In Culture of Compliance’s first episode, Sabrina Serafin, Frazier & Deeter’s National Process, Risk & Governance Practice leader, talks with Darryl Cox, Strategic Cloud Adviser & Sales Executive at QTS Realty Trust, about changes to compliance and how it affects companies now.
Evolution of Compliance Transcript
This transcript was assembled by hand and may contain some errors.
It has been edited for readability.
Sabrina: Welcome to Frazier & Deeter’s Culture of Compliance podcast series. I’m Sabrina Serafin, Partner and National Leader of Frazier & Deeter’s Process, Risk & Governance practice. Today’s topic addresses the evolution of compliance, and our guest is Darryl Cox, Strategic Cloud Advisor at QTS, one of the largest data center providers in the world. Thank you for being here today, Darryl.
Darryl: Thanks, Sabrina. Appreciate you having me.
Sabrina: You’ve had a lifelong interest in technology, starting with programming camp and your first personal computer, which was an Apple?
Darryl: IIe, yes. Back in the day when I was a kid, I think maybe seven or eight years old.
Sabrina: All right, well thinking about the changes to the compliance environment since then, how did we get here?
Darryl: Well, you know, compliance is a bit of a natural outcropping of security, and really, security is a natural outcropping of data and data itself. When I think a little bit about how we got here, I try to go back in history, and I mean way back in history, and you know, man’s evolution from the caveman grunting days to where we are today really kind of accelerated once we started documenting data.
If you think about it, there was a caveman back in the day, and he learned something; if he was able to communicate that to subsequent generations through a spoken language, that meant that next generation didn’t have to re-learn that situation in their life. The ability to have agriculture, whatever it may be. That evolved eventually into written language. And from there, the explosion of everything from the alphabet to the printing press really disseminated a huge amount of data. Well, that data eventually became very valuable out there, whether it was sending information from a warring faction Emperor to Emperor back in maybe B.C. times or the early ages.
That also led to people looking to take advantage of that data, get that information so they can better react to a wartime situation or get information about transactions that are happening. And so as miscreants were trying to take advantage of this data and information that’s becoming available, people had to find ways to secure that data. I look back sometimes to B.C. times, and the first use of security, there was a device called the scytale. The scytale was a rod, where you’d wrap a piece of papyrus around it, and a way to create cryptography for some of those communications. And so, that evolved over the years, as you would imagine, into all the advanced cryptography we have today. Well, that was a lot easier when the owner of the data was also the controller of the data. We talk about information security basics: you’ve got this subject and object interaction.
You know, the object is the data or the thing itself that some application or person or entity wants to interact with. When simply the data owner had full control over it, you could make whatever rules you want to around it based on its value.
I think about the safe at my house. I’ve got a small safe where I keep things that are important to me in my life. It’s pretty easy for me to figure out what I put in that safe because I know what I value the most, and I stick it in there.
Well, when you get to the point where the data controller is no longer the data owner, you start to have some challenges. Imagine if I told you, “Here’s some important information. Make sure you take care of it.” Well, do you put it in your safe or do you keep it someplace else?
All that kind of evolved around the time when banking started to become important, and when it was physical objects, it was a little bit easier; still complicated. Once we digitized this data and put it in the hands of data controllers, now we have a very complicated situation. How do those data controllers know what value I place on that object that I own? And how do I ensure that they’re doing the right thing with that data? The dawn of compliance and regulation is here.
Sabrina: So, now that we’re in the 21st century, I’ve heard you often say that data is our most valuable commodity. So, talk to us about that.
Darryl: Absolutely. It used to be that a physical object was the most important thing, whether it was property, a piece of gold, or any other sort of asset, my home. Things that were physical in nature. Well, these days, we’ve moved to the point where those types of valuable assets in a lot of ways are digitized. My deed for my property and whatnot is online. All of my health care or financial transactions are online. But in addition, we also have everything about our lives that’s been digitized, from our likes, our dreams, the friends that we have. I was just on a discussion with LinkedIn talking about how to mine the data that they have. This data has really become the most valuable commodity in our economy as well as in human evolution. It’s not surprising that man’s most accelerated advancement has come as the proliferation of data collection and documentation is throughout the entire ecosystem that we live in today.
Sabrina: So, many of us in the industry watched Mark Zuckerberg’s testimony and noted the Senate’s plea for self-regulation. You just talked about likes and mining data. So, talk to us about the difference between government and governance over this data.
Darryl: Well, that’s an excellent question and an excellent comment that you made there. You know, as you mentioned, Billy Long basically saying that, “Hey, Mr. Zuckerberg, here’s a bit of advice for you. Congress is good at two things: doing nothing, which we’re probably all very familiar with and, certainly, overreacting. And so far we’ve done nothing on Facebook, but we’re getting ready to overreact.” And that goes to your point about governance versus government. If we wait for the government to set a standard, oftentimes they’re reacting many years after there’s been an abuse of the data that’s being held by data controllers; companies, individuals or other governments that have caused damage to these data owners – essentially you and I, in most cases here.
So, if we wait for the government to overreact to that, it would be much better for the corporate entities to actually apply their own governance. In fact, I believe that long term, the best governance for business is going to lead to more of a competitive advantage in the marketplace versus waiting for the government to come along and whack the industry or individual companies over the head. Now, what’s unfortunate about that, and maybe I’m a bit naive in that perhaps my children and their generation won’t give up 99% of their security and privacy for productivity and comfort.
But I’m really hoping that the next generations actually look to value the governance that companies are putting out there in an effort to provide much better security controls and compliance that’s self-regulated or self-governed, versus waiting for industry to regulate them. Unfortunately, these days, what we’re seeing is the consumers of these companies’ services and products are putting no value on security in governance. Assuming it’s built in, wanting a very inexpensive product, perhaps free, and then just penalize the companies once they have a breach, penalize them terribly. I’m not sure the incentives are aligned there.
Sabrina: Right. Well, I think that the speed or the rapid pace in which technology evolves and is presented to consumers is so enticing that security, privacy, compliance is an afterthought.
Darryl: Yeah, it really is. It’s a bit unfortunate. These days, it seems like we really need to have a flip of the mindset and perhaps something like what’s going on in the EU with GDPR is directionally correct. You know I like to think that the culture of the European Union is a little bit different than the culture of what we have stateside. I believe there’s kind of an inherent mistrust of third parties collecting and holding data, and it’s rooted in probably some pretty good fears and some abuses that happened in history, certainly World War I and World War II to the population as a result of some of that stuff. However, I’m not sure that that’s the answer.
I don’t know how we convince these data controllers, who are these third party companies or governments, that they’re always going to have the best interests and the best controls over that data that align with every single individual for which you’re holding that data. It almost feels like we need to flip the script and get to the point where you as the individual actually hold and own and can control that data the way we had it, you know, decades and centuries and millennia ago. I’m hoping someday we’re going to create some sort of application, maybe it’s a new iPhone app out there, where I now hold every bit of my data about me, every bit of my digital transactions, all of my personal preferences, and that I only authorize a third party, whether it’s a government or a business, access to it once I’ve given very specific and implicit permission to it, and only then can they see that data temporarily, and then it’s automatically wiped. We’ve got to put the power back into the people. I just don’t think third parties, no matter how many rules we write, are ever going to have the incentives that are aligned properly.
Sabrina: Well, this Culture of Compliance series is intended to highlight the competitive advantage that companies, organizations and even, in some cases, individuals have when they do put the consumer first, when they put the data owner first. And you focus on data center to cloud hybrid IT solutions that enable this technology innovation. So, talk to us about where we now hold data and how we have to think differently about this commodity.
Darryl: Yeah, QTS, at its roots is a data center provider, and I’ve worked for them for a number of years. There’s certainly an evolution going on in the space right now. You have the major cloud providers, also called hyper scale providers, which would be inclusive of those Facebooks, Apples of the world, the Ubers of the world. And as those pieces of this puzzle begin to mature, there’s three kind of places where data is being created and consumed that are evolving. One is data is being produced and created at the endpoints.
And what I mean by endpoints, your devices, soon to be your cars, your smart planes, your smart homes. Every interaction that you have, just mountains of data are being produced. Those edge points are then sucking into what we now collectively refer to in the industry as the edge, and these are more local or municipal based consumption points and aggregation points for all that data created at the endpoint. Maybe some processing or regulatory requirement is being held locally and that’s pushed up to what I call the “Data Factory,” which is the true giant mega data centers of the world. It’s all starting to feel a lot like what happened in the utility industry.
And as that industry matured and business became to really rely on in the industrial age, just as business is relying on this data factory in the 21st century, you’re starting to see a maturation of security up the stack, and that’s really going towards a more internal governance process. The data center, as I mentioned, is really maturing, you’re seeing consolidation and a lot of standardization in that space. It’s moving up into the hardware platforms. Very few people even want to own hardware anymore these days. They want to consume it as they move up in the operating system level at infrastructure as a service. And over the next few years you’re going to see an evolution into the middleware or platform as a service containers, which is a new form of where the computing is going to happen closer to where the data is at and eventually function as a service.
And as these segments become more mature, security is going to be built in. And consolidation will happen. So, at QTS, we really see that ecosystem and look to connect all these different platforms from the endpoints to the edge to the data factory and the data center as these segments mature. So that provides a very secure and governed way of consuming the data, just like a Data Factory would.
Sabrina: Thank you, Darryl, and I could talk to you about this for hours, but this is our time. I want to really thank you for being here with us today for your interesting insight and perspectives. For our audience, thank you for listening to Frazier & Deeter’s Culture of Compliance podcast, and please join us for our next episode.