Data security and privacy management with Carol Lee, VP of ISACA China, Hong Kong

Joe Kornik: Welcome to the VISION by Protiviti interview. I'm Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we're exploring the Future of Privacy, and I'm happy to welcome in Carol Lee, Vice President of OSAKA China, Hong Kong chapter, as well as the Deputy GM, cybersecurity and risk management of Hang Long Properties. For more than 25 years, Carol has been well known in the cybersecurity field, and her accolades include the 2021 global 100 Certified Ethical Hacker Hall of Fame, as well as the 2023 Women in IT Asia award. Carol will be sitting down today with my colleague, Michael Pang, APAC lead for productivity technology consulting. Michael, I'll turn it over to you to begin.

Michael Pang: Thanks, Joe. Carol, thank you for your time and thank you for joining us today.

Carol Lee: Nice to meet all of you guys.

Pang: First of all, just to kick start the in terms of talking about privacy, how can companies balance the needs of personalizing customer experience with actually growing demands and regulatory controls in privacy and data protection?

Lee: Well, in fact, this is a very relevant question. Personally, I think companies implementing the privacy-by-design principle within their implementation system life cycle is the best answer. Companies can benefit from it naturally. Let's dive into a few examples that illustrate the power of privacy by design. Firstly, customer experience and privacy-by-design both have a common goal of forming a customer data link, or data dictionary. With a customer’s personal information dictionary built and maintained across the life cycle, the company can easily visualize the types of customer personal data collected, stored and processed and further use it to align their customer data analytics strategies, tailor their services, minimize and imitate entry efforts of customer while improving customer experience without compromising on privacy protection. Another aspect of privacy-by-design approach is its proactive nature that will benefit the company by integrating privacy consideration into design systems and processes so a company can address privacy issues at an early stage, rather than retrofitting privacy protection after the fact. When personal information is adequately and normalized or de-identified, this not only enhances data protection, but also fosters digital trust and customer confidence, which is invaluable in today's business environment.

Pang: Interesting, a lot of the things that you mentioned, could be considered best practices while we have different regulations in Asia Pacific or in Hong Kong with the PDPO (Personal Data Privacy Ordinance). Do you think the government or regulatory body needs to embed some of this into the regulations, and how do you think those bodies in the government will actually play a role in shaping or regulating the data privacy in the future?

Lee:  Yeah, sure. The government and regulatory bodies certainly play a pivotal role in shaping the future of data privacy. Their inferences can be crucial to introduce technical frameworks and guidelines and adoption and assist compliance. This framework is essential as they provide clear direction for business to protect individual privacy rights, while enabling responsible data use. Regulatory reporting can also incentivize business to focus on privacy by requiring privacy engineering professional qualifications for companies that handle massive personal information. Similarly, we have seen like qualification requirements for security professionals in critical infrastructure, right? Unfortunately, unlike cybersecurity, privacy-by-design has only a few global professional qualifications as of now. We, ISACA, is an organization dedicated to promoting digital trust and offering the certified data privacy solution engineer, CDPSE certification. This certification is tailored for IT professionals responsible for integrating data privacy into a technology platform. It encourages the adoption of privacy-by-design principles and privacy-enhanced technologies in managing data privacy program. As far as I'm aware, IAPP is another organization also providing privacy certification for legal and other professional people. If qualification requirements can be mandated, personally, I believe there's more educational players that can join the market to shape the culture of privacy. By then, data privacy and protection mindsets can be ingrained into every aspect of business and different job functions.

Pang: No, that's a very valid. I think it's very important to actually create a sort of a professional pool of resources for data privacy, similar to the one that the industry created earlier.

Lee:  Yeah.

Pang: In terms of key challenges facing business today or your future a lot of organizations of having global presence, global operations. What do you think is a challenge now in the future in terms of complying with global data privacy regulations, because just within Asia Pacific, we have very different mindset, or even set of approach in data privacy regulations. How can business have you seen your time to comply with this regulation?

Lee: Across most data privacy professionals that I talked to before, businesses with operation in multiple countries face a significant challenge, which is the resolution of personal information, normalization and re-identification definitions in different data privacy regulation. Let's take patient information as an example to illustrate: patient information usually refers to patient’s name, address, government ID, card numbers, personal particulars and medical history. If we assign each patient with a patient ID, remove all direct identifiers like names, address ID, card number, and also remove the indirect identifier, like date of birth, it can be considered as a normalized status in some countries, but not in EU and mainland China. EU and mainland China regulation has explicitly stated re-identification and relatability with additional information does not meet a normalization requirement. So, looking ahead, I think similar regulation variation challenges will keep evolving as more and more countries around the world introduce and update their data privacy regulations as new technologies emerge. Businesses will need to stay agile and adaptive to ensure the compliance with all different regulations.

Pang: So I think that one of the biggest challenge would be having the data privacy team to really keep up to date and actually fully aware of the slight differences between different regulations, so that they know, OK, what I can do here and what I can do here, so that the difference can be very small, so keeping up to speed and even sort of giving into the details, I think that's going to be a big challenge.

Lee: Yeah, definitely.

Pang: Carol, you mentioned new technologies, and I'm sure that this new technology interview cannot avoid talking about AI. So, with the rise of AI and big data, how do you think the landscape of differences will change in the next five to 10 years? I know 10 years a big time in the AI space.

Lee: Although I don't have a crystal ball, but in the next five to 10 years, I see digital trust will undoubtedly take center stage in the landscape of data privacy. With the increasing inference of AI and big data. As AI systems and big data rely on vast amount of information, the possibility of re-identification and re-linkability with additional information that we just talked about in the back data and AI environment will be much, much higher. And most countries will also enact AI law in the next few years, and this AI law will definitely intercept with data privacy as AI basically is one type of automated decision making, right? However, unlike general personal information regulation that emphasizes legitimate use, AI regulation may also prohibit some of the use of like biometric data, if this biometric data in the AI system may introduce societal bias—if it can infer immersive emotion, categorize individuals based on face, based on voice recording. When AI becomes more deeply integrated into our daily life, ensuring data privacy will be paramount in preserving human rights, preventing unauthorized surveillance and also preventing identity theft. Another pressing issue that I observe in the age of AI is the personal information for AI model training data without proper consent. If we use personal information as the training data for AI systems, we’ll face a digital trust concern, especially when data subjects exercise their rights. And we all know retraining AI model by updating and removing certain personal information is not a small investment.

Pang: Yeah, it's definitely a part from training, even the usage of AI in terms of serving the customers. Customers may actually say a lot of their personal information tell the AI chatbot the names and information, capturing and destroying and ensuring ways data is being shared and so forth is going to be quite difficult.

Lee: Yeah, exactly.

Pang: Last but not least, with technology continuing to evolve, as well as the data privacy law being sort of increased or strengthened, what do you think are the proactive steps organizations should take to future proof their data privacy practice across different technology and different platforms?

Lee: I think firstly, enterprises must embrace a proactive and continuous approach to clarify their data privacy accountability and responsibility, so that they can ensure data collection transparency and secure data and protect against cyber threats, and also empower individuals with control over their own personal information.

Pang: Yes, I think that's going to be very important. With that, thank you Carol and thank you very much for your time. You're very generous for your insights. And, on behalf of all the viewers, thank you very much.

Lee: Yeah, thank you so much. Thank you for the invitation. Nice to talk to you.

Pang: Thank you. Back to you, Joe.

Kornik: Thanks Michael and thanks Carol. And thank you for watching the VISION by Protiviti interview. On behalf of Michael Pang and Carol Lee, I'm Joe Kornik, we'll see you next time.

Privacy, data protection and cybersecurity in the boardroom with Dr. Gregg Li

Joe Kornik: Welcome to the VISION by Protiviti interview. I'm Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C suite on executive boardrooms worldwide. Today, we're exploring the Future of Privacy, and I'm happy to welcome in Dr Gregg Li, who has been the chief architect and surgeon for board of directors for over 30 years in Asia and the Pacific Rim, his focus has been on technology and governance, transformation of boards, and over the years, his clients have included one of the largest global IPOs at the time, the Link Real Estate Investment Trust and one of the oldest NGOs in Asia, the Tung Wah group of hospitals. Dr. Gregg will be sitting down today with my colleague, Michael Pang, APAC, leader for Protiviti’s technology consulting. Michael, I'll turn it over to you to begin.

Michael Pang: Thanks. Joe. Dr. Gregg, thank you very much for joining us today.

Dr. Gregg Li: Thank you. Michael, looking forward to it.

Pang: Yes, looking forward for a good chat. So, first of all, what is the board's role in ensuring the organization remain compliant with the ever-changing data privacy or regulations?

Li: You know, I see a lot of questions on a balance between what the board should be doing. Generally speaking, there's something called ‘conformance and performance.’ Conformance is basic compliance. And many boards who try very much to be compliant, but many boards forget about performance. But yes, the role is finding that right balance. But you find that when we're talking about piracy, things happen very quickly, and you try to catch up at the end. So, what I'm saying is the board usually finds out or is the last one to find out. Then you say, ‘oops,’ and you just try to catch up. So, the balance should be there. But once things kick off, you drop everything else and go deep in. In terms of privacy, a lot of things are changing. We look at GDPR, we look at what the China is doing and what the U.S. is doing. You know, the intention is always good, but there's little fine differences, I'm sure, you know, so these little differences makes things difficult. For example, you know, GDPR doesn't have a maximum fine, but you know the PIPL, they do places like Hong Kong, Singapore, they're also catching up. So, there are increasingly cyber breaches, and they need to be involved. So I guess to find the right balance, the board needs to really get inside information for the risk committee from the CDO, CTO, and I think most importantly, from people inside and outside. So, you need people coming from the outside saying: Have you done this? So frequent update is very important.

Pang: More specifically, you mentioned that previously that sometimes something doesn't work well when the board interfaces. So, what can the board do in terms of getting to know more about how the sector situation is?  And also how do they actually make sure there is a good balance between innovation and data privacy? Rather than focus on just good innovations, but forgetting about data privacy?

Li: Again, ain. You know, following up on your stream of thought, how do you balance that, right? How do you balance innovation against the need for robust piracy and data protection, right? When I first started this 30 years ago, I thought the more time you spend on innovation, the less time you spend on this management. So that was a trade off. Then I found out that's not true; you can actually do both. There's a lot of overlap between what you just said, between innovation and the need for privacy and data protection. But the balance is dynamic. It’s shifting and moving very quickly. The question you ask is, how would the board know? The board would know by having many eyes, many layers of sensors. You have the risk committee, you have the external auditor, you even have the customers telling you if something's wrong, and that's very important.

Pang: So, do you think currently across the different board of directors that you have or worked with or been a part of…  do you think there is enough transparency or accountability in the boards towards data privacy? And if the answer is, well, we’re not there yet, not ideal, then what do you think the board needs to do in order to actually increase the transparency and accountability?

Li: This touches on culture, and culture is very much a tradition, and every board is different because every company is different, and how do you reinforce that? Culture, transparency and accountability start at the top. So, you have the chairman or the CEO saying ‘this is how we're going to operate.’ But I find that sometimes you need to cheat a little bit by telling the board to spend five minutes talking about privacy, and IT issues. Always put that on the agenda, otherwise you're going to forget about it. And this is education process. You get the CTO speaking. So, this is the hard thing of today's meeting. Now, as a board director, you find that you really don't have time, there’s too many things happening, and when you join a meeting it’s very tight and you need to focus. I find that one of the most important things in terms of transparency is internal transparency, meaning you do everything you can at the board level, but you find that some of your employees when they pass data to a partner, they're not conscious to take out that private information, and those go automatically, and you know it's going to get you, so you worry about those, but you ask your CTO to look after that. So, transparency, yes, it is not easy. And again, coming back to the culture. So, you need to impose a culture. Maybe you want to have a policy, a procedure,  as a reminder that everybody's very important and before you send anything to a vendor or partner. Have you done this? Have you deleted some of the sensitive data, financial data, health data, for example.

Pang: Apart from culture, do you think the boards, in general, have—because we talk about data privacy or even cyber security, and those can be quite technical to people outside the IT areas—do you think the boards—in order to create a culture—do you think the board needs to improve or actually have more people from the IT space in order to actually create the transparency and responsibility or accountability, so that they actually know how to manage, to govern the CEO and CIO in order to upkeep the data privacy?

Li: The board needs to constantly learn, like you said, but it's not easy. And a CTO is not usually given the airtime that he needs. I remember one case where I asked the board to think about drafting a code of practice of a code of conduct on AI and ethics. So, start working on it. At least when you come to a topic, you can quickly refer to it. ‘Oh, this is the things that we prefer to have. These are things we shouldn't go to.’ So, by pre planning and pre thinking, it helps you frame faster. The board needs learning and continuing feedback, and it's very important. Maybe I would encourage the CTO to do a session off site, not at a board meeting, you know, once a year or twice a year, and just spend half an hour talking about things that are very important.

Pang: Dr. G., I know that you have in the past, you have been a consultant or helped the board to transform. So, if you are facing a board, of if you're joining a board tomorrow, and if you have to give them three or four pieces of advice in order to strengthen their data privacy governance, what would you think those three or four ideas you would give them?

Lii: OK, that's a tough question. When I say if joining as a director, which is different than if I'm joining as an advisor, let's say I'm joining as director. If I'm director, then everybody being equal, I want to make sure that everybody is informed at the same time. I would encourage the company to first start with setting, like we said before, a code of conduct. So, working with consultants, to say, OK this is something that we need because we need to establish our institutional trust within a company, and this is one level, our code of conduct, things that we prefer to go there. On the longer term, I would encourage a company look into building the institutional, institutional trust with the customer, right? Because with AI now, if you go back to fundamental things like Drucker would say, everything depends on having a customer. If you don't have a customer, what's the point? And with AI, we can actually understand the customers better. So, we can actually use AI to really build the trust with the customer. So, what does that mean? That means that you have to follow through on what you say you're going to do, right? You have to walk the talk, basically. You need to put in your belief what is a company that has fair play, that acts with good intention and takes responsibility when it makes mistakes. You need to set up that belief system. OK. Belief system, I think, is very powerful, like a core conduct that will assess a culture. The second thing I would do is setting the boundary. You know, these are things that we don't go, and I use policies, for example, policies that company will have to follow. The third is, I need diagnostics. I need to find out what's going on on a frequent basis. So maybe ethical hacking, or kind or tests that you know you guys do all the time. I know in your industry, there's something called zero trust, right? Which means very interactive, even though you put up a firewall, and even though you give certain employees certain access, you still need to monitor anything that deviates from the ordinary, and to be informed, not that we want to, you know, spy on the person, but to inform that something is not the same.

Pang: Thank you, Dr. G. Thank you very much for your time and insight today. We've covered a lot and very much enjoyed our discussions. But before we end, I'm wondering what's your thought about how things will play out over the next couple of years? Especially as you, at the very beginning, mentioned that regulations don’t hit hard enough and need to be strengthened. At the same time, there’s all this new technology and also expectations from customers are getting higher because of all the kinds of incidents that we have experienced in the past. So how optimistic are you in terms of the board of directors and companies are actually getting it right? Or do you think they will continue to continue to struggle?

Li: I'm confident that they're not getting it right. It's always trying to catch up. And you know, we're in a  world where everything's volatile and uncertain, right, chaotic; so we need to do the right thing and build up, build up a level of trust. So, I was saying, you know what, the case of Tylenol, though, or McDonald's, for example, there was a long history of a case from McDonald's. They make those little toys, you know, toys that people love. Customers really love the toy, so they buy the hamburger, toss the hamburger, keep the toy. Well, that didn't go well for society, but because McDonald has done a lot of good things before, so they built a lot of trust with society, so they were able to take that, right? So, what I'm saying is, in a time of uncertainty, it is good time to stop building that institutional trust with your customer, that that, you know the what do you call that, the favor bank, right? That you can draw on someday in the future. So how do you do that? Well, you got to stop planning early. You start working and not just wait for things to happen, because things will happen. Like you said, you know, cybersecurity is not a matter of “if,”  it's when, and you don't know when something might happen. So, you might as well do something proactively, start building the bank, putting deposit into your bank.

Pang: Thanks, Dr. G! You're very generous of your time, and I appreciate your insight.

Li: Thank you very much. Those are good questions; you got me thinking. I hope it helps. Thank you.

Pang: Thank you. Back to you, Joe.

Kornik: Thank you, Michael. And Thanks, Greg. And thank you for watching the VISION by Protiviti interview. I'm Joe Kornik. We'll see you next time.

Joe Kornik: Welcome to the VISION by Protiviti interview. I'm Joe Kornik, editor in chief of VISION by Protiviti, our global content resource examining big themes that will impact the C suite on executive boardrooms worldwide. Today, we're exploring the Future of Privacy, and I'm happy to welcome in Dr Gregg Li, who has been the chief architect and surgeon for board of directors for over 30 years in Asia and the Pacific Rim, his focus has been on technology and governance, transformation of boards, and over the years, his clients have included one of the largest global IPOs at the time, the Link Real Estate Investment Trust and one of the oldest NGOs in Asia, the Tung Wah group of hospitals. Dr. Gregg will be sitting down today with my colleague, Michael Pang, APAC, leader for Protiviti’s technology consulting. Michael, I'll turn it over to you to begin.

Michael Pang: Thanks. Joe. Dr. Gregg, thank you very much for joining us today.

Dr. Gregg Li: Thank you. Michael, looking forward to it.

Pang: Yes, looking forward for a good chat. So, first of all, what is the board's role in ensuring the organization remain compliant with the ever-changing data privacy or regulations?

Li: You know, I see a lot of questions on a balance between what the board should be doing. Generally speaking, there's something called ‘conformance and performance.’ Conformance is basic compliance. And many boards who try very much to be compliant, but many boards forget about performance. But yes, the role is finding that right balance. But you find that when we're talking about piracy, things happen very quickly, and you try to catch up at the end. So, what I'm saying is the board usually finds out or is the last one to find out. Then you say, ‘oops,’ and you just try to catch up. So, the balance should be there. But once things kick off, you drop everything else and go deep in. In terms of privacy, a lot of things are changing. We look at GDPR, we look at what the China is doing and what the U.S. is doing. You know, the intention is always good, but there's little fine differences, I'm sure, you know, so these little differences makes things difficult. For example, you know, GDPR doesn't have a maximum fine, but you know the PIPL, they do places like Hong Kong, Singapore, they're also catching up. So, there are increasingly cyber breaches, and they need to be involved. So I guess to find the right balance, the board needs to really get inside information for the risk committee from the CDO, CTO, and I think most importantly, from people inside and outside. So, you need people coming from the outside saying: Have you done this? So frequent update is very important.

Pang: More specifically, you mentioned that previously that sometimes something doesn't work well when the board interfaces. So, what can the board do in terms of getting to know more about how the sector situation is?  And also how do they actually make sure there is a good balance between innovation and data privacy? Rather than focus on just good innovations, but forgetting about data privacy?

Li: Again, ain. You know, following up on your stream of thought, how do you balance that, right? How do you balance innovation against the need for robust piracy and data protection, right? When I first started this 30 years ago, I thought the more time you spend on innovation, the less time you spend on this management. So that was a trade off. Then I found out that's not true; you can actually do both. There's a lot of overlap between what you just said, between innovation and the need for privacy and data protection. But the balance is dynamic. It’s shifting and moving very quickly. The question you ask is, how would the board know? The board would know by having many eyes, many layers of sensors. You have the risk committee, you have the external auditor, you even have the customers telling you if something's wrong, and that's very important.

Pang: So, do you think currently across the different board of directors that you have or worked with or been a part of…  do you think there is enough transparency or accountability in the boards towards data privacy? And if the answer is, well, we’re not there yet, not ideal, then what do you think the board needs to do in order to actually increase the transparency and accountability?

Li: This touches on culture, and culture is very much a tradition, and every board is different because every company is different, and how do you reinforce that? Culture, transparency and accountability start at the top. So, you have the chairman or the CEO saying ‘this is how we're going to operate.’ But I find that sometimes you need to cheat a little bit by telling the board to spend five minutes talking about privacy, and IT issues. Always put that on the agenda, otherwise you're going to forget about it. And this is education process. You get the CTO speaking. So, this is the hard thing of today's meeting. Now, as a board director, you find that you really don't have time, there’s too many things happening, and when you join a meeting it’s very tight and you need to focus. I find that one of the most important things in terms of transparency is internal transparency, meaning you do everything you can at the board level, but you find that some of your employees when they pass data to a partner, they're not conscious to take out that private information, and those go automatically, and you know it's going to get you, so you worry about those, but you ask your CTO to look after that. So, transparency, yes, it is not easy. And again, coming back to the culture. So, you need to impose a culture. Maybe you want to have a policy, a procedure,  as a reminder that everybody's very important and before you send anything to a vendor or partner. Have you done this? Have you deleted some of the sensitive data, financial data, health data, for example.

Pang: Apart from culture, do you think the boards, in general, have—because we talk about data privacy or even cyber security, and those can be quite technical to people outside the IT areas—do you think the boards—in order to create a culture—do you think the board needs to improve or actually have more people from the IT space in order to actually create the transparency and responsibility or accountability, so that they actually know how to manage, to govern the CEO and CIO in order to upkeep the data privacy?

Li: The board needs to constantly learn, like you said, but it's not easy. And a CTO is not usually given the airtime that he needs. I remember one case where I asked the board to think about drafting a code of practice of a code of conduct on AI and ethics. So, start working on it. At least when you come to a topic, you can quickly refer to it. ‘Oh, this is the things that we prefer to have. These are things we shouldn't go to.’ So, by pre planning and pre thinking, it helps you frame faster. The board needs learning and continuing feedback, and it's very important. Maybe I would encourage the CTO to do a session off site, not at a board meeting, you know, once a year or twice a year, and just spend half an hour talking about things that are very important.

Pang: Dr. G., I know that you have in the past, you have been a consultant or helped the board to transform. So, if you are facing a board, of if you're joining a board tomorrow, and if you have to give them three or four pieces of advice in order to strengthen their data privacy governance, what would you think those three or four ideas you would give them?

Li: OK, that's a tough question. When I say if joining as a director, which is different than if I'm joining as an advisor, let's say I'm joining as director. If I'm director, then everybody being equal, I want to make sure that everybody is informed at the same time. I would encourage the company to first start with setting, like we said before, a code of conduct. So, working with consultants, to say, OK this is something that we need because we need to establish our institutional trust within a company, and this is one level, our code of conduct, things that we prefer to go there. On the longer term, I would encourage a company look into building the institutional, institutional trust with the customer, right? Because with AI now, if you go back to fundamental things like Drucker would say, everything depends on having a customer. If you don't have a customer, what's the point? And with AI, we can actually understand the customers better. So, we can actually use AI to really build the trust with the customer. So, what does that mean? That means that you have to follow through on what you say you're going to do, right? You have to walk the talk, basically. You need to put in your belief what is a company that has fair play, that acts with good intention and takes responsibility when it makes mistakes. You need to set up that belief system. OK. Belief system, I think, is very powerful, like a core conduct that will assess a culture. The second thing I would do is setting the boundary. You know, these are things that we don't go, and I use policies, for example, policies that company will have to follow. The third is, I need diagnostics. I need to find out what's going on on a frequent basis. So maybe ethical hacking, or kind or tests that you know you guys do all the time. I know in your industry, there's something called zero trust, right? Which means very interactive, even though you put up a firewall, and even though you give certain employees certain access, you still need to monitor anything that deviates from the ordinary, and to be informed, not that we want to, you know, spy on the person, but to inform that something is not the same.

Pang: Thank you, Dr. G. Thank you very much for your time and insight today. We've covered a lot and very much enjoyed our discussions. But before we end, I'm wondering what's your thought about how things will play out over the next couple of years? Especially as you, at the very beginning, mentioned that regulations don’t hit hard enough and need to be strengthened. At the same time, there’s all this new technology and also expectations from customers are getting higher because of all the kinds of incidents that we have experienced in the past. So how optimistic are you in terms of the board of directors and companies are actually getting it right? Or do you think they will continue to continue to struggle?

Li: I'm confident that they're not getting it right. It's always trying to catch up. And you know, we're in a  world where everything's volatile and uncertain, right, chaotic; so we need to do the right thing and build up, build up a level of trust. So, I was saying, you know what, the case of Tylenol, though, or McDonald's, for example, there was a long history of a case from McDonald's. They make those little toys, you know, toys that people love. Customers really love the toy, so they buy the hamburger, toss the hamburger, keep the toy. Well, that didn't go well for society, but because McDonald has done a lot of good things before, so they built a lot of trust with society, so they were able to take that, right? So, what I'm saying is, in a time of uncertainty, it is good time to stop building that institutional trust with your customer, that that, you know the what do you call that, the favor bank, right? That you can draw on someday in the future. So how do you do that? Well, you got to stop planning early. You start working and not just wait for things to happen, because things will happen. Like you said, you know, cybersecurity is not a matter of “if,”  it's when, and you don't know when something might happen. So, you might as well do something proactively, start building the bank, putting deposit into your bank.

Pang: Thanks, Dr. G! You're very generous of your time, and I appreciate your insight.

Lii: Thank you very much. Those are good questions; you got me thinking. I hope it helps. Thank you.

Pang: Thank you. Back to you, Joe.

Kornik: Thank you, Michael. And thanks, Greg. And thank you for watching the VISION by Protiviti interview. I'm Joe Kornik. We'll see you next time.

National Australia Bank’s Paul Jevtovic: Public-private partnerships key to data privacy

Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and we’re joined by Paul Jevtovic, the Chief Financial Crime Risk Officer and Executive, Group MLRO, at National Australia Bank. Paul has enjoyed a long career serving Australia in national and international law enforcement, national intelligence, anticorruption and as CEO of AUSTRAC, as well as Regional Money Laundering Reporting Officer and Head of Financial Crime at HSBC. Paul will be speaking with my Protiviti colleague, Managing Director Adam Johnston. Adam, I’ll turn it over to you to begin.

Adam Johnston: Thanks, Joe, and welcome, Paul. Paul, first, thanks so much for taking time out of your busy schedule to speak with us today. It’s great to have you.

Paul Jevtovic: Thanks, Adam. Great to be here. Appreciate the invitation.

Johnston: Now, I know privacy is a topic you care deeply about, particularly given your experience across governments, law enforcement, as a former financial crime regulator and most recently, a banking and financial services executive across Asia Pacific. So, to start us off, can you describe the key challenges we face in balancing data privacy regulations and AML requirements?

Jevtovic: Yes. Look, it is something that is dear to my heart because I think it is both a significant challenge, but equally, a great opportunity. I think we’re at a bit of a crossroads where we are confronted with outdated privacy laws and I think that there’s probably less debate about that now and greater recognition, coupled with shifting community expectations. There is a reconciliation needed between community expectations around the kind of banking services. People want things faster, seamless, safer, and I think we’re at that point where we need to understand what are we prepared to forego that was traditionally captured under the privacy regimes that we operate under for some of those increased services. So, I think that’s the kind of landscape in which we’re trying to navigate a way forward.

Johnston: Yes, I know. Absolutely. How about the challenges associated with cross-border data transfers, given the varying international privacy laws?

Jevtovic: In Australia, for example, there’s quite a diverse range of thinking on the issue of privacy and you can imagine then if you transpose that into a global setting where there is a lack of consistency amongst jurisdictions. There are very different cultural expectations around privacy and so trying to reconcile that in a global context is a significant challenge. We need to be thinking about what are those fundamental principles upon which, from a global standards perspective, we can agree and we’ve proven that we can do that in ways. If you think about financial crime, we have the Financial Action Task Force, which nearly every country in the world has embraced and fundamentally, they’re setting global principles and global standards for everyone to follow. So, it can be done and I think that’s where we’re at on the privacy venue as well.

Johnston: Yes. No, fantastic. What about from an employee perspective? How do you educate employees about navigating the complexities of diligent AML practices with the safeguarding of individual rights and personal information?

Jevtovic: Yes. In our bank, for example, we culturally were driven by customer obsession and that fundamentally means that no matter where you work in the bank, we put our customer first, whether that’s in the quality of services, the way we engage them, keeping them safe. So, that customer obsession is critical and it’s something that 38,000 people in my organization have buy-in because our CEO has set a very clear expectation around that. People really have bought into it and rightly so, given what our banking industry is all about. The other way is to ensure that we help educate our people and train our people. I know that our organization has robust mandatory training around our privacy laws and around some of the challenges of navigating those laws, whilst delivering a service and keeping our customers safe.

Johnston: Yes, absolutely. How concerned are you that AI will be used to steal or even create identities, making KYC that much more difficult within organizations?

Jevtovic: Yes. Look, AI is a dual-edged sword. There is no question that it’s going to entities presenting opportunities for us to protect our customers safer, more efficiently. Technology and the maximization of data, which really is what AI is at its core, is a real opportunity that we should embrace. However, for all the opportunities it presents, it is also a tool for organized crime and they have already embraced it and are compromising individuals and organizations.

Johnston: Paul, what are your thoughts, in your current role and as a former regulator, on how or even whether AI and LLMs can be developed without compromising customer privacy? Will use of technologies that anonymize and pseudonymize customer data undermine the effectiveness of these models?

Jevtovic: The issue is going to be, how do we ensure anonymization so that we can maximize LLMs in using case studies, et cetera, the sharing of data within a large multi-jurisdictional organization and then the sharing of data more broadly between organizations. Why is that important? The reality is that no one organization, whether it be government or private sector, is going to be able to defend itself, its customers against serious and organized crime. I’ve been on the public record saying that I think the greatest nemesis of organized crime is a unified public and private sector working in harmony. I think LLMs are a great opportunity, but again, it’s going to be the ability to anonymize and protect the privacy aspect of the data that each of our organizations deal with.

Johnston: Yes, and Paul, just given your experience as well, maybe, what are your views on that cooperation between private and public sector and is it advancing? Is it keeping pace?

Jevtovic: Yes. Look, I think it is advancing and is it advancing fast enough? From a personal perspective, no. I would like to see it accelerated for the reasons I’ve mentioned. I believe it is a differentiator for how we fight crime globally. I don’t think it was ever anticipated by the criminals that governments and the private sector would work hand in hand, together, and I think that’s been exploited for a very, very long time. We’ve seen just in some of the evolution of the last, let’s say, decade of public-private partnerships, how powerful we can be. We’re only at the tip of the iceberg, I think, of realizing our true capabilities when we work as one. If I was to point at a very good example, is the way governments and the private sector have come together around tackling cyber. There is a very good example. If I think back to tragedies like 9/11 where the war against terror unified both public and private. I’d like us to stop waiting for catastrophes, to come together and actually realize the opportunities that exist, but things have got to continue to evolve. For example, we’ve got to trust each other. Government agencies have to increase their level of trust of the private sector. The private sector has to earn that trust and you earn it by the way you protect the information, the way you collaborate without compromise. So, I think we have made progress. We’re not making it fast enough and I think there’s a lot more that we can do.

Johnston: Yes, great insights. I’m contemplating, is it even realistic to think that financial institutions can protect customer privacy anymore just given the pace of hackers and criminals, which are often first to adopt the new technologies and different methods, and so as you allude, that partnership and cooperation is critical for both to keep pace. Does the financial services industry do enough to inform customers about their privacy rights, how their data is used? Is there more financial services industry should be doing or even regulators, for that matter, to inform customers on how their data is being used?

Jevtovic: Yes. Look, I think from my own organization, it is a priority and it is something we’re very conscious of, but I think—look, scams have highlighted just how critical and how education, it’s got to be limitless because the risk—and again, staying with scams for a minute, the typologies around the type of scams criminals are committing are evolving. You and I are going to finish this interview and there will be new scam typologies that didn’t exist before we started. There’s the reality of our environment and so that education process must be constant. It must continually evolve and so I think again, it goes to my earlier point about a shared responsibility. I think, as an organization, we have the responsibility to help our customers understand that risk and that should be regularly available information on our products and services, which I know are a priority for our business colleagues.

Johnston: Yes, fantastic. Paul, looking out three to five years, what is your view on privacy risk for financial institutions? What will they be facing? What’s your advice to institutions that are committed to being best in class in managing these risks?

Jevtovic: Yes. Look, in our organization and in previous organizations I’ve been involved with, and particularly in the last, let’s say, 12 to 15 years where data became such a critical commodity in business, in the way we fight crime, I think the role of customer advocates and privacy advocates, data advocates within organizations need to have an appropriate voice to ensure that we are conscious in all the decisions we make around those issues, around privacy, around data ethics, et cetera. I think there needs to be an ongoing education around the ethical use of data, whether that be through a privacy lens, is the use consistent with the reasons for which an individual provided the data in the first place? So, there needs to be that constant consciousness, if you like, around the ethics around how we use data. Again, I would say the third pillar for me is education and training. This is a space that I think organizations need to continue to invest in from an education perspective.

Johnston: Look, Paul, thank you so much. Very valuable insights and we’ll obviously be keeping an eye on the future of privacy. Any final comments before we hand back over to Joe?

Jevtovic: Now, look, Adam, thank you. Thanks, Protiviti, for providing a platform to share some of those thoughts. I would just say that we shouldn’t be afraid of some of the challenges. They can sound daunting. Privacy has been a taboo subject in many jurisdictions for a very long time. I think the more we talk about it, the less taboo it will become and we just need to have eyes wide open. I think we’ve worked very hard around protecting privacy for decades. I would hate to see the baby out with the bath water here. We need to get the balance right and I think ongoing engagement between the public and private sector, giving the individuals a voice that we actually listen to, that’s the combination that we need to get right and it’s always going to be a balance. Let’s not be mistaken. The threat of serious and organized crime is not diminishing. They are embracing technology faster, arguably, than legitimate industries and organizations. So, we’ve got to respond to that, and I would like to see that response in the shape of greater unification of the public and private sectors.

Johnston: Fantastic. Paul, look, thanks again. Thanks so much for your time and with that, we’ll hand back over to Joe.

Kornik: Thanks, Adam, and thanks, Paul. Thank you for listening to the VISION by Protiviti interview. On behalf of Adam Johnston and Paul Jevtovic, I’m Joe Kornik. We’ll see you next time.

TPG Telecom’s head of risk on data privacy, cybersecurity, AI and the regulatory landscape

Joe Kornik: Welcome to the VISION by Protiviti podcast. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and we welcome Malcolm Eng, Head of Risk, Business Partnering at TPG Telecom in Australia, where he and his team lead enterprises risk management for the company. Malcolm has spent the past decade working with some of Australia’s leading organizations, navigating the complexities of data privacy, risk and the regulatory landscape. Sitting down with Malcolm today is my colleague, Ruby Chen, a director with Protiviti Australia. Ruby, I’ll turn it over to you to begin.

Ruby Chen: All right. Thank you so much, Joe, for the introduction. Today, I’m so excited to have Malcolm here on the podcast. I’ve known Malcolm since—that seems to be so long ago, pre-COVID era. We both used to work at the banking industry. I still remember we were saying our goodbyes and I’ll meet you on the other side, hopefully. [Laughter] I’m glad that we both made it. Since then, Malcolm has pivoted away from the banking industry into technology, and now more recently into telecommunications. I’m really keen to hear Malcolm’s insights around latest in the telecom industry. So, thank you so much for joining us, Malcolm.

Malcolm Eng: Thank you for having me, Ruby. Times have definitely changed since we’ve known each other, and I do recall saying goodbye before COVID, and I think through COVID I was wondering when I will actually see Ruby again, so I’m glad we’ve gotten in touch and had a lot of very interesting conversations. I’m very excited to be here, looking forward to sharing some of my thoughts on the topic.

Chen: Fantastic. Thank you. All right, before we dive into the serious questions, I have a fundamental question for you, Malcolm. Do you think you could actually live without all the technology gadgets we’re surrounded by?

Eng: I like that we’re starting with a light question. I might start with a little bit of a story. I remember when I got my first smart light, it was a cheap smart light I got from Kmart. I was so amazed when I got home by the convenience and flexibility of it, and especially the multiple colors, that I changed all my lights at home. A little while later, I got home one evening and none of my lights would turn on. My wi-fi wasn’t working. I couldn’t figure how to turn the lights on and I had removed all my non-smart lights. So, I ended up putting up some candles. It was very romantic and I ended up re-reading Dune. Three things come to mind for me. Firstly, the I forgot how much I enjoyed those books, and I thought I should actually do that more. Secondly, as someone whose home is still filled with smart lights, though ones that I can now turn on without connectivity, I cannot imagine living without all the gadgets that I rely on. It’s really amazing to think how technology has become such a big part of our daily lives. Lastly, there’s so much potential with technology and value to people’s lives. I think there’s something to be said about finding that balance where they work for us and not against us.

Chen: As your example illustrates, right, connectivity is such a critical part for all the technology that we rely on these days, and telecommunications industry plays a very important role in providing us with that capability. And with the pace of technological changes and the increasingly unpredictable nature of the business environment, it seems that organizations are facing more unexpected disruptions. I’m keen to hear your thoughts around how is TPG Telecom addressing these challenges?

Eng: At TPG Telecom, is one of the Australia’s largest telecommunication providers, Ensuring that we can provide a robust ongoing supply of critical products and services to our customers, our people, and the broader community is a responsibility that we take very seriously. I think resilience starts with preparation. We start with our networks, which are built with resiliency in mind. What does that mean? Our architecture is designed with physical and logical separation to enhance robustness, routing protocols, separation of product layers are used to improve our ability to withstand disruption.

Chen: I totally agree. I think resiliency is so high in the radar. Something that comes into mind is actually a recent outage which impacted many of us, including myself. So, the CrowdStrike outage, right? It was such a high-profile outage that had a wide-ranging impact across Australia as well as globally. Are there any lessons to be learned and how has TPG reassessed its risk management strategies and practices since then?

Eng: CrowdStrike is the one that comes to my mind, too. I was actually at the airport when the outage happened. I remember being stuck in the road just outside the airport for two hours wondering what was happening. Let’s say, it wasn’t the best travel experience I’ve had and I might leave it there.

Chen: Right.

Eng: Recent incidents have definitely brought operation resilience to the front of mind of a lot of people when it comes to risk management. A few key considerations stand out for me when thinking about resiliency. Firstly, reemphasizing the point that resilience starts with preparation, recognizing that disruptions are a possibility and we should be ready to respond, to recover, to continue to operate. We shouldn’t assume that things will always go perfectly. Instead, we should be prepared for the unexpected, to ensure that we can react quickly and get back on track without too much disruption.

Secondly, while it was great to focus on pursuing the latest and greatest, whether it’s technology, innovation, or even risk management and resilience practices, getting the basics right, I think, is just as important. Things like change management, testing and controled deployment of changes, heightened monitoring during change windows, third-party management, incident management and response, user awareness and training. Scenario planning simulations for emergency and crisis situations are also critical. You probably do not want an actual incident to be the first time you respond.

Chen: I want to pivot a little bit now moving into emerging tech and risk, and talking about artificial intelligence, which is such a hot topic everywhere I go, no matter what conference or webinar that I attend. I was curious to know, with the rapid evolution of AI technologies and the unique privacy challenges posed by 5G and other emerging technologies, how is TPG addressing potential risks associated with these advancements?

Eng: There’s definitely a lot of excitement around AI recently. A lot of attention has largely been driven by generative AI, or gen AI,  tools like ChatGPT, Dall-E have kindled the fire in people’s imagination. That’s made AI much more visible, more interactive and more relevant for the average person. There’s one school of thought that the challenge facing the technology now is one of demonstrating outcomes, that the application of the technology is not enough. It’s about delivering results, with the real measure of success being the value that it can actually bring. I think this can be illustrated with the Gartner Hype Cycle, which accordingly has gen AI passing the peak of inflated expectations this year, heading into the trough of disillusionment. I’m always amused by those terms. It’s a phase that is somewhat of a make-or-break period for technology where the initial hype will fade and the technology must prove its real value.

There’s another viewpoint, which argues that gen AI represents a fundamental shift, that it will bring transformational impact, with use cases that are not yet fully understood, that the classification as a standalone innovation is too narrow. Instead, it should be looked at as foundational technology, a platform for a new generation of AI-driven solutions.

Regardless of the side of the court that you take, a key driver for the hype around AI is this seemingly huge potential for innovation and transformation that it brings, but at the same time, we should still remember that the technology also brings new challenges that we need to manage carefully, and this is the recognition that we have in TPG Telecom. Technology, emerging technologies, are inherently dual use, double-edged, bi-faceted. They provide real opportunities, but they will also bring along real risk. It’s important that we understand both the threats and opportunities of any innovation so we can better adapt the technologies for positive advancement while mitigating the harms.

Some examples, 5G and internet of things, or IoT. 5G offers unprecedented connectivity and speed. The convergence with the technology with IoT provides us much more opportunities for significant increases in connected devices, flow of information, and new use cases. At the same time, they vastly increased the surface area for threats, for vulnerabilities, for risk. The increase in volume and complexity of data and systems brings more potential for failure points and inefficiencies. We’ve talked about AI and machine learning. These technologies can help improve automation, operational efficiency, allowing more proactive security measures, such as anticipating potential threats faster and more accurately. At the same time, they can be used to scale up capabilities, complexities, and automation of cyberattacks.

Chen: So, Malcom, I want to move into the next line of questioning, which is around cyber security. Emerging technologies and AI that we’ve talked about bring transformative potential, but with that comes an evolving risk landscape, and cybersecurity in particular is becoming more sophisticated. How is TPG tackling this growing challenge?

Eng: Persistent, unrelenting cyberattacks on individuals and organizations. I think that’s a good way to describe the landscape today. I’ve also heard people use the word insidious, which I think is quite apt. Here in Australia and globally as well, we’ve seen a surge in incidents, from data breaches to ransomware attacks. Some statistics, according to the ACCC, or the Australian Competition and Consumer Commission, in 2022, the combined losses to scams alone were at least $3.1 billion, which is an 80% increase on the total recorded from ‘21. Losses reduced somewhat in ‘23, but Australians still reported $2.7 billion lost to scams. Some people may give themselves a pat on the back for an improvement, but I think it’s still a staggering amount of money.

The use of AI has made this problem worse. At the beginning of the year, we saw a 300% increase in scams as a result of use of crime GPTs. AI is making cybercrime easier, more accessible for less technically capable cybercriminals. Cybersecurity at TPG Telecom is at the forefront of our risk management strategy. The maturity of our capabilities is critical to all that we do. We are investing heavily in our people, our systems, our controls, key areas that we’ve be focused on over the last years. Vulnerability remediation, expanding security capabilities, transforming our IT infrastructure, and standardizing policies and controls. In ‘23, we increased the security technology budget significantly. We’ve more than doubled the size of the team.

An innovative approach that we’ve adopted is the creation of internal red and blue security teams, or as I like to call them, hackers and catchers. The red team would act as an adversary, simulating cyberattacks and probing weaknesses, while the blue team would defend against it, responding to these simulated threats with the goal to seek out and fix vulnerabilities before external parties can take advantage of them. Fun idea? I wish I had thought of it, but unfortunately, I can’t take credit. It’s a concept that originated from military strategy and exercises.

Cross industry collaboration is something we believe that’s very important. To collaborate across industries or peers, government and academia to come together and share knowledge so we can proactively and collectively enhance the security of the nation. We recently cohosted with the University of New South Wales the 21st Annual International Conference on Privacy, Security and Trust. The conference brought together professionals, researchers, academics, and government with the view to shake the future of privacy and security. TPG Telecom presented two papers at the conference, one showing the benefits of having an internal red team and the other on the value of understanding how AI optimization can be applied to support cybersecurity practices. As most leading organizations in Australia, we’ve begun investigating the use AI for enhancing security support and as a tool to bolster our defenses.

With government, we are a member of the Joint Cybersecurity Center where we collaborate with government agencies and industry partners on national threat intelligence and cyber incidents. Similar to our approach to resilience and emerging technologies, we work to keep on top of the evolving landscape. We work on our adaptability and continued improvement; at the same time, we pursue innovation with a focus on getting the foundations right. I believe we cannot stop the progress of technological innovation. We can aim to participate and contribute in a positive way to better serve all Australians and to protect the security of customers, people, and the broader community.       

Chen: Thanks for sharing that, Malcolm, and I think it’s fantastic to see so much investment being placed into this part of the business, which comes to show how much attention and seriousness TPG places into this area in particular, looking forward to the future. It’s a good segue into our last question. Looking ahead, how do you envision the landscape of privacy risks of the next five years, and how should organizations address the emerging threats while maintaining customer trust?

Eng: It’s a big question. Complex and multifaceted is how I would describe the future landscape of privacy risk. In recent years, there has been a noticeable shift towards the harmonization of data privacy standards and regulations globally. I think as data flows increasingly across borders, more consistent frameworks can help facilitate these transfers, and it also helps ensure data protection across jurisdictions. In this regard, the EU’s general data protection regulation, or GDPR, has had quite a significant impact on practices globally. It set a high benchmark for data privacy and protection. Its extraterritorial scope prompted many businesses outside of Europe to align their practices to GDPR standards. With data breaches becoming a global concern, it has also guided regulatory change in many countries, and so there’s an increased focus on data protection and more changing regulations worldwide. I think it’s also fair to say that GDPR has affected public’s awareness regarding the importance of privacy rights and the value of personal data.

Stricter regulations, global harmonization of data privacy standards I think is a trend that we will continue to see for the years ahead. Similarly in Australia the ongoing reforms of the Australian Privacy Act have indicated an appetite for a GDPR aligned regime.

The way that I like to think about regulations is that regulations are designed to solve a problem. Oftentimes, it’s easy to focus on what we need to do to comply with requirements, but instead of solving solely for regulations, we should also ask ourselves, how can we solve the problems that the regulation is aimed at, this framing I find can help solve for the regulation and help ensure that the approach taken is what looks best for the organization.     

Another trend that we’re seeing that I believe will continue to accelerate is the increased digitization driven by faster connectivity and emerging technologies. Organizations will need to be prepared to deal with an increasing volume and diversity of data. Coupled with increasing regulation, this will significantly increase the complexity of data protection. Technologies that we’ve touched on like AI, machine learning, automation, will accelerate the changes. The sophistication of cyber threats will increase, and so will security measures and defense capabilities.

The management of unstructured data will become critical. As analytics and AI advance, it will enable more insights to be extracted from unstructured data. With a lack of inherent structure to the data, the increase in volume and use will introduce more complexities with management, things like storage and scalability, data integration for analysis, data quality, in addition to protection and security.

Quantum computing, it has the potential to break traditional encryption methods, making a lot of today’s models vulnerable. There’s a practice called, “Store now, decrypt later,” which is about collecting currently unreadable encrypted data with the expectation that can be decrypted in the future. Something to keep in mind is that cyber criminals and threat actors don’t just target companies from time to time. They target companies 24/7. They are patient and very, very persistent.

Focus on privacy by design. Ensure that privacy is embedded in products and services, rather than bolt on as an afterthought. Data minimalization: only collect what is necessary. Continue to invest in and improve technological capabilities, innovate and iterate and foster a culture that puts privacy and security first with ongoing education, awareness, and leadership.      

Chen: That’s fantastic, Malcolm. Thank you so much for at least leaving those wise words with us and I just want to thank you so much for being on this podcast.

Eng: Thank you, Ruby. It’s been a pleasure speaking to you today. I’ve very much enjoyed the discussion.

Chen: Thanks, Malcolm. All right. Then, Joe, we’ll hand it back to you.

Kornik: Thanks, Ruby, and thanks Malcolm, and thank you for listening to the VISION by Protiviti Podcast. Please rate and subscribe wherever you listen to podcast and be sure to visit vision.protivity.com to view all of our latest content. Until next time, I’m Joe Kornik.

Did China break encryption? Protiviti’s quantum director sets the record straight

Joe Kornik: Welcome to the VISION by Protiviti Interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive board rooms worldwide. Today, we’re exploring the future of privacy, and I’m joined by my Protiviti colleague, Konstantinos Karagiannis, Director of Quantum Computing Services.

Konstantinos has been helping organizations get ready for quantum opportunities and threats that lie ahead. He’s been involved in the quantum computing industry since 2012, and is the host of Protiviti’s popular podcast, “The Post-Quantum World.” Konstantinos, thank you so much for joining me today.

Konstantinos Karagiannis: Yes, thanks for having me. It’s always great to join you.

Kornik: So, Konstantinos, I’ve been hearing more and more about quantum. I know you’ve been at this for a long time but lately, I’ve been hearing more and more about it in the media, including in mid-October, something happened in China. I’m not going to pretend to understand exactly what happened, but I’ve heard things or seen things about potentially military-grade encryption being cracked, which seems way earlier than we thought, I think. So, is the end of encryption here early, it’s what I know some in the media have called “Q-Day.” Has that arrived?

Karagiannis: The short answer is no, which is good. It’s not the end of encryption already. It’s funny that this Chinese story broke pretty heavily over the weekend as we’re recording this, and I was like, “I’m going to have an interesting week. I already know this is going to be one where I’m going to be asked a lot of interesting things.

So, basically, we don’t have a great translation of this Chinese paper. A Chinese paper was published, and in it they make some pretty strong claims, but the abstract is in English and then after that it dives right into Chinese. So, if you try and translate it with machines or whatever, AI, you end up with some holes, and as a result, no one’s reproduced this yet. So, I can’t come on today and say that based on reproductions and other teams that I could say that this paper is even real, but let’s say the claims are true. Let’s pretend it’s not some nation-state psy-op to try and freak out the West or something. Even if the claims are 100% true, it doesn’t really spell the end of encryption. So, that’s the awesome news, right? Even worst case, it’s not all over.

People might have been hearing for a while now that we need fault-tolerant quantum computing to crack encryption, and that just means that quantum computers are noisy. They’re prone to interference, the qubits fall apart, you can’t do the complicated math of Shor’s algorithm to crack something like RSA. So, we need error correction. These things are starting to be built, error-correcting machines, but it could be 10 years or longer before we have one powerful enough using those traditional paradigms to crack encryption.

What’s scary about this Chinese paper is that they used the current annealing quantum computer from D-Wave. That’s a machine that’s on the cloud right now that you can access and use today. It raises all sorts of questions about access, where did these researchers come in from, D-Wave’s technically Canadian. So, it’s all this stuff, because your listeners might have heard of the quantum export bans going on. So, I can’t comment on that, I don’t know how they got access to it, but basically this machine exists and can be used.

So, annealing is different. It’s not error corrected. It’s not even designed to give you the correct answer. A gate-based quantum computer, the ones that we thought would be cracking encryption, they’re designed to take a problem through a series of quantum gates and give you a definitive this or that, you know, whatever your problem is. Annealing is more like an optimization finder. It’s sort of like a global optimization peaks-and-valleys solver.

So, if I were to ask you to imagine, I love this example, driving around the United States and finding the highest and lowest points, that would take you forever; whereas an annealer can literally do something called “tunneling”; it can move through all of those peaks and valleys and find the lowest one, let’s say. That kind of optimization machine is what they used in this problem. So, that’s a little scary because it’s a new approach.

Kornik: Right, and I was reading some of the media reports and the researchers, I guess, claim to have factored a 50-bit number. Can you explain the significance of that in the context of RSA encryption?

Karagiannis: Sure. So, a 50-bit number, first of all, is not terribly large, in fact we’ve tangoed in this area before and I’ll talk about that a little bit later, but basically, they picked a number, let’s say 2289753, and they wanted to try and get its factors. A 50-bit number, you can think of it as 50 bits, you know, a bit is a zero or one, right? So, if you were to string 50 of them in a row, each of those bits has two options, a zero or a one. Because of that, the math gets very interesting. It becomes 2ⁿ, so it would be 2 to the 50th power. Those are all the possible combinations of ones and zeros.

That’s a pretty big number, right? But if you’re going to try and crack something like RSA, you’re talking about a 2048-bit key. That is way bigger. You’re thinking more along the lines of 2 to the 2048th power. These numbers get insanely large. The universe only has 2 to the 80th power particles in it. So, these are just numbers that you can’t even fathom. So, it’s not like 2 to the 50 is anywhere near or even touching 2048; exponential math is not really something humans are comfortable thinking about. Like you could represent that number I cited before, that seven digits, right? If you were to represent a 2048-bit number, you would use 617 digits. So, take that number they factored, add 610 more digits to it, and that’s just one. That’s crazy. That’s not even scratching the surface.

So, as a result, we’re nowhere near anything that could be called military-grade encryption or a real risk today. That’s kind of like for starters.

Kornik: Okay. Well, that certainly makes me feel better and I’m guessing most of the people watching also feel better. What are some of the practical challenges in scaling quantum annealing to a level where it could truly threaten our encryption standards?

Karagiannis: We’re having a hard time scaling regular gate-based machines, right? That’s why we don’t have these fault-tolerant systems yet. When it comes to annealing, the question is, does this paper show any kind of linear path that scaling even becomes an issue? In the paper, they push for a hybrid quantum classical approach. What that means is they’re using the optimization of the annealer to sort of bundle numbers in a way that you can optimally then apply classical approaches too.

So, you could think of it as, like, a search for the keys. You are kind of bundling likely places to look for the keys, and then you’re going to use classical hardware to look for the keys. That’s really hopelessly simplifying it. I just want to make sure that it doesn’t fly right over our listeners’ heads. So, that’s what’s happening. It’s kind of like a machine learning. They almost call it like an approach to machine learning, which it’s really not but they’re calling it that. This is like optimization.

So, because of that layout, they’re hoping that this will scale. That’s fair to hope that, but when you look at the classical systems that are involved, I’m not convinced that you can go much farther. Like even if you can optimize for a larger key search, I don’t think the hardware you then have to rely on to do the actual searching would be able to keep up. I think we’re going to hit the scale limit fast.

This isn’t the first time we’ve seen this kind of limitation. People might remember in December 2022, there was a paper that kind of created a stir, once again from China. It was called “Factoring integers with sublinear resources on a superconducting quantum processor.” It’s a big, crazy title, but basically in it, everyone might remember that they claimed to factor a 48-bit number with 10 of those gate-type qubits we talked about that we were building. Using extrapolation, they said you’d only need 372 to crack RSA. That’s terrifying because we thought we would need many, many thousands of error-corrected qubits to factor RSA. So, that was sort of a “sky is falling” situation.

Google researchers did a little bit of validation. Remember I said we don’t have access to the paper translated here so no one’s been able to reproduce the results, but Google researchers were able to work on the problem and prove that it would stop around 70-bits. So, the sky didn’t fall then, and right now, it might not be falling here either, because I have a feeling that if you try to scale this up, you’re going to have those classical system constrains that will kick in and sort of like protect it from getting too much farther.

That said, it’s interesting, and whenever we have new approaches like this, it makes me worry that some little kernel of them will show us a path forward. Some optimization process—there’ve been other papers too, I’m not going to go down rabbit holes—but everyone’s probably going to find something that fails but it still makes us go, “Okay, we might have something to worry about in the future where we can learn from this. So, there’s always that.

Kornik: Well, great. Thank you so much for shedding some light on that and making us feel perhaps a little bit better, or perhaps a little bit more on alert or high-alert as we probably all should be anyway.

We are sitting here in the middle of cybersecurity month, and VISION by Protiviti is focused on the future of privacy. So, I’m just curious, if we could take sort of a 30,000-foot view and talk a little bit about how organizations should be preparing for the potential impact of quantum computing on their cybersecurity infrastructure, on their data security framework, even if it’s maybe not the most immediate threat but we know it’s coming eventually.

Karagiannis: Sure. One big thing to point out is this approach that was published in the Chinese paper can’t touch the new NIST post-quantum cryptographic standards that were released on August 13th, 2024. The lattice-based approach in there is safe from this type of attack and safe from Shor’s algorithm, which is the quantum attack we were all worrying about.

So, really the best thing you could be doing right now is starting the migration plans for PQC. It’s time to start taking inventory, start looking at what cryptography you have in place, start looking at which critical assets you might want to protect first. Because migrating to new cryptography takes time and it’s tricky. So, that’s the journey you have to begin on. This paper will not, as I said, threaten PQC, so why not start looking towards PQC because that is going to be a path that everyone has to take.

It’s also important to note that eventually, NIST is going to start recommending the deprecation of some classical cyphers. So, whether you believe that quantum computers are 10 years or 10 million years away that can crack encryption, it doesn’t matter. Eventually, you’re going to start failing audits and things like that if you don’t have the latest cyphers in place. So, it is really time to start examining your environment and making a move to PQC.

Kornik: Well, Konstantinos, thank you so much for giving us that insight. We’re certainly glad that we’ve got you to sort it all out for us and to help us make sense of it. Even if I didn’t understand everything you said, I understood a great deal of it, so I am further along than I was before we started talking. So, thank you for that.

Karagiannis: Yes, and if I manage to recreate the paper, I’ll be sure to come on and tell you what happened.

Kornik: Yes, please do.

Karagiannis: Okay.

Kornik: Thanks, Konstantinos, I appreciate it, and thank you for watching the VISION by Protiviti interview. On behalf of Konstantinos Karagiannis, I’m Joe Kornik. We’ll see you next time.

Former Apple, Google CPOs talk tech, data, AI and privacy’s evolution

Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and we’re thrilled to welcome in a pair of privacy luminaries for a panel discussion led by Protiviti’s Tom Moore. Both of today’s guests have previously held high-profile roles as chief privacy officers of two of the largest tech firms in the world and are now with global law firm Gibson Dunn. Jane Horvath is Co-Chair of the firm’s Privacy, Cybersecurity, and Data Innovation Practice Group. Previously, Jane was CPO at Apple, Global Privacy Council at Google, and the DOJ’s first Chief Privacy Counsel and Civil Liberties Officer. Joining Jane today will be Keith Enright, also a partner in Gibson Dunn, where he serves as Co-Chair of both the firm’s Tech and Innovation Industry Group and the Artificial Intelligence Practice Group. Previously, Keith was Vice President and CPO at Google. Leading today’s discussion will be my Protiviti colleague, Senior Managing Director, Tom Moore. Tom, I’ll turn it over to you to begin.

Tom Moore: Great. Thank you, Joe. I’m honored today to be with Keith and Jane. You guys are awesome leaders in the privacy space, and I think we’re going to have a great conversation.

Keith Enright: Yes, it’s such a pleasure. Thanks for having me.

Jane Horvath: Hi. Tom, thank you so much for inviting me. I’m excited to talk about privacy today.

Moore: You both were chief privacy officers of two of the largest companies in the world and at the forefront of many of the issues facing privacy and data protection today. Let’s reflect on that time for just a little bit. Jane, let’s start with you. What are some of the biggest challenges you faced, or one or two highlights from that period?

Horvath: Probably the biggest challenge that I faced, actually, there were probably two challenges. The first was 9/11 government surveillance. A lot of the audience may remember the San Bernardino case in which the federal government, the FBI, asked us to build a backdoor into the operating system. They were doing it with good intentions, there’d been a horrific terrorist attack, but that really raised a lot of the issues that we grapple with every day: where is the balance between security, meaning encryption, and privacy. Then the other I would say is, as my time went, privacy became more and more regulated. Of course, we saw GDPR, and we’re seeing more and more states enact privacy laws, many of which actually are not compatible. We have Asia, we have China that enacted a privacy law that is really ostensibly a data localization law. So I would say it got more challenging from a regulatory standpoint.

Moore: Keith, what about you?

Enright: I have very similar themes, I would say. I would break it down to, say, complexity, velocity, and scale, capture the challenges. Complexity in terms of the diversity of the product portfolio, the incredible rate of technological innovation and change, trying to make sure that you are staying sufficiently technically sophisticated enough so that you could give both good legal advice and counsel, but you could also help keep the business moving forward and not serve as an unhelpful headwind to progress and innovation. Velocity and scale, at Google, we were launching tens of thousands of products every single year. They were being used by billions of people all over the world to stay connected and stay productive. So taking all of the complexity of the environment, all of the additional legal and regulatory requirements as Jane points out, as the environment got far, far, far more complicated, mapping all of that to clear actionable advice to allow hundreds of product teams across the global organization to continue innovating and bringing great products into production was a pretty incredible existing challenge.

In terms of highlights, and I’ll point to one serendipitously because of my good friend and partner, Jane here, probably the single greatest highlight of my Google career was during the pandemic, we had this incredible moment where our respective leaders set aside the commercial interests of the organization, and gave Jane and I really significant runway to collaborate on privacy protective exposure notification technology, which involved working closely with engineers and innovators, and then also involved the global roadshow of engaging with not only the data protection regulators we knew very well, but public health authorities and others who needed to be brought along and sort of educated on the notion that we really could use privacy as a feature in deploying this incredibly important technology around the world, in a way that was indisputably going to save lives.

Moore: What a great example of not only intra-firm cooperation and collaboration but inter-firm as well. Keith, you hit upon an important topic, your business leaders and how you engaged with them. Is there one or two things you wish every business leader knew before you went to talk to them, so you had common grounding?

Enright: I suppose what I would love for leaders at every organization to bring into the conversation with their privacy and data protection leadership, it would be a general understanding that privacy is not a compliance problem to be solved. It is a set of risks and opportunities that exist between technical innovation, business priorities, individual rights and freedoms of users, user expectations, which are going to be different in different places around the world for different age groups, for different individuals. The incredible complexity of the problem and opportunity around privacy requires business leaders to understand—this is about weighing equities. It’s about delivering utility in a responsible way. It’s about innovating in a way that’s going to keep your organization on the right side of history.

I do think privacy leaders have a significant challenge when they’re engaging with the C-suite or the boardroom to somehow remind their leadership: you can’t get compliance fatigue from privacy and data protection. Because the environment is going to keep getting more complicated, you sort of need to engage with this as an opportunity to future-proof your product strategy, and be vigilant and diligent about thinking about how do we make responsible investments to make sure that we’re doing this appropriately, and never think of it as a solved problem.

Moore: Very interesting. It’s profound as well. Jane, I can’t think of too many companies that have the reputation for supporting privacy from a consumer standpoint than Apple. Take us into the into the boardroom or take us into the C-suite at Apple. What were some of those conversations you had? What were the type of questions you received from the board or the C-suite?

Horvath: Sure. So like Keith, I was very lucky. When I started at Apple, it was very apparent that there was a deep respect for privacy. My main partner was the head of privacy engineering, and we didn’t do anything without each other every meeting, every conversation, and I think the most important thing that over the 11 years I was there was, like, people think privacy, “I don’t care about privacy.” Not Apple, but people are saying, “Oh, I don’t care about privacy. They can have all my data,” but there are really innovative ways that you can build privacy in, that doesn’t mean you’re not collecting their data. So we distilled privacy when we were counseling and doing product counseling down to four main principles at Apple. The first was data minimization. That’s sort of overarching, because anybody who works with engineers, like telling them they have to comply with GDPR, their eyes roll in the back. So for us, it was great to distill it down. So data minimization, on-device processing, but it was even more. This is that innovative step, where you can innovate, and it is really a subset of data minimization. So people think, “Oh, minimizing data means I can’t collect data.” It actually means you can’t collect identifiable data. So have you considered sampling data? Have you considered creating a random identifier to collect data? So these were some of the things that every day when we were counseling.

The third principle, choice. Consumers should know what’s happening with their data. Do they know? So it’s transparency and do they have choices about it. So many of you who use iPhones get to make choices every day about data collection.

Then finally, security. You really can’t build a product to be protective of privacy without considering security.

So that was sort of the secret sauce that Apple was distilling this thing called “privacy” down to these four principles, and we briefed the board on the principles. We didn’t have to, but my boss at the time, felt like it was important to talk to the board about the things that we wanted to do with privacy, and they thought it was a great idea, and Tim was hugely passionate about the issue. So from the executive suite, it flowed down through the company. So my job was relatively easy because I didn’t have to make the sales pitch.

Moore: The principles approach is a good one. I think what you lined out there was relevant then and it’s relevant now. Those are sustainable principles that are very much top of mind for chief privacy officers, their bosses and the C-Suite, as well as the board. You’re not privacy officers anymore other than in terms of providing advice to that cohort, but tell us a little bit about what should CPOs be thinking about today and into 2025, so kind of a short-term, where should they be triaging issues, what should be top of mind?

Horvath: I think that the buzzword out there is AI, and I think CPOs are very, very well set to handle the issue of AI. They’ve set up compliance programs; as we’re looking at AI, AI is just very much software, and as we’re looking at the first regulatory framework in the EU, it’s all about harms. So it’s balancing risk, balancing harms.

I think the bigger challenge is, of course, this software needs lots of data, but again, you can pull from your innovative quill and decide that yes, it needs data, but does it need data that’s linked to an individual person, are there things that you can do with the data set? So I think CPOs can be very, very helpful and valued members of the team as companies are considering how to use their existing data.

Of course, as we talked about earlier, privacy’s become much more regulated and that data was collected pursuant to a certain number of agreements, a privacy policy. So the CPO is going to have to be deeply involved in determining, if you’re going to use the data for a different purpose, how do you do it? So I think the CPO shouldn’t panic. The CPO can never and has never been able to be the “no” person, but the CPO can be a really innovative member going forward, in my opinion.

Enright: I agree with everything that Jane said. I think it’s a very interesting moment, not only for CPOs, for chief privacy officers, but for privacy professionals more generally. I think by most estimations, if you look at, say, the last 15, 20 years, the privacy profession has enjoyed an incredible tailwind. Many folks, us on this call, have enjoyed just a tremendous professional benefit from the growth of the profession, the explosion of new legal requirements, which Jane had kind of pointed to; the fact that organizations woke up to some of these risks; in part, the passage of the GDPR in 2018 and the notion of 4% of global annual turnover civil penalties for noncompliance, made it to an extent greater than had ever been the case in the past, a board-level conversation, where you had boards of directors and C-suites of large multinational concerns, suddenly sensing that they had some clear accountability to ensure that management was contemplating and mitigating these risks appropriately, and that there was a privacy and data protection component to core business strategy.

Something very interesting has happened, say, over the last five years, where privacy and data protection continue to flourish. You also had a number of other areas of legal and compliance risk scaling up very quickly and very dramatically. You have content regulation online for large platforms and others. You have the challenge of protecting children and families online, sort of rising to the fore with increased regulatory intention. Also, as Jane said correctly, I think artificial intelligence has just exploded over the last couple of years. Now, those of us who are sort of specialists in the field have been working with artificial intelligence for over a decade, but the explosion of LLMs and generative AI has really, of course, created an unprecedented level of investment and attention in that area—that’s having a bunch of interesting effects. You have C-suite and board level attention is now being, in some ways, diverted to how do you understand how AI affects your business strategy, how do you anticipate potential disruption, how are you looking at whether some of these innovations are going to allow your business strategy to allow you to take share from your competitors, all of that has senior leadership looking across organizations to try to find leadership resources and technical talent to focus on the AI question and the AI problem and the AI opportunity.

One domain which seems immediately adjacent and particularly delicious for that kind of recruitment is privacy and data protection, as many of the features that the AI space has—you have a tremendous amount of technological innovation over a relatively short period of time, you have an explosion of regulation, inconsistencies, domestically and internationally, and you have not just in-house—you also have the regulatory community is going through an analogous struggle. They’re trying to find their way in a new AI-dominant world, all of which has caused privacy professionals to be really considering, do they pivot? Do you shift from being a privacy and data protection specialist to being an AI governance specialist? Do you evolve and expand? Do you decide to sort of rebrand yourself and stretch your portfolio into more things? Do you actively solicit senior executive requests that you take on accountability for some of these adjacent domains, or do you resist them, recognizing that privacy and data protection remain an extraordinarily challenging remit, and the CPO or some other senior leader may have some apprehension about overextending themselves, agreeing to be held accountable for something far beyond what was already an extraordinarily challenging remit.

So I think it’s a really interesting moment for privacy leaders. I have some strong views on this which we may talk about, but like the TLDR on it is, I think you need to embrace that change. I think trying to hold on to the past and preserve your privacy brand exclusively is not going to prove to be the most prescient or professionally advantageous strategy, given just the velocity and shape of the change that’s coming to us.

Moore: So Keith, I think we, the three of us, can stipulate that that is the right approach for privacy leaders, but can you go into a little bit more detail about how. What should a privacy leader be doing maybe in the next three years or so to prepare themselves and educate themselves to meet these challenges of technology, innovation, regulation, all the things colliding together that you just described?

Enright: So a candid response to that question requires a very clear understanding of the culture of your organization and what your business strategy is. If you’re working for a Google or an Apple, there’s a certain set of plays in your playbook that you need to run to ensure that you are appropriately educating your senior leadership and bringing them along, and making sure that you are understanding the risk landscape, staying appropriately sophisticated on the way things are impacted or changed by AI. Again, in large organizations like that, you have the benefit of these vast reservoirs of resources that you can draw upon to make sure that you are not only staying technically proficient, but that you’re serving as connective tissue across all of these different complementary teams and functions so you’re preparing your organization to not only endure, but to thrive through that wave of change that’s coming.

But not everybody’s going to be at an organization like Google or Apple. I think for privacy leaders, almost anywhere else, you are going to need to understand what is the risk appetite of your leadership, what are the consequences of the changes on the horizon for your core business strategy. What kind of resources are available to you in terms of do you have a privacy program that is very high-level of maturity and some of those resources can be extended or redeployed to think about things like AI governance? Or do you have an underfunded anemic privacy program that is already carrying an unsustainable level of risk, and you found yourself in a “Hunger Game” situation trying to fight just to keep the thing operating at a level that you feel comfortable being held accountable for? All of those variables are going to be essential things for privacy and data protection leaders to sort of really press against.

I think, again, this is going to be an interesting moment over the course for the next few years, as I believe there is a wave of investigations and enforcement coming across the next two to three years. First, in the core privacy and data protection space, the General Data Protection Regulation, many other laws and regulations around the world, they haven’t gone away. Just because industry is increasingly interested in, confused by and distracted by what artificial intelligence means, that doesn’t prevent data protection authorities and data protection regulators from launching investigations and from initiating enforcement for your, call them “legacy obligations” under regimes like the General Data Protection Regulation.

I think we’ve actually seen a relatively limited wave of enforcement for the last couple of years, because regulators’ capacity has been largely absorbed with trying to digest and understand the way that the ecosystem is changing as well, but I think that’s going to settle in over the next few years and I think we are going to see privacy regulators enforcing in the context of privacy, privacy regulators enforcing in the context of AI, AI regulators enforcing in the context of AI—all of this is going to create an interesting political dynamic, I think, in jurisdictions around the world, which is going to dramatically amplify the need for organizations to be making substantial investments and preparing themselves for a changing and increasing risk environment.

Horvath: Just to give an example, right now, the Irish DPC, their Meta and X are no longer training their AI on European data. So, how many other investigations are ongoing at the DPC that are basically holding up the AI products? So here is another area where the CPO is going to have to be a bridge to the company. Because as Keith said, I think a lot of businesses think, “Okay. This privacy thing’s over. We went through the privacy thing. Now, we’re going to concentrate on the AI thing,” but the privacy regulators, particularly in Europe where the fines are pretty stringent, they’re not going away. They are a single-issue regulator, and I think it will be more challenging for CPOs because their budgets are going to get slashed, and where you’re operating in a company whose margins are tight or who doesn’t generally—they’re going to be hiring these AI people also. So there’s going to be less of a pot of money to go around and more work.

So I agree completely with Keith, we’re going to see a lot of activity. We are already kind of seeing it from the FTC. They are issuing very, very broad CIDs, the OpenAI CID that was leaked to the press, it was just like an expedition of everything about their company. So I think that’s going to be another area when you have a regulator knocking that it’s going to be really critically important to get a hold of it, don’t panic, see where you can narrow it down and address the regulator head-on.

Moore: Jane, I wholeheartedly agree with you. I think that that regulation coming not only from Europe but in the U.S. with the three letter agencies, but also the states, is a focus right now, but let’s look at the future. Does the U.S. have a federal privacy law, data protection law, in the next three to five years?

Horvath: I’m going to be bullish and say, “yes,” at a certain point, because I think we get very close to having one, but I think AI—probably AI, children—all of these different areas are going to push it across the finish line at a certain point, but I don’t know. Keith, what do you think?

Enright: So I share your optimism, actually. Memories are short, but not too terribly long ago, we really did have growing optimism that we were going to see omnibus federal privacy legislation. There are a lot of interesting things happening. For most of my career, the position of industry, generally, was that they would never support a bill that didn’t have extremely strong federal preemption and did not have a private right of action. And you started seeing multiple large industry players beginning to soften, even on some of those core positions, just before the pandemic really, which I found incredibly interesting—like the political will and, I think, the growing awareness that we require some kind of consistent federal standard to allow some level of compliance with increasingly varied requirements manifesting in these state laws that are coming into effect. It seems to be generating momentum. Now again, as this always happened before, it all fell apart and we were set back again, but it did, it suggests to me the impossibility of a federal law is probably overstated. I think there is a road there, and there will inevitably be compromises, surprises, and idiosyncrasies and whatever that ultimate law that makes its way over the line looks like, but I do think we’ll see something. I think in single digit years ahead of us, we will have a federal law in the U.S.

Moore: Let’s pivot to your current responsibilities, Jane. Tell me about the differences between leading a large company like Apple’s privacy team versus providing legal advice services to multiple clients.

Horvath: I’m really enjoying it, actually. I’ve been a serial in-house person, did my stint in government. I worked at Google and actually was on the interview panel that hired Keith, what a great panel that was, and then Apple, and I’m really having fun working with a lot of different clients. I also still have a global practice. I ran a global team in Apple. I love the global issues. I’ve got a few clients in the Middle East, working on different AI projects, doing things from policy to compliance to HR. It just keeps me going and it’s exciting. I think the most fun is working with a client and understanding their business, but also having the client say, “Oh, you understand what I’m going through. You understand that I can’t just go tell the business “x,” because I’ve been in-house, and I know where they are. So it’s an exciting time. There’s just so many different developments going on, not just in AI: cybersecurity, data localization, content regulation. There are just huge amounts of interesting issues.

Moore: So top of mind for those clients, you get a call, what’s the—I think you just probably mentioned it, but what are the top two or three things those clients are talking to you about right now?

Horvath: Incident response is a big one. The biggest question we’re having right now is, we want to use AI internally, what are the risks? How do we grapple with rolling out AI tools? What are the benchmarks? What are the guardrails we need to put in place? What are the policies we need to put in place? How do we do it while minimizing liability? Because AI hallucinates and has other issues, and how do you grapple with those issues? So that’s probably my biggest issue right now.

Moore: Great. Keith, I presume you have lots of opportunities after your Google career, why professional practice?

Enright: It’s probably useful to just describe sort of the things that are in common. One of the things that always made me feel so blessed to join Google when I did almost 14 years ago, was the privilege of working with the best and brightest people. We got to work on this incredible portfolio of products that were being used by billions of people all over the world, really with a sincere commitment of making people’s lives better. The original motto of organizing the world’s information and making it universally accessible and useful, that resonated deeply with me. It was very easy to be passionate about the work and excited about the work. You do anything for 13 1/2 years, and you get comfortable to some extent, even something as challenging is leading privacy for Google. When Jane actually reached out to me to tell me a little bit about the opportunity taking shape here at Gibson, and not just in support of one company’s vision or one company’s product portfolio, but to be able to support thousands of leaders and thousands of innovators across tens of thousands of products all over the world, that’s exactly the kind of thing that is going to help me to stay challenged and do my best work and keep growing and evolving.

Moore: I’m excited for both of you. Obviously, your compatibility reads through loud and clear. Thank you very much, Jane. Thank you very much, Keith. I really appreciate you’re here in today. Joe, back to you. Thank you.

Kornik: Thanks, Tom, and thanks, Jane and Keith, for that fascinating discussion. I appreciate your insights. Thank you for watching the VISION by Protiviti interview. On behalf of Tom, Jane, and Keith, I’m Joe Kornik. We’ll see you next time.