Way to Huawei
In the meantime, I kept track of job openings to see what was going on in the market, to identify potential clients. I started seeing openings from a company called Huawei Technologies and got intrigued. So, I sent an email to see if they were up for meeting to figure out what it was that they did. Within 5 minutes I got a reply from their HR department asking whether I wanted to come in for a job interview. After kindly declining and emphasizing I was not looking for a job but merely interested in their company and products, we set up a meeting with their CEO and Sales Director. After that we circled around each other for a while, where they made their interest known in hiring me but I was still focused on my other job. This went on until 2005, when I decided to go for it and help them put the company on the map here. That brings us to today, 16 years later, and I am currently one of the longest sitting local employees here.
My first role at Huawei was as Product Manager and later as a Technical Sales Director, with a local focus. After a while in that position I became the Solutions and Account Director for our projects with KPN. I did this until 2015. Around this time there was an audit done on our security processes and I saw the outcomes as a nice task to work on. Right after I made the switch to the security domain, the world seemed to explode and Huawei was accused of all sorts of things. That shifted the focus of my role from primarily internally based on our audit, towards more externally to accommodate clients that got worried and had questions after all the negative coverage about Huawei. That responsibility never really stopped and from 2016-2017 I was asked to also set up privacy compliance within the company in preparation for the GDPR. In 2019 we appointed a separate Privacy Director and my focus went back to external communication on our compliance and Cybersecurity procedures. In March of this year the company decided to bring Privacy and Security closer together again because these areas are just so interlinked. At this point I was appointed as the Cyber Security and Privacy Officer once again. Cybersecurity, that is Confidentiality, Integrity and Availability, is after all partially meant to uphold privacy.
“What I have realised is that I never really left sales. I just transitioned from selling products to selling trust.”
What does your security role look like?
So, that is why we implemented security by design. ‘Security by design’ is the process of creating all sorts of guidelines and protocols to integrate security in the design and production process of each product. The entire supply chain, including shipping and implementation of products is included in this verification process. We have learned a lot from all the accusations regarding the security of our products, even though none have ever been proven. Of course, we can say of ourselves that we are secure, but that is not sufficient. So, we make sure that all our products comply with sector standards and certifications in collaboration with issuing bodies and we work with an independent department that at the end of the development process thoroughly checks our products and whether they are permitted to be used in a specific market and by specific clients according to that market’s legislation and security requirements. To give an example, in some countries ‘lawful intercept’ is a requirement for telecom products to have. That is the possibility to tap into traffic flowing over the network, for example for law enforcement. But we only make these options accessible according to functions; in the Netherlands this option has to be available for operators of public networks, but is not allowed for business clients. So we do not give that functionality to the latter.
And how is privacy factored in there?
For the Benelux, Ireland and Portugal I am also responsible for making sure privacy requirements are implemented in our products and way of working. The functional departments are the ‘risk owners’, but my role is that of ‘risk control owner’; making sure the functional departments stick to what is allowed.
Security and privacy at Huawei are structured in a top-down manner; if you don’t structure these topics in that way it will become a mess. We have transparency centres and an independent cybersecurity lab that has the authority to stop production or distribution if a product does not meet the security and privacy standards. In the transparency centres we offer remote and secure access to the source code of our products so that clients can do an audit of their own if they would like to.
What I have realised is that I never really left sales. I just transitioned from selling products to selling trust. That is actually what we are talking about here. So yes, I see it as a challenge. Of course it can be frustrating at times to hear accusations that are completely baseless but still influence public opinion. That means I am continuously telling our story, inviting people over to explain how we work and how we adhere to the strictest standards. In a lot of areas we have more security audits and processes than our competitors.
Does it still give me satisfaction? Yes, otherwise I would quit this position in an instant.
As you still get satisfaction out of it, does that mean you also see progress and positive results?
Well, it comes with ups and downs. Whenever a new article appears I have to again explain everything we do and what is wrong about the assertions. What also makes it challenging is that security is a very complicated topic. Cybersecurity is a big challenge in general so it is also something that we have to tackle with each other as different stakeholders. Our role in that process is to support and show that we make sure that our people do not do nefarious things, that our products do not have shady backdoors and that we quickly tackle vulnerabilities we come across. One part of our approach now is to publish articles, write position papers addressing the parliament and engage in discussions with government agencies to make sure they are properly informed. Increasingly, I also have background interviews with journalists where I explain everything; about the security, how our products work but also the landscape of European laws and regulations that have to be transposed to the Dutch legal system. I try to explain all the parties involved and the legislative process and how that translates to practical requirements.
What we are actually arguing for is a ‘zero-trust’ model; where nothing and no one operates on a basis of trust. Instead there are clear standards that every party is subject to and they constantly have to be validated. A model like that can also come with contractual provisions of ‘thou shall/shall not’ and huge fines in case a party is in breach, that is how it works in Germany.
NB: The United States likewise is moving towards a zero trust model for the IT sector.
That model is linked with verifications, certifications and for that we need certain standards, so that brings us back to the start of the circle of security regulation.
What makes our situation extra complicated is that we notice that people hesitate to even talk to us. So without engaging us some people will read an article by a journalist that lacks any proof or sometimes even makes completely counterfactual claims. But because people do not speak to us they will just take the article at face value and think it is a valid confirmation of what the public opinion already claimed.
What I do know, and I am very passionate about having the honor to fulfill this role, is that if I see as little as one signal that something in our organisation is off, then I will be gone the day after tomorrow. I would not be able to do this job if I was not convinced that what I am, and we are, doing is right. Does that mean I know everything that happens at Huawei? Of course not. So the only thing I can do is take the organisation with me in ensuring that we do everything in our power to prevent bad things. Can I guarantee that no employee of Huawei is under any kind of pressure of the Chinese government? No, I cannot. What I can do is make sure that the processes are organised in a way that such a person cannot have unbridled access or disrupt the security requirements to access networks or personal data.
What is the education that brought you to this field?
I started with HTS Elektro in my younger years. And I constantly try to work on myself through internal and external training and courses, like CISM and CISP. I am not really an engineer in the sense that I am a cybersecurity expert that can assess a product or code’s security level on bits and bytes. Nor do I want or need to be.
With the increasing digitalisation of the world, we as a supplier of ICT products have an increasing role and responsibility. Not just with making sure alarm numbers (like 112) are always available, but also with autonomous cars. So if security can no longer be guaranteed the consequences will be increasingly disastrous. With the development of IoT, the attack surface of networks keeps increasing exponentially. I find it interesting, almost from a philosophical point of view, to see if and how we can keep these processes secure. What do we need in order to do that? Translating what that means for us, not just in product development but also for governance, is what I find very interesting. That is a constantly evolving process.
Recently we also had an audit on ISO27701, a follow up on ISO27001 (NB: the basic standard of information security) with a deeper focus on privacy, that sheds light on the amount of work we still have to do. If only because we are dealing with people and the workforce continuously changes with people moving on and new ones coming in. That also means that the work on awareness is never done and requires a lot of effort.
It is very grateful work, but also tiring at times. I never have to worry about a lack of topics during birthday dinners either anymore. At first people asked me ‘Huawei, what is that?’. Well, that time is over.
“There are so many very complicated and deep subjects to dive into that if you choose to enter the security and privacy field at this moment or in the next 20-30 years, the world is at your feet.”
I always say that privacy and security have become fundamental parts of our modern day life. If you can play a role in that field, whether in a technical or a supporting role, it is an incredibly valuable position you will have in helping to secure society. It can be contract management, governance, commercial. In the ‘old world’ you would have a role in an organisation and you could for example be an engineer. Nowadays you need to be able to put on three different hats; not just functional, but also ‘how does it impact privacy? Are the data streams secure? How is physical security guaranteed?’. If you manage to think in this way and find this interesting, the world is at your feet.
I am fully convinced that we are moving towards a zero trust model, because there are so many variables to consider that you have to focus on specific topics. The current geopolitical situation is that the United States has come to the realisation that they have been sleeping and are trying to overcorrect using restrictive measures. That approach will pass and different worlds will reintegrate and we have to be ready to tackle the different challenges when that happens.
I also give talks at high schools to help teenagers realise all the possibilities and areas surrounding cybersecurity. AI, tackling deepfakes; there are so many very complicated and deep subjects to dive into that if you choose to enter the security and privacy field at this moment or in the next 20-30 years, the world is at your feet.
Just look at job openings online; it is everywhere. I get calls from headhunters two times a week because everyone is looking for expertise in this field. And while I am always curious about new challenges, I consistently tell them that I still have a job to finish here at Huawei. If I have been able to contribute a bit to the change in perception about our role in security and move away from allegations that we are a mouthpiece of the Chinese government, then I consider my work done, but for now there is enough left to do.