented in the field of tech. This is something one also sees in particular job profiles or different layers within the company. Analysts and consultants are equally balanced gender-wise. However, the higher the position, the fewer women one sees. And I believe strongly in role models, they are essential in creating hope and trust for other people that they can reach the same level of success. An example is my Managing Director; she has two kids, is a real power woman and has a husband with a career of his own. She is comfirmation that I could have the same without sacrificing either career or family, if I want to. I think inclusion is a subject that deserves constant attention, and not just attention but also action. Without action, ‘diversity and inclusion’ can seem like a very vague concept. So through organising certain events and workshops and collaborating with other organisations, we want to continue to create that awareness.

M: The field of tech is traditionally a male dominated field, this is true for cybersecurity as well. One of the main reasons for founding ‘Women in Tech’ was that the women who worked in technology could not find each other. Which is a shame, because it can be such a benefit to be able to exchange experiences.

A couple of years ago, less than 30% of the people working in tech, the largest department within Accenture, were women. One of the main goals we decided to work on since then within inclusion & diversity was gender diversity. Of course, diversity applies to a lot more things, but we found that the gender gap was so big that that was an important part to focus on. Right now, you can already see in lower level positions that there is much more of a balance after only a few years. The higher level positions are where we still have a lot of work to do. One can see that women may otherwise leave the company, when they look ‘up’ and think that it is impossible to break into the highest echelons as a woman. 

This work in inclusion and diversity is not a one-way street that just focuses on the position of women. Men also face particular struggles in the workplace. One of these struggles is wanting to become a father and having parental leave that is more equal to that of a woman. The focus for us is really on equality.

When you say that there is a greater balance in the lower level positions than before, what are the advantages of that change?

G: If you look at diversity in general, not just in gender but also in culture, educational background, and sexual orientation, you notice that it brings new insights and perspectives. Instead of having a team with ten people who studied computer science, a team that also includes a lawyer, philosopher, and someone with an MBA leads to new insights that in turn drive innovation and cool solutions. For example, we have a former fashion designer in our team who worked for a fashion house in Paris and is now part of our security team. Someone like that brings a bunch of creativity and a new way of thinking. That is also diversity.

M: Exactly that. We saw that the gender balance was something that really needed focus, but different backgrounds and ways of thinking are no less important in creating the environment that fosters innovation and helps people develop.

How do you feel that these diversity projects are embraced within the organisation? Not just from the executive level but also between colleagues? 

M: That’s a really interesting question. At Accenture we set the global goal to have a completely equal representation throughout all layers of the organisation of 50/50 men and women by 2025. That goal elicits a lot of emotions and reactions. Some people claim that there is no problem, that women are favoured this way, and some women say that they do not want to feel as if they progress based on their sex. There is a lot of emotion in this topic. However, by setting this goal one also sees that there is commitment from the top management. They see that it is something we are behind on and want to change that. In the workplace there is a bit more reaction and perhaps friction. 

Within the broader diversity and inclusion movement we are working along three axes; awareness, connectivity, and inspiration. Awareness is about making people realise that there are some things that happen on the workfloor that are not okay, for example as a result of unconscious bias. Besides the three axes, we have defined subgroups around themes like gender, inclusive workforce, cross-cultural, working parents and LGBTQ+. In those groups, people like Gamze and I work on advancing those causes so that combined we can realise more inclusion. Inclusion meaning here that everyone feels that they can be truly be themselves and feel at home at Accenture.

M: The challenge is in balancing the extent of the emotion. On the one hand you want to keep the workforce on board, but on the other you still want to do enough to actually enact change. Setting hard goals, like a 50/50 gender balance by 2025, is necessary to push forward with change and that approach fits the decisive culture of Accenture. Without it, concrete things likely would not happen. 

A practical example of diversity is that of including non-conventional profiles for certain roles in the hiring process, like someone with an art or philosophy background. What we noticed is that the people tasked with recruitment had reservations about this approach at first, but in the end gave feedback that they were pleasantly surprised by the results. That is the same thing we hope to create with the implementation of the 50/50 goal, that it opens people’s eyes to the potential.

G: When I started working for clients I realised that I had no idea of how to approach a lot of tasks yet. Recognising the knowledge of your colleagues and that they are there to help you is invaluable. Everyone was in the same boat when they started. At first you might be very insecure and doubt whether you are in the right place, but if you allow yourself to be open to your colleagues you will learn so much more and recognize that they have had the same experiences.

M: That is also what inclusivity is actually about. Not the targets, but feeling safe enough to open up and show doubt and vulnerability. That attitude is what we try to foster and promote. If I give my presentations, the kneejerk response is ‘oh not this story again about groups and targets’, but when I follow up with examples of situations that response changes to ‘that is not okay!’.

G: What I said about role models also ties into this. If you show your vulnerabilities and allow others to see that, they will feel more comfortable to do the same and follow your example.

So I can imagine a hypothetical situation where you have a team meeting in a law firm. The room filled with all lawyers and one economist. If management announces that the firm will have a 50/50 workforce of lawyers and economists, a lot of the lawyers will look around and know that that means they must leave or that a number of economists have to be hired to offset the percentages. How does the organisation deal with the emotion and organisational challenges surrounding the topic?

M: Well, we hire all the extra people! No, I am joking, but only a little. There always is growth and movement at Accenture. People will naturally move out of jobs, advance in their careers and the organization hopefully keeps growing. Even just in changing positions; Accenture operates worldwide, so there is a lot of movement possible even within in the company. So we try to ask people when they move out of their position to consider possible successors for their role. And not just to ensure the same quality of work, but we also ask those people to consider different profiles from their own. 

So we all know at Accenture that we will not work with the same group forever. And that is part of our model; if you are in the same place for ten years, people will expect you to move to another role, location or just an entirely different employer.

Do you have any final tips for up-and-coming talent?

G: Just try it. What you can expect is diversity; diversity of clients, of projects and of your team members. And in our team you contribute to help making the world a bit more secure.

M: Regardless of whether you apply to Accenture or somewhere else, just be yourself. Do not try to fit a model of what you think the template for a ‘good consultant’ is. Try to assess for yourself in which way you could add value to a role or company.

Crisis & Security Management / Business Administration