How Privacy Pros Can Thrive And Make A Greater Impact with AI
Episode 89 • 26th September 2023 • Privacy Pros Podcast • The King of Data Protection - Jamal Ahmed
Shownotes

Are you ready to dive into the future of privacy, AI, and data risk management?

We have Russell Sherman, CTO and co-founder of VISO TRUST, an AI-powered solution for third-party risk management.

We discuss:

  1. Why AI is more than just a buzzword and why Privacy Pros need to adopt and adapt to stay ahead of the game
  2. How to leverage AI in third-party risk management to stay competitive
  3. The secrets to successfully transition into Privacy and specialise in AI

If you want to be ahead of the curve and dominate in this space, this episode is a must listen.

Russell Sherman is the CTO and co-founder of VISO TRUST, an AI-powered SaaS solution that scales and automates third-party risk management.

He is an accomplished technology executive, security leader, and security product innovator, previously working at highly regulated technology companies, including ASAPP, Varo Money, LendingClub and Dell SecureWorks, with extensive experience in third-party cyber.

If you're ready to transform your career and become the go-to GDPR expert, get your copy of 'The Easy Peasy Guide to GDPR' here: https://www.bestgdprbook.com/

Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/

Follow Russ on LinkedIn: https://www.linkedin.com/in/neverenoughinfo/

Get Exclusive Insights, Secret Expert Tips & Actionable Resources For A Thriving Privacy Career That We Only Share With Email Subscribers

 https://newsletter.privacypros.academy/sign-up

Subscribe to the Privacy Pros Academy YouTube Channel

► https://www.youtube.com/c/PrivacyPros

Join the Privacy Pros Academy Private Facebook Group for:

  • Free LIVE Training
  • Free Easy Peasy Data Privacy Guides
  • Data Protection Updates and so much more

Apply to join here whilst it's still free: https://www.facebook.com/groups/privacypro

Transcripts

Russ:

The thoughts and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views of their employers or any other individual or organisation.

If you're thinking about changing your career and focusing more on AI, start to research a little bit more about the fundamental first principles around artificial intelligence and inference. Build a knowledge and understanding of the use of the tools. So get your hands more dirty and more hands on. The revolution is here. We're past cloud, we're past AI being very important, and professionals need to adopt and adapt.

Jamal:

Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.

Intro:

Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts, the podcast to launch progress and excel your career as a privacy pro.

Jamal:

Hear about the latest news and developments in the world of privacy. Discover fascinating insights from leading global privacy professionals, and hear real stories and top tips from the people who've been where you want to get to. We've trained people in over 137 countries and counting. So whether you're thinking about starting a career in data privacy or you're an experienced professional, this is the podcast for you.

Jamal:

Hello and welcome to another episode of the Privacy Pros podcast. I'm your host Jamal Ahmed, founder and lead trainer at the Privacy Pros Academy, and I'm thrilled to be talking to you today because we've got a special episode. In today's episode, I've got a veteran security expert with us, and you're in for a treat because we'll be having an in-depth conversation all about the use of artificial intelligence and machine learning in data privacy. So stay tuned and how to determine what tools and softwares are the best fit for your organisation. So today I have with me Russell Sherman. Russ, welcome to the show. He is the CTO and co-founder of VISO TRUST, an AI-powered SaaS solution that scales and automates third-party risk management. He is an accomplished technology executive, security leader, and security product innovator, previously working at highly regulated technology companies, including ASAPP, Varo Money, LendingClub and Dell SecureWorks, with extensive experience in third-party cyber.

Russ:

Thanks, Jamal. Very happy to be here and I'm flattered for that introduction. Thank you very much.

Jamal:

It's a privilege to have you here. Now, if a movie was made of your life, what genre would it be and who would play you?

Russ:

Oh, gosh, aspirationally I think it would be an adventure movie, maybe Sci-Fi laced in there too. My life in security began pretty early. I was tinkering with computers and I was introduced to them rather young professionally. I began my career in deep packet inspection and I worked in a security operations centre, and that was where I really became familiar with security and data security practices and really the risk of data loss. My career evolved from there. I began focusing on more foundational business security practices when I started working at a start up in San Francisco. That company was moving quickly towards going public, LendingClub, and it was there that I kind of expanded to serve folks in my previous role of a security operations centre analyst, but also more broadly in the business to reduce risk. And I saw a lot of pain in the problem of reducing third party risk, which is where I start to focus a lot on and eventually began thinking about starting a company to help other people.

Jamal:

I love it. So I'm going to get this specifically into AI now. So the use of AI and machine learning is topical across all industries. How is it currently being used in privacy? And in your opinion, what's the game changing advantage of AI in this field that we absolutely can't afford to overlook?

Russ:

Sure. So I see AI, and in particular I see privacy as a subset of broader security or data risk management. And really the way that I see machine learning and artificial intelligence helping businesses is allowing them to better understand complex topics and sets of unstructured language in a short period of time. So, for instance, a privacy policy now with the power of large language models becomes very easy to understand in a short period of time. You no longer need to really have a legal background to understand the implications within them. If you can apply artificial intelligence in a broader risk management framework, you can actually make decisions much faster and potentially reduce risk more effectively. So that way I see that adopting tools and practices around leveraging AI in your broader risk management function to be really providing an advantage to you in the business as you aim to innovate and bring on more third parties, which is really a strong part of building a competitive business right now.

Jamal:

Absolutely. Thank you for sharing. And with AI becoming increasingly sophisticated, what are some of the ethical considerations that privacy professionals should be aware of when we're actually implementing these AI solutions into our privacy and data risk and governance management programs?

Russ:

was introduced in January of:

Jamal:

Okay, great. Thank you for sharing that. So I want to come back to what you just said at the end there, because I see this challenge all too often is you've signed the deal, the agreement's in place, and now we're identifying all of these problems. So that is a very big concern and it's a very big challenge we see time and time again. So I want to come back to that. But in terms of summing up what you just explained, so you basically gave me three key tips. Number one, you said, remember, when you're learning something, it's not just that you have to be open to continuously learning about it. Things will change. You will actually have more perspective. So you always need to be open to be constantly learning. It's not a once and done, so be open to constantly learning. Number two, you said there are frameworks out there that have been developed. You've referenced the framework that came out earlier this year with NIST AI RMF. So there's frameworks there that we can actually use. So we should actually start using those frameworks. And the third thing you said is, it's not just enough to be aware of this and know there's a framework in place, but actually understand how that framework works, actually understand the reasoning behind it so you can apply it in a pragmatic way to get the kind of results that you're getting. And when things do change, not only does it present risks, but it also presents opportunities. So don't have this pessimistic view or this fearful view towards it. Approach it with an open mind and see, okay, what are the things that this challenges this phase and how do we tackle them? And also, what are the benefits or opportunities this is presenting and how can we exploit them and make the most of them? So thank you for sharing that. Now, one of the things that you mentioned there is your company helps overcome this challenge of when the business goes and they sign a contract and you've done some kind of a light touch due diligence.
You've done something, but it's only once you start doing business, you start handing over your data, the things that you've been trusted with and you realise, sugar, there's a few things that are not quite right about this. It's a bit too late to do anything about it now. So should we just pretend it doesn't exist and it'll go away, or is this going to keep you up all night? So you've come up with a solution to overcome that. Tell us more about that.

Russ:

Sure. As I mentioned, I see privacy and now AI trust risk management as two subsets of a broader third-party risk management program. And early in my career, dealing with a fast-moving start up, aiming to become public and really having a lot of pressure from clients, prospects and government agencies around compliance and the strength of our own risk management function. I found that really the company wanted to adopt more and more technology and move more quickly to compete. Right. You need to adopt new technologies and use third parties to compete. And what we found was that the kind of older traditional approach of asking your vendor to answer a large number of, let's say, security and privacy related questions simply took too long to complete in the time that the business was aiming to be effectively adopting that new technology. So we basically say something like you can't move at the speed of business in that case. And so when we thought about building a tool or framework for doing this, we focused on some high level tenets of a broader strong security program and really trying to understand how a business is investing in maturing those different high level control areas and focused on protecting the data that you might be sharing with them. And instead of asking specific questions, leveraging things like artificial intelligence to collect as much information as you can from that business as quickly as possible. So making it very easy for both your internal business stakeholder as well as the third party to exchange this relevant information in the form of whatever they might have it in. So you're obviously very familiar with a privacy policy. You might be looking for certain compliance certifications when you evaluate the strength of a privacy program like HIPAA or PCI.
And what we do is we take those documents in that unstructured language, and we quickly analyse and ingest, understand and extract and allow you to interrogate and understand that information much more quickly than you would have if you were sending a questionnaire and effectively answering a questionnaire for you in a very short period of time. And to go back to kind of the speed of business, when you change how long it takes to collect and understand this information, you can make decisions much more quickly, which kind of fundamentally changes the process that you might have adopted in the past for evaluating third parties. So you go from a place of pain and frustration from every business stakeholder involved to empowering your business stakeholders, to inform and make decisions much sooner, and perhaps more often the case, select a vendor that is more considerate and cares more about the privacy and the security of the data that you're going to exchange with them.

Jamal:

I got it. So essentially what you're saying is what your product or what your software solution, this AI software solution does is it helps businesses to remain competitive. And one of the biggest challenges that you found in your role was the cost of doing business was taking too long because of this way it was done. You send out a questionnaire, they send some stuff back. They haven't answered the questions in the way you expect. So you go back and ask for clarification. Someone goes on holiday, then it comes back and something else gets lost in the inbox. And it can take forever and ever. And by the time you may have finally managed to adopt this business into your thing, you're already behind the competition. It's already taken too long, you're already behind your timelines. And you found that was actually frustrating growth and development for businesses. And from that experience, you've come up with this way where you can actually get the AI to get those answers for you. So you will go to whoever is that was pitching to work with you, that you'd like to work with, and say, hey, show us whatever you have in terms of data privacy, in terms of security, any standards you have anything you're already compliant with. You take all of that information, feed it into the solution, and that will start based on what's important to your organization. Bring up all of that information, identify any risks that need further addressing, identify all of the areas which is compliant, and allow your stakeholders to make better decisions quicker to help the business move further forward faster.

Russ:

That's right.

Jamal:

That's amazing. So what kind of business or what size of business would really benefit from your solution? Yeah.

Russ:

focus so deeply on the other:

Jamal:

Okay, so it sounds like whether I'm a start-up, small or medium sized business or an enterprise and regardless of what industry I'm in, there could be lots of benefits to actually bringing in this tool to help us manage our third party risk management. And one of the things that you'll actually help us do is focus on the ones that are actually a bit of a challenge to focus on and the ones that are actually okay. We know that we don't have to actually divert our focus until we get this taken care of. So it sounds like a really practical and pragmatic solution that you're providing there. If somebody wants to learn more about this or get a demo or see how easy it is to actually use and operate, what's the best way to get in touch?

Russ:

Sure, you can sign up and try our product for free today. We offer the ability to sign up and experience the kind of evolution of usage of AI in the context of reviewing a third party for free. A self service registration is now open and you can get a free assessment of any third party. So we encourage folks to sign up and see it for themselves. You can obviously also sign up for a demo if you'd like help introducing the tool with your team or yourself.

Jamal:

And is it very complicated too? Is there a huge learning curve or is it quite simple as just get myself registered and just plug and play?

Russ:

Well, I'm leading the product in technology and it's kind of my focus to make it very clear and intuitive how to use the product. I'd like to think that if you are familiar with the general problem space of identifying and then reviewing a third party, it is straightforward. We do have a guided walkthrough when you first sign up and so I do think that it's not that complex and I think overall that's a philosophy I think folks should adapt, which is really at its core, it's not a very complex problem. You just need to understand better how another business is focused on investing in the fundamental controls of reducing the risk of doing business with you. And you can get mired down in the details of very particular security or privacy related questions. But if you take a step back and focus on what matters, you can get the coverage you need across all of your third parties, which is more important, I think, than maybe focusing on only one out of a thousand without better understanding all of them.

Jamal:

That makes perfect sense. Thank you, Russ. So my next question for you is how do we keep third party AI solutions from becoming our next big privacy problem or next big privacy headache?

Russ:

Sure. So the problem is not going away, right? And again, it's a subset of broader third party risk management. And I do think that this aligns with VISO TRUST's core value prop of enabling or empowering your team with tools and business practices necessary for quickly evaluating and understanding the risk. Adopt a sensible and flexible approach to quickly evaluate a potential third party's investment in the controls necessary to protect your company's and your customers' sensitive data. I think we as a community of folks who care about privacy or security need to accept that these tools are going to evolve. They're going to be used at pretty much every company. It's quickly becoming kind of a democratising technology. It's almost table stakes already to have some predictive capability to empower your own product or service to be more valuable. So it isn't a question of, I don't want to do business with companies who use AI. It's quickly becoming important to understand that pretty much every company at some point will evolve to use tools that have AI kind of empowering them or adopting and using AI internally. And I think in the general third party risk management approach, you really pick and choose who you partner with based on the strength and the focus of their controls around protecting data and privacy. And you need to adopt that same approach just perhaps more quickly now, because we're seeing that the value proposition of using these new tools is so interesting and it is so valuable that it's just kind of a force multiplier to the problem of generally adopting more and more third parties and sharing that data.

Jamal:

Okay, great. Thank you. So essentially what you’re saying is it's not about avoiding using AI or avoiding working with companies that are using AI. It's actually understanding how is it being used, what are the risks that it might present, and then making good decisions on who we actually choose to engage and work with. So thank you for that. That's very helpful Russ. Now, how is machine learning flipping the script on traditional approaches to detecting data breaches?

Russ:

So the promise of artificial intelligence for detection and response of a data breach, this promise has been around for quite some time. It's actually not new given the latest large language or generative AI revolution. There was always the promise of using AI to do things like detect anomalies and security events. And as someone who worked very closely in adopting those technologies early on, I recognize how powerful these tools can be. I wouldn't say they're flipping the script as much as they've advanced to a point where you can adopt the technology and get value out of it much more quickly. So, for instance, instead of having to kind of predict a potential type of breach or critical security event using the data that you have now and trying to kind of think about the potential scenarios that you might want to be searching for or inferring, newer artificial intelligence services allow you to just put that data in the place where it is normally and at any point in time trying to begin to kind of ask questions about it that don't necessarily require that investment in training data, artificial intelligence model training anymore. So it's kind of a force multiplier and it allows you to essentially ask any arbitrary question of data rather than have to predict and think about those questions ahead of time. And I think anomaly detection is kind of one of those earlier examples of artificial intelligence being used to detect breaches, but now you can do all sorts of things like essentially ask any question of this large data set to detect other types of breaches.

Jamal:

Okay, great, thank you. Thank you for sharing. And I have one final question for you. So you've had a great career. What are three tips that you would give to our listeners on how they can really make sure that they thrive in their careers? Maybe it's easier if I say if you were to go back 20 odd years and give yourself some tips knowing what you know now, what would you tell your past self?

Russ:

Let me just think about three, because there's just so much advice one would give themselves. I think first, don't panic and try and stay focused on the bigger picture. I think it's very easy to see the technology and the tools kind of evolve around you past your own understanding. And if you want to become certified or build strength in a particular focus area, perhaps first focus on getting your hands dirty and really better understand the use of the technology. So I think if I had to give myself some advice, I'd probably say use the tools that I'm trying to learn about the risks presented from. So for instance, if you're thinking about changing your career and focusing more on AI, start to research a little bit more about the fundamental first principles around artificial intelligence and inference. So build a knowledge and understanding of the use of the tools so that in the context of working with people to better implement them, you can empathize and understand that the value is there and that also you can have a conversation that's effective. So get your hands more dirty and more hands on. I think also familiarizing yourself with these frameworks that are being written and maybe even being more involved. If I had to give myself another piece of advice, it would be to kind of look at kind of papers and proposals of these frameworks earlier to understand kind of what the industry leaders and researchers kind of are thinking about delivering in terms of a framework. So, for instance, learn about the AI 1.0 or the AI 1.0 RMF from NIST and try and kind of understand why they're focusing on these particular areas of framing the risk and breaking down the risks and trustworthiness of a large language model or artificial intelligence service. And then I think another piece of advice. 
Third one would be on really having fun while you do it, because I think it's very easy to get, especially in a security and privacy context, think about all of the danger, and if you're focused on risk, you might not be as interested in taking risks. And I think part of growing is getting out of your comfort zone more often, and I think that does involve taking certain risks.

Jamal:

Great. Love those three tips. So number one is actually don't be scared of what you don't know. Actually start embracing it. Go and dig in. Get your hands dirty, play around with it, get familiar with it. Number two is actually understand the structure around what's coming up. Get involved with the academics, get involved with your thought leaders, get involved with the bodies that are coming up and working on these things and really appreciate it. So you get that clarity. And finally, you said, remember to have fun. We can't just sit there and think about all of the worst stuff that's going to happen. Even that might be part of your job is to figure out what could happen and stop it from happening, but get out of your comfort zone, take some risk and try something new, but have fun whilst doing it. Thank you. Russell, that was absolutely amazing, valuable advice. Thank you for all of the tips that you've shared throughout the podcast. And if you're listening and you're thinking more about the solution that Russ has spoken about and you think you might be great for your industry, then don't worry, we'll include all of the relevant links in the show.

Russ:

You know, Jamal, I really, really appreciate it. I don't get to talk a lot about the larger space. I'm focused a lot on building the team and focusing around the vision of adopting technology. If I could reiterate anything, it would be the revolution is here. We're past cloud, we're past AI being very important, and professionals need to adopt and adapt, and I'm very excited to kind of be a part of that. And I really appreciate the opportunity to share my experience, Jamal and I love what you're doing, so very honoured to be here. Thank you very much.

Jamal:

Thank you. It's an absolute privilege having you. Until next time, peace be with you.

Outro:

If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.

Outro:

Remember to join the Privacy Pros Academy Facebook Group, where we answer your questions.

Outro:

Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class privacy pro.

Outro:

Please leave us a four- or five-star review.

Outro:

And if you'd like to appear on a future episode of our podcast or have a suggestion for a topic you'd like to hear more about, please send an email to team@kazient.co.uk.

Outro:

Until next time, peace be with you.
