Comcast Corporation (CMCSA) Earnings Call Transcript & Summary

Next up is our Securing the Future of Work session. Rocco Grillo. Rocco, welcome to the program and take it away with your rock star panel, please.

Awesome. Thank you, Hunter. Thanks, everyone. It's always a pleasure to join friends, colleagues and industry experts at HMG. Just another one to roll out, and to Hunter's point, pleased to be able to lead a session with some rock stars. Just listening to all the expertise and the things that are going on in the industry who could have predicted the last 3 months. And for myself, I'm a Managing Director with Alvarez & Marsal. I lead our Global Cyber Risk and Incident Response Investigation. I'd say over the last 10 years, 12 years, helped companies respond to some of the largest cyberattacks in the industry. But if anything, in the last 3 months, outside of saying wow, we've seen things from ransomware attacks, attacks on the cloud, business e-mail compromise. I can't say phishing one more time, spiking through the roof, even further to that third parties. And that almost seems like the new norm, if we can't get to the target attackers, they're going after the third-party service providers. And last but not least, the fraud and the nation's data attacks that are going on. As much as I mentioned, being ready and prepared to respond to them, if it's taught us anything, being resilient and looking at contingency planning and further. To that end, I'd like to just introduce the panel of expertise that we have here. I'm going to hand off to them in a moment to talk a little bit about themselves and the theme of our session, Securing the Future of Work. With us today is Michael Iwanoff from Iconectiv, Sudhanshu Kairab from Comcast, and last but not least, Sudhanshu Kairab from Procter & Gamble. Michael, if you want to kick us off, that would be great.

Sure. Well it's a pleasure to be with this group today. Always a pleasure to hear insight from professionals that have represented here and get the questions from other peers in the industry. My name is Michael Iwanoff. I am the Chief Information Officer, Chief Information Security Officer for Iconectiv. Iconectiv is a global telecommunications services company, providing some services that you may be aware of to the industry and some services that are really hardline for the telecom carriers. The services you may be familiar with. We manage the number registry. Cell and hardline number registry that is used for porting numbers. So if you ever go and want to upgrade your phone or you move to a different carrier from like a AT&T to Verizon, Iconectiv is the company on the back end that is managing the porting of that number when you want to keep your number and move over to the new carrier. In addition to that, you may be familiar with short codes. For all of you, fine gentlemen and ladies out there who are watching Dancing with the Stars, at the same time, my wife and I are watching it or American Idol or any of those, we're at the end of the episode, you get the vote for your favorite individual. That is actually utilizing short codes. It is fixing a certain value to a certain number. And on the back end, Iconectiv has to manage it and make sure all of the carriers are familiar with what those codes are and what they're supposed to do and how it's managed. And so those are some of the things that you may be aware that we do and many of other things, like CMDB-type database stuff that's routing information that we provide to carriers that allow their entities to interconnect. And lastly, I would just say, up and coming, Iconectiv is leading the effort on addressing robocalling. So we are really a trust tanker in the industry. The carriers are trusting Iconectiv to put forward, and we already launched a part of that solution. It's called the policy administrator, which allows all other service providers and certificate authorities to work with us so they can start basically tagging or certifying their phone calls that are coming through the telecommunications network so that on your end of the phone call, you can start seeing whether or not it's a trusted party. And if it's not, then it is a scammer/a robocalling malicious attacker. So we're working to put that in place. And hopefully, these things are getting adopted really soon for all of our benefit. Thank you, Rocco.

Fantastic. Thank you, Michael, and a lot of great things happening there at Iconectiv. It's fortunate we are speaking to the 3 of you, just hearing the different things that your companies are doing. Sudhanshu, want to go up next? I think you're maybe on mute.

I was on mute.

Got it. There you go. All set.

Thanks, Rocco. Thanks for having me. This is actually my first HMG session ever. So I've known Rocco for years and he asked me to attend. So it's really been a great session so far, some great insights from everybody. So I am the Vice President of Cybersecurity, Governance, Risk and Compliance at Comcast Cable. I think probably most of you know Comcast Cable, we provide Internet services, a whole slew of residential services, also services out to businesses. My role is really focused on a part of the information security team where I'm most focused on security governance, all things related to security compliance, awareness and training. So just I really work with a lot of different positions within Comcast Cable in terms of supporting their initiatives.

I do want to say, Sudhanshu, that I really love my Xfinity X1 service, and the ability to now set recordings from my phone. Thank you for that.

That's awesome. That's great. Good to hear.

Good stuff. Thanks, Sudhanshu. Kostas, over to you, my friend.

Yes. Good afternoon, everyone. It's a pleasure to be here with my colleagues, and hopefully, I can provide some insights and contribute some meaningful points to the conversation. I'm Sudhanshu Kairab. I am the Global CISO for Procter & Gamble. We are the largest consumer goods manufacturing company in the world, operate out of 85 countries. And Rocco, to your point earlier on who could have predicted it. I don't know about predictions, but certainly, we saw our business in China being impacted late in the fall. And while we certainly had no expectations of the magnitude of this here in the U.S., I think some of those early learnings that we took away were certainly helpful in our response to the pandemic and our ability to pivot and change.

Fantastic. Thanks, Kostas. And I really want to jump into some of the questions. I know we have a limited amount of time, but with the 3 of you and your experiences, we could probably take the whole afternoon and have everybody at the edge of their chairs.

One of the things we -- I rattled off a couple of the things that we were seeing in helping clients but at the same time, Michael, when we were talking, we were talking about some of the spikes in phishing and just the different ransomware attacks and so forth. There's so many different things that evolved over the last 3 months. There's some of the things that -- I almost like to call them blind spots. What are some of the things that you think may be unrealized or that company, not so much overlooking, but areas that we're looking towards employees and going from the workforce being at our headquarters to overnight almost being remote? What are some of the things that you think companies may be overlooking or even as we go into the future state that companies need to take a look at?

Yes. Good question, Rocco. I think one of the things that first comes to mind for me, and I'm a big proponent of speaking on threat modeling. With my work with government entities, the working groups that I sit on with DHS and any of the other types of seminars that I spend some time in, I oftentimes do focus on threat modeling because I feel like it is somewhat of a lost art in information security and information security programs and CISOs by way of that. And so over the last 3 months, so many of our companies haven't just transformed to work remote, we've added new products, new services. We transitioned where we were doing work, maybe where we were storing information, where we were accessing information. We've opened up channels for our customers, our clients, our partners, third parties to be able to work with us remotely as well. We've done probably the most significant transformation of data accessibility in a short period of time than we ever had in our careers. And so what I would challenge all of our peers on this call and this seminar today is to ask yourselves whether or not, in this transformation, your information security groups have taken up the recent review of looking at your threat models. You now have maybe new ways of data being accessed, new technologies that are being used as less covered. If you're familiar with threat modeling, it even comes out of missed standards, 853 might talk about it and some -- then there are some other parts that really get into details. But basically, your security group should be looking at and evaluating threat modeling on an annual basis and then whenever there's significant security issues or significant changes in architecture. And doing so, what you're aiming to do is look at what is the most important information that you have, the keys to the kingdom, what do you have that you're trying to protect? Who do you think the attackers are that would be trying to get to that data? And what would be the attack profiles they would be using to get to that data? And so you might have financial information, and you believe that the prime attackers that are looking to get that would be cyber criminals, utilizing attack profiles such as phishing, social engineering, malware. And then for each of those, you need to take the time to look at, what is the likelihood and impact of those attacks and ensure, finally, that your controls around them are secure, taking up kind of a turn towards what we have today for those who have implemented additional remote access capabilities. For those who have implemented additional access controls that allow third parties or other entities to access environments. Have those controls been locked down in such a way that it is allowing and enabling your business, but managing the risk of security. And so in short, I just repeat and say that having a refocus on the threat modeling assessments and understanding your risks on the environment is something I highly recommend companies are doing at this time based on all these changes.

Great points, Mike. Thanks for providing us, especially on the threat model, and as we rattle off all these different things, that companies should do. We're not hearing too many companies talk on the threat model and the more mature ones, ahead of the curve, are. And you pointed to one in your last comment there about third-party risk management and so forth. There's an organizational shared assessment. So it's been around for a while and put a framework together coupled with innovation. And we just - I helped put out a white paper on IoT technology. So look at -- from what you're talking about on the threat modeling to third parties, to innovation and technology. And Sudhanshu, I know that third-party risk and compliance is a real big hotspot for you. But on the heels of what Michael just shared, what are your thoughts that company should be doing, especially when you look at the third-party risk in the middle of the pandemic as well as governance and you can be sure there'll be a lot more compliance and regulatory measures that are going to be coming down the pike for sure?

So, yes, sure, Rocco. Yes, it's amazing. I mean, third parties are facing the same challenges as we are as companies, right? They're having -- they're facing COVID just like we are. And when you have some dependency on third parties, we certainly do. And one of the things that they're coming to the same conclusions that they can't work -- they have to work from home. They have to worry about things like connectivity. For us, we need to make sure that however they're working for home or wherever they're working from, they're still working in a secure manner. So it's forcing us to kind of reexamine those relationships and what happens when the workforce of a third party is now working somewhere else. So everything from how they're connecting into our systems, what machines they're using, are they using company owned -- are they using company-issued machines? Are they using their personal devices? And you got to kind of think of all those provisions. And with that said, you also need to take a look again at your -- at the contracts that you have with them. What types of -- what are the legal implications if they start working differently? And are you adequately protected? So we've gone through and work very closely with third parties and the relationship owners and really gotten a lot closer to how they actually work with us in making sure that we're protected. The other thing it really -- what has given us insight into is just their own DR capabilities. How quickly are our third parties able to shift and be able to -- really be able to support us? So especially when we start thinking about groups that are offshore where connectivity is an issue, the hours that they work, any number of things, but it's really for us just to take a really hard look at how we work with third parties. And I think in the future, it's also going to affect the way that we look at third parties when we assess them. And also -- and how we look at them from an ongoing monitoring perspective. The one thing I'll add is the other thing we're also seeing is just their dependency on their own third parties. So really fourth parties for us, right? So they would also have concerns about their own third party. So it's kind of a chain reaction, but it's something that we need to be very mindful of because we are sort of head-on.

No doubt. You can outsource the function, but you know who owns the risk when that third-party is driving at the wheel with your phone, your data or whatever it may be.

Yes. That's a great point because, yes, they do -- you're still also responsible when they're working on your behalf. So you still have legal obligation associated with any kind of consumer data, anything that they really access. You're still responsible as a company, so you really need to be kind of mindful of that.

Sure. And as much as we've spoken about all the things that could happen, all the things that are happening, some of the other panelists from the previous sessions were talking about digital transformation, innovation and embracing it and you've had companies that have jumped into the cloud 5-plus years ago, some not so fast. I think we're going to see everyone's hand pushed. And if you haven't, you better jump in or if you haven't been left behind already, you're going to be left in fast -- even faster. To that end, Kostas, I know you and your team and partners around the world have worked in a lot of different business transformation innovations and so forth. In the midst of COVID, without saying the obvious, as we continue moving forward, I almost don't want to use the word post-COVID because just as you think we're turning the corner, setback here or there if we see what's going on around the country. But from your perspective, Kostas, it's not just from an actional standpoint globally, what are some of the digital transformation measures that companies are going to be tackling as they move forward?

Yes. Thanks, Rocco. I think to the comment that you made for companies that have really invested in digital transformation and really have looked at the cloud as an enabler, not only for their business, but their consumers. Customers, for example, are significantly ahead in addressing some of the challenges I think we're experiencing today in the COVID environment. For us, I started a program 5 years ago to aggressively move into the cloud. And one of our last enterprise security capabilities was actually migrated on March 9, in the middle of the announcements of companies sending their employees home. And thankfully, for us, that was the last day of security capability that was in the traditional data center. Today, and I've spoken to many of my colleagues and I love to hear from the panelists themselves, our entire security stack is in the cloud, and it has given us unparalleled flexibility in scaling up solutions or bringing online new capabilities that we don't have to depend on personnel that have to visit the data center or resources that are not available due to restrictions, whether their travel or otherwise. And I think one of the biggest challenges that we've seen on a global scale as the world has seen different variations of lockdowns and restrictions, the ability for people to physically be able to go into the office has been significantly impacted aside from the fact that we have this pandemic, and people are now considering how do we get back in some limited form into the office. So virtualization for us has been a key enabler, something that we saw, again, earlier in the year as our experience in China clearly demonstrated that we had to be agile, and we have to provide operational continuity to the organization, including customers and employees as well as third parties. And our ability to quickly, in the cloud, spin up virtualized environments has been a significant enabler. And even from a security perspective, when you think about malware, for example, it's one thing to be able to isolate and contain it, which I'm sure everyone here is doing well. But it's another thing when you do that, and the employee now has no ability to continue to work, so you start impacting your productivity, you start impacting your operations. You multiply that over time. We're now into a 3-month cycle of COVID, and you can quickly see how that can scale up and be a significant outage for you, your suppliers and the employees. And lastly, the supply chain. I think for us, particularly, we're a vast company, again, in many, many different markets around the world, seeing the attacks that are emanating in the supply chain already a significant concern and something that we've been addressing with table tops prior to COVID. But really, the learnings and the ability to reapply that now in our organization has been really, I think, a competitive advantage for us. So we're prepared for the outage. We have resiliency implemented in our solutions, and we're working with our third-party suppliers. So if they go down, if their systems are not accessible, we at least have virtualization capacity and capability to allow them to continue to support our operations remotely.

Fantastic. Great points, Kostas. Thanks for that. I know, Mike, we were talking about business continuity, technologies and so forth. And even at the beginning, I had mentioned resiliency. Kostas to your point, if you never -- doing the table tops, we're never going to have the crystal ball. But at the same time, while we can't predict the future, some contingency planning, you mentioned resiliency a couple of times. Want to throw back to you on that point, Mike, in terms of -- well we've got the business continuity, we're looking at traditional resiliency measures, what kind of technology, what kind of innovations, especially what Iconectiv does, should businesses be looking at moving forward?

Yes. That's a challenging question. Thank you for giving me the challenging one, Rocco.

I didn't mean to put you on the spot there. But I mean, with the panelists we have there, you guys just surely overlap nicely together.

Sure. So Kostas effectively really communicated the benefits of not just looking at the cloud as an option, but Iconectiv, much like Procter & Gamble, had put a fully fledged formal program together. I don't know if Kostas, as you call it, a cloud first strategy when you first started it or not, but...

Correct. Yes.

Yes. But having a program in place that looks at new products and services and in addition to migrating over previously existing products and services that may have been on-prem solutions. So I have seen a lot of my peers that have accelerated those efforts in the last 3 months. Last 3 or 4 months, they've accomplished what a plan would have taken them 9 to 18 months to do. And they've effectively been able to accelerate those efforts. And so I agree wholeheartedly with Kostas how important those transitions can be, especially if it's already in the business goals and objectives to move on them and not delaying them. Because while I would stress that -- and Kostas, you can back me up on this, that the in-year cost of moving to the cloud, surprisingly, will probably not save every company what you think it will save compared to an on-prem environment. If you still have space, if you still have virtual machine space and hardware, software solutions, all that stuff in your prem -- on-prem solution, expanding to the cloud and having to build out a security suite, the logging, the monitoring, capturing, all of that in addition to whether you're going land with the AWS and Lambda or you're going to a serverless architecture or a server architecture, depending on which environment you choose, I think most of my peers would say that you don't necessarily find in-year savings, but it's the -- beyond the in-year saving, it's the continued uses of those environments, expanding, getting the capabilities of the other products and services that may be offered. Google is just fabulous for their AI, machine-learning capabilities. Amazon is just well known for all of the other services that you can take advantage of that will help -- that you could integrate with your existing products. So there's kind of characteristics that each provide, but I would encourage many of our peers here to not defer if you already started down that path and potentially even look at accelerating. Because as one of our previous panelists had mentioned, we don't think that something like what we've gone through today in these last few months of the pandemic will be the last we've seen in our lifetime, right? And so having environments where redundancy is already in place, continuity is in place, the ability to shift from regions or within region is really at a click of a button, and those systems and services could be built there, it's really a huge benefit to global teams that normally have to manage data centers to do so.

Yes. Mike, that's a great point.

I would add there as an insight there. We actually saw about a 30% reduction in cost in moving from the traditional data center into the cloud. And what we ended up doing is taking that savings and reinvested back in automation and building up engineering talent. So for those of you who are on the call, going into the cloud sounds like a great idea. It is a great idea. I would encourage it, as Michael did. But I would also tell you, you need to build your own engineering teams to not rely on a third-party to architect, build and design that cloud environment for you and maintain that expertise in your own walls. That is going to be the competitive advantage for companies going forward. That's what gives us the ability with speed and agility to change a lot of our solutions without really relying on expensive third partners. We do have them in the ecosystem, but build your engineering team, you can thank me a year from now or 2 years from now in another call.

For sure. Great points, guys. Much as we've spoken about, the corporations, the innovation, Sudhanshu, and all of you, for that matter, looking at the end user, the individuals, the customers, with everything going on, Sudhanshu, we've talked about the employees being the Achilles heel, but put them back to our end customers. I know we're coming up on the time so -- but to that end, Sudhanshu, if you could give us a little insight on the individual users. What have you been doing in the wake of that?

Yes. So with the new normal, it's just it's more important than ever that we maintain our end-user training, especially when it comes to security and things. So we've had very kind of targeted content that we've provided to our employees and contractors around things like phishing scams, and we saw a resurgence of those after COVID started. So employees were getting targeted with coronavirus-related scams about maps and statuses and that sort of thing. But then we've also looked at with the new arrangements, the working from home. So now the home security network is even more important. So we're giving them -- we provided some education around best practices for the Wi-Fi security, not mixing your personal and your work devices, trying and keep them really separate. Even things like, if you have documents that are confidential in nature that you're not throwing away with the regular trash, we're trying to just keep them aware and keep that content really kind of always going on our kind of internal websites. But then also, as you know with Comcast, we have employees all over the place, not just in the field and other locations, so we're using all of our communications channels. We're really working with our communications teams to really get that word out and make sure that they're constantly getting messaged with just being -- what they can do to be secure for -- not just to protect themselves for work but really to protect themselves in general. And to that end, we've also started putting out content for our consumer about how they can protect themselves again for -- in this interesting time.

Great. Fantastic, Sudhanshu. I know Hunter is waving me on there. A wealth of experience and expertise leadership. Just wanted to thank Michael, Sudhanshu and Kostas again for putting this great presentation together and making time out of your busy schedule to join us today. Hunter, over to you. Thanks again for having me.

Excellent, Rocco. Thank you, gentlemen. Awesome job. Really appreciate your engagement. Love to have you back.

Thank you, Hunter.

Love to have you back in the future time.

Thank you, Hunter.

That's a wrap-up. Another world-class summit here at HMG Live! Thanks so much for all the active engagement. Big thanks and shout out to Gary Sorrentino and the folks over at Zoom for being a great national partner. A big shout out to Larry and the Philadelphia SIM chapter check -- Philadelphia SIM out, it's a great organization. And thanks again to all of our speakers, our panelists for a great program. Please spread the word. We'll literally be here -- back here tomorrow with the Financial Services Summit in New York and then Thursday is the Innovation Summit from Silicon Valley. Take care and be safe.