Privacy, data protection and cybersecurity in the boardroom with Dr. Gregg Li
IN BRIEF
- “When I first started this 30 years ago, I thought the more time you spend on innovation, the less time you spend on this data management. So that was a tradeoff. Then I found out that's not true; you can do both.”
- “We can use AI to really build the trust with the customer. That means that you have to follow through on what you say you're going to do, right? You have to walk the talk. You need to be a company that has fair play, that acts with good intention and takes responsibility when it makes mistakes.”
- “In a time of uncertainty, it’s a good time to start building that institutional trust with your customer… what do you call that, the favor bank, right? You can draw on that someday in the future. So how do you do that? Well, you’ve got to start planning early.”
In this VISION by Protiviti interview, Michael Pang, APAC leader for Protiviti’s technology consulting, sits down with Dr. Gregg Li, who has been the chief architect and surgeon for board of directors for over 30 years in Asia and the Pacific Rim. In that time, Li’s strategic focus has been on technology and governance and the transformation of boards. His clients have included one of the largest global IPOs at the time, the Link Real Estate Investment Trust, as well as one of the oldest NGOs in Asia, the Tung Wah group of hospitals.
In this interview:
1:15 – The board’s role in compliance
3:15 – Balance between innovation and data privacy
6:50 – Increasing transparency and accountability
9:45 – Building a culture of trust
11:50 – The next three to five years
Joe Kornik: Welcome to the VISION by Protiviti interview. I'm Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite in executive boardrooms worldwide. Today, we're exploring the Future of Privacy, and I'm happy to welcome in Dr. Gregg Li, who has been the chief architect and surgeon for boards of directors for over 30 years in Asia and the Pacific Rim. His focus has been on technology and governance and the transformation of boards, and over the years his clients have included one of the largest global IPOs at the time, the Link Real Estate Investment Trust, and one of the oldest NGOs in Asia, the Tung Wah group of hospitals. Dr. Gregg will be sitting down today with my colleague, Michael Pang, APAC leader for Protiviti’s technology consulting. Michael, I'll turn it over to you to begin.
Michael Pang: Thanks, Joe. Dr. Gregg, thank you very much for joining us today.
Dr. Gregg Li: Thank you, Michael, looking forward to it.
Pang: Yes, looking forward to a good chat. So, first of all, what is the board's role in ensuring the organization remains compliant with the ever-changing data privacy regulations?
Li: You know, I see a lot of questions on a balance between what the board should be doing. Generally speaking, there's something called ‘conformance and performance.’ Conformance is basic compliance. Many boards try very much to be compliant, but many boards forget about performance. But yes, the role is finding that right balance. But you find that when we're talking about privacy, things happen very quickly, and you try to catch up at the end. So, what I'm saying is the board usually finds out or is the last one to find out. Then you say, ‘oops,’ and you just try to catch up. So, the balance should be there. But once things kick off, you drop everything else and go deep in. In terms of privacy, a lot of things are changing. We look at GDPR, we look at what China is doing and what the U.S. is doing. You know, the intention is always good, but there are little fine differences, I'm sure, you know, so these little differences make things difficult. For example, you know, GDPR doesn't have a maximum fine, but you know the PIPL, they do; places like Hong Kong, Singapore, they're also catching up. So, there are increasingly cyber breaches, and they need to be involved. So I guess to find the right balance, the board needs to really get inside information for the risk committee from the CDO, CTO, and I think most importantly, from people inside and outside. So, you need people coming from the outside saying: Have you done this? So frequent updates are very important.
Pang: More specifically, you mentioned previously that sometimes something doesn't work well when the board interfaces. So, what can the board do in terms of getting to know more about how the sector situation is? And also, how do they actually make sure there is a good balance between innovation and data privacy, rather than focusing on just good innovations but forgetting about data privacy?
Li: Again. You know, following up on your stream of thought, how do you balance that, right? How do you balance innovation against the need for robust privacy and data protection, right? When I first started this 30 years ago, I thought the more time you spend on innovation, the less time you spend on this management. So that was a trade-off. Then I found out that's not true; you can actually do both. There's a lot of overlap between what you just said, between innovation and the need for privacy and data protection. But the balance is dynamic. It’s shifting and moving very quickly. The question you ask is, how would the board know? The board would know by having many eyes, many layers of sensors. You have the risk committee, you have the external auditor, you even have the customers telling you if something's wrong, and that's very important.
Pang: So, do you think currently, across the different boards of directors that you have worked with or been a part of… do you think there is enough transparency or accountability in the boards towards data privacy? And if the answer is, well, we’re not there yet, not ideal, then what do you think the board needs to do in order to actually increase the transparency and accountability?
Li: This touches on culture, and culture is very much a tradition, and every board is different because every company is different, and how do you reinforce that? Culture, transparency and accountability start at the top. So, you have the chairman or the CEO saying ‘this is how we're going to operate.’ But I find that sometimes you need to cheat a little bit by telling the board to spend five minutes talking about privacy and IT issues. Always put that on the agenda, otherwise you're going to forget about it. And this is an education process. You get the CTO speaking. So, this is the hard thing of today's meeting. Now, as a board director, you find that you really don't have time, there are too many things happening, and when you join a meeting it’s very tight and you need to focus. I find that one of the most important things in terms of transparency is internal transparency, meaning you do everything you can at the board level, but you find that some of your employees, when they pass data to a partner, they're not conscious to take out that private information, and those go automatically, and you know it's going to get you, so you worry about those, but you ask your CTO to look after that. So, transparency, yes, it is not easy. And again, coming back to the culture. So, you need to impose a culture. Maybe you want to have a policy, a procedure, as a reminder that everybody's very important, and before you send anything to a vendor or partner: Have you done this? Have you deleted some of the sensitive data, financial data, health data, for example?
Pang: Apart from culture, do you think the boards, in general, have—because we talk about data privacy or even cybersecurity, and those can be quite technical to people outside the IT areas—do you think the boards—in order to create a culture—do you think the board needs to improve or actually have more people from the IT space in order to actually create the transparency and responsibility or accountability, so that they actually know how to manage, to govern the CEO and CIO in order to upkeep the data privacy?
Li: The board needs to constantly learn, like you said, but it's not easy. And a CTO is not usually given the airtime that he needs. I remember one case where I asked the board to think about drafting a code of practice or a code of conduct on AI and ethics. So, start working on it. At least when you come to a topic, you can quickly refer to it. ‘Oh, these are the things that we prefer to have. These are things we shouldn't go to.’ So, by pre-planning and pre-thinking, it helps you frame faster. The board needs learning and continuing feedback, and it's very important. Maybe I would encourage the CTO to do a session off site, not at a board meeting, you know, once a year or twice a year, and just spend half an hour talking about things that are very important.
Pang: Dr. G., I know that in the past you have been a consultant or helped the board to transform. So, if you are facing a board, or if you're joining a board tomorrow, and if you have to give them three or four pieces of advice in order to strengthen their data privacy governance, what would you think those three or four ideas you would give them?
Li: OK, that's a tough question. When I say if joining as a director, which is different than if I'm joining as an advisor, let's say I'm joining as director. If I'm director, then everybody being equal, I want to make sure that everybody is informed at the same time. I would encourage the company to first start with setting, like we said before, a code of conduct. So, working with consultants, to say, OK, this is something that we need because we need to establish our institutional trust within a company, and this is one level, our code of conduct, things that we prefer to go there. On the longer term, I would encourage a company to look into building the institutional trust with the customer, right? Because with AI now, if you go back to fundamental things like Drucker would say, everything depends on having a customer. If you don't have a customer, what's the point? And with AI, we can actually understand the customers better. So, we can actually use AI to really build the trust with the customer. So, what does that mean? That means that you have to follow through on what you say you're going to do, right? You have to walk the talk, basically. You need to put in your belief what is a company that has fair play, that acts with good intention and takes responsibility when it makes mistakes. You need to set up that belief system. OK. Belief system, I think, is very powerful, like a code of conduct that will assess a culture. The second thing I would do is setting the boundary. You know, these are things that we don't go, and I use policies, for example, policies that the company will have to follow. The third is, I need diagnostics. I need to find out what's going on on a frequent basis. So maybe ethical hacking, or the kind of tests that you know you guys do all the time. I know in your industry, there's something called zero trust, right? Which means very interactive, even though you put up a firewall, and even though you give certain employees certain access, you still need to monitor anything that deviates from the ordinary, and to be informed, not that we want to, you know, spy on the person, but to inform that something is not the same.
Pang: Thank you, Dr. G. Thank you very much for your time and insight today. We've covered a lot and very much enjoyed our discussions. But before we end, I'm wondering what's your thought about how things will play out over the next couple of years? Especially as you, at the very beginning, mentioned that regulations don’t hit hard enough and need to be strengthened. At the same time, there’s all this new technology, and also expectations from customers are getting higher because of all the kinds of incidents that we have experienced in the past. So how optimistic are you that boards of directors and companies are actually getting it right? Or do you think they will continue to struggle?
Li: I'm confident that they're not getting it right. It's always trying to catch up. And you know, we're in a world where everything's volatile and uncertain, right, chaotic; so we need to do the right thing and build up, build up a level of trust. So, I was saying, you know what, the case of Tylenol, though, or McDonald's, for example, there was a long history of a case from McDonald's. They make those little toys, you know, toys that people love. Customers really love the toy, so they buy the hamburger, toss the hamburger, keep the toy. Well, that didn't go well for society, but because McDonald's had done a lot of good things before, so they built a lot of trust with society, so they were able to take that, right? So, what I'm saying is, in a time of uncertainty, it is a good time to start building that institutional trust with your customer, that, you know, what do you call that, the favor bank, right? That you can draw on someday in the future. So how do you do that? Well, you’ve got to start planning early. You start working and not just wait for things to happen, because things will happen. Like you said, you know, cybersecurity is not a matter of “if,” it's when, and you don't know when something might happen. So, you might as well do something proactively, start building the bank, putting deposits into your bank.
Pang: Thanks, Dr. G! You're very generous with your time, and I appreciate your insight.
Li: Thank you very much. Those are good questions; you got me thinking. I hope it helps. Thank you.
Pang: Thank you. Back to you, Joe.
Kornik: Thank you, Michael. And thanks, Gregg. And thank you for watching the VISION by Protiviti interview. I'm Joe Kornik. We'll see you next time.
Dr. Gregg Li has been the Chief Architect and Surgeon for Boards of Directors for over 30 years in Asia and the Pacific Rim. As the architecture of corporate governance encompasses the long-term sustainability of the entity, the core advisory that has formed the blueprint for his work has included the assessment, design and set-up, and remedial work of governance for entities including multinationals, NGOs, family businesses, SMEs, and start-ups. His focus has been on technology and governance transformation of Boards/Committees, and his clients over the years have run the gamut from one of the largest global IPOs at that time, the Link REIT, to one of the oldest NGOs in Asia, the Tung Wah Group of Hospitals.
Michael Pang is the practice leader of Protiviti Hong Kong Technology Consulting solution and serves as the APAC Lead for Protiviti Technology Consulting. With nearly 25 years of experience, Michael has built a distinguished career advising top management on a wide range of strategic topics. His areas of expertise include cybersecurity, data privacy protection, IT strategy, IT organization transformation, IT risk management, post-merger integration, and operational improvement. Michael has been a sought-after speaker, delivering numerous presentations at industry conferences and academic lectures on cybersecurity and technology risks. His insights and thought leadership have made significant contributions to the field.