Sound?As He Builds an Augmented Intelligence-Powered Cognitive

SafeSafe andand Sound?Sound?

As he builds an augmented intelligence-powered cognitive enterprise, IBM Global Chief Data Officer Inderpal Bhandari is pushing everyone to keep data privacy top of mind.

BY SARAH FISTER GALE PORTRAITS BY BALL & ALBANESE

24 INSIGNIAM QUARTERLY | Fall 2018

Executives are being held to account for security vulnerabilities leading to the theft of sensitive customer information—top leaders at Equifax, Yahoo, Target and other companies have been shown the door in the wake of major breaches. Entire companies are seeing their fortunes wane if customers turn away from how their personal data is being used. The Cambridge Analytica scandal, for example, put major dents in Facebook’s brand and raised questions about the company’s business model. In a digital world, data is both an asset to be leveraged and a liability to be protected. “Executives are not only becoming more “Executives aware of the importance of data security, they are also increasingly being held accountable are not only after data breaches,” says Inderpal Bhandari, global chief data officer (CDO) of IBM, the becoming more $80 billion global technology organization headquartered in Armonk, New York, USA. aware of the No surprise, then, that CDOs are now among the most important leaders in many of importance of the world’s top companies. Ten years ago, this C-suite role was virtually unheard of. But today data security, CDOs act as transformation leaders, charting a company’s digital course, finding new ways they are also to leverage data, and safeguarding customer and company data. As data breaches become increasingly commonplace and complex data privacy regulations are implemented, executives are being held looking to their CDO for security guidance and guarantees. accountable Mr. Bhandari is up to the challenge. He began his career with IBM in 1990 studying after data data mining at the Watson Research Center and became one of the first executives to breaches.” earn the title of CDO in 2006 while at Medco —Inderpal Bhandari, Health Solutions. Over the years, he helped global chief data officer, IBM to define the role as it evolved from “king of the data warehouse” to transformation

26 INSIGNIAM QUARTERLY | Fall 2018

INSIGNIAM QUARTERLY COPYRIGHT © INSIGNIAM HOLDING LLC. ALL RIGHTS RESERVED. CONFIDENTIAL FALL 2018 AND PROPRIETARY. MAY NOT BE REPRODUCED IN ANY FORM, BY ELECTRONIC OR PRINT OR ANY OTHER MEANS, WITHOUT THE EXPRESS WRITTEN PERMISSION OF INSIGNIAM. VISIT WWW.INSIGNIAM.COM FOR CONTACTS. “We made the decision early on that building a relat ionship of trust between us and our clients and customers makes perfect strategic business sense. It is the direction the market will go.” —Inderpal Bhandari

leader. Since returning to IBM as CDO in augmented intelligence allows IBM’s subject 2015, Mr. Bhandari has been redefining the matter experts to submit a query and instantly company’s data strategy based on the vision receive all of the information they need to of a “cognitive enterprise” that is powered solve a problem, regardless of where that data by augmented intelligence and has data resides and what format it takes. protection at its core. “We made the decision “The cognitive enterprise system helps them early on that building a relationship of trust answer questions more effectively, rapidly and between us and our clients and customers accurately because they’re able to harness all makes perfect strategic business sense,” he of this information, which previously they says. “It is the direction the market will go.” wouldn’t have been able to use,” he says. This makes IBM’s data more valuable and The Promise and the Perils efficient, but it also makes data security a lot The vision Mr. Bhandari is in the process of more challenging. In an era where the number implementing at IBM underscores both the and scale of data breaches continues to grow, promise and perils of data-centric enterprises. data security is now a C-suite imperative. Here is how the IBM cognitive enterprise “The C-suite must make data privacy works: Advanced augmented intelligence and security a top priority for the company, systems and analytics powers can instantly recognizing that a lapse can put the enterprise merge multiple vast datasets to generate new itself at risk,” Mr. Bhandari says. “Seventy-five insights on demand. In Mr. Bhandari’s vision, percent of consumers say they will not buy a product from a company—no matter how great it is—if they don’t trust the company to protect their data.” With this in mind, Mr. Bhandari has broadened IBM’s security practices to encompass data privacy. This necessitates additional security barriers in everything IBM designs. “It’s evident that you have to protect the privacy of the subject whose data you are carrying,” he says. Mr. Bhandari notes that as augmented intelligence capabilities advance, it can lead IBM researchers celebrate a pat- to unexpected data privacy ent for a system risks. He points to the classic that detects and counteracts example of a major retailer cyberattacks. analyzing data for marketing

purposes about a consumer PHOTO COURTESY OF IBM

28 INSIGNIAM QUARTERLY | Fall 2018

buying prenatal vitamins and other products. to Mr. Bhandari, are botnets: malware that The company inferred she was pregnant and causes a collection of connected devices to be then sent her marketing materials for baby controlled by a hacker without the owner’s clothes and other products—only to discover knowledge. Hackers “are able to harness that she was in high school and her parents were botnets at a scale never before possible and unaware of her pregnancy. “Each data element use them against companies, individuals and by itself was OK, but the conclusion clearly even governments,” he says. “That is a major violated her privacy,” he says. “This is the nature technology challenge.” of analytics. It is what makes it so powerful, but it Building a culture of trust amid such also makes it hard from a regulatory standpoint malicious threats is a key leadership challenge to perfectly protect everybody.” Mr. Bhandari faces as he works to build a data-driven cognitive enterprise. To create A Culture of Trust secure products and infrastructure, trust must For Mr. Bhandari, this kind of scenario be embedded in everything IBM does. As an reinforces his commitment to building trust example, he cites IBM’s cloud computing into every element of IBM’s product design platform. It was architected from the ground process. “In this environment, the only thing up so that even in a multi-tenant, multi-cloud that a customer can lean on is ‘Can I really trust environment, the company can guarantee 60 this organization to look after my interests?’” every client that their data—and any insights of organizations he says. “That’s why it has to be part of our drawn from it—is controlled by them, unless data privacy culture.” they choose to let it be shared. say they As a global organization that processes, But the company’s data privacy strategies are more stores and analyzes millions of bits of data cannot be limited to the internal IBM concerned from customers and clients, IBM is obligated infrastructure. “Trust needs to extend through to be sure every action it takes directly benefits the supply chain, because if the enterprise about a data the owner of that data and any related vendor. can’t trust a vendor it makes them vulnerable breach from a “That is what is required today. I believe to being breached,” he says. Sixty percent third party, such companies that have acted otherwise will face of organizations now say they are more significant challenges.” concerned about a data breach from a third as a partner or The constant threat of security breaches party, such as a partner or vendor, than from vendor, than makes it difficult to deliver on a promise of within their own company, according to a from within trust to customers. In the first half of 2017, 2017 survey by Ponemon Institute and Opus. more than 6 billion records were exposed From a leadership perspective, embedding their own through 2,227 publicly disclosed data breaches, sound data privacy practices through an company. according to a report from Risk Based Security. organization—and building new data-driven Source: Ponemon Institute and Opus That number of records was an all-time high, enterprise tools—is fundamentally a change putting executives like Mr. Bhandari on alert. management challenge. “To get to a data- “There is the risk that powerful technologies driven culture, the CDO of a major enterprise like artificial intelligence and the internet of must play the role of change agent-in-chief,” things can be misused by bad actors, which Mr. Bhandari says. “Having recognized this makes it very difficult to protect data,” he over my career as a four-time CDO, my says. One of the biggest risks today, according leadership style has evolved to ‘fail fast’ by

quarterly.insigniam.com | INSIGNIAM QUARTERLY 29

INSIGNIAM QUARTERLY COPYRIGHT © INSIGNIAM HOLDING LLC. ALL RIGHTS RESERVED. CONFIDENTIAL FALL 2018 AND PROPRIETARY. MAY NOT BE REPRODUCED IN ANY FORM, BY ELECTRONIC OR PRINT OR ANY OTHER MEANS, WITHOUT THE EXPRESS WRITTEN PERMISSION OF INSIGNIAM. VISIT WWW.INSIGNIAM.COM FOR CONTACTS. “To get to a data-driven culture, the CDO of a major enterprise must play the role of change agent-in-chief.” —Inderpal Bhandari

design. One learns by making a series of teams prioritize data security and privacy. missteps that are all but inevitable as one Executives need to “make employees aware pushes the envelope to effect change.” of the consequences of data breaches and High-level relationships matter. He credits poor data privacy practices,” he says, adding his close working relationship with IBM’s that even if it adds time or cost to a project, Chief Information Security Officer David it is worth it. “A culture of trust does impart Cass and Chief Privacy Officer Cristina additional constraints on the setup, and it Cabella for promoting the strategic vision does make the engineering process more of the cognitive enterprise to every business complicated. But making sure clients and unit leader and project team. Building these customers can trust us with their data is relationships is the best way for a CDO the only way to make use of these new to promote a culture of trust and ensure technologies for their benefit.” IQ

30 INSIGNIAM QUARTERLY | Fall 2018

INSIGNIAM QUARTERLY COPYRIGHT © INSIGNIAM HOLDING LLC. ALL RIGHTS RESERVED. CONFIDENTIAL FALL 2018 AND PROPRIETARY. MAY NOT BE REPRODUCED IN ANY FORM, BY ELECTRONIC OR PRINT OR ANY OTHER MEANS, WITHOUT THE EXPRESS WRITTEN PERMISSION OF INSIGNIAM. VISIT WWW.INSIGNIAM.COM FOR CONTACTS. The Evolution Starts Now The European Union’s new GDPR data privacy regime is a big deal—but not in the way many people think. By Novid Parsi

Suddenly, “privacy policy” emails flooded everyone’s inbox. In May, those emails were the most obvious indication that the European Union’s new General Data Protection Regulation (GDPR) had gone into effect. It felt like a whole new day for data privacy—but contrary to popular perception, the GDPR does not fundamentally change the rules for how companies handle data, says Jack Carvel, general counsel for London, England-based Qubit, which provides personalization software. But the new regulation does mark a shift in the balance of power European Parliament between companies and customers, President Antonio Tajani greets Facebook Mr. Carvel says. CEO Mark Zuckerberg, As before, companies still have left, in Brussels in May. to be transparent about how they PHOTO BY JOHN THYS/AFP/GETTY IMAGES use an individual’s data. They have to be upfront about what they are and this must be evidenced by an on internal data management sys- collecting, why they are collecting it affirmative action. The GDPR also tems where the company had 100 and how long they will keep it, Mr. clarifies accountability: Companies percent control. “But then I learned Carvel notes. They also still have to have to document their compliance. that the major work was in how we be fair in their use of data, and they For example, when someone asks worked with suppliers and clients— cannot collect more information a company to provide or delete the best result would only occur if than they actually need. That is why all their personal information, the we were all on the same page.” the Information Commissioner’s company has to document that it IBM has tens of thousands of Office—the U.K. regulatory body has done so. supply relationships, and the data that upholds information rights— The GDPR’s basic guiding prin- security team had to be sure any called the GDPR an evolution in data ciple of fairness and transparency solution they brought forward was protection, not a revolution. should limit what Mr. Carvel calls compliant. “So collaboration was a But new stiff fines are now in the creepy uses of data—in particular, key aspect of what we had to do,” mix. The maximum fine for non- the ways that some companies use he says. The team spent months compliance with the GDPR is ¤20 a slew of information to target ads collaborating with every vendor to million or 4 percent of a company’s and products to individuals or to be sure the way they captured, used global annual revenue—whichever make decisions affecting their lives. and stored data was GDPR-compli- is greater. (For Facebook, that could Inderpal Bhandari, chief data offi- ant at every step. be $1.6 billion.) Little surprise, then, cer (CDO) at IBM, says the GDPR has It was not merely a “check that companies are taking the GDPR informed his company’s data security the box” activity. “Through the more seriously. strategy as much as the risk of data compliance process we found that Another significant change breaches. That strategy is about everybody had different levels of brought on by the GDPR, which ap- building relationships with customers preparedness, but also different plies to any company processing the that are built around trust. “The interpretations of the GDPR.” That data of EU citizens, involves implied movement around data sovereignty required some unavoidable debate. consent. “The internet had worked obviously informs our thinking.” “Given the yardstick by which we on the basis of implied consent: Complying with the regulation judge ourselves regarding trust, se- ‘By using this site, you comply with was a “massive challenge,” he says. curity and privacy, we knew we had this long policy,’” Mr. Carvel says. It was also the occasion for one of to go the extra mile,” Mr. Bhandari “Under the GDPR, companies can’t his leadership missteps since be- says. “It was a massive effort across rely on implied consent anymore.” coming IBM’s CDO in 2015. Initially the board, but I think differentiates Now, businesses must receive an in- Mr. Bhandari thought IBM could us in terms of our commitment to dividual’s explicit, informed consent, achieve compliance by focusing only data privacy.”

quarterly.insigniam.com | INSIGNIAM QUARTERLY 31