Future of Privacy Forum CEO Jules Polonetsky on “exciting but risky” road ahead

Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and I’m excited to welcome Jules Polonetsky to the program. For 15 years, Jules has been CEO of the Future of Privacy Forum, a global non-profit that serves as a catalyst for privacy leadership, where Jules has helped advance principled data practices, assisted in the drafting of data protection legislation, and presented expert testimony with legislatures around the world. He is an adjunct faculty member for the AI Law and Policy Seminar at the College of William & Mary Law School. Jules will be speaking with my Protiviti colleague, Senior Managing Director Tom Moore. Tom, I’ll turn it over to you to begin.

Tom Moore: Great. Thank you, Joe. I couldn’t think of anybody better to talk about the future of privacy than Jules Polonetsky. Jules, I’m so happy you’re joining us today. Thank you.

Jules Polonetsky: Delighted.

Moore: If you don’t mind, tell us a little bit more about the Future of Privacy Forum, its history, what you’re working on today?

Polonetsky: We’ve been around for about 15 years, and our members are very generally the chief privacy officers at 200 plus organizations. The people who are really trying to grapple with the fact that the organizations they lead are driving the AI agenda, whether it’s big tech companies or startups, or banking, or car companies, right? Everybody is challenged by the fact that the pace of how data is being used is accelerating and the norms of what’s right, what’s legal, what’s creepy, what’s innovative and exciting to users is rapidly developing, and it’s developing everywhere in the world. So we work with those folks to create best practices, standards, try to support reasonable legal rules and structures around it.

We do that as well with the leading policymakers because it turns out they’re busy. They’ve got a big agenda. They’re trying to deal with wars around the world, the economy, all the challenges that legislators and government leaders grapple with, and they want and need support. They want to know which country is doing it right. What can we learn? Where are their mistakes? How does this technology work? So we try to work as the pragmatic voice, optimistic about tech and data, but quite aware that things can and will go wrong if you don’t have clear guidelines, clear landmarks for how organizations can be responsible as they roll out new data-powered products.

Moore: Excellent, and congratulations on 15 years of existence for the Future of Privacy Forum. Let’s talk about it. You obviously have your pulse on the world of privacy, and what do you think are some of the biggest issues over the next five years? If you’re a business leader, you’re a leader of an enterprise, you’re a regulator, what should you be thinking about? What should you be focused on to get prepared for the next five years?

Polonetsky: You know, the easy answer is to immediately talk about AI, but before we go to AI I think it makes sense for us to pause sort of a second and recognize that it’s only the last few years where you’ve been able to assume that almost everybody, in any at least decent, advantaged, progressing economy, has a mobile phone, probably has a smartphone, probably has apps, probably is connected to people via some sort of social media or WhatsApp group or the like. The world has started hurling, part of it—it’s a COVID world, where suddenly we all got comfortable doing things over video conference. We became a small world where people are connected, which means that the good and the bad things that happen around the world immediately reverberate. It means the bad actors can do their work from every part of the world and can develop sophisticated, complicated organizations and have sort of teams and levels of different delegated services that they can use as they deal with organizations.

So we’ve moved to this super connected, super immediate, sort of 24/7 world where users can create a giant alarm, sometimes correctly, sometimes incorrectly, when they think that your organization is doing the wrong thing, and it immediately is driven into the media because the media seem to spend a good chunk of their day following what happens on social media.

Those stages are only going to accelerate, but we’re also seeing the backlash, right? People who are just feeling burnt out because they were locked up at home during COVID, and they didn’t get to go out, and now they’re still gaming all day and all night, and they’re still connected. All the business tools are pinging them, not just on email, but on Slack, on Teams, and all these tools. Being ready and thoughtful and structured enough to navigate this incredibly frothy, turbulent world—and then let’s talk about AI, where suddenly the investments are moving so quickly that the policy concerns are being left temporarily by the wayside, right? Who would have imagined that we’re rolling out products and we say, “Well, actually, they don’t work a lot of the time, but when they do, they do these incredible really cool things except it can’t be fully reliable but we’re relying on it for incredibly important processes like interacting with our customers.”

So, for a long time, the problems of our current generated AI tools were well-aware and you had leading companies saying, “Not yet. We don’t know the answers yet to how we’re going to put out stuff that isn’t reliable but can do super cool things, but actually also might be discriminatory, right?” For better or worse, the dam burst and everyone, from the most conservative organization to the wildest startup, is rolling out stuff that comes with lots of risks.

So that’s the world we live in. Chief privacy officers and legal and compliance folks suddenly need to go from a careful measured world where they do assessments, and they consult, and they discuss, and they give advice and the business accepts the advice, to a place where people are rolling things out that are purchased from vendors who’ve purchased from vendors and putting it out in the market. So we are in an exciting, risky—exciting because really cool things are happening, but I don’t know that we’ve ever seen as much risk or drama and guess what? The media are super interested because it’s about AI. So it can be the silliest flap and suddenly it’s front page news.

Moore: You mentioned chief privacy officers, heads of legal, heads of compliance. They’re at the forefront of all this. The roles continue to evolve with AI and other technologies. Tell me about what you see as the primary role of the head of privacy within a large organization.

Polonetsky: You know, I see two trends. This is really a role that’s in flux. There is one trend, maybe it’s a negative trend or maybe it’s just the way of the world as laws and policies become established. When I first became a chief privacy officer many, many years ago, it was a novel title and it wasn’t the highly-regulated companies that had the most senior executives in these roles. The banks had regulation and structures and lines of defense and dealt with it for years. HIPAA, the health privacy and portability law was in place and organizations had structures around that. It was the startups, the internet companies, it was the ad tech companies who didn’t have detailed legislation, at least not in the U.S., but who were running into all of these explosions of concern, or the data companies who were suddenly able to do so much more than just send you targeted mail, who needed senior executives navigating the nuances of, “What do the consumers really want and what is civil society saying? They’re making a fuss about this. And what about regulators who want to support the internet and want to support these new business models, and who are very excited to come up with new laws and rules? And what about our customers who need to understand what we’re doing with their data in ways that we’ve never used their data before?”

Here now, we’re in a world that’s become far more regulated. We’ve got all these state laws in the U.S. now. We’ve got AI laws. We have privacy laws. We have global data protection regulation not just in Europe, which has been a leader and has been mature, but almost every other jurisdiction. We’ve got a team in Africa. The countries across Africa are rolling out data protection regulation. South America, the big economies, India, right? The most giant economies, China, all have new data protection regulation and, now, new AI regulation. So for some companies they’ve said, “We don’t need the drama. We know how to do compliance. We worry about all kinds of compliance issues.” Some companies are rolling these roles into compliance and perhaps eliminating this sort of executive type role. Other companies are going in exactly the other direction. They’re looking at the challenges of AI, which are not only about privacy, but start with, in many cases, personal information that’s collected and used and already regulated by data protection law. Even automated decisioning is already regulated by data protection law. So, some companies are recognizing that here’s this incredibly strategic area, who is going to help us shape what are very nuanced decisions about not only how to deal with complying with laws— “Hey, we’re now going to use video and improve it and your face is involved, and our customer’s data is involved, and we’re going to read their confidential information to create better tools that serve them. But, boy, they better trust us and trust the output.”

We see multiple layers of regulation, for instance, in Europe, where not only do we have privacy law, not only do we have AI law, but we have new kinds of competition laws. New laws that force you to provide data to your competitors. New laws that force you to provide data for researchers. So, we see a number of other companies saying, “Digital governance has become really complicated and we need somebody or some team managing the envelope of restrictions that exist around how we use data.”

So we're at an inflection point, and we’ll either, over time, see some of this absorbed into the legal and compliance structure of the organization, but I think we’re seeing a whole new breed of folks who are stepping up from data protection to a broader scope, whether it’s AI, whether it’s perhaps digital governance, perhaps it might be ethics. That’s where it’s going.

Moore: Excellent. So speaking of that broader scope, talk to the privacy community, the privacy leader, chief privacy officer, or other title. What do they need to do to prepare themselves for this environment to grow into those broader responsibilities?

Polonetsky: I love telling some of my colleagues and friends in data protection, they spend too much time on data protection. By that, I mean there is so much. I mean you can’t stop. There’s a new law. There’s a new regulation and California keeps rolling out new changes. The Europeans keep interpreting and reinterpreting. So you can really spend all your time keeping up with the incredible rush of details. But the reality is, guys, people, gentlemen, ladies, all of you, you know how to do that. There might be a nuance, there might be an item to deal with, you know how to read legislation. You know how to do compliance. What’s changing super-fast are the way your business, the way your sector is using data. Things that were norms are now changing. Things that the platforms are doing for their business that affects your business are changing. Spend more time, please, legal, compliance, ethics, privacy people, being gurus of how data is being used because that’s going to help you ask the smart question. You ask your legal assessment question, you’re going to get your legal assessment answer. Understanding how your partner and what their business goals are and how they’re really planning to use data give you the opportunity to ask much more probing questions that answer what you need to know.

Moore: Earlier, Jules, you mentioned Europeans, the GDPR. They’ve obviously invested quite a bit in legislating, regulating, enforcing the data protection for European citizens. Are they striking the right balance? Related question, what lessons can the U.S. learn should we ever get to national privacy law in the U.S.?

Polonetsky: GDPR, I think, is a very thoughtful document. The European legal process is a challenging process. It’s not one country. It’s a union. My hope is that we will move in the U.S. to regulate quickly around AI and data protection. Even if it’s not perfect, I think businesses need the certainty. They need a level playing field, and then they’ll compete. If anything ended up being too restricted, then we can go back and debate it. Right now, I think we’re suffering from a gap, tools being rolled out, and the law is sort of catching up in a way that may end up being quite challenging.

Moore: So let me put you on the spot, turn that hope into a prediction. By 2030, do we have a U.S. national privacy law or do we still have the state patchwork, federal agencies regulating, state agencies regulating?

Polonetsky: By 2030, I think the answer is easily yes. By next year, the answer is, “That’s going to be hard to say.” You know, it took the Europeans seven years to build out GDPR. Again, mostly, 70-80% of GDPR was already in the UK’s data protection law and German data protection law. They didn’t start with a blank slate. We’re talking about regulating a huge chunk of the U.S. economy. That’s complicated. It ought to be taking a while. I think Congress is in this period where they’re struggling through understanding the complexity of what it takes. So, you know what? Although I’d like them to do it now so that the states don’t all go do disparate things, it’s going to take them some time. They should take the time, but they need to do a bit better a job really getting thoughtful and smart, and there are hard issues that need to be debated by critics, and business, and researchers and so forth.

Moore: So Jules, on a couple occasions today, you’ve expressed optimism or hope. Let’s go the other route for just a second. What if we don’t get this right? What if national law, thoughtful and smart, doesn’t come into play by 2030? What could be the consequences of not getting this right?

Polonetsky: I don’t think we have a choice to not get this right. I think the not getting this right, perhaps, is doing it very piecemeal, doing it in ways—My home state of Maryland has done a very strict state privacy law that doesn’t have any greater flexibility for research. Could they have really intended to make it very, very complicated and hard, the home of the National Institutes of Health and leading universities and so forth? Could they have intended to do that? So, I think we could have inadvertent, complicated mistakes, complications of multi-state compliance that cost money and cost time and probably don’t add any value.

So I think we move slowly and haphazardly if the world is state laws, the world is regulation by crisis and pushback. We end up not being trusted to use the most robust forms of data that we actually do need. We need data about sensitive populations to identify where discrimination can be taking place, where are people not getting access to health facilities. So if state laws make me worry about collecting any sensitive data, which many of them do with minimization or opt-in requirements, then it’s too risky. I don’t collect that location data, and that’s fine. We’ll protect some people who won’t get targeted by ads or who won’t have sensitive locations being exposed, but we then won’t have the data that the CDC needs to understand how a pandemic spreads. We won’t have information needed to know how students travel to school and traffic information. So we’ll end up in a world where we progress, but with drama, with regulation by Twitter and media headline and class action litigation.

We need the certainty of a level playing field, as imperfect as laws will always be, so that we can actually move forward rapidly, particularly around AI where there are huge debates. We need to decide, is it okay to suck up all the data from the public internet? Well, you know what? Maybe it’s public data, but maybe we didn’t actually intend this when we hammered out the IP rules and the copyright rules, and maybe we want to think about what the right balance is. If not, it’s the courts that are going to decide it. Let’s decide it with good, thoughtful public policy.

Moore: Jules, this has been fantastic. You shared an incredible amount of information, breadth of both concern but also optimism. I’m thrilled that you joined us today. Thank you for your time and hope to see you again soon.

Polonetsky: I am indeed optimistic despite, I think, all the drama. Exciting things are happening with data. We just need to get the guardrails that can help us drive quickly, safely.

Moore: Great, thank you. Back to you, Joe.

Kornik: Thanks, Tom. And thanks, Jules. And thank you for watching the VISION by Protiviti interview. On behalf of Tom and Jules, I’m Joe Kornik. We’ll see you next time.

Protecting data and minimizing threats with Microsoft’s Sarah Armstrong-Smith

Joe Kornik: Welcome to the VISION by Protiviti interview. I'm Joe Kornik Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-Suite and executive boardrooms worldwide. Today we're exploring the future of privacy, and we welcome in Sarah Armstrong Smith, Microsoft Chief Security Advisor for Europe, Middle East and Africa, Independent Board Advisor, and author of “Understanding the Cyber Attacker Mindset: Building a strategic security program to counteract threats.” Today, she'll be speaking with my Protiviti colleague Roland Carandang, Managing Director in the London Office and one of our global leaders for innovation, security, and privacy. Roland, I'll turn it over to you to begin.

Roland Carandang: Thanks so much Joe. Sarah, welcome. Congratulations on the publication of your latest book and thank you so much for being with us today.

Sarah Smith: That's great to be here. Thank you.

Carandang: I'm going to dive in with a very big question just to start things off. What do you see as the biggest threats to data privacy right now and what are some things that executives and boards should be focused on?

Smith: Yes. Well, I think I'm going to go for the easy option to start with being a Chief Security Adviser at Microsoft, it has to be just the scope and scale of cyber-attacks. Now they're at a range that we have never seen before just in terms of the ferocity of those different types of threat actors. What are they doing? What are they after in particular? Then when we talk about cyber attacks, we then got to think about what are those threat actors after. In essence they're looking to, how do I monetize my return on investment? Some of those are financially motivated actors, some of those might be espionage, nation state actors, they're activists, but ultimately, it's all about data and that's something we've really got to be cognizant about. So whenever we've had a cyber-attack, we then have to think about the data breaches and what does that mean for the impact to those individuals that may be impacted by that cyber attack as well.

Then we have questions that no doubt have to be answered, maybe that’s through regulators, our own business, our customers, partners, with regards to what data, how much data, and what's the impact of that. If I took all of that combined, when we're talking about cyber attacks, data breaches, intellectual property theft, whichever way you want to look at it, ultimately it'll come down to one thing, which is effective data governance. I would really say, what data, where is it, what is the value of that data, and what are my expectations, not just from regulators but consumers and employees as well, about how I should be protecting that data no matter what is on the horizon?

Carandang: On VISION by Protiviti we often talk about AI, and I know that's something that's on your mind. Ultimately, what impact do you think AI will have on data privacy and data security. Is there anything that business leaders should be doing to prepare for that now?

Smith: Well, I think with any technology there are always pros and cons. So we start with the pro. Ultimately, when you think about the ability for AI, machine learning, to provide really deep insights across large data sets. I think one of the biggest challenges that a lot of companies have, reflecting on where we started is where's my data, how much data, how much data exposure do I have? Getting those real deep insights but also thinking about how I can use that data to drive innovation

It's no doubt we're thinking about AI and just the scale of innovation that we've seen over the last couple of years. We're seeing tremendous work with regards to breakthroughs in science, medicine, and technology. So there's absolutely no doubt that there are some huge positive impacts for a lot of companies.

Now, I go to the cons. So kind of the reverse of that. In particular when we think about Gen AI, so that's only been around in the last couple years. It's probably made famous by ChatGPT. There are multiple other AI models. Then we got to think about how that was actually trained and where did that data come from. Some of the data, let's say, might have been scraped off the Internet. It could have been taken from social media. There's a multiple ways in which this data has come from and it's been asking a lot of questions again about what data, where did that data come from, do I have any say in that data in terms of consent, legitimate interest and all of these type of things. Again, if I can reflect back to the first question with regards to the cyber attackers and how they are thinking about amplifying their cyber-attacks with some of these large language models. Again, I think from a nation state perspective, highly resourced, highly motivated threat actors.

Now a couple of months ago Microsoft actually issued some research in conjunction with Open AI, as we're talking about ChatGPT. What we identified, if we took some of the larger nation state actors, they're using these models to do reconnaissance so that they're learning about their targets and they're also using those large language models to refine their attack. So this is just a caveat that the AI itself is not doing anything bad. It's not a naughty AI. It's still tool in the threat actors kit bag. When we're talking about phishing, ransomware, malware, whatever the case may be, the AI is just another tool, if you think about it that way. I want to think about AI, and I know there's a lot of companies that are spinning up R&D centers, innovation, thinking about the art of the possible. Maybe they are building their own models or they're buying them, whatever the case. There are some really fundamental things as we're talking about privacy in particular, that's responsible and ethical AI. It's a really having deep appreciation for those security and privacy implications, the detriment of some of those large language models and how they're being utilized but also keep thinking about privacy-enhancing technology. So having encryption, how we're thinking about managing the data or the data when it's exfiltrated… none of those things change just because we have some new technologies, right? We can't lose sight of the fundamental, the foundation layers if you like, of security and privacy in particular.

Carandang: That's super interesting, Sarah. Microsoft clearly has a big role to play—it sounds like such an understatement—in AI but it also has just lots of customers as well and customer data. Since you mentioned it, can you just tell us a bit more about your role at Microsoft and how a company—you mentioned large data sets, and how a company like that deals with protecting its customer data. How do you spend your days and perhaps some of your nights as well?

Smith: Can I say, it's never a dull day, let's say, being at a big tech company. If I've had to talk about my role first and foremost, in essence, my role is to liaise with our largest enterprise customers across Europe. I work multi country and multi sector and it's really at that C-seat level. I can be talking to CISO, CIO, CTOs. It's really understanding those biggest challenges. Some of that we've already touched on. We've talked about cyber security, cyber-attacks, how they're evolving. We've talked about evolving technology particularly when it comes to AI, responsible AI and all of these things but it all fundamentally comes down to data and really understanding the value and the proposition of all of this big tech together.

Now we look at the cloud in its most simplistic form, irrespective of the size of the enterprises that we're talking about. Although I'm at this level I've obviously got lots of different small enterprises and consumers who are utilizing the cloud. I would say the real value comes down to the shared responsibility model first and foremost. So if you thought about having your own data center or your own services, you're responsible for everything. You're responsible for the building, the infrastructure, the networks, all of the data, and all of these things. The big difference when you move to the cloud, and some of that comes down to the type of cloud or SaaS services or whatever the case may be, but the shared responsibility modeling, that just means the platform, the cloud platform, itself is the accountability of the cloud service provider. So in essence that infrastructure—patching, backups, recovery—won’t completely go away but it's one of those things that you don't necessarily have to think about.

The other part of that shared responsibility model, if you think about all of the different companies across the globe, some of those are highly regulated entities and those regulations are going to differ depending on what country they're in or even what region they're in. Now part of that, for customers to be able to adopt the cloud, Microsoft also has to have a very comprehensive compliance portfolio. If you're thinking about, we’re talking about GDPR or we're talking about various different standards like NIST for example, the underpinning platform first and foremost has to have all of those controls in place that you take advantage of. There's a huge advantage right out-of-the-box I'd say in terms of the inbuilt capability that's already there by standard and by default. The challenge, however, is you have to take advantage of it. This still means you’re still accountable for who's accessing that data and what data you put into the cloud.

Carandang: You mentioned in the introduction in your new book, Understand the Cyber Attacker Mindset. It dives right into the global cyber crime. You've engaged with actual cyber criminals. What are some of the key takeaways that you learned from your engagement with those cyber criminals that you could share with the audience here?

Smith: I think what's interesting to me and why I wrote it is to really focus on the human part of security. I think again, when we think about security, a lot of people think about we're here to protect data and we're here to protect technology and servers in the cloud and all of these things but actually, the data only has a value to it when we understand the repercussions of the impact of some of that data in the wrong hands and how it could be misused, abused in various different things. I think what we talked about at the beginning is a million and one ways in which I could potentially attack you but there's only a finite reason why I would want to, and why I'm motivated enough to want to do it. So I looked at the different types of threat actors. As I said, we've got some that are financially motivated, we've got activists, nation state actors, and we've got malicious insiders as well. Then it's the same data but in the different hands, what is the impact of that? Then it's being able to work backwards and say, “Ok, well, if someone was trying to sell this data, if someone was trying to use this data for espionage, if someone was trying to use it for other nefarious purposes, what do I need to do to protect that in all of those different hands, in essence?” That's really important, to understand the human motivation behind it and why they are willing to go to that extra degree to get their hands on that data. So I think about it from a very, very simplistic, no matter what size organization is we're talking about, the little ones up to the big enterprises, and I try and keep it quite simple. Our strategy in essence comes down to protecting the access in and the exit out. So the access in is identity. As we're talking about privacy it’s identity in all its guises. So it's identity as a human and identity of things. So we're talking about laptops and devices and various things like that. In essence from the threat actors perspective, I have to find a way into your network. I don't particularly care how I get in. Whether I'm trying to do those phishing emails, I'm going directly to the source, or I found a vulnerability in your network. I will find any which way in to that network. The exit out really then comes into that data. What is it I'm trying to exfiltrate out of your company that's giving me that value in particular.

Carandang: Thank you, Sarah. That's fantastic. You mentioned scale earlier. Just with the number of data or tax on data growing exponentially day by day, I do wonder if it's time for just some bold paradigm shifts. Do you see any of these shifts on the horizon? For example, can you imagine where consumers will start to pay small fees for otherwise free services, so companies won't need to sell that data to third parties?

Smith: I think we're going to see that a little bit. I think people are starting to pay for subscription services where it's a highly tailored service. They don't get adverts or the adverts they do get are more tailored. We are starting to see these people who want an enriched service. But I think the challenge we have as well is, a lot of this technology, particularly when we’re talking about social media, has been around for a very long time and it's been free for a very long time. Even when we know that when it is free, you’ve heard the comments you are in essence the commodity but there's data, there's profiling that's being sold to varying degrees across different companies depending on how you're interacting with some of their services.

I think the interesting thing is even when we've spoken about the size of some of the cyber attacks, the size of some of the data breaches, the fact that we've had these regulations, the fact that we've had record-breaking fines as a result of misuse or abuse of data and selling of data in various different things, has it actually stopped people from using it? I would argue not. Maybe there's a handful of people who are a bit mindful of it. I think you'll get pockets of people that want a better service and that you could sell it as a better service and enriched service or some way, maybe you'll have those kinds of people who might want to do that but I think overall, I can't see it happening to a large extent.

Carandang: Got it. Thank you, Sarah. So we've covered a lot today. I wanted to just ask you your overall feelings on maybe the next five years or so. So take us out to 2030. Tell us what you see. Are we in a better place? How well we have gone with this endeavor.

Smith: I think it's interesting, isn't it? Like we talked about GDPR, we talked about how long that's been around. So we are over five years since GDPR has come into being and other regulations around the world are all coming up to a varying degrees. Has it made any difference? I'm not sure. Arguably, I think it's going to have to get much worse before it gets better but I do think there is some positive coming as well. I would just frame that with where we started, when we're talking about cybersecurity and what's the game changer. So I think what we have seen is this willingness for more collaboration across big tech but across multiple different countries and jurisdictions. Particularly when we think about different actors and they're moving data around and moving data, there's money laundering, people are hiding in plain sight, making it really hard to bring a lot of these people to justice. Therefore what we have seen, as I said, in the last couple of years, is that willingness to collaborate, the willingness to share intelligence and really, really think about, there are some of these core principles of what we've been talking about and really then coming back to those foundational levels that we talk about. How do we have security and privacy by design, by default and as standard, so that nobody questions all of these things that have to be added on. Are you doing it for the right reasons? It just is. So, I think, as I said, there's going to be a lot more work. It's not going to be easy. I have a tiny bit of optimism that we can tip the balance but I just want to be realistic at the same point, not underestimating how much work is involved.

Carandang: That’s brilliant, Sarah. Thank you so much for your time and insight today. You've been very generous. Thank you for the great work you're doing more generally, and congratulations again on your book. Joe, back to you.

Kornik: Thank you for watching the VISION by Protiviti interview. On behalf of Roland and Sarah, I'm Joe Kornik. We'll see you next time.

Former CISO on what boards are getting wrong about data protection and privacy

Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-Suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and I’m thrilled to welcome Sue Bergamo to the program. Sue is an executive advisor, former CIO, CISO, and global technology strategist from Microsoft. She sits on several boards, is host of the Short Takes podcast, and author of “So, You Want to be a CISO: A practical guide to becoming a successful cybersecurity leader.” Sue, thank you so much for joining me today.

Sue Bergamo: Thank you for having me. It’s a pleasure to be here.

Kornik: First off, Sue, let’s talk about the state of the CISO. As you point out in your book, which I mentioned in the intro, “So, You Want to be a CISO,” the position is really in a state of flux right now. So, talk to me a little bit about where the CISO is right now and how it’s changing, and if you think it will continue to be a critical part of the executive team going forward.

Bergamo: I like to use the term evolution because we’re in a position that I hope will evolve to a better state in the future. Just like the CIO role about 20 years ago it had to go through some ebbs and flows and finally, it came out at the end of the tunnel in a much better spot. Everyone was very much aware of what the CIO needed and wanted to do which was really around our back office applications for our infrastructure that run our corporations.

The CISO role is going through that evolution and unfortunately, right now, it’s in a really ugly spot. I’m hopeful that it will come out a little bit better. What’s going on in the industry is the SEC’s cyber disclosure rule that came into effect late last year, which basically said the CISO does not need to report to the board, but the board and the executive team need to be aware of cyber incidents. So, what ended up happening with that—and I can go into more elaboration around two CISOs that were charged with felonies for material breaches that happened in the past—but what happened with that is that—this is my opinion based on what I see and what I know—executive teams decided that CISOs weren’t really needed. A lot of the CISOs said, “We’re not going to put up with these personal liabilities.” So, a lot of us left our positions and then there were a whole bunch of us that lost their jobs because the SEC, the cyber disclosure rule, talked about awareness. They didn’t put the CISO on the board, but they talked about awareness with incidents.

So, what has transpired is—and I don’t mean with this with any disrespect to SecOps managers—but inexperienced, from a CISO perspective, SecOps managers secure the operations people will put into the role of head of security. Sometimes CISO, but mostly head of security because they deal with incident response. Now, the dirty little secret in most organizations is that when an incident occurs, the SecOps manager has a major role in that breach, defending against the breach, but they’re really there to tell the CISO where the threat is coming from. They are not there to lead the band. They’re only there for a very specific focus. So, I see this convergence of inexperienced people and cyber criminals and we’ll see what the future brings, but I do hope that when this evolution comes to fruition the CISO will be put into a much better position, much better light with the executive team.

Kornik: You mentioned those SEC decisions and regulations. I don’t know if you want to expand on that at all or talk more specifically about where CISOs find themselves between a rock and a hard place right now.

Bergamo: Yes. There’s really three types of CISOs. There’s the very inexperienced one that’s just coming into the role, not really sure what they’re doing. Again, it’s not a dig. They have to learn and they’re going to learn the hard way. There’s the middle-of-the-road, as I call it. They’re more experienced than the inexperienced ones, but they’re still trying to find their spot in the position. Then there’s the experts who were exiting. So, a lot of CISOs on the inexperienced and middle-of-the-road side, believe that our jobs are really about the technology, and that is so far from the truth. The experienced ones know that we follow something called the triad, it’s confidentiality, integrity, and availability. We do that, we accomplish the triad through people, process, and technology. People obviously are employees, process is security frameworks and controls, and then the tech. Once you get the tech up and running and optimized for efficiencies so it’s giving you the data that you need in order to defend your companies, the tech is the easy part. It changes all the time, but that’s the easy part. It’s the compliance frameworks that take the majority of our time and if you ask any experienced CISO, they’ll tell you, once the tech is installed and optimized, we spend the majority of our time on compliance and data privacy. The newbies, as I refer to them, sometimes we have to explain this to them and explain why compliance and data privacy are so important.

So, it’s a little bit of a mess out there right now and then you throw in the personal liability. Let me just expand upon that for a moment. We had two well-known CISOs with two public, very public companies—I won’t mention their names—charged with felonies through the SEC which led to the cybersecurity disclosure rule being implemented after the first one. The second one fell into that disclosure rule. That sent shockwaves. Not just waves, but shockwaves through the CISO industry and we’re just sitting here saying to ourselves, “Holy cow.” A lot of us don’t have a lot of support because everybody thinks cyber is our problem and not theirs. It takes a village to defend a company against cyber attackers. Now, we’re being held personally responsible and felony charges, potential jail time, so we’re all saying ourselves, “I don’t think so,” which is why there’s a huge influx of us getting out of the role.

Kornik: Right. So, let’s talk a little bit more about the strategic role of the CISO or where that falls in the organization. Let’s talk specifically about data governance and protecting privacy. How did the companies that do it best do it best? In your experience, do they have chief privacy officers or chief data officers? Is there a playbook that business leaders should be following to really make sure that they’re getting this right?

Bergamo: I wish there was a playbook, but there isn’t. So, I think that’s half of the battle because everyone has a cellphone or a computer, and everyone feels that they know technology and they know data. This is a very specialized field. The CIO—I’ll just say tech and security—it’s a very specialized field. I’ve been fortunate enough to have both roles and yes, everyone always has an opinion on how we can do our jobs better, but this is our craft, and we have all kinds of different education or certifications. There’s no one thing that anyone can point to and no one game plan. But good C-level tech and security executives are well-rounded. We study. We research. We get involved and we understand how to protect data. Now, that AI is coming out, we have a whole new set of technologies that we need to encompass into our program. So, it’s about staying involved and understanding what we need to do to protect the data.

Kornik: When you’re in those conversations with the C-Suite, the boards, and the business leaders, do you think they understand the importance, not just the compliance and the governance aspect of this, but maybe the business importance of data privacy and what that means ultimately to building customer trust in the business and the bottom line?

Bergamo: I do think that everyone understands that data matters and that data is important to running the business. I mean, every business needs information in order to make good decisions and to process customer requests, B2B requests, employee requests. It’s all data driven and so is it given enough limelight? It depends on the size of the company. I do think that the executives and the boards understand the importance of data and how to use it, but I think where they fall short is really in the investments of strategizing and securing the information and giving even the technology or the engineering teams what they need to make sure that that data is sound.

Kornik: Right, and that’s an interesting perspective I would say from the company side. How confident are you that we’ll get this right for the customer, the client, the consumer? Are you optimistic that they’ll be better off over the next several years?

Bergamo: I’m always optimistic. The sun’s always shining in my world, right? Data is the stronghold of every company. From managing the most—my new piece of information all the way to executive reporting. Everybody’s processing information. So, I think with some of the technologies that are coming out either through public cloud vendors or through artificial intelligence, I think that the data and the ability to gather data is just going to be better in the future.

Kornik: Well, Sue, you said you’re an optimist. So, I’m going to leave you with this final question where I ask you to look out a few years. Maybe the end of the decade, let’s say 2030. Where do you think will be in terms of privacy, data privacy? Do you think 2030 is a better place than where we are currently?

Bergamo: Well, we can only get better with time, right? Kind of like a fine wine. So, I’m optimistic that material breaches will continue to happen fast and furiously and finally, our business brothers and sisters will wake up and say, “Oh, I need to be responsible for security too. I need to be responsible to help the CISO or the CIO, or whoever, with my data problems. Maybe I should get more involved.” So, I am optimistic that eventually the tables will turn. I think it’s going to take a little bit more time but 2030, sure, I’ll go with that.

Kornik: Great. Well, thanks so much for the time today, Sue, and the insights. I really enjoyed our conversation.

Bergamo: Thank you, Joe. I appreciate you having me.

Kornik: And thank you for watching the VISION by Protiviti interview. On behalf of Sue Bergamo, I’m Joe Kornik. We’ll see you next time.

The Economist’s Dexter Thillien: Privacy in peril AMID digital data explosion

Joe Kornik: Welcome to the VISION by Protiviti Interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and I’m happy to be joined by The Economist’s Dexter Thillien. Dexter is the lead analyst for technology and data at The Economist Intelligence Unit, the research arm of The Economist. Dexter is the lead author of numerous reports on AI, cyber security, data privacy, technology, and regulation, as well as a frequent speaker on the intersection of the digital economy and global business. We spoke to Dexter last year about privacy in the metaverse and he has been kind enough to come back. Dexter, thank you so much for joining me today.

Dexter Thillien: Great to be here.

Kornik: Dexter, in a digital economy I don’t think there’s any question that data privacy is now and probably will continue to be one of the biggest issues facing consumers and companies, the rest of this decade and probably much further into the future, actually. What do you see as the biggest threats in terms of data privacy for both customers and companies?

Thillien: Yes, thank you for the question. First of all, you’re right to differentiate between companies and consumers because I think they will have different issues to deal with. For companies, they’re owning more and more personal data as part of the business processes, the key is to make sure that the data is secured. That means putting the right government system in place internally. So, instance, that only the right people can access sensitive data. Also, making sure that the company’s own data, any data from suppliers or consumer is being dealt with properly. That’s going to become more and more of an issue to deal with because there’s going to be more and more data to deal with. For some companies, it might even become a competitive advantage. We’ve seen Apple trying to do that in terms of its privacy policy compared to its competitors.

For consumers, it’s a different question, different range of issues. For consumers, it’s important to keep the data safe and secure, but it is also becoming increasingly difficult because we’re giving away much more personal data at any one time. Giving away personal data is no longer about just filling a form, but any time we see something online or do something online, and also anytime we’re going to be on the move because most of us are going to have a smartphone. Many of the apps we have on our smartphone will also collect a huge amount of data. We may become a bit blasé about all those data we’re giving away, but it’s also very difficult to operate and to use the internet and go online if we’re trying to minimize the amount of data we give away. Meta, as an example, tried to build a more private platform which has been charging users and making privacy as a premium feature, but is so far this has been refused by the European Commission in the European Union. The issue is that advertising remains the cornerstone of Meta which means that it is free as long as we give away much of our personal data. With the addition of pictures and videos and on top of text and also facial recognition entering the fray we’re starting to giveaway data which is even more unique and much more difficult to replace if it ever becomes hacked.

Kornik: I’ve been reading a lot of The EIU’s position papers on AI and really all emerging technologies, which includes quantum and spatial and biometric computing, and how those will ultimately impact data and privacy. How do you see AI and those other emerging technologies I mentioned impacting privacy going forward?

Thillien: I think it will all have an impact. So, starting with artificial intelligence, artificial intelligence is all about data. The fact that some are arguing that we may run out web data as early as 2026 as well as so much of a personal data we have given away so far. One of the major issues with artificial intelligence is the output as a model as it may give away as part of answer some personal data because that personal data is part of the input. Sometimes it’s very, very difficult to understand why it does that. We have seen some cases in Europe where this has happened and privacy regulators are keeping track. There is also consent issue which is why Meta say they will not release its most advanced Llama model in Europe because the company is not entirely sure if it can comply with the GDPR in terms of using pictures and videos and things other than text—content other than text.

In terms of quantum computing we’ve seen in August the National Institute of Science of Technology in the U.S. releasing its first post-quantum encryption standards and this is over the fears that a quantum computer might break the current encryption standards sooner rather than later. It’s still not very clear when that will happen and we do not think at The EIU that it’s going to happen any time soon, at least in the short to medium term because many, many technical hurdles remain. But it’s better to be safe especially as some of the encrypted data which can be, will still be very, very valuable when and if quantum computer becomes operational.

When we’re talking about biometric data and biometric computing it raises a question of what type of data we might be sharing. When it is possible to change an email address or even your financial or other details, it is impossible to change your fingerprint or your DNA. We may not be—we may not be able to identify in terms of what we share, but it is something we consider if we don’t want to—that data and want to make sure that the data do not fall into the wrong hands.

Kornik: Right. Thanks, Dexter. You mentioned GDPR. So, let me just follow up on that. Globally, Europe has invested significantly in data protection rules with GDPR. Japan has had very strict privacy laws in place as well. Meanwhile, India and China not so much. U.S. is somewhere in the middle, but has no federal regulation. A lot of the states have sort of taken the lead on that front. Where is the sweet spot? Who is getting this right? Does too much regulation stifle innovation or does not enough create chaos? Where do you stand on regulation?

Thillien: I think finding the sweet spot between regulation and innovation is what every policymaker, every regulator, is trying to do. I think it’s a problem or an issue for all tech regulation and not just data privacy. This could happen when sometimes regulation becomes more of a box-ticking exercise and we have seen that with cookies in Europe. It has no real impact on privacy because—for instance, active consent will now be fully given. I do think we do need some level of regulation because without it any protection will be lacking and there needs to be independent rules put in place.

I think for me there are two main things to consider when we’re talking about regulation. The first is fragmentation. Many, many businesses will be global in nature, whereas, regulation is very often not. This means that making a decision as to what to do, whether to follow offshore jurisdiction is required, whether there would be some overlap or to go with the strictest rule and have only one set of rules to comply globally for the company. Now, some companies have already done that in terms of the GDPR.

The second and probably the most important one is enforcement. I think rules are very nice, but without the right enforcement it can be a bit pointless. We’ve seen, again, with the GDPR where it’s taking quite a long time before any rulings or any judgement because it can be very, very tough for regulators to make the case. It’s very important to note what level you can enforce before you start thinking of regulation.

Kornik: Barely a week goes by without hearing about another significant breach, right? I just wonder if consumers specifically are becoming desensitized to these breaches, do we suffer low expectations when it comes to our own privacy?

Thillien: I don’t know if we desensitize, but I think the issue that is not always visible or very visible to the main user, we often hear about an attack where millions if not even billions of entries have been hacked, but the impact of that attack is very difficult to gauge because in most cases that means we’re going to receive a bit more spam emails. It becomes much more personal when they are a financial repercussions is in attack meaning we can be scammed or buying details are now available with people buying things online with that money. I also want to make the point that companies can try to do as much as they can and many, many do but the attacker, in this case the hacker, is much more favored than a defender because the attacker, in terms of an attack needs to get it right once when a defender has to get it right all the time. Now, as we’re spending more and more time online it means that the attacked surface is only increasing, which means that those breaches will keep happening.

Kornik: Right. We’ve seen big companies—I mean, very big tech companies even playing sort of fast and loose with data and privacy. Even children’s privacy, I think, is—we’ve heard that has been in the news recently. Can we trust the private sector? I mean, we were talking about regulations so I’m just curious. Can we trust the private sector to do what’s right in terms of privacy? Are boards and the C-suite taking this issue seriously enough, do you think?

Thillien: Some are, but I still don’t think that self-regulation is the answer. While I mentioned the GDPR might not be as well enforced as it should be it still offers a EU citizen much more protection than in many other jurisdictions across the world. You mentioned that the U.S. still doesn’t have federal rules, is trying to remedy that in terms of children. It needs to get passed through congress which is very difficult as well. The U.S. also has a much bigger, what I would call, a third-party market. With the data you might have given happily to a provider or a retailer is then sold on to a third party without you knowing about it, and perhaps you wouldn’t want that particular company, the third party company, to have access to your data. Companies do have to take it seriously because it can impact their reputation if it is proven they haven’t done as much as they could have should it be hacked. With a greater penetration of technology in the world place and the move towards digital information it can also become a phenomenal advantage to business continuity. I think the example of the CrowdStrike incident in July 2024 has shown how reliant we’ve become on digital technology and how important it is to protect those. Could it become a competitive advantage is very, very difficult to say because privacy is one of those areas where doing things right to make sure nothing happens has a limited impact, but not doing things right when something is happening could have a major negative impact. So, the positive and the upside is not very apparent, but you do need to do as much as possible to make sure that nothing actually happens.

Kornik: Dexter, I appreciate your time today. I really enjoyed our conversation. I just have one more question and it’s forward looking. I’m wondering if you could take me out to the end of the decade, let’s say 2030, and tell me what you see around data and privacy. I’m wondering how we’ll view privacy in 2030.

Thillien: I think for me it’s evolving concept because the online world has become so prevalent, but the right to privacy is also a fundamental human right whether it is online or offline. This is part of Article 12 for Universal Declaration of Human Rights which is, and I’m going to quote that, “No one should be subjected to arbitrary interference with their privacy, family, home or correspondence, nor to attacks upon their honor or reputation. Everybody has the right to the protection of the law against such interference or attacks.” I think this is the case both in the online world and both in the offline world. I’m going to give you a personal example maybe. I graduated from my school in very late 20th century. I don’t think I used the internet at all for any of my course work during high school. If you can see, for instance, the iPhone launched in 2007, so 17 years ago, and Facebook in 2004, so 20 years ago, it shows that many, many younger people are now what we call fully digital native and are going to have maybe a different perspective. What I find interesting is some mystery that I saw over the last few months and years where kids, where younger people, were telling their parents not to upload pictures of them online. It made me think about the concept of what I might call online privacy native. Where maybe the younger generation is less keen to share publicly compared to the previous generation. I think we’ll have to wait and see to see what will actually happen going forward.

Kornik: Yes, that’s interesting. I hadn’t really thought about that, but you’re right. That generation did seem more conscious—conscientious about sharing photos.

Thillien: I think they might have a different perspective when it comes to their online persona and their offline self and what they share online. So, they might not have all vision for all generation, vision of privacy more broadly, but in terms of what they’re doing online because they’re fully digital native and they are online a lot of time. Everybody is going to have a smartphone. That’s not going to change. We’re still going to be using the internet. We’re still going to share some data. There is still going to be probably from the younger generation which have only known that kind of a different perspective in terms of what they’re willing to share and especially what they’re not willing to share and to what they might get in return for what they’re sharing. I think it’s very early days and we’ll have to wait and see.

Kornik: Right. Very interesting. Thanks, Dexter, for that perspective and your insights. I really enjoyed our conversation today.

Thillien: Thank you very much for having me.

Kornik: Thank you for joining the VISION by Protiviti interview. On behalf of Dexter Thillien, I’m Joe Kornik. We’ll see you next time.