TPG Telecom’s head of risk on data privacy, cybersecurity, AI and the regulatory landscape

Joe Kornik: Welcome to the VISION by Protiviti podcast. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and we welcome Malcolm Eng, Head of Risk, Business Partnering at TPG Telecom in Australia, where he and his team lead enterprises risk management for the company. Malcolm has spent the past decade working with some of Australia’s leading organizations, navigating the complexities of data privacy, risk and the regulatory landscape. Sitting down with Malcolm today is my colleague, Ruby Chen, a director with Protiviti Australia. Ruby, I’ll turn it over to you to begin.

Ruby Chen: All right. Thank you so much, Joe, for the introduction. Today, I’m so excited to have Malcolm here on the podcast. I’ve known Malcolm since—that seems to be so long ago, pre-COVID era. We both used to work at the banking industry. I still remember we were saying our goodbyes and I’ll meet you on the other side, hopefully. [Laughter] I’m glad that we both made it. Since then, Malcolm has pivoted away from the banking industry into technology, and now more recently into telecommunications. I’m really keen to hear Malcolm’s insights around latest in the telecom industry. So, thank you so much for joining us, Malcolm.

Malcolm Eng: Thank you for having me, Ruby. Times have definitely changed since we’ve known each other, and I do recall saying goodbye before COVID, and I think through COVID I was wondering when I will actually see Ruby again, so I’m glad we’ve gotten in touch and had a lot of very interesting conversations. I’m very excited to be here, looking forward to sharing some of my thoughts on the topic.

Chen: Fantastic. Thank you. All right, before we dive into the serious questions, I have a fundamental question for you, Malcolm. Do you think you could actually live without all the technology gadgets we’re surrounded by?

Eng: I like that we’re starting with a light question. I might start with a little bit of a story. I remember when I got my first smart light, it was a cheap smart light I got from Kmart. I was so amazed when I got home by the convenience and flexibility of it, and especially the multiple colors, that I changed all my lights at home. A little while later, I got home one evening and none of my lights would turn on. My wi-fi wasn’t working. I couldn’t figure how to turn the lights on and I had removed all my non-smart lights. So, I ended up putting up some candles. It was very romantic and I ended up re-reading Dune. Three things come to mind for me. Firstly, the I forgot how much I enjoyed those books, and I thought I should actually do that more. Secondly, as someone whose home is still filled with smart lights, though ones that I can now turn on without connectivity, I cannot imagine living without all the gadgets that I rely on. It’s really amazing to think how technology has become such a big part of our daily lives. Lastly, there’s so much potential with technology and value to people’s lives. I think there’s something to be said about finding that balance where they work for us and not against us.

Chen: As your example illustrates, right, connectivity is such a critical part for all the technology that we rely on these days, and telecommunications industry plays a very important role in providing us with that capability. And with the pace of technological changes and the increasingly unpredictable nature of the business environment, it seems that organizations are facing more unexpected disruptions. I’m keen to hear your thoughts around how is TPG Telecom addressing these challenges?

Eng: At TPG Telecom, is one of the Australia’s largest telecommunication providers, Ensuring that we can provide a robust ongoing supply of critical products and services to our customers, our people, and the broader community is a responsibility that we take very seriously. I think resilience starts with preparation. We start with our networks, which are built with resiliency in mind. What does that mean? Our architecture is designed with physical and logical separation to enhance robustness, routing protocols, separation of product layers are used to improve our ability to withstand disruption.

Chen: I totally agree. I think resiliency is so high in the radar. Something that comes into mind is actually a recent outage which impacted many of us, including myself. So, the CrowdStrike outage, right? It was such a high-profile outage that had a wide-ranging impact across Australia as well as globally. Are there any lessons to be learned and how has TPG reassessed its risk management strategies and practices since then?

Eng: CrowdStrike is the one that comes to my mind, too. I was actually at the airport when the outage happened. I remember being stuck in the road just outside the airport for two hours wondering what was happening. Let’s say, it wasn’t the best travel experience I’ve had and I might leave it there.

Chen: Right.

Eng: Recent incidents have definitely brought operation resilience to the front of mind of a lot of people when it comes to risk management. A few key considerations stand out for me when thinking about resiliency. Firstly, reemphasizing the point that resilience starts with preparation, recognizing that disruptions are a possibility and we should be ready to respond, to recover, to continue to operate. We shouldn’t assume that things will always go perfectly. Instead, we should be prepared for the unexpected, to ensure that we can react quickly and get back on track without too much disruption.

Secondly, while it was great to focus on pursuing the latest and greatest, whether it’s technology, innovation, or even risk management and resilience practices, getting the basics right, I think, is just as important. Things like change management, testing and controled deployment of changes, heightened monitoring during change windows, third-party management, incident management and response, user awareness and training. Scenario planning simulations for emergency and crisis situations are also critical. You probably do not want an actual incident to be the first time you respond.

Chen: I want to pivot a little bit now moving into emerging tech and risk, and talking about artificial intelligence, which is such a hot topic everywhere I go, no matter what conference or webinar that I attend. I was curious to know, with the rapid evolution of AI technologies and the unique privacy challenges posed by 5G and other emerging technologies, how is TPG addressing potential risks associated with these advancements?

Eng: There’s definitely a lot of excitement around AI recently. A lot of attention has largely been driven by generative AI, or gen AI,  tools like ChatGPT, Dall-E have kindled the fire in people’s imagination. That’s made AI much more visible, more interactive and more relevant for the average person. There’s one school of thought that the challenge facing the technology now is one of demonstrating outcomes, that the application of the technology is not enough. It’s about delivering results, with the real measure of success being the value that it can actually bring. I think this can be illustrated with the Gartner Hype Cycle, which accordingly has gen AI passing the peak of inflated expectations this year, heading into the trough of disillusionment. I’m always amused by those terms. It’s a phase that is somewhat of a make-or-break period for technology where the initial hype will fade and the technology must prove its real value.

There’s another viewpoint, which argues that gen AI represents a fundamental shift, that it will bring transformational impact, with use cases that are not yet fully understood, that the classification as a standalone innovation is too narrow. Instead, it should be looked at as foundational technology, a platform for a new generation of AI-driven solutions.

Regardless of the side of the court that you take, a key driver for the hype around AI is this seemingly huge potential for innovation and transformation that it brings, but at the same time, we should still remember that the technology also brings new challenges that we need to manage carefully, and this is the recognition that we have in TPG Telecom. Technology, emerging technologies, are inherently dual use, double-edged, bi-faceted. They provide real opportunities, but they will also bring along real risk. It’s important that we understand both the threats and opportunities of any innovation so we can better adapt the technologies for positive advancement while mitigating the harms.

Some examples, 5G and internet of things, or IoT. 5G offers unprecedented connectivity and speed. The convergence with the technology with IoT provides us much more opportunities for significant increases in connected devices, flow of information, and new use cases. At the same time, they vastly increased the surface area for threats, for vulnerabilities, for risk. The increase in volume and complexity of data and systems brings more potential for failure points and inefficiencies. We’ve talked about AI and machine learning. These technologies can help improve automation, operational efficiency, allowing more proactive security measures, such as anticipating potential threats faster and more accurately. At the same time, they can be used to scale up capabilities, complexities, and automation of cyberattacks.

Chen: So, Malcom, I want to move into the next line of questioning, which is around cyber security. Emerging technologies and AI that we’ve talked about bring transformative potential, but with that comes an evolving risk landscape, and cybersecurity in particular is becoming more sophisticated. How is TPG tackling this growing challenge?

Eng: Persistent, unrelenting cyberattacks on individuals and organizations. I think that’s a good way to describe the landscape today. I’ve also heard people use the word insidious, which I think is quite apt. Here in Australia and globally as well, we’ve seen a surge in incidents, from data breaches to ransomware attacks. Some statistics, according to the ACCC, or the Australian Competition and Consumer Commission, in 2022, the combined losses to scams alone were at least $3.1 billion, which is an 80% increase on the total recorded from ‘21. Losses reduced somewhat in ‘23, but Australians still reported $2.7 billion lost to scams. Some people may give themselves a pat on the back for an improvement, but I think it’s still a staggering amount of money.

The use of AI has made this problem worse. At the beginning of the year, we saw a 300% increase in scams as a result of use of crime GPTs. AI is making cybercrime easier, more accessible for less technically capable cybercriminals. Cybersecurity at TPG Telecom is at the forefront of our risk management strategy. The maturity of our capabilities is critical to all that we do. We are investing heavily in our people, our systems, our controls, key areas that we’ve be focused on over the last years. Vulnerability remediation, expanding security capabilities, transforming our IT infrastructure, and standardizing policies and controls. In ‘23, we increased the security technology budget significantly. We’ve more than doubled the size of the team.

An innovative approach that we’ve adopted is the creation of internal red and blue security teams, or as I like to call them, hackers and catchers. The red team would act as an adversary, simulating cyberattacks and probing weaknesses, while the blue team would defend against it, responding to these simulated threats with the goal to seek out and fix vulnerabilities before external parties can take advantage of them. Fun idea? I wish I had thought of it, but unfortunately, I can’t take credit. It’s a concept that originated from military strategy and exercises.

Cross industry collaboration is something we believe that’s very important. To collaborate across industries or peers, government and academia to come together and share knowledge so we can proactively and collectively enhance the security of the nation. We recently cohosted with the University of New South Wales the 21st Annual International Conference on Privacy, Security and Trust. The conference brought together professionals, researchers, academics, and government with the view to shake the future of privacy and security. TPG Telecom presented two papers at the conference, one showing the benefits of having an internal red team and the other on the value of understanding how AI optimization can be applied to support cybersecurity practices. As most leading organizations in Australia, we’ve begun investigating the use AI for enhancing security support and as a tool to bolster our defenses.

With government, we are a member of the Joint Cybersecurity Center where we collaborate with government agencies and industry partners on national threat intelligence and cyber incidents. Similar to our approach to resilience and emerging technologies, we work to keep on top of the evolving landscape. We work on our adaptability and continued improvement; at the same time, we pursue innovation with a focus on getting the foundations right. I believe we cannot stop the progress of technological innovation. We can aim to participate and contribute in a positive way to better serve all Australians and to protect the security of customers, people, and the broader community.       

Chen: Thanks for sharing that, Malcolm, and I think it’s fantastic to see so much investment being placed into this part of the business, which comes to show how much attention and seriousness TPG places into this area in particular, looking forward to the future. It’s a good segue into our last question. Looking ahead, how do you envision the landscape of privacy risks of the next five years, and how should organizations address the emerging threats while maintaining customer trust?

Eng: It’s a big question. Complex and multifaceted is how I would describe the future landscape of privacy risk. In recent years, there has been a noticeable shift towards the harmonization of data privacy standards and regulations globally. I think as data flows increasingly across borders, more consistent frameworks can help facilitate these transfers, and it also helps ensure data protection across jurisdictions. In this regard, the EU’s general data protection regulation, or GDPR, has had quite a significant impact on practices globally. It set a high benchmark for data privacy and protection. Its extraterritorial scope prompted many businesses outside of Europe to align their practices to GDPR standards. With data breaches becoming a global concern, it has also guided regulatory change in many countries, and so there’s an increased focus on data protection and more changing regulations worldwide. I think it’s also fair to say that GDPR has affected public’s awareness regarding the importance of privacy rights and the value of personal data.

Stricter regulations, global harmonization of data privacy standards I think is a trend that we will continue to see for the years ahead. Similarly in Australia the ongoing reforms of the Australian Privacy Act have indicated an appetite for a GDPR aligned regime.

The way that I like to think about regulations is that regulations are designed to solve a problem. Oftentimes, it’s easy to focus on what we need to do to comply with requirements, but instead of solving solely for regulations, we should also ask ourselves, how can we solve the problems that the regulation is aimed at, this framing I find can help solve for the regulation and help ensure that the approach taken is what looks best for the organization.     

Another trend that we’re seeing that I believe will continue to accelerate is the increased digitization driven by faster connectivity and emerging technologies. Organizations will need to be prepared to deal with an increasing volume and diversity of data. Coupled with increasing regulation, this will significantly increase the complexity of data protection. Technologies that we’ve touched on like AI, machine learning, automation, will accelerate the changes. The sophistication of cyber threats will increase, and so will security measures and defense capabilities.

The management of unstructured data will become critical. As analytics and AI advance, it will enable more insights to be extracted from unstructured data. With a lack of inherent structure to the data, the increase in volume and use will introduce more complexities with management, things like storage and scalability, data integration for analysis, data quality, in addition to protection and security.

Quantum computing, it has the potential to break traditional encryption methods, making a lot of today’s models vulnerable. There’s a practice called, “Store now, decrypt later,” which is about collecting currently unreadable encrypted data with the expectation that can be decrypted in the future. Something to keep in mind is that cyber criminals and threat actors don’t just target companies from time to time. They target companies 24/7. They are patient and very, very persistent.

Focus on privacy by design. Ensure that privacy is embedded in products and services, rather than bolt on as an afterthought. Data minimalization: only collect what is necessary. Continue to invest in and improve technological capabilities, innovate and iterate and foster a culture that puts privacy and security first with ongoing education, awareness, and leadership.      

Chen: That’s fantastic, Malcolm. Thank you so much for at least leaving those wise words with us and I just want to thank you so much for being on this podcast.

Eng: Thank you, Ruby. It’s been a pleasure speaking to you today. I’ve very much enjoyed the discussion.

Chen: Thanks, Malcolm. All right. Then, Joe, we’ll hand it back to you.

Kornik: Thanks, Ruby, and thanks Malcolm, and thank you for listening to the VISION by Protiviti Podcast. Please rate and subscribe wherever you listen to podcast and be sure to visit vision.protivity.com to view all of our latest content. Until next time, I’m Joe Kornik.

Did China break encryption? Protiviti’s quantum director sets the record straight

Joe Kornik: Welcome to the VISION by Protiviti Interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive board rooms worldwide. Today, we’re exploring the future of privacy, and I’m joined by my Protiviti colleague, Konstantinos Karagiannis, Director of Quantum Computing Services.

Konstantinos has been helping organizations get ready for quantum opportunities and threats that lie ahead. He’s been involved in the quantum computing industry since 2012, and is the host of Protiviti’s popular podcast, “The Post-Quantum World.” Konstantinos, thank you so much for joining me today.
NKS

Konstantinos Karagiannis: Yes, thanks for having me. It’s always great to join you.

Kornik: So, Konstantinos, I’ve been hearing more and more about quantum. I know you’ve been at this for a long time but lately, I’ve been hearing more and more about it in the media, including in mid-October, something happened in China. I’m not going to pretend to understand exactly what happened, but I’ve heard things or seen things about potentially military-grade encryption being cracked, which seems way earlier than we thought, I think. So, is the end of encryption here early, it’s what I know some in the media have called “Q-Day.” Has that arrived?

Karagiannis: The short answer is no, which is good. It’s not the end of encryption already. It’s funny that this Chinese story broke pretty heavily over the weekend as we’re recording this, and I was like, “I’m going to have an interesting week. I already know this is going to be one where I’m going to be asked a lot of interesting things.

So, basically, we don’t have a great translation of this Chinese paper. A Chinese paper was published, and in it they make some pretty strong claims, but the abstract is in English and then after that it dives right into Chinese. So, if you try and translate it with machines or whatever, AI, you end up with some holes, and as a result, no one’s reproduced this yet. So, I can’t come on today and say that based on reproductions and other teams that I could say that this paper is even real, but let’s say the claims are true. Let’s pretend it’s not some nation-state psy-op to try and freak out the West or something. Even if the claims are 100% true, it doesn’t really spell the end of encryption. So, that’s the awesome news, right? Even worst case, it’s not all over.

People might have been hearing for a while now that we need fault-tolerant quantum computing to crack encryption, and that just means that quantum computers are noisy. They’re prone to interference, the qubits fall apart, you can’t do the complicated math of Shor’s algorithm to crack something like RSA. So, we need error correction. These things are starting to be built, error-correcting machines, but it could be 10 years or longer before we have one powerful enough using those traditional paradigms to crack encryption.

What’s scary about this Chinese paper is that they used the current annealing quantum computer from D-Wave. That’s a machine that’s on the cloud right now that you can access and use today. It raises all sorts of questions about access, where did these researchers come in from, D-Wave’s technically Canadian. So, it’s all this stuff, because your listeners might have heard of the quantum export bans going on. So, I can’t comment on that, I don’t know how they got access to it, but basically this machine exists and can be used.

So, annealing is different. It’s not error corrected. It’s not even designed to give you the correct answer. A gate-based quantum computer, the ones that we thought would be cracking encryption, they’re designed to take a problem through a series of quantum gates and give you a definitive this or that, you know, whatever your problem is. Annealing is more like an optimization finder. It’s sort of like a global optimization peaks-and-valleys solver.

So, if I were to ask you to imagine, I love this example, driving around the United States and finding the highest and lowest points, that would take you forever; whereas an annealer can literally do something called “tunneling”; it can move through all of those peaks and valleys and find the lowest one, let’s say. That kind of optimization machine is what they used in this problem. So, that’s a little scary because it’s a new approach.

Kornik: Right, and I was reading some of the media reports and the researchers, I guess, claim to have factored a 50-bit number. Can you explain the significance of that in the context of RSA encryption?

Karagiannis: Sure. So, a 50-bit number, first of all, is not terribly large, in fact we’ve tangoed in this area before and I’ll talk about that a little bit later, but basically, they picked a number, let’s say 2289753, and they wanted to try and get its factors. A 50-bit number, you can think of it as 50 bits, you know, a bit is a zero or one, right? So, if you were to string 50 of them in a row, each of those bits has two options, a zero or a one. Because of that, the math gets very interesting. It becomes 2ⁿ, so it would be 2 to the 50th power. Those are all the possible combinations of ones and zeros.

That’s a pretty big number, right? But if you’re going to try and crack something like RSA, you’re talking about a 2048-bit key. That is way bigger. You’re thinking more along the lines of 2 to the 2048th power. These numbers get insanely large. The universe only has 2 to the 80th power particles in it. So, these are just numbers that you can’t even fathom. So, it’s not like 2 to the 50 is anywhere near or even touching 2048; exponential math is not really something humans are comfortable thinking about. Like you could represent that number I cited before, that seven digits, right? If you were to represent a 2048-bit number, you would use 617 digits. So, take that number they factored, add 610 more digits to it, and that’s just one. That’s crazy. That’s not even scratching the surface.

So, as a result, we’re nowhere near anything that could be called military-grade encryption or a real risk today. That’s kind of like for starters.

Kornik: Okay. Well, that certainly makes me feel better and I’m guessing most of the people watching also feel better. What are some of the practical challenges in scaling quantum annealing to a level where it could truly threaten our encryption standards?

Karagiannis: We’re having a hard time scaling regular gate-based machines, right? That’s why we don’t have these fault-tolerant systems yet. When it comes to annealing, the question is, does this paper show any kind of linear path that scaling even becomes an issue? In the paper, they push for a hybrid quantum classical approach. What that means is they’re using the optimization of the annealer to sort of bundle numbers in a way that you can optimally then apply classical approaches too.

So, you could think of it as, like, a search for the keys. You are kind of bundling likely places to look for the keys, and then you’re going to use classical hardware to look for the keys. That’s really hopelessly simplifying it. I just want to make sure that it doesn’t fly right over our listeners’ heads. So, that’s what’s happening. It’s kind of like a machine learning. They almost call it like an approach to machine learning, which it’s really not but they’re calling it that. This is like optimization.

So, because of that layout, they’re hoping that this will scale. That’s fair to hope that, but when you look at the classical systems that are involved, I’m not convinced that you can go much farther. Like even if you can optimize for a larger key search, I don’t think the hardware you then have to rely on to do the actual searching would be able to keep up. I think we’re going to hit the scale limit fast.

This isn’t the first time we’ve seen this kind of limitation. People might remember in December 2022, there was a paper that kind of created a stir, once again from China. It was called “Factoring integers with sublinear resources on a superconducting quantum processor.” It’s a big, crazy title, but basically in it, everyone might remember that they claimed to factor a 48-bit number with 10 of those gate-type qubits we talked about that we were building. Using extrapolation, they said you’d only need 372 to crack RSA. That’s terrifying because we thought we would need many, many thousands of error-corrected qubits to factor RSA. So, that was sort of a “sky is falling” situation.

Google researchers did a little bit of validation. Remember I said we don’t have access to the paper translated here so no one’s been able to reproduce the results, but Google researchers were able to work on the problem and prove that it would stop around 70-bits. So, the sky didn’t fall then, and right now, it might not be falling here either, because I have a feeling that if you try to scale this up, you’re going to have those classical system constrains that will kick in and sort of like protect it from getting too much farther.

That said, it’s interesting, and whenever we have new approaches like this, it makes me worry that some little kernel of them will show us a path forward. Some optimization process—there’ve been other papers too, I’m not going to go down rabbit holes—but everyone’s probably going to find something that fails but it still makes us go, “Okay, we might have something to worry about in the future where we can learn from this. So, there’s always that.

Kornik: Well, great. Thank you so much for shedding some light on that and making us feel perhaps a little bit better, or perhaps a little bit more on alert or high-alert as we probably all should be anyway.

We are sitting here in the middle of cybersecurity month, and VISION by Protiviti is focused on the future of privacy. So, I’m just curious, if we could take sort of a 30,000-foot view and talk a little bit about how organizations should be preparing for the potential impact of quantum computing on their cybersecurity infrastructure, on their data security framework, even if it’s maybe not the most immediate threat but we know it’s coming eventually.

Karagiannis: Sure. One big thing to point out is this approach that was published in the Chinese paper can’t touch the new NIST post-quantum cryptographic standards that were released on August 13th, 2024. The lattice-based approach in there is safe from this type of attack and safe from Shor’s algorithm, which is the quantum attack we were all worrying about.

So, really the best thing you could be doing right now is starting the migration plans for PQC. It’s time to start taking inventory, start looking at what cryptography you have in place, start looking at which critical assets you might want to protect first. Because migrating to new cryptography takes time and it’s tricky. So, that’s the journey you have to begin on. This paper will not, as I said, threaten PQC, so why not start looking towards PQC because that is going to be a path that everyone has to take.

It’s also important to note that eventually, NIST is going to start recommending the deprecation of some classical cyphers. So, whether you believe that quantum computers are 10 years or 10 million years away that can crack encryption, it doesn’t matter. Eventually, you’re going to start failing audits and things like that if you don’t have the latest cyphers in place. So, it is really time to start examining your environment and making a move to PQC.

Kornik: Well, Konstantinos, thank you so much for giving us that insight. We’re certainly glad that we’ve got you to sort it all out for us and to help us make sense of it. Even if I didn’t understand everything you said, I understood a great deal of it, so I am further along than I was before we started talking. So, thank you for that.

Karagiannis: Yes, and if I manage to recreate the paper, I’ll be sure to come on and tell you what happened.

Kornik: Yes, please do.

Karagiannis: Okay.

Kornik: Thanks, Konstantinos, I appreciate it, and thank you for watching the VISION by Protiviti interview. On behalf of Konstantinos Karagiannis, I’m Joe Kornik. We’ll see you next time.

Former Apple, Google CPOs talk tech, data, AI and privacy’s evolution

Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and we’re thrilled to welcome in a pair of privacy luminaries for a panel discussion led by Protiviti’s Tom Moore. Both of today’s guests have previously held high-profile roles as chief privacy officers of two of the largest tech firms in the world and are now with global law firm Gibson Dunn. Jane Horvath is Co-Chair of the firm’s Privacy, Cybersecurity, and Data Innovation Practice Group. Previously, Jane was CPO at Apple, Global Privacy Council at Google, and the DOJ’s first Chief Privacy Counsel and Civil Liberties Officer. Joining Jane today will be Keith Enright, also a partner in Gibson Dunn, where he serves as Co-Chair of both the firm’s Tech and Innovation Industry Group and the Artificial Intelligence Practice Group. Previously, Keith was Vice President and CPO at Google. Leading today’s discussion will be my Protiviti colleague, Senior Managing Director, Tom Moore. Tom, I’ll turn it over to you to begin.

Tom Moore: Great. Thank you, Joe. I’m honored today to be with Keith and Jane. You guys are awesome leaders in the privacy space, and I think we’re going to have a great conversation.

Keith Enright: Yes, it’s such a pleasure. Thanks for having me.

Jane Horvath: Hi. Tom, thank you so much for inviting me. I’m excited to talk about privacy today.

Moore: You both were chief privacy officers of two of the largest companies in the world and at the forefront of many of the issues facing privacy and data protection today. Let’s reflect on that time for just a little bit. Jane, let’s start with you. What are some of the biggest challenges you faced, or one or two highlights from that period?

Horvath: Probably the biggest challenge that I faced, actually, there were probably two challenges. The first was 9/11 government surveillance. A lot of the audience may remember the San Bernardino case in which the federal government, the FBI, asked us to build a backdoor into the operating system. They were doing it with good intentions, there’d been a horrific terrorist attack, but that really raised a lot of the issues that we grapple with every day: where is the balance between security, meaning encryption, and privacy. Then the other I would say is, as my time went, privacy became more and more regulated. Of course, we saw GDPR, and we’re seeing more and more states enact privacy laws, many of which actually are not compatible. We have Asia, we have China that enacted a privacy law that is really ostensibly a data localization law. So I would say it got more challenging from a regulatory standpoint.

Moore: Keith, what about you?

Enright: I have very similar themes, I would say. I would break it down to, say, complexity, velocity, and scale, capture the challenges. Complexity in terms of the diversity of the product portfolio, the incredible rate of technological innovation and change, trying to make sure that you are staying sufficiently technically sophisticated enough so that you could give both good legal advice and counsel, but you could also help keep the business moving forward and not serve as an unhelpful headwind to progress and innovation. Velocity and scale, at Google, we were launching tens of thousands of products every single year. They were being used by billions of people all over the world to stay connected and stay productive. So taking all of the complexity of the environment, all of the additional legal and regulatory requirements as Jane points out, as the environment got far, far, far more complicated, mapping all of that to clear actionable advice to allow hundreds of product teams across the global organization to continue innovating and bringing great products into production was a pretty incredible existing challenge.

In terms of highlights, and I’ll point to one serendipitously because of my good friend and partner, Jane here, probably the single greatest highlight of my Google career was during the pandemic, we had this incredible moment where our respective leaders set aside the commercial interests of the organization, and gave Jane and I really significant runway to collaborate on privacy protective exposure notification technology, which involved working closely with engineers and innovators, and then also involved the global roadshow of engaging with not only the data protection regulators we knew very well, but public health authorities and others who needed to be brought along and sort of educated on the notion that we really could use privacy as a feature in deploying this incredibly important technology around the world, in a way that was indisputably going to save lives.

Moore: What a great example of not only intra-firm cooperation and collaboration but inter-firm as well. Keith, you hit upon an important topic, your business leaders and how you engaged with them. Is there one or two things you wish every business leader knew before you went to talk to them, so you had common grounding?

Enright: I suppose what I would love for leaders at every organization to bring into the conversation with their privacy and data protection leadership, it would be a general understanding that privacy is not a compliance problem to be solved. It is a set of risks and opportunities that exist between technical innovation, business priorities, individual rights and freedoms of users, user expectations, which are going to be different in different places around the world for different age groups, for different individuals. The incredible complexity of the problem and opportunity around privacy requires business leaders to understand—this is about weighing equities. It’s about delivering utility in a responsible way. It’s about innovating in a way that’s going to keep your organization on the right side of history.

I do think privacy leaders have a significant challenge when they’re engaging with the C-suite or the boardroom to somehow remind their leadership: you can’t get compliance fatigue from privacy and data protection. Because the environment is going to keep getting more complicated, you sort of need to engage with this as an opportunity to future-proof your product strategy, and be vigilant and diligent about thinking about how do we make responsible investments to make sure that we’re doing this appropriately, and never think of it as a solved problem.

Moore: Very interesting. It’s profound as well. Jane, I can’t think of too many companies that have the reputation for supporting privacy from a consumer standpoint than Apple. Take us into the into the boardroom or take us into the C-suite at Apple. What were some of those conversations you had? What were the type of questions you received from the board or the C-suite?

Horvath: Sure. So like Keith, I was very lucky. When I started at Apple, it was very apparent that there was a deep respect for privacy. My main partner was the head of privacy engineering, and we didn’t do anything without each other every meeting, every conversation, and I think the most important thing that over the 11 years I was there was, like, people think privacy, “I don’t care about privacy.” Not Apple, but people are saying, “Oh, I don’t care about privacy. They can have all my data,” but there are really innovative ways that you can build privacy in, that doesn’t mean you’re not collecting their data. So we distilled privacy when we were counseling and doing product counseling down to four main principles at Apple. The first was data minimization. That’s sort of overarching, because anybody who works with engineers, like telling them they have to comply with GDPR, their eyes roll in the back. So for us, it was great to distill it down. So data minimization, on-device processing, but it was even more. This is that innovative step, where you can innovate, and it is really a subset of data minimization. So people think, “Oh, minimizing data means I can’t collect data.” It actually means you can’t collect identifiable data. So have you considered sampling data? Have you considered creating a random identifier to collect data? So these were some of the things that every day when we were counseling.

The third principle, choice. Consumers should know what’s happening with their data. Do they know? So it’s transparency and do they have choices about it. So many of you who use iPhones get to make choices every day about data collection.

Then finally, security. You really can’t build a product to be protective of privacy without considering security.

So that was sort of the secret sauce that Apple was distilling this thing called “privacy” down to these four principles, and we briefed the board on the principles. We didn’t have to, but my boss at the time, felt like it was important to talk to the board about the things that we wanted to do with privacy, and they thought it was a great idea, and Tim was hugely passionate about the issue. So from the executive suite, it flowed down through the company. So my job was relatively easy because I didn’t have to make the sales pitch.

Moore: The principles approach is a good one. I think what you lined out there was relevant then and it’s relevant now. Those are sustainable principles that are very much top of mind for chief privacy officers, their bosses and the C-Suite, as well as the board. You’re not privacy officers anymore other than in terms of providing advice to that cohort, but tell us a little bit about what should CPOs be thinking about today and into 2025, so kind of a short-term, where should they be triaging issues, what should be top of mind?

Horvath: I think that the buzzword out there is AI, and I think CPOs are very, very well set to handle the issue of AI. They’ve set up compliance programs; as we’re looking at AI, AI is just very much software, and as we’re looking at the first regulatory framework in the EU, it’s all about harms. So it’s balancing risk, balancing harms.

I think the bigger challenge is, of course, this software needs lots of data, but again, you can pull from your innovative quill and decide that yes, it needs data, but does it need data that’s linked to an individual person, are there things that you can do with the data set? So I think CPOs can be very, very helpful and valued members of the team as companies are considering how to use their existing data.

Of course, as we talked about earlier, privacy’s become much more regulated and that data was collected pursuant to a certain number of agreements, a privacy policy. So the CPO is going to have to be deeply involved in determining, if you’re going to use the data for a different purpose, how do you do it? So I think the CPO shouldn’t panic. The CPO can never and has never been able to be the “no” person, but the CPO can be a really innovative member going forward, in my opinion.

Enright: I agree with everything that Jane said. I think it’s a very interesting moment, not only for CPOs, for chief privacy officers, but for privacy professionals more generally. I think by most estimations, if you look at, say, the last 15, 20 years, the privacy profession has enjoyed an incredible tailwind. Many folks, us on this call, have enjoyed just a tremendous professional benefit from the growth of the profession, the explosion of new legal requirements, which Jane had kind of pointed to; the fact that organizations woke up to some of these risks; in part, the passage of the GDPR in 2018 and the notion of 4% of global annual turnover civil penalties for noncompliance, made it to an extent greater than had ever been the case in the past, a board-level conversation, where you had boards of directors and C-suites of large multinational concerns, suddenly sensing that they had some clear accountability to ensure that management was contemplating and mitigating these risks appropriately, and that there was a privacy and data protection component to core business strategy.

Something very interesting has happened, say, over the last five years, where privacy and data protection continue to flourish. You also had a number of other areas of legal and compliance risk scaling up very quickly and very dramatically. You have content regulation online for large platforms and others. You have the challenge of protecting children and families online, sort of rising to the fore with increased regulatory intention. Also, as Jane said correctly, I think artificial intelligence has just exploded over the last couple of years. Now, those of us who are sort of specialists in the field have been working with artificial intelligence for over a decade, but the explosion of LLMs and generative AI has really, of course, created an unprecedented level of investment and attention in that area—that’s having a bunch of interesting effects. You have C-suite and board level attention is now being, in some ways, diverted to how do you understand how AI affects your business strategy, how do you anticipate potential disruption, how are you looking at whether some of these innovations are going to allow your business strategy to allow you to take share from your competitors, all of that has senior leadership looking across organizations to try to find leadership resources and technical talent to focus on the AI question and the AI problem and the AI opportunity.

One domain which seems immediately adjacent and particularly delicious for that kind of recruitment is privacy and data protection, as many of the features that the AI space has—you have a tremendous amount of technological innovation over a relatively short period of time, you have an explosion of regulation, inconsistencies, domestically and internationally, and you have not just in-house—you also have the regulatory community is going through an analogous struggle. They’re trying to find their way in a new AI-dominant world, all of which has caused privacy professionals to be really considering, do they pivot? Do you shift from being a privacy and data protection specialist to being an AI governance specialist? Do you evolve and expand? Do you decide to sort of rebrand yourself and stretch your portfolio into more things? Do you actively solicit senior executive requests that you take on accountability for some of these adjacent domains, or do you resist them, recognizing that privacy and data protection remain an extraordinarily challenging remit, and the CPO or some other senior leader may have some apprehension about overextending themselves, agreeing to be held accountable for something far beyond what was already an extraordinarily challenging remit.

So I think it’s a really interesting moment for privacy leaders. I have some strong views on this which we may talk about, but like the TLDR on it is, I think you need to embrace that change. I think trying to hold on to the past and preserve your privacy brand exclusively is not going to prove to be the most prescient or professionally advantageous strategy, given just the velocity and shape of the change that’s coming to us.

Moore: So Keith, I think we, the three of us, can stipulate that that is the right approach for privacy leaders, but can you go into a little bit more detail about how. What should a privacy leader be doing maybe in the next three years or so to prepare themselves and educate themselves to meet these challenges of technology, innovation, regulation, all the things colliding together that you just described?

Enright: So a candid response to that question requires a very clear understanding of the culture of your organization and what your business strategy is. If you’re working for a Google or an Apple, there’s a certain set of plays in your playbook that you need to run to ensure that you are appropriately educating your senior leadership and bringing them along, and making sure that you are understanding the risk landscape, staying appropriately sophisticated on the way things are impacted or changed by AI. Again, in large organizations like that, you have the benefit of these vast reservoirs of resources that you can draw upon to make sure that you are not only staying technically proficient, but that you’re serving as connective tissue across all of these different complementary teams and functions so you’re preparing your organization to not only endure, but to thrive through that wave of change that’s coming.

But not everybody’s going to be at an organization like Google or Apple. I think for privacy leaders, almost anywhere else, you are going to need to understand what is the risk appetite of your leadership, what are the consequences of the changes on the horizon for your core business strategy. What kind of resources are available to you in terms of do you have a privacy program that is very high-level of maturity and some of those resources can be extended or redeployed to think about things like AI governance? Or do you have an underfunded anemic privacy program that is already carrying an unsustainable level of risk, and you found yourself in a “Hunger Game” situation trying to fight just to keep the thing operating at a level that you feel comfortable being held accountable for? All of those variables are going to be essential things for privacy and data protection leaders to sort of really press against.

I think, again, this is going to be an interesting moment over the course for the next few years, as I believe there is a wave of investigations and enforcement coming across the next two to three years. First, in the core privacy and data protection space, the General Data Protection Regulation, many other laws and regulations around the world, they haven’t gone away. Just because industry is increasingly interested in, confused by and distracted by what artificial intelligence means, that doesn’t prevent data protection authorities and data protection regulators from launching investigations and from initiating enforcement for your, call them “legacy obligations” under regimes like the General Data Protection Regulation.

I think we’ve actually seen a relatively limited wave of enforcement for the last couple of years, because regulators’ capacity has been largely absorbed with trying to digest and understand the way that the ecosystem is changing as well, but I think that’s going to settle in over the next few years and I think we are going to see privacy regulators enforcing in the context of privacy, privacy regulators enforcing in the context of AI, AI regulators enforcing in the context of AI—all of this is going to create an interesting political dynamic, I think, in jurisdictions around the world, which is going to dramatically amplify the need for organizations to be making substantial investments and preparing themselves for a changing and increasing risk environment.

Horvath: Just to give an example, right now, the Irish DPC, their Meta and X are no longer training their AI on European data. So, how many other investigations are ongoing at the DPC that are basically holding up the AI products? So here is another area where the CPO is going to have to be a bridge to the company. Because as Keith said, I think a lot of businesses think, “Okay. This privacy thing’s over. We went through the privacy thing. Now, we’re going to concentrate on the AI thing,” but the privacy regulators, particularly in Europe where the fines are pretty stringent, they’re not going away. They are a single-issue regulator, and I think it will be more challenging for CPOs because their budgets are going to get slashed, and where you’re operating in a company whose margins are tight or who doesn’t generally—they’re going to be hiring these AI people also. So there’s going to be less of a pot of money to go around and more work.

So I agree completely with Keith, we’re going to see a lot of activity. We are already kind of seeing it from the FTC. They are issuing very, very broad CIDs, the OpenAI CID that was leaked to the press, it was just like an expedition of everything about their company. So I think that’s going to be another area when you have a regulator knocking that it’s going to be really critically important to get a hold of it, don’t panic, see where you can narrow it down and address the regulator head-on.

Moore: Jane, I wholeheartedly agree with you. I think that that regulation coming not only from Europe but in the U.S. with the three letter agencies, but also the states, is a focus right now, but let’s look at the future. Does the U.S. have a federal privacy law, data protection law, in the next three to five years?

Horvath: I’m going to be bullish and say, “yes,” at a certain point, because I think we get very close to having one, but I think AI—probably AI, children—all of these different areas are going to push it across the finish line at a certain point, but I don’t know. Keith, what do you think?

Enright: So I share your optimism, actually. Memories are short, but not too terribly long ago, we really did have growing optimism that we were going to see omnibus federal privacy legislation. There are a lot of interesting things happening. For most of my career, the position of industry, generally, was that they would never support a bill that didn’t have extremely strong federal preemption and did not have a private right of action. And you started seeing multiple large industry players beginning to soften, even on some of those core positions, just before the pandemic really, which I found incredibly interesting—like the political will and, I think, the growing awareness that we require some kind of consistent federal standard to allow some level of compliance with increasingly varied requirements manifesting in these state laws that are coming into effect. It seems to be generating momentum. Now again, as this always happened before, it all fell apart and we were set back again, but it did, it suggests to me the impossibility of a federal law is probably overstated. I think there is a road there, and there will inevitably be compromises, surprises, and idiosyncrasies and whatever that ultimate law that makes its way over the line looks like, but I do think we’ll see something. I think in single digit years ahead of us, we will have a federal law in the U.S.

Moore: Let’s pivot to your current responsibilities, Jane. Tell me about the differences between leading a large company like Apple’s privacy team versus providing legal advice services to multiple clients.

Horvath: I’m really enjoying it, actually. I’ve been a serial in-house person, did my stint in government. I worked at Google and actually was on the interview panel that hired Keith, what a great panel that was, and then Apple, and I’m really having fun working with a lot of different clients. I also still have a global practice. I ran a global team in Apple. I love the global issues. I’ve got a few clients in the Middle East, working on different AI projects, doing things from policy to compliance to HR. It just keeps me going and it’s exciting. I think the most fun is working with a client and understanding their business, but also having the client say, “Oh, you understand what I’m going through. You understand that I can’t just go tell the business “x,” because I’ve been in-house, and I know where they are. So it’s an exciting time. There’s just so many different developments going on, not just in AI: cybersecurity, data localization, content regulation. There are just huge amounts of interesting issues.

Moore: So top of mind for those clients, you get a call, what’s the—I think you just probably mentioned it, but what are the top two or three things those clients are talking to you about right now?

Horvath: Incident response is a big one. The biggest question we’re having right now is, we want to use AI internally, what are the risks? How do we grapple with rolling out AI tools? What are the benchmarks? What are the guardrails we need to put in place? What are the policies we need to put in place? How do we do it while minimizing liability? Because AI hallucinates and has other issues, and how do you grapple with those issues? So that’s probably my biggest issue right now.

Moore: Great. Keith, I presume you have lots of opportunities after your Google career, why professional practice?

Enright: It’s probably useful to just describe sort of the things that are in common. One of the things that always made me feel so blessed to join Google when I did almost 14 years ago, was the privilege of working with the best and brightest people. We got to work on this incredible portfolio of products that were being used by billions of people all over the world, really with a sincere commitment of making people’s lives better. The original motto of organizing the world’s information and making it universally accessible and useful, that resonated deeply with me. It was very easy to be passionate about the work and excited about the work. You do anything for 13 1/2 years, and you get comfortable to some extent, even something as challenging is leading privacy for Google. When Jane actually reached out to me to tell me a little bit about the opportunity taking shape here at Gibson, and not just in support of one company’s vision or one company’s product portfolio, but to be able to support thousands of leaders and thousands of innovators across tens of thousands of products all over the world, that’s exactly the kind of thing that is going to help me to stay challenged and do my best work and keep growing and evolving.

Moore: I’m excited for both of you. Obviously, your compatibility reads through loud and clear. Thank you very much, Jane. Thank you very much, Keith. I really appreciate you’re here in today. Joe, back to you. Thank you.

Kornik: Thanks, Tom, and thanks, Jane and Keith, for that fascinating discussion. I appreciate your insights. Thank you for watching the VISION by Protiviti interview. On behalf of Tom, Jane, and Keith, I’m Joe Kornik. We’ll see you next time.

Future of Privacy Forum CEO Jules Polonetsky on “exciting but risky” road ahead

Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and I’m excited to welcome Jules Polonetsky to the program. For 15 years, Jules has been CEO of the Future of Privacy Forum, a global non-profit that serves as a catalyst for privacy leadership, where Jules has helped advance principled data practices, assisted in the drafting of data protection legislation, and presented expert testimony with legislatures around the world. He is an adjunct faculty member for the AI Law and Policy Seminar at the College of William & Mary Law School. Jules will be speaking with my Protiviti colleague, Senior Managing Director Tom Moore. Tom, I’ll turn it over to you to begin.

Tom Moore: Great. Thank you, Joe. I couldn’t think of anybody better to talk about the future of privacy than Jules Polonetsky. Jules, I’m so happy you’re joining us today. Thank you.

Jules Polonetsky: Delighted.

Moore: If you don’t mind, tell us a little bit more about the Future of Privacy Forum, its history, what you’re working on today?

Polonetsky: We’ve been around for about 15 years, and our members are very generally the chief privacy officers at 200 plus organizations. The people who are really trying to grapple with the fact that the organizations they lead are driving the AI agenda, whether it’s big tech companies or startups, or banking, or car companies, right? Everybody is challenged by the fact that the pace of how data is being used is accelerating and the norms of what’s right, what’s legal, what’s creepy, what’s innovative and exciting to users is rapidly developing, and it’s developing everywhere in the world. So we work with those folks to create best practices, standards, try to support reasonable legal rules and structures around it.

We do that as well with the leading policymakers because it turns out they’re busy. They’ve got a big agenda. They’re trying to deal with wars around the world, the economy, all the challenges that legislators and government leaders grapple with, and they want and need support. They want to know which country is doing it right. What can we learn? Where are their mistakes? How does this technology work? So we try to work as the pragmatic voice, optimistic about tech and data, but quite aware that things can and will go wrong if you don’t have clear guidelines, clear landmarks for how organizations can be responsible as they roll out new data-powered products.

Moore: Excellent, and congratulations on 15 years of existence for the Future of Privacy Forum. Let’s talk about it. You obviously have your pulse on the world of privacy, and what do you think are some of the biggest issues over the next five years? If you’re a business leader, you’re a leader of an enterprise, you’re a regulator, what should you be thinking about? What should you be focused on to get prepared for the next five years?

Polonetsky: You know, the easy answer is to immediately talk about AI, but before we go to AI I think it makes sense for us to pause sort of a second and recognize that it’s only the last few years where you’ve been able to assume that almost everybody, in any at least decent, advantaged, progressing economy, has a mobile phone, probably has a smartphone, probably has apps, probably is connected to people via some sort of social media or WhatsApp group or the like. The world has started hurling, part of it—it’s a COVID world, where suddenly we all got comfortable doing things over video conference. We became a small world where people are connected, which means that the good and the bad things that happen around the world immediately reverberate. It means the bad actors can do their work from every part of the world and can develop sophisticated, complicated organizations and have sort of teams and levels of different delegated services that they can use as they deal with organizations.

So we’ve moved to this super connected, super immediate, sort of 24/7 world where users can create a giant alarm, sometimes correctly, sometimes incorrectly, when they think that your organization is doing the wrong thing, and it immediately is driven into the media because the media seem to spend a good chunk of their day following what happens on social media.

Those stages are only going to accelerate, but we’re also seeing the backlash, right? People who are just feeling burnt out because they were locked up at home during COVID, and they didn’t get to go out, and now they’re still gaming all day and all night, and they’re still connected. All the business tools are pinging them, not just on email, but on Slack, on Teams, and all these tools. Being ready and thoughtful and structured enough to navigate this incredibly frothy, turbulent world—and then let’s talk about AI, where suddenly the investments are moving so quickly that the policy concerns are being left temporarily by the wayside, right? Who would have imagined that we’re rolling out products and we say, “Well, actually, they don’t work a lot of the time, but when they do, they do these incredible really cool things except it can’t be fully reliable but we’re relying on it for incredibly important processes like interacting with our customers.”

So, for a long time, the problems of our current generated AI tools were well-aware and you had leading companies saying, “Not yet. We don’t know the answers yet to how we’re going to put out stuff that isn’t reliable but can do super cool things, but actually also might be discriminatory, right?” For better or worse, the dam burst and everyone, from the most conservative organization to the wildest startup, is rolling out stuff that comes with lots of risks.

So that’s the world we live in. Chief privacy officers and legal and compliance folks suddenly need to go from a careful measured world where they do assessments, and they consult, and they discuss, and they give advice and the business accepts the advice, to a place where people are rolling things out that are purchased from vendors who’ve purchased from vendors and putting it out in the market. So we are in an exciting, risky—exciting because really cool things are happening, but I don’t know that we’ve ever seen as much risk or drama and guess what? The media are super interested because it’s about AI. So it can be the silliest flap and suddenly it’s front page news.

Moore: You mentioned chief privacy officers, heads of legal, heads of compliance. They’re at the forefront of all this. The roles continue to evolve with AI and other technologies. Tell me about what you see as the primary role of the head of privacy within a large organization.

Polonetsky: You know, I see two trends. This is really a role that’s in flux. There is one trend, maybe it’s a negative trend or maybe it’s just the way of the world as laws and policies become established. When I first became a chief privacy officer many, many years ago, it was a novel title and it wasn’t the highly-regulated companies that had the most senior executives in these roles. The banks had regulation and structures and lines of defense and dealt with it for years. HIPAA, the health privacy and portability law was in place and organizations had structures around that. It was the startups, the internet companies, it was the ad tech companies who didn’t have detailed legislation, at least not in the U.S., but who were running into all of these explosions of concern, or the data companies who were suddenly able to do so much more than just send you targeted mail, who needed senior executives navigating the nuances of, “What do the consumers really want and what is civil society saying? They’re making a fuss about this. And what about regulators who want to support the internet and want to support these new business models, and who are very excited to come up with new laws and rules? And what about our customers who need to understand what we’re doing with their data in ways that we’ve never used their data before?”

Here now, we’re in a world that’s become far more regulated. We’ve got all these state laws in the U.S. now. We’ve got AI laws. We have privacy laws. We have global data protection regulation not just in Europe, which has been a leader and has been mature, but almost every other jurisdiction. We’ve got a team in Africa. The countries across Africa are rolling out data protection regulation. South America, the big economies, India, right? The most giant economies, China, all have new data protection regulation and, now, new AI regulation. So for some companies they’ve said, “We don’t need the drama. We know how to do compliance. We worry about all kinds of compliance issues.” Some companies are rolling these roles into compliance and perhaps eliminating this sort of executive type role. Other companies are going in exactly the other direction. They’re looking at the challenges of AI, which are not only about privacy, but start with, in many cases, personal information that’s collected and used and already regulated by data protection law. Even automated decisioning is already regulated by data protection law. So, some companies are recognizing that here’s this incredibly strategic area, who is going to help us shape what are very nuanced decisions about not only how to deal with complying with laws— “Hey, we’re now going to use video and improve it and your face is involved, and our customer’s data is involved, and we’re going to read their confidential information to create better tools that serve them. But, boy, they better trust us and trust the output.”

We see multiple layers of regulation, for instance, in Europe, where not only do we have privacy law, not only do we have AI law, but we have new kinds of competition laws. New laws that force you to provide data to your competitors. New laws that force you to provide data for researchers. So, we see a number of other companies saying, “Digital governance has become really complicated and we need somebody or some team managing the envelope of restrictions that exist around how we use data.”

So we're at an inflection point, and we’ll either, over time, see some of this absorbed into the legal and compliance structure of the organization, but I think we’re seeing a whole new breed of folks who are stepping up from data protection to a broader scope, whether it’s AI, whether it’s perhaps digital governance, perhaps it might be ethics. That’s where it’s going.

Moore: Excellent. So speaking of that broader scope, talk to the privacy community, the privacy leader, chief privacy officer, or other title. What do they need to do to prepare themselves for this environment to grow into those broader responsibilities?

Polonetsky: I love telling some of my colleagues and friends in data protection, they spend too much time on data protection. By that, I mean there is so much. I mean you can’t stop. There’s a new law. There’s a new regulation and California keeps rolling out new changes. The Europeans keep interpreting and reinterpreting. So you can really spend all your time keeping up with the incredible rush of details. But the reality is, guys, people, gentlemen, ladies, all of you, you know how to do that. There might be a nuance, there might be an item to deal with, you know how to read legislation. You know how to do compliance. What’s changing super-fast are the way your business, the way your sector is using data. Things that were norms are now changing. Things that the platforms are doing for their business that affects your business are changing. Spend more time, please, legal, compliance, ethics, privacy people, being gurus of how data is being used because that’s going to help you ask the smart question. You ask your legal assessment question, you’re going to get your legal assessment answer. Understanding how your partner and what their business goals are and how they’re really planning to use data give you the opportunity to ask much more probing questions that answer what you need to know.

Moore: Earlier, Jules, you mentioned Europeans, the GDPR. They’ve obviously invested quite a bit in legislating, regulating, enforcing the data protection for European citizens. Are they striking the right balance? Related question, what lessons can the U.S. learn should we ever get to national privacy law in the U.S.?

Polonetsky: GDPR, I think, is a very thoughtful document. The European legal process is a challenging process. It’s not one country. It’s a union. My hope is that we will move in the U.S. to regulate quickly around AI and data protection. Even if it’s not perfect, I think businesses need the certainty. They need a level playing field, and then they’ll compete. If anything ended up being too restricted, then we can go back and debate it. Right now, I think we’re suffering from a gap, tools being rolled out, and the law is sort of catching up in a way that may end up being quite challenging.

Moore: So let me put you on the spot, turn that hope into a prediction. By 2030, do we have a U.S. national privacy law or do we still have the state patchwork, federal agencies regulating, state agencies regulating?

Polonetsky: By 2030, I think the answer is easily yes. By next year, the answer is, “That’s going to be hard to say.” You know, it took the Europeans seven years to build out GDPR. Again, mostly, 70-80% of GDPR was already in the UK’s data protection law and German data protection law. They didn’t start with a blank slate. We’re talking about regulating a huge chunk of the U.S. economy. That’s complicated. It ought to be taking a while. I think Congress is in this period where they’re struggling through understanding the complexity of what it takes. So, you know what? Although I’d like them to do it now so that the states don’t all go do disparate things, it’s going to take them some time. They should take the time, but they need to do a bit better a job really getting thoughtful and smart, and there are hard issues that need to be debated by critics, and business, and researchers and so forth.

Moore: So Jules, on a couple occasions today, you’ve expressed optimism or hope. Let’s go the other route for just a second. What if we don’t get this right? What if national law, thoughtful and smart, doesn’t come into play by 2030? What could be the consequences of not getting this right?

Polonetsky: I don’t think we have a choice to not get this right. I think the not getting this right, perhaps, is doing it very piecemeal, doing it in ways—My home state of Maryland has done a very strict state privacy law that doesn’t have any greater flexibility for research. Could they have really intended to make it very, very complicated and hard, the home of the National Institutes of Health and leading universities and so forth? Could they have intended to do that? So, I think we could have inadvertent, complicated mistakes, complications of multi-state compliance that cost money and cost time and probably don’t add any value.

So I think we move slowly and haphazardly if the world is state laws, the world is regulation by crisis and pushback. We end up not being trusted to use the most robust forms of data that we actually do need. We need data about sensitive populations to identify where discrimination can be taking place, where are people not getting access to health facilities. So if state laws make me worry about collecting any sensitive data, which many of them do with minimization or opt-in requirements, then it’s too risky. I don’t collect that location data, and that’s fine. We’ll protect some people who won’t get targeted by ads or who won’t have sensitive locations being exposed, but we then won’t have the data that the CDC needs to understand how a pandemic spreads. We won’t have information needed to know how students travel to school and traffic information. So we’ll end up in a world where we progress, but with drama, with regulation by Twitter and media headline and class action litigation.

We need the certainty of a level playing field, as imperfect as laws will always be, so that we can actually move forward rapidly, particularly around AI where there are huge debates. We need to decide, is it okay to suck up all the data from the public internet? Well, you know what? Maybe it’s public data, but maybe we didn’t actually intend this when we hammered out the IP rules and the copyright rules, and maybe we want to think about what the right balance is. If not, it’s the courts that are going to decide it. Let’s decide it with good, thoughtful public policy.

Moore: Jules, this has been fantastic. You shared an incredible amount of information, breadth of both concern but also optimism. I’m thrilled that you joined us today. Thank you for your time and hope to see you again soon.

Polonetsky: I am indeed optimistic despite, I think, all the drama. Exciting things are happening with data. We just need to get the guardrails that can help us drive quickly, safely.

Moore: Great, thank you. Back to you, Joe.

Kornik: Thanks, Tom. And thanks, Jules. And thank you for watching the VISION by Protiviti interview. On behalf of Tom and Jules, I’m Joe Kornik. We’ll see you next time.

Protecting data and minimizing threats with Microsoft’s Sarah Armstrong-Smith

Joe Kornik: Welcome to the VISION by Protiviti interview. I'm Joe Kornik Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-Suite and executive boardrooms worldwide. Today we're exploring the future of privacy, and we welcome in Sarah Armstrong Smith, Microsoft Chief Security Advisor for Europe, Middle East and Africa, Independent Board Advisor, and author of “Understanding the Cyber Attacker Mindset: Building a strategic security program to counteract threats.” Today, she'll be speaking with my Protiviti colleague Roland Carandang, Managing Director in the London Office and one of our global leaders for innovation, security, and privacy. Roland, I'll turn it over to you to begin.

Roland Carandang: Thanks so much Joe. Sarah, welcome. Congratulations on the publication of your latest book and thank you so much for being with us today.

Sarah Smith: That's great to be here. Thank you.

Carandang: I'm going to dive in with a very big question just to start things off. What do you see as the biggest threats to data privacy right now and what are some things that executives and boards should be focused on?

Smith: Yes. Well, I think I'm going to go for the easy option to start with being a Chief Security Adviser at Microsoft, it has to be just the scope and scale of cyber-attacks. Now they're at a range that we have never seen before just in terms of the ferocity of those different types of threat actors. What are they doing? What are they after in particular? Then when we talk about cyber attacks, we then got to think about what are those threat actors after. In essence they're looking to, how do I monetize my return on investment? Some of those are financially motivated actors, some of those might be espionage, nation state actors, they're activists, but ultimately, it's all about data and that's something we've really got to be cognizant about. So whenever we've had a cyber-attack, we then have to think about the data breaches and what does that mean for the impact to those individuals that may be impacted by that cyber attack as well.

Then we have questions that no doubt have to be answered, maybe that’s through regulators, our own business, our customers, partners, with regards to what data, how much data, and what's the impact of that. If I took all of that combined, when we're talking about cyber attacks, data breaches, intellectual property theft, whichever way you want to look at it, ultimately it'll come down to one thing, which is effective data governance. I would really say, what data, where is it, what is the value of that data, and what are my expectations, not just from regulators but consumers and employees as well, about how I should be protecting that data no matter what is on the horizon?

Carandang: On VISION by Protiviti we often talk about AI, and I know that's something that's on your mind. Ultimately, what impact do you think AI will have on data privacy and data security. Is there anything that business leaders should be doing to prepare for that now?

Smith: Well, I think with any technology there are always pros and cons. So we start with the pro. Ultimately, when you think about the ability for AI, machine learning, to provide really deep insights across large data sets. I think one of the biggest challenges that a lot of companies have, reflecting on where we started is where's my data, how much data, how much data exposure do I have? Getting those real deep insights but also thinking about how I can use that data to drive innovation

It's no doubt we're thinking about AI and just the scale of innovation that we've seen over the last couple of years. We're seeing tremendous work with regards to breakthroughs in science, medicine, and technology. So there's absolutely no doubt that there are some huge positive impacts for a lot of companies.

Now, I go to the cons. So kind of the reverse of that. In particular when we think about Gen AI, so that's only been around in the last couple years. It's probably made famous by ChatGPT. There are multiple other AI models. Then we got to think about how that was actually trained and where did that data come from. Some of the data, let's say, might have been scraped off the Internet. It could have been taken from social media. There's a multiple ways in which this data has come from and it's been asking a lot of questions again about what data, where did that data come from, do I have any say in that data in terms of consent, legitimate interest and all of these type of things. Again, if I can reflect back to the first question with regards to the cyber attackers and how they are thinking about amplifying their cyber-attacks with some of these large language models. Again, I think from a nation state perspective, highly resourced, highly motivated threat actors.

Now a couple of months ago Microsoft actually issued some research in conjunction with Open AI, as we're talking about ChatGPT. What we identified, if we took some of the larger nation state actors, they're using these models to do reconnaissance so that they're learning about their targets and they're also using those large language models to refine their attack. So this is just a caveat that the AI itself is not doing anything bad. It's not a naughty AI. It's still tool in the threat actors kit bag. When we're talking about phishing, ransomware, malware, whatever the case may be, the AI is just another tool, if you think about it that way. I want to think about AI, and I know there's a lot of companies that are spinning up R&D centers, innovation, thinking about the art of the possible. Maybe they are building their own models or they're buying them, whatever the case. There are some really fundamental things as we're talking about privacy in particular, that's responsible and ethical AI. It's a really having deep appreciation for those security and privacy implications, the detriment of some of those large language models and how they're being utilized but also keep thinking about privacy-enhancing technology. So having encryption, how we're thinking about managing the data or the data when it's exfiltrated… none of those things change just because we have some new technologies, right? We can't lose sight of the fundamental, the foundation layers if you like, of security and privacy in particular.

Carandang: That's super interesting, Sarah. Microsoft clearly has a big role to play—it sounds like such an understatement—in AI but it also has just lots of customers as well and customer data. Since you mentioned it, can you just tell us a bit more about your role at Microsoft and how a company—you mentioned large data sets, and how a company like that deals with protecting its customer data. How do you spend your days and perhaps some of your nights as well?

Smith: Can I say, it's never a dull day, let's say, being at a big tech company. If I've had to talk about my role first and foremost, in essence, my role is to liaise with our largest enterprise customers across Europe. I work multi country and multi sector and it's really at that C-seat level. I can be talking to CISO, CIO, CTOs. It's really understanding those biggest challenges. Some of that we've already touched on. We've talked about cyber security, cyber-attacks, how they're evolving. We've talked about evolving technology particularly when it comes to AI, responsible AI and all of these things but it all fundamentally comes down to data and really understanding the value and the proposition of all of this big tech together.

Now we look at the cloud in its most simplistic form, irrespective of the size of the enterprises that we're talking about. Although I'm at this level I've obviously got lots of different small enterprises and consumers who are utilizing the cloud. I would say the real value comes down to the shared responsibility model first and foremost. So if you thought about having your own data center or your own services, you're responsible for everything. You're responsible for the building, the infrastructure, the networks, all of the data, and all of these things. The big difference when you move to the cloud, and some of that comes down to the type of cloud or SaaS services or whatever the case may be, but the shared responsibility modeling, that just means the platform, the cloud platform, itself is the accountability of the cloud service provider. So in essence that infrastructure—patching, backups, recovery—won’t completely go away but it's one of those things that you don't necessarily have to think about.

The other part of that shared responsibility model, if you think about all of the different companies across the globe, some of those are highly regulated entities and those regulations are going to differ depending on what country they're in or even what region they're in. Now part of that, for customers to be able to adopt the cloud, Microsoft also has to have a very comprehensive compliance portfolio. If you're thinking about, we’re talking about GDPR or we're talking about various different standards like NIST for example, the underpinning platform first and foremost has to have all of those controls in place that you take advantage of. There's a huge advantage right out-of-the-box I'd say in terms of the inbuilt capability that's already there by standard and by default. The challenge, however, is you have to take advantage of it. This still means you’re still accountable for who's accessing that data and what data you put into the cloud.

Carandang: You mentioned in the introduction in your new book, Understand the Cyber Attacker Mindset. It dives right into the global cyber crime. You've engaged with actual cyber criminals. What are some of the key takeaways that you learned from your engagement with those cyber criminals that you could share with the audience here?

Smith: I think what's interesting to me and why I wrote it is to really focus on the human part of security. I think again, when we think about security, a lot of people think about we're here to protect data and we're here to protect technology and servers in the cloud and all of these things but actually, the data only has a value to it when we understand the repercussions of the impact of some of that data in the wrong hands and how it could be misused, abused in various different things. I think what we talked about at the beginning is a million and one ways in which I could potentially attack you but there's only a finite reason why I would want to, and why I'm motivated enough to want to do it. So I looked at the different types of threat actors. As I said, we've got some that are financially motivated, we've got activists, nation state actors, and we've got malicious insiders as well. Then it's the same data but in the different hands, what is the impact of that? Then it's being able to work backwards and say, “Ok, well, if someone was trying to sell this data, if someone was trying to use this data for espionage, if someone was trying to use it for other nefarious purposes, what do I need to do to protect that in all of those different hands, in essence?” That's really important, to understand the human motivation behind it and why they are willing to go to that extra degree to get their hands on that data. So I think about it from a very, very simplistic, no matter what size organization is we're talking about, the little ones up to the big enterprises, and I try and keep it quite simple. Our strategy in essence comes down to protecting the access in and the exit out. So the access in is identity. As we're talking about privacy it’s identity in all its guises. So it's identity as a human and identity of things. So we're talking about laptops and devices and various things like that. In essence from the threat actors perspective, I have to find a way into your network. I don't particularly care how I get in. Whether I'm trying to do those phishing emails, I'm going directly to the source, or I found a vulnerability in your network. I will find any which way in to that network. The exit out really then comes into that data. What is it I'm trying to exfiltrate out of your company that's giving me that value in particular.

Carandang: Thank you, Sarah. That's fantastic. You mentioned scale earlier. Just with the number of data or tax on data growing exponentially day by day, I do wonder if it's time for just some bold paradigm shifts. Do you see any of these shifts on the horizon? For example, can you imagine where consumers will start to pay small fees for otherwise free services, so companies won't need to sell that data to third parties?

Smith: I think we're going to see that a little bit. I think people are starting to pay for subscription services where it's a highly tailored service. They don't get adverts or the adverts they do get are more tailored. We are starting to see these people who want an enriched service. But I think the challenge we have as well is, a lot of this technology, particularly when we’re talking about social media, has been around for a very long time and it's been free for a very long time. Even when we know that when it is free, you’ve heard the comments you are in essence the commodity but there's data, there's profiling that's being sold to varying degrees across different companies depending on how you're interacting with some of their services.

I think the interesting thing is even when we've spoken about the size of some of the cyber attacks, the size of some of the data breaches, the fact that we've had these regulations, the fact that we've had record-breaking fines as a result of misuse or abuse of data and selling of data in various different things, has it actually stopped people from using it? I would argue not. Maybe there's a handful of people who are a bit mindful of it. I think you'll get pockets of people that want a better service and that you could sell it as a better service and enriched service or some way, maybe you'll have those kinds of people who might want to do that but I think overall, I can't see it happening to a large extent.

Carandang: Got it. Thank you, Sarah. So we've covered a lot today. I wanted to just ask you your overall feelings on maybe the next five years or so. So take us out to 2030. Tell us what you see. Are we in a better place? How well we have gone with this endeavor.

Smith: I think it's interesting, isn't it? Like we talked about GDPR, we talked about how long that's been around. So we are over five years since GDPR has come into being and other regulations around the world are all coming up to a varying degrees. Has it made any difference? I'm not sure. Arguably, I think it's going to have to get much worse before it gets better but I do think there is some positive coming as well. I would just frame that with where we started, when we're talking about cybersecurity and what's the game changer. So I think what we have seen is this willingness for more collaboration across big tech but across multiple different countries and jurisdictions. Particularly when we think about different actors and they're moving data around and moving data, there's money laundering, people are hiding in plain sight, making it really hard to bring a lot of these people to justice. Therefore what we have seen, as I said, in the last couple of years, is that willingness to collaborate, the willingness to share intelligence and really, really think about, there are some of these core principles of what we've been talking about and really then coming back to those foundational levels that we talk about. How do we have security and privacy by design, by default and as standard, so that nobody questions all of these things that have to be added on. Are you doing it for the right reasons? It just is. So, I think, as I said, there's going to be a lot more work. It's not going to be easy. I have a tiny bit of optimism that we can tip the balance but I just want to be realistic at the same point, not underestimating how much work is involved.

Carandang: That’s brilliant, Sarah. Thank you so much for your time and insight today. You've been very generous. Thank you for the great work you're doing more generally, and congratulations again on your book. Joe, back to you.

Kornik: Thank you for watching the VISION by Protiviti interview. On behalf of Roland and Sarah, I'm Joe Kornik. We'll see you next time.