Protecting data and minimizing threats with Microsoft’s Sarah Armstrong-Smith

Joe Kornik: Welcome to the VISION by Protiviti interview. I'm Joe Kornik Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-Suite and executive boardrooms worldwide. Today we're exploring the future of privacy, and we welcome in Sarah Armstrong Smith, Microsoft Chief Security Advisor for Europe, Middle East and Africa, Independent Board Advisor, and author of “Understanding the Cyber Attacker Mindset: Building a strategic security program to counteract threats.” Today, she'll be speaking with my Protiviti colleague Roland Carandang, Managing Director in the London Office and one of our global leaders for innovation, security, and privacy. Roland, I'll turn it over to you to begin.

Roland Carandang: Thanks so much Joe. Sarah, welcome. Congratulations on the publication of your latest book and thank you so much for being with us today.

Sarah Smith: That's great to be here. Thank you.

Carandang: I'm going to dive in with a very big question just to start things off. What do you see as the biggest threats to data privacy right now and what are some things that executives and boards should be focused on?

Smith: Yes. Well, I think I'm going to go for the easy option to start with being a Chief Security Adviser at Microsoft, it has to be just the scope and scale of cyber-attacks. Now they're at a range that we have never seen before just in terms of the ferocity of those different types of threat actors. What are they doing? What are they after in particular? Then when we talk about cyber attacks, we then got to think about what are those threat actors after. In essence they're looking to, how do I monetize my return on investment? Some of those are financially motivated actors, some of those might be espionage, nation state actors, they're activists, but ultimately, it's all about data and that's something we've really got to be cognizant about. So whenever we've had a cyber-attack, we then have to think about the data breaches and what does that mean for the impact to those individuals that may be impacted by that cyber attack as well.

Then we have questions that no doubt have to be answered, maybe that’s through regulators, our own business, our customers, partners, with regards to what data, how much data, and what's the impact of that. If I took all of that combined, when we're talking about cyber attacks, data breaches, intellectual property theft, whichever way you want to look at it, ultimately it'll come down to one thing, which is effective data governance. I would really say, what data, where is it, what is the value of that data, and what are my expectations, not just from regulators but consumers and employees as well, about how I should be protecting that data no matter what is on the horizon?

Carandang: On VISION by Protiviti we often talk about AI, and I know that's something that's on your mind. Ultimately, what impact do you think AI will have on data privacy and data security. Is there anything that business leaders should be doing to prepare for that now?

Smith: Well, I think with any technology there are always pros and cons. So we start with the pro. Ultimately, when you think about the ability for AI, machine learning, to provide really deep insights across large data sets. I think one of the biggest challenges that a lot of companies have, reflecting on where we started is where's my data, how much data, how much data exposure do I have? Getting those real deep insights but also thinking about how I can use that data to drive innovation

It's no doubt we're thinking about AI and just the scale of innovation that we've seen over the last couple of years. We're seeing tremendous work with regards to breakthroughs in science, medicine, and technology. So there's absolutely no doubt that there are some huge positive impacts for a lot of companies.

Now, I go to the cons. So kind of the reverse of that. In particular when we think about Gen AI, so that's only been around in the last couple years. It's probably made famous by ChatGPT. There are multiple other AI models. Then we got to think about how that was actually trained and where did that data come from. Some of the data, let's say, might have been scraped off the Internet. It could have been taken from social media. There's a multiple ways in which this data has come from and it's been asking a lot of questions again about what data, where did that data come from, do I have any say in that data in terms of consent, legitimate interest and all of these type of things. Again, if I can reflect back to the first question with regards to the cyber attackers and how they are thinking about amplifying their cyber-attacks with some of these large language models. Again, I think from a nation state perspective, highly resourced, highly motivated threat actors.

Now a couple of months ago Microsoft actually issued some research in conjunction with Open AI, as we're talking about ChatGPT. What we identified, if we took some of the larger nation state actors, they're using these models to do reconnaissance so that they're learning about their targets and they're also using those large language models to refine their attack. So this is just a caveat that the AI itself is not doing anything bad. It's not a naughty AI. It's still tool in the threat actors kit bag. When we're talking about phishing, ransomware, malware, whatever the case may be, the AI is just another tool, if you think about it that way. I want to think about AI, and I know there's a lot of companies that are spinning up R&D centers, innovation, thinking about the art of the possible. Maybe they are building their own models or they're buying them, whatever the case. There are some really fundamental things as we're talking about privacy in particular, that's responsible and ethical AI. It's a really having deep appreciation for those security and privacy implications, the detriment of some of those large language models and how they're being utilized but also keep thinking about privacy-enhancing technology. So having encryption, how we're thinking about managing the data or the data when it's exfiltrated… none of those things change just because we have some new technologies, right? We can't lose sight of the fundamental, the foundation layers if you like, of security and privacy in particular.

Carandang: That's super interesting, Sarah. Microsoft clearly has a big role to play—it sounds like such an understatement—in AI but it also has just lots of customers as well and customer data. Since you mentioned it, can you just tell us a bit more about your role at Microsoft and how a company—you mentioned large data sets, and how a company like that deals with protecting its customer data. How do you spend your days and perhaps some of your nights as well?

Smith: Can I say, it's never a dull day, let's say, being at a big tech company. If I've had to talk about my role first and foremost, in essence, my role is to liaise with our largest enterprise customers across Europe. I work multi country and multi sector and it's really at that C-seat level. I can be talking to CISO, CIO, CTOs. It's really understanding those biggest challenges. Some of that we've already touched on. We've talked about cyber security, cyber-attacks, how they're evolving. We've talked about evolving technology particularly when it comes to AI, responsible AI and all of these things but it all fundamentally comes down to data and really understanding the value and the proposition of all of this big tech together.

Now we look at the cloud in its most simplistic form, irrespective of the size of the enterprises that we're talking about. Although I'm at this level I've obviously got lots of different small enterprises and consumers who are utilizing the cloud. I would say the real value comes down to the shared responsibility model first and foremost. So if you thought about having your own data center or your own services, you're responsible for everything. You're responsible for the building, the infrastructure, the networks, all of the data, and all of these things. The big difference when you move to the cloud, and some of that comes down to the type of cloud or SaaS services or whatever the case may be, but the shared responsibility modeling, that just means the platform, the cloud platform, itself is the accountability of the cloud service provider. So in essence that infrastructure—patching, backups, recovery—won’t completely go away but it's one of those things that you don't necessarily have to think about.

The other part of that shared responsibility model, if you think about all of the different companies across the globe, some of those are highly regulated entities and those regulations are going to differ depending on what country they're in or even what region they're in. Now part of that, for customers to be able to adopt the cloud, Microsoft also has to have a very comprehensive compliance portfolio. If you're thinking about, we’re talking about GDPR or we're talking about various different standards like NIST for example, the underpinning platform first and foremost has to have all of those controls in place that you take advantage of. There's a huge advantage right out-of-the-box I'd say in terms of the inbuilt capability that's already there by standard and by default. The challenge, however, is you have to take advantage of it. This still means you’re still accountable for who's accessing that data and what data you put into the cloud.

Carandang: You mentioned in the introduction in your new book, Understand the Cyber Attacker Mindset. It dives right into the global cyber crime. You've engaged with actual cyber criminals. What are some of the key takeaways that you learned from your engagement with those cyber criminals that you could share with the audience here?

Smith: I think what's interesting to me and why I wrote it is to really focus on the human part of security. I think again, when we think about security, a lot of people think about we're here to protect data and we're here to protect technology and servers in the cloud and all of these things but actually, the data only has a value to it when we understand the repercussions of the impact of some of that data in the wrong hands and how it could be misused, abused in various different things. I think what we talked about at the beginning is a million and one ways in which I could potentially attack you but there's only a finite reason why I would want to, and why I'm motivated enough to want to do it. So I looked at the different types of threat actors. As I said, we've got some that are financially motivated, we've got activists, nation state actors, and we've got malicious insiders as well. Then it's the same data but in the different hands, what is the impact of that? Then it's being able to work backwards and say, “Ok, well, if someone was trying to sell this data, if someone was trying to use this data for espionage, if someone was trying to use it for other nefarious purposes, what do I need to do to protect that in all of those different hands, in essence?” That's really important, to understand the human motivation behind it and why they are willing to go to that extra degree to get their hands on that data. So I think about it from a very, very simplistic, no matter what size organization is we're talking about, the little ones up to the big enterprises, and I try and keep it quite simple. Our strategy in essence comes down to protecting the access in and the exit out. So the access in is identity. As we're talking about privacy it’s identity in all its guises. So it's identity as a human and identity of things. So we're talking about laptops and devices and various things like that. In essence from the threat actors perspective, I have to find a way into your network. I don't particularly care how I get in. Whether I'm trying to do those phishing emails, I'm going directly to the source, or I found a vulnerability in your network. I will find any which way in to that network. The exit out really then comes into that data. What is it I'm trying to exfiltrate out of your company that's giving me that value in particular.

Carandang: Thank you, Sarah. That's fantastic. You mentioned scale earlier. Just with the number of data or tax on data growing exponentially day by day, I do wonder if it's time for just some bold paradigm shifts. Do you see any of these shifts on the horizon? For example, can you imagine where consumers will start to pay small fees for otherwise free services, so companies won't need to sell that data to third parties?

Smith: I think we're going to see that a little bit. I think people are starting to pay for subscription services where it's a highly tailored service. They don't get adverts or the adverts they do get are more tailored. We are starting to see these people who want an enriched service. But I think the challenge we have as well is, a lot of this technology, particularly when we’re talking about social media, has been around for a very long time and it's been free for a very long time. Even when we know that when it is free, you’ve heard the comments you are in essence the commodity but there's data, there's profiling that's being sold to varying degrees across different companies depending on how you're interacting with some of their services.

I think the interesting thing is even when we've spoken about the size of some of the cyber attacks, the size of some of the data breaches, the fact that we've had these regulations, the fact that we've had record-breaking fines as a result of misuse or abuse of data and selling of data in various different things, has it actually stopped people from using it? I would argue not. Maybe there's a handful of people who are a bit mindful of it. I think you'll get pockets of people that want a better service and that you could sell it as a better service and enriched service or some way, maybe you'll have those kinds of people who might want to do that but I think overall, I can't see it happening to a large extent.

Carandang: Got it. Thank you, Sarah. So we've covered a lot today. I wanted to just ask you your overall feelings on maybe the next five years or so. So take us out to 2030. Tell us what you see. Are we in a better place? How well we have gone with this endeavor.

Smith: I think it's interesting, isn't it? Like we talked about GDPR, we talked about how long that's been around. So we are over five years since GDPR has come into being and other regulations around the world are all coming up to a varying degrees. Has it made any difference? I'm not sure. Arguably, I think it's going to have to get much worse before it gets better but I do think there is some positive coming as well. I would just frame that with where we started, when we're talking about cybersecurity and what's the game changer. So I think what we have seen is this willingness for more collaboration across big tech but across multiple different countries and jurisdictions. Particularly when we think about different actors and they're moving data around and moving data, there's money laundering, people are hiding in plain sight, making it really hard to bring a lot of these people to justice. Therefore what we have seen, as I said, in the last couple of years, is that willingness to collaborate, the willingness to share intelligence and really, really think about, there are some of these core principles of what we've been talking about and really then coming back to those foundational levels that we talk about. How do we have security and privacy by design, by default and as standard, so that nobody questions all of these things that have to be added on. Are you doing it for the right reasons? It just is. So, I think, as I said, there's going to be a lot more work. It's not going to be easy. I have a tiny bit of optimism that we can tip the balance but I just want to be realistic at the same point, not underestimating how much work is involved.

Carandang: That’s brilliant, Sarah. Thank you so much for your time and insight today. You've been very generous. Thank you for the great work you're doing more generally, and congratulations again on your book. Joe, back to you.

Kornik: Thank you for watching the VISION by Protiviti interview. On behalf of Roland and Sarah, I'm Joe Kornik. We'll see you next time.

Former CISO on what boards are getting wrong about data protection and privacy

Joe Kornik: Welcome to the VISION by Protiviti interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, a global content resource examining big themes that will impact the C-Suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and I’m thrilled to welcome Sue Bergamo to the program. Sue is an executive advisor, former CIO, CISO, and global technology strategist from Microsoft. She sits on several boards, is host of the Short Takes podcast, and author of “So, You Want to be a CISO: A practical guide to becoming a successful cybersecurity leader.” Sue, thank you so much for joining me today.

Sue Bergamo: Thank you for having me. It’s a pleasure to be here.

Kornik: First off, Sue, let’s talk about the state of the CISO. As you point out in your book, which I mentioned in the intro, “So, You Want to be a CISO,” the position is really in a state of flux right now. So, talk to me a little bit about where the CISO is right now and how it’s changing, and if you think it will continue to be a critical part of the executive team going forward.

Bergamo: I like to use the term evolution because we’re in a position that I hope will evolve to a better state in the future. Just like the CIO role about 20 years ago it had to go through some ebbs and flows and finally, it came out at the end of the tunnel in a much better spot. Everyone was very much aware of what the CIO needed and wanted to do which was really around our back office applications for our infrastructure that run our corporations.

The CISO role is going through that evolution and unfortunately, right now, it’s in a really ugly spot. I’m hopeful that it will come out a little bit better. What’s going on in the industry is the SEC’s cyber disclosure rule that came into effect late last year, which basically said the CISO does not need to report to the board, but the board and the executive team need to be aware of cyber incidents. So, what ended up happening with that—and I can go into more elaboration around two CISOs that were charged with felonies for material breaches that happened in the past—but what happened with that is that—this is my opinion based on what I see and what I know—executive teams decided that CISOs weren’t really needed. A lot of the CISOs said, “We’re not going to put up with these personal liabilities.” So, a lot of us left our positions and then there were a whole bunch of us that lost their jobs because the SEC, the cyber disclosure rule, talked about awareness. They didn’t put the CISO on the board, but they talked about awareness with incidents.

So, what has transpired is—and I don’t mean with this with any disrespect to SecOps managers—but inexperienced, from a CISO perspective, SecOps managers secure the operations people will put into the role of head of security. Sometimes CISO, but mostly head of security because they deal with incident response. Now, the dirty little secret in most organizations is that when an incident occurs, the SecOps manager has a major role in that breach, defending against the breach, but they’re really there to tell the CISO where the threat is coming from. They are not there to lead the band. They’re only there for a very specific focus. So, I see this convergence of inexperienced people and cyber criminals and we’ll see what the future brings, but I do hope that when this evolution comes to fruition the CISO will be put into a much better position, much better light with the executive team.

Kornik: You mentioned those SEC decisions and regulations. I don’t know if you want to expand on that at all or talk more specifically about where CISOs find themselves between a rock and a hard place right now.

Bergamo: Yes. There’s really three types of CISOs. There’s the very inexperienced one that’s just coming into the role, not really sure what they’re doing. Again, it’s not a dig. They have to learn and they’re going to learn the hard way. There’s the middle-of-the-road, as I call it. They’re more experienced than the inexperienced ones, but they’re still trying to find their spot in the position. Then there’s the experts who were exiting. So, a lot of CISOs on the inexperienced and middle-of-the-road side, believe that our jobs are really about the technology, and that is so far from the truth. The experienced ones know that we follow something called the triad, it’s confidentiality, integrity, and availability. We do that, we accomplish the triad through people, process, and technology. People obviously are employees, process is security frameworks and controls, and then the tech. Once you get the tech up and running and optimized for efficiencies so it’s giving you the data that you need in order to defend your companies, the tech is the easy part. It changes all the time, but that’s the easy part. It’s the compliance frameworks that take the majority of our time and if you ask any experienced CISO, they’ll tell you, once the tech is installed and optimized, we spend the majority of our time on compliance and data privacy. The newbies, as I refer to them, sometimes we have to explain this to them and explain why compliance and data privacy are so important.

So, it’s a little bit of a mess out there right now and then you throw in the personal liability. Let me just expand upon that for a moment. We had two well-known CISOs with two public, very public companies—I won’t mention their names—charged with felonies through the SEC which led to the cybersecurity disclosure rule being implemented after the first one. The second one fell into that disclosure rule. That sent shockwaves. Not just waves, but shockwaves through the CISO industry and we’re just sitting here saying to ourselves, “Holy cow.” A lot of us don’t have a lot of support because everybody thinks cyber is our problem and not theirs. It takes a village to defend a company against cyber attackers. Now, we’re being held personally responsible and felony charges, potential jail time, so we’re all saying ourselves, “I don’t think so,” which is why there’s a huge influx of us getting out of the role.

Kornik: Right. So, let’s talk a little bit more about the strategic role of the CISO or where that falls in the organization. Let’s talk specifically about data governance and protecting privacy. How did the companies that do it best do it best? In your experience, do they have chief privacy officers or chief data officers? Is there a playbook that business leaders should be following to really make sure that they’re getting this right?

Bergamo: I wish there was a playbook, but there isn’t. So, I think that’s half of the battle because everyone has a cellphone or a computer, and everyone feels that they know technology and they know data. This is a very specialized field. The CIO—I’ll just say tech and security—it’s a very specialized field. I’ve been fortunate enough to have both roles and yes, everyone always has an opinion on how we can do our jobs better, but this is our craft, and we have all kinds of different education or certifications. There’s no one thing that anyone can point to and no one game plan. But good C-level tech and security executives are well-rounded. We study. We research. We get involved and we understand how to protect data. Now, that AI is coming out, we have a whole new set of technologies that we need to encompass into our program. So, it’s about staying involved and understanding what we need to do to protect the data.

Kornik: When you’re in those conversations with the C-Suite, the boards, and the business leaders, do you think they understand the importance, not just the compliance and the governance aspect of this, but maybe the business importance of data privacy and what that means ultimately to building customer trust in the business and the bottom line?

Bergamo: I do think that everyone understands that data matters and that data is important to running the business. I mean, every business needs information in order to make good decisions and to process customer requests, B2B requests, employee requests. It’s all data driven and so is it given enough limelight? It depends on the size of the company. I do think that the executives and the boards understand the importance of data and how to use it, but I think where they fall short is really in the investments of strategizing and securing the information and giving even the technology or the engineering teams what they need to make sure that that data is sound.

Kornik: Right, and that’s an interesting perspective I would say from the company side. How confident are you that we’ll get this right for the customer, the client, the consumer? Are you optimistic that they’ll be better off over the next several years?

Bergamo: I’m always optimistic. The sun’s always shining in my world, right? Data is the stronghold of every company. From managing the most—my new piece of information all the way to executive reporting. Everybody’s processing information. So, I think with some of the technologies that are coming out either through public cloud vendors or through artificial intelligence, I think that the data and the ability to gather data is just going to be better in the future.

Kornik: Well, Sue, you said you’re an optimist. So, I’m going to leave you with this final question where I ask you to look out a few years. Maybe the end of the decade, let’s say 2030. Where do you think will be in terms of privacy, data privacy? Do you think 2030 is a better place than where we are currently?

Bergamo: Well, we can only get better with time, right? Kind of like a fine wine. So, I’m optimistic that material breaches will continue to happen fast and furiously and finally, our business brothers and sisters will wake up and say, “Oh, I need to be responsible for security too. I need to be responsible to help the CISO or the CIO, or whoever, with my data problems. Maybe I should get more involved.” So, I am optimistic that eventually the tables will turn. I think it’s going to take a little bit more time but 2030, sure, I’ll go with that.

Kornik: Great. Well, thanks so much for the time today, Sue, and the insights. I really enjoyed our conversation.

Bergamo: Thank you, Joe. I appreciate you having me.

Kornik: And thank you for watching the VISION by Protiviti interview. On behalf of Sue Bergamo, I’m Joe Kornik. We’ll see you next time.

The Economist’s Dexter Thillien: Privacy in peril AMID digital data explosion

Joe Kornik: Welcome to the VISION by Protiviti Interview. I’m Joe Kornik, Editor-in-Chief of VISION by Protiviti, our global content resource examining big themes that will impact the C-suite and executive boardrooms worldwide. Today, we’re exploring the future of privacy, and I’m happy to be joined by The Economist’s Dexter Thillien. Dexter is the lead analyst for technology and data at The Economist Intelligence Unit, the research arm of The Economist. Dexter is the lead author of numerous reports on AI, cyber security, data privacy, technology, and regulation, as well as a frequent speaker on the intersection of the digital economy and global business. We spoke to Dexter last year about privacy in the metaverse and he has been kind enough to come back. Dexter, thank you so much for joining me today.

Dexter Thillien: Great to be here.

Kornik: Dexter, in a digital economy I don’t think there’s any question that data privacy is now and probably will continue to be one of the biggest issues facing consumers and companies, the rest of this decade and probably much further into the future, actually. What do you see as the biggest threats in terms of data privacy for both customers and companies?

Thillien: Yes, thank you for the question. First of all, you’re right to differentiate between companies and consumers because I think they will have different issues to deal with. For companies, they’re owning more and more personal data as part of the business processes, the key is to make sure that the data is secured. That means putting the right government system in place internally. So, instance, that only the right people can access sensitive data. Also, making sure that the company’s own data, any data from suppliers or consumer is being dealt with properly. That’s going to become more and more of an issue to deal with because there’s going to be more and more data to deal with. For some companies, it might even become a competitive advantage. We’ve seen Apple trying to do that in terms of its privacy policy compared to its competitors.

For consumers, it’s a different question, different range of issues. For consumers, it’s important to keep the data safe and secure, but it is also becoming increasingly difficult because we’re giving away much more personal data at any one time. Giving away personal data is no longer about just filling a form, but any time we see something online or do something online, and also anytime we’re going to be on the move because most of us are going to have a smartphone. Many of the apps we have on our smartphone will also collect a huge amount of data. We may become a bit blasé about all those data we’re giving away, but it’s also very difficult to operate and to use the internet and go online if we’re trying to minimize the amount of data we give away. Meta, as an example, tried to build a more private platform which has been charging users and making privacy as a premium feature, but is so far this has been refused by the European Commission in the European Union. The issue is that advertising remains the cornerstone of Meta which means that it is free as long as we give away much of our personal data. With the addition of pictures and videos and on top of text and also facial recognition entering the fray we’re starting to giveaway data which is even more unique and much more difficult to replace if it ever becomes hacked.

Kornik: I’ve been reading a lot of The EIU’s position papers on AI and really all emerging technologies, which includes quantum and spatial and biometric computing, and how those will ultimately impact data and privacy. How do you see AI and those other emerging technologies I mentioned impacting privacy going forward?

Thillien: I think it will all have an impact. So, starting with artificial intelligence, artificial intelligence is all about data. The fact that some are arguing that we may run out web data as early as 2026 as well as so much of a personal data we have given away so far. One of the major issues with artificial intelligence is the output as a model as it may give away as part of answer some personal data because that personal data is part of the input. Sometimes it’s very, very difficult to understand why it does that. We have seen some cases in Europe where this has happened and privacy regulators are keeping track. There is also consent issue which is why Meta say they will not release its most advanced Llama model in Europe because the company is not entirely sure if it can comply with the GDPR in terms of using pictures and videos and things other than text—content other than text.

In terms of quantum computing we’ve seen in August the National Institute of Science of Technology in the U.S. releasing its first post-quantum encryption standards and this is over the fears that a quantum computer might break the current encryption standards sooner rather than later. It’s still not very clear when that will happen and we do not think at The EIU that it’s going to happen any time soon, at least in the short to medium term because many, many technical hurdles remain. But it’s better to be safe especially as some of the encrypted data which can be, will still be very, very valuable when and if quantum computer becomes operational.

When we’re talking about biometric data and biometric computing it raises a question of what type of data we might be sharing. When it is possible to change an email address or even your financial or other details, it is impossible to change your fingerprint or your DNA. We may not be—we may not be able to identify in terms of what we share, but it is something we consider if we don’t want to—that data and want to make sure that the data do not fall into the wrong hands.

Kornik: Right. Thanks, Dexter. You mentioned GDPR. So, let me just follow up on that. Globally, Europe has invested significantly in data protection rules with GDPR. Japan has had very strict privacy laws in place as well. Meanwhile, India and China not so much. U.S. is somewhere in the middle, but has no federal regulation. A lot of the states have sort of taken the lead on that front. Where is the sweet spot? Who is getting this right? Does too much regulation stifle innovation or does not enough create chaos? Where do you stand on regulation?

Thillien: I think finding the sweet spot between regulation and innovation is what every policymaker, every regulator, is trying to do. I think it’s a problem or an issue for all tech regulation and not just data privacy. This could happen when sometimes regulation becomes more of a box-ticking exercise and we have seen that with cookies in Europe. It has no real impact on privacy because—for instance, active consent will now be fully given. I do think we do need some level of regulation because without it any protection will be lacking and there needs to be independent rules put in place.

I think for me there are two main things to consider when we’re talking about regulation. The first is fragmentation. Many, many businesses will be global in nature, whereas, regulation is very often not. This means that making a decision as to what to do, whether to follow offshore jurisdiction is required, whether there would be some overlap or to go with the strictest rule and have only one set of rules to comply globally for the company. Now, some companies have already done that in terms of the GDPR.

The second and probably the most important one is enforcement. I think rules are very nice, but without the right enforcement it can be a bit pointless. We’ve seen, again, with the GDPR where it’s taking quite a long time before any rulings or any judgement because it can be very, very tough for regulators to make the case. It’s very important to note what level you can enforce before you start thinking of regulation.

Kornik: Barely a week goes by without hearing about another significant breach, right? I just wonder if consumers specifically are becoming desensitized to these breaches, do we suffer low expectations when it comes to our own privacy?

Thillien: I don’t know if we desensitize, but I think the issue that is not always visible or very visible to the main user, we often hear about an attack where millions if not even billions of entries have been hacked, but the impact of that attack is very difficult to gauge because in most cases that means we’re going to receive a bit more spam emails. It becomes much more personal when they are a financial repercussions is in attack meaning we can be scammed or buying details are now available with people buying things online with that money. I also want to make the point that companies can try to do as much as they can and many, many do but the attacker, in this case the hacker, is much more favored than a defender because the attacker, in terms of an attack needs to get it right once when a defender has to get it right all the time. Now, as we’re spending more and more time online it means that the attacked surface is only increasing, which means that those breaches will keep happening.

Kornik: Right. We’ve seen big companies—I mean, very big tech companies even playing sort of fast and loose with data and privacy. Even children’s privacy, I think, is—we’ve heard that has been in the news recently. Can we trust the private sector? I mean, we were talking about regulations so I’m just curious. Can we trust the private sector to do what’s right in terms of privacy? Are boards and the C-suite taking this issue seriously enough, do you think?

Thillien: Some are, but I still don’t think that self-regulation is the answer. While I mentioned the GDPR might not be as well enforced as it should be it still offers a EU citizen much more protection than in many other jurisdictions across the world. You mentioned that the U.S. still doesn’t have federal rules, is trying to remedy that in terms of children. It needs to get passed through congress which is very difficult as well. The U.S. also has a much bigger, what I would call, a third-party market. With the data you might have given happily to a provider or a retailer is then sold on to a third party without you knowing about it, and perhaps you wouldn’t want that particular company, the third party company, to have access to your data. Companies do have to take it seriously because it can impact their reputation if it is proven they haven’t done as much as they could have should it be hacked. With a greater penetration of technology in the world place and the move towards digital information it can also become a phenomenal advantage to business continuity. I think the example of the CrowdStrike incident in July 2024 has shown how reliant we’ve become on digital technology and how important it is to protect those. Could it become a competitive advantage is very, very difficult to say because privacy is one of those areas where doing things right to make sure nothing happens has a limited impact, but not doing things right when something is happening could have a major negative impact. So, the positive and the upside is not very apparent, but you do need to do as much as possible to make sure that nothing actually happens.

Kornik: Dexter, I appreciate your time today. I really enjoyed our conversation. I just have one more question and it’s forward looking. I’m wondering if you could take me out to the end of the decade, let’s say 2030, and tell me what you see around data and privacy. I’m wondering how we’ll view privacy in 2030.

Thillien: I think for me it’s evolving concept because the online world has become so prevalent, but the right to privacy is also a fundamental human right whether it is online or offline. This is part of Article 12 for Universal Declaration of Human Rights which is, and I’m going to quote that, “No one should be subjected to arbitrary interference with their privacy, family, home or correspondence, nor to attacks upon their honor or reputation. Everybody has the right to the protection of the law against such interference or attacks.” I think this is the case both in the online world and both in the offline world. I’m going to give you a personal example maybe. I graduated from my school in very late 20th century. I don’t think I used the internet at all for any of my course work during high school. If you can see, for instance, the iPhone launched in 2007, so 17 years ago, and Facebook in 2004, so 20 years ago, it shows that many, many younger people are now what we call fully digital native and are going to have maybe a different perspective. What I find interesting is some mystery that I saw over the last few months and years where kids, where younger people, were telling their parents not to upload pictures of them online. It made me think about the concept of what I might call online privacy native. Where maybe the younger generation is less keen to share publicly compared to the previous generation. I think we’ll have to wait and see to see what will actually happen going forward.

Kornik: Yes, that’s interesting. I hadn’t really thought about that, but you’re right. That generation did seem more conscious—conscientious about sharing photos.

Thillien: I think they might have a different perspective when it comes to their online persona and their offline self and what they share online. So, they might not have all vision for all generation, vision of privacy more broadly, but in terms of what they’re doing online because they’re fully digital native and they are online a lot of time. Everybody is going to have a smartphone. That’s not going to change. We’re still going to be using the internet. We’re still going to share some data. There is still going to be probably from the younger generation which have only known that kind of a different perspective in terms of what they’re willing to share and especially what they’re not willing to share and to what they might get in return for what they’re sharing. I think it’s very early days and we’ll have to wait and see.

Kornik: Right. Very interesting. Thanks, Dexter, for that perspective and your insights. I really enjoyed our conversation today.

Thillien: Thank you very much for having me.

Kornik: Thank you for joining the VISION by Protiviti interview. On behalf of Dexter Thillien, I’m Joe Kornik. We’ll see you next time.