How to foster a culture of data privacy and security in tech companies?

Matthew Fleck, CEO & Founder ● Apr 9th, 2024

The full transcript

Oleg

Hi, everybody! Welcome to the Devico Breakfast Bar! Here we speak with different people involved in the business landscape, share their experience, delve into the latest tech trends, and explore the ins and outs of IT outsourcing. I'm Oleg Sadikov, and today I'm excited to have Matthew Fleck from Anonomatic. Matthew, could you please start by telling us a bit about yourself and your professional background?

Matthew

Sure, happy to. And thank you for pronouncing the name of Anonomatic correctly. So, people have trouble with that to begin with. But it's all good. So, I've been in the software development arena my entire career. Actually, started way back in high school. When my high school started a PC lab, I fell in love with that. And when I went to college, I pretty much knew what I needed to do, what I wanted to do, and what I was good at. So, it's been a wonderful journey, great profession so far.

Oleg

Okay, great. Could you share with us your professional journey that led you to found Anonomatic? And what inspired you to delve into the realm of data privacy and software solutions?

Matthew

Yeah, it's actually pretty interesting. So, I spent about good half of my career working in AdTech. And if you've ever been in that field, no one ever thanks you for delivering commercials and ads. It's not something you're ever going to brag about. Now, it's a challenging thing, and there's lots of professional rewards for doing so, but it's not something that makes you feel good. So, I kind of bounced back and forth between working for other people and starting my own companies. And right when I was leaving a big international company, a prior client reached out to me and asked me if I could help her. Now, she was the president of the board of directors for an organization called the LA Trust for Children's Health. And what they do is they oversee over 100 different healthcare facilities spread across the campuses of Los Angeles Unified School District. Now, LAUSD has over 600,000 students. This is bigger than some states in the United States.

Most of those kids are underprivileged, and they just don't get any healthcare at all unless they receive it through the school. So, the School District years ago had this philosophy that they came up with of healthy family, healthy students. And so, what they did is they funded the creation of a network of school-based health centers. Now, these things have been very successful, but nobody could quantify how successful. So, what the LA Trust wanted to do was to collect detailed, what's called encounter data for each of the service providers who ran these school-based health centers, combining with the academic data, and discover what healthcare, mental service, vision care, dental care, what sort of services actually move the needle on academic performance. Will it increase attendance? Will it increase graduation rates? Will they do better on standardized test scores? And that, as compared to AdTech, led me to thinking, 'Yeah, that's something that's going to make me feel good. I'm actually helping real people do much better in their lives.'

But when I looked at the data I would be collecting and that I would have to organize and protect, it just scared me. There's no way I wanted to be responsible for data that level of detail. You know, because it had to be secure, and it had to be secure for decades – 40, 50, 60 years – you never want any of that information getting out. And as I looked at the technology that was available, there was just nothing around, right? Most people consider encryption to be the way to protect data. No encryption today is going to last 50 years. So, basically, that led me to invent this process, what we call polyanonymization. And from my background as a vendor in the AdTech world, I knew that the technology I was creating would have applicability across every industry in every country. So, it was always in my mind to actually take that technology, and found a company, and do what Anonomatic is doing today.

Oleg

That sounds impressive. Really. Anonomatic seems to be disrupting in landscape of data privacy with its software solution. What sets your approach apart from traditional methods, and how do you envision it revolutionizing the industry?

Matthew

Sure thing. Well, the traditional way that people have been protecting data for centuries is using some form of encryption or obfuscation. So, in more recent history, encryption and tokenization are the means by which people say, 'Oh, I'm ensuring data privacy.' But the data privacy problem hasn't gone away since people started using encryption and tokenization. So, if those two technologies could actually solve the data privacy problem, they would have done so decades ago. They never will. You can't encrypt your data to get data privacy. All it does is to make it harder for someone to get value from it when they steal it from you. The only way to really solve this problem and to look at it is to realize that data is not data. There's two types of data. There is data that drives business. These are the transactions, whether they be financial transactions, healthcare, social media posts, what have you. And then there are the different independent values, which identify who those transactions relate to.

And if you logically and physically separate the business value data – all those transactions – from the independent values that identify them, your overall risk drops through the floor. And as we like to say that if you remove and you polyanonymize all the data that is identified, all your transactions, you can take business records, my financial, my healthcare records, you can throw them on a billboard. I don't care if there's nothing in there that points to me. And so, that's what we permit. It's actually not all that challenging to deidentify data, but what Anonomatic has done is we've made what we call polyanonymized data, fully anonymized, deidentified data, as useful as fully identified data. And that's the real trick. That's what we've really done.

Oleg

What do you think about quantum computing and quantum encryption? Everyone – okay, not everyone – many say that the next boom after AI will be quantum computing. It actually already started. So, what do you think about quantum encryption? As far as I know, that could help. No?

Matthew

Well, it could help, but it's following the same path. I have this slide I like to use when kind of introducing what we do to somebody who's not familiar with us. And it starts back with the Greeks and the first known ways of trying to encrypt data. And then it has a timeline all the way up to post-quantum encryption. And as it moves along, the movement from one type of encryption technology to the next gets smaller, and smaller, and smaller. Why? Because people get smarter, and smarter, and smarter of breaking encryption. So, I think there's two things I think are really true about any form of encryption. One is nothing is going to last forever. And two is when somebody who wants your data has broken the way that you encrypt it, they're not going to tell you about it. You know, I think the Enigma machine in World War II, it's like the Allies knew for a long time what the Germans were saying, but they didn't tell them.

They're just like, 'Oh, we're going to use this. We're going to use that.' And what's been written about quite a bit is that hackers these days, when they get into a system, and they find encrypted data, they're just stealing it. Before, they used to leave it alone. It's like, I can't do anything with it. Now, they're stealing because they know at some point they will be able to do so. Let's take that to the quantum and what they're called post-quantum encryption. So, post-quantum encryption is just more iterations. I mean, mathematically, it is much more intense than the current AES encryption. And so, even if you have a quantum computer, they say it's still going to take too long to break it. Now, for those who may not be familiar with it, AES is the current kind of gold standard of encryption. If you weren't aware, AES standard was published the year before the Apple iPod was released. I don't know how many people are still using their iPods, but they're still using encryption – that's, you know, technology that's even older.

And while it would take common standard hardware these days, about a trillion years to break AES-256, a quantum computer will break it in about 20 seconds. So, that's why they need post-quantum encryption. If you think of all the iterations that you have to do to make it hard to break an encryption algorithm, think about having to use that encrypted data all the time. You've taken the data in your database, and you've encrypted it with post-quantum encryption, and you're not using a quantum computer when you need to decrypt it and use it. How much of a drag is that going to be on your entire process? So, in our viewpoint, you can't encrypt your way to data privacy and data security. It's just not gonna happen. It's a useful tool. It's a component. Any security should be layered, but it's not the be-all and end-all.

Oleg

Okay. Okay. Got it. Makes sense. What are some future trends you foresee in the field of data privacy, and how is Anonomatic preparing to adapt to these changes, probably, except quantum computing?

Matthew

Yeah, you know, that's really interesting. And quantum computers come in there as well. So, what's the biggest thing in the press and what everybody is talking about, both in tech and out, it's AI and generative AI. What happens when you compare or combine generative AI with quantum computers? And because the hackers aren't going to ignore this technology, nor enemy states, when they use generative AI with quantum computers for malicious purposes, we call that degenerative AI. And when degenerative AI is going to be used to attack your installation, try to get your data, really, the things that are out there in the market today, that people are using, they won't be able to stand up against it. And so, that is the biggest threat that I think people just aren't recognizing. Combine that with data is kind of becoming immutable, especially if you use something like Snowflake, or you're going to store it. I mean, people just want to store the data. So, it's going to be there. So, if you encrypt your data, and you store it, and it's someplace, when somebody gets through to it, they're going to be able to steal it, and eventually they're going to get through. And they may not break your encryption, maybe they just steal the encryption key because somebody left it around someplace. So, it's kind of one thing after another snowballing that just makes storing sensitive data a huge, huge risk.

Oleg

Very interesting. Thanks for the details and for the insights from the future.

Matthew

Yeah, as you can tell, it's something we're pretty passionate about here.

Oleg

Yeah, I can imagine. Are there any professionals or leaders in your network who inspire you in your professional journey?

Matthew

You know, I've never really followed those sort of trendsetters. One thing I recognize is that when you see somebody from afar, even if you read their writing or something else, it's the tip of the iceberg. I know from my own experience and trying to run my own company is that what other people see, there's 90% under the water that are not seen. And there're the challenges, and there're the compromises that you have to make, and all the rest of it. So, never being one to have been able to march to somebody else's drumming. I pretty much have approached if I look at the problem, I see how I think it should be done, whether or not that is the conventional way. And that's the way I go. So, great question, but I really don't look to others to guide me. I do have some really good advisors that I use for advice. But I don't look at industry leaders.

Oleg

Okay. In addition to your professional life, do you have any personal interests or hobbies that you're passionate about? And how do they complement your work or provide balance in your life?

Matthew

Well, I think it's that last part that's really important is it's the balance. Like a lot of lifelong nerds, I can kind of just get tunnel focused and tunnel vision into what I'm doing and into technology and how cool these things are, but you have to be able to step away. You have to have people that ground you. You know, I've just got a great family, love them tremendously. I know they support me. I also love to just get outdoors, and I like to hike. I try to get out and do at least six miles of really fast walking every morning, and it's usually out by 6 a.m. to get this thing done because I've got a lot to do every morning.

Oleg

Six miles every morning?

Matthew

Yeah.

Oleg

On a regular basis?

Matthew

I did it every morning for over six months till I got an injury, and then I had to wait till the repair, and now I'm back at it again.

Oleg

Amazing! That's great! Does it help you to clear your mind and think or bring some ideas?

Matthew

It absolutely does. Because when I'm not around the computer, and it's the things and the 'Oh, I've got to do this' and, you know, the papers on my desk, I break it up kind of 50/50 of I just disconnect entirely, and I listen to an audiobook, or I'm just enjoying the scenery. And then, the other part is 'Okay, let me just think about what's going on. What do I have to do? What are different ways to achieve it?' And especially first thing in the morning, that's when I'm just the most creative. And so, that's when I can come up with simple solutions to problems that can found me late in the afternoon. So, I just put them away, and I'm going to think about it in the morning, and then things get more clear. So, that's kind of how I balance out, you know, just quality of life.

Oleg

I make a conclusion that you're a morning person.

Matthew

That is absolutely true. Do not try calling me and getting a coherent answer late at night. Not gonna happen.

Oleg

Can you share any lessons learned from your experience in leadership and management with the context of building and scaling Anonomatic?

Matthew

Yeah, absolutely. I've always had the philosophy that people do best what they like to do. And so, there's like a 10% that you have to push them beyond what they're comfortable with. Because everybody wants to grow, everybody wants to be challenged. And so, when you find the people that you want to work with, and you can give them things that they like to do and where they feel challenged, you're going to get the best results. They're going to be happier, they're going to feel good about it, and you're going to get what you need. If you try and put somebody into something where they just, they don't like it, I mean, who wants to work a job they don't like, right? There's too many people who have to do it. So, never in one of my organizations. So, basically, I like to hire professionals – you know, professional adults – and let them do their jobs.

Oleg

Simple and the most efficient way.

Matthew

It's also easier for me, right? If I've got somebody who loves what they're doing and can do it, I don't have to spend the time watching over them. I can just tell them, 'Here, this is what I'm looking for.' And, you know, stay away from telling them how they have to do it. This is what I need you to accomplish, and let them do it. And they know that they are trusted to do it. And they know they can come to me with questions. So, yeah, it's just plain old easy.

Oleg

In your opinion, what are the most critical aspects organizations should consider when addressing data privacy concerns?

Matthew

Well, you know, it's funny because it's more than just data privacy. Data protection is really worth this. Deep privacy is this component of data protection, and you need to protect your data, right? There's more and more data every day than there ever was before. What we've learned is that basically about 40% of an organization's overall budget can be attributed to there being identifying values in the data. Once again, if there were no identifying data, throw it on a billboard, but you can't really use it. Historically, you could only use deidentified data for aggregations, and you can't do much with it. So, that's why people say, 'Oh, anonymous data, I can't use it.' Well, that's all what we call dumb anonymous data. So, when your organizations are looking for, you know, how they need to protect data and how they have to handle data privacy, the most important thing they need to do is realize that this is not a simple solution where they can just have a clipboard, and they mark it off the checkbox. Have I encrypted my data? Yes. Good. I'm fine. Whew! Because that's not just going to work. They have to actually look at what the problem is, look at what the threats are. And when degenerative AI is attacking, the first thing that's going to fall are those checkboxes. So, If they can't make the data useless to a hacker, then they really haven't accomplished anything. And so, what we really believe they need to do is look long and hard at Anonomatic. Because we're the only ones who take this polyanonymization approach. And instead of trying to lock down the data, right?

Because let's go back to that post-quantum thing, as you put more and more protections on the data, and you make it harder and harder to use, it's just the ripple costs of the developers and everything else just reduce your ability to iterate, increase your time to market, increase your costs. But when you can accomplish 100% of your tasks that you want to out of your data and get full value out of it, but you don't have any of that risk, then your life gets easier because you just don't have to deal with those other problems. Let me give you a for instance. So, we talk about encryption a lot, and people do that. So, you've got a production system, and you've encrypted your data there, and customer calls in, and you've got a customer support, and they can't solve it. So, they send it to a developer. Developer has access to all that information.They've got to bring up medflex, medical record, my financial record. And so they see all the business data with me as well as my identifying information because that data gets decrypted as it comes out, right? With today's global environment, where is that developer? Where is the system tester? What is their issue? You may be able to protect your network, but can you protect someone from taking their cell phone and taking a click of the screen? No, you can't. So, none of those things can be solved with legacy data protection. Let alone data privacy solutions. But we handle all of that. We can make all of those things absolutely secure.

Oleg

It makes perfect sense to me. What potential challenges – we already defined quite a few – but what other potential challenges do you foresee in maintaining the security and reliability of AI-driven type of privacy solutions?

Matthew

Yeah, well, AI is such a ripen environment because the promise of AI, and not in data privacy but just in AI in general, is deeply personal results, right? You want, a medical recommendation – it has to be exactly for me, and it has to be well-informed. Financial, you know, even an ad, it should be absolutely clear to me. And so, if you're going to do AI-driven privacy for good or ill, people fear all of that because what happens when the AI is not trained correctly. And you're probably going to think about it more Terminator-type vision. But when it comes down to it is how do you train those models. And if you're just taking historical data and legacy approaches, what you're doing is you can absolutely permeate historical inconsistencies in your data, inconsistencies in how you do it. So, unintentional bias in the data, they can just easily, very easily, get permeated throughout your data. And so, the way to handle all of that is to make the AI be able to be trained, and be able to generate results, and then be able to act upon those results without the AI ever being exposed to any of these identifying values. It's the only way to do it. And it really just cuts the Gordian knot of all these problems of being able to solve an intentional bias, be able to deliver on security, be able to deliver on privacy, and basically make it so that organizations aren't afraid of PAI anymore. So many companies that we talk to, and we hear about, are afraid to use AI to its fullest because of identifying values in their data. So, get rid of those values, and then you don't have those issues.

Oleg

Thanks for the response. Data privacy and compliance might be perceived as unique niche, how do you attract tech talents and what qualities do you look for in potential team members?

Matthew

You know, I didn't come from a data privacy background, basically, saw a problem, came up with a way that I thought was the most efficient way to solve the problem. Basically, I look for people in the same way. I look for people who are talented and able to think on their feet, solve problems, learn what they need to do. There's been this trend, and I get it. But I think it's self-defeating in that when organizations don't want to hire and train. They just want somebody who can step in right away. And what you're getting is people who are very targeted and limited in what they have exposure to. Whereas we really never know what kind of organization, what company, what industry we're going to be meeting with next. So, having people just bringing in from a broad background. And are you smart? Are you hardworking? Are you honest? Can we get along with you? Can we trust you to get done? These are the things that we look for. And not surprisingly, that's a very attractive approach to top-quality talent. They want to be treated like an adult. They want to learn more. They don't want to do the same thing they've been doing for the last 5 years at the last company. And so, it actually makes it really simple.

Oleg

Yeah, simple and efficient, as I said. Have you ever outsourced your tech needs to an external vendor?

Matthew

We have. And, we look at those as projects come up. So, I try to keep a nice tight team, but when we look at something that's going to need to scale, or I need extra resources, then, yes, we look outside for other help. It just makes sense. You know, throughout my career and in other organizations, we've worked with offshore teams quite a bit. So, I've had a lot of experience with that. And there's just different ways you deal with those sort of people for those projects to get the results you need. And if you can build a lasting relationship, and they build up the knowledge of what you're doing, then you can keep using them and get great results constantly.

Oleg

What are the factors that prompted you to consider IT outsourcing?

Matthew

First off, it's going to be the, you know, what is the size of the project. Our ability to handle it inside our existing backlog of work to do because software is never finished. So, we're always building new capabilities. But when we have something, it's like, 'Okay, this is a chunk that I can break off to somebody.' I want to find a team that communicates well. What I have found works best for me in my experience is when we do a kickoff, I will typically go there and meet with the entire team, and work with them, and do this big knowledge transfer straight off the bat. Here's not only what we're doing and what we want you to do, but here's why. Here's everything that's around it. Because these people are smart, just as, you know, I hire folks, but these offshore teams that hire, you know, great developers, and product managers, and UI people, you know, it doesn't matter where in the world they are, they're still smart, they're still capable of doing a lot, but they have to understand. And there's so much that is contextual when you don't work for the company directly, that's solving the problem that it's just better if you've given that background, and so I found that that is a critical success factor.

Oleg

Thanks for the answer. What are the benefits and drawbacks of IT outsourcing?

Matthew

Well, the benefits are, you know, it's kind of like cloud computing. You can scale quickly, right? Scale up, scale down, and get something done. The drawback is you need to make sure that, unlike hiring somebody and knowing how good their code is, and letting them do it, and maybe a cursory review, when you have an entire subsystem or product capability that's been outsourced, our resources need to go through there and make sure that what's been developed is going to mesh not only at the front end level but also back end, and that all is going well. The country where it's being done, and, you know, a lot of times it's outsourced is important because some of our customers are very sensitive about and actually restrict where the work is being done, and what citizenship, and so on. So, because we're in the data privacy world and data security world, there are some countries where we just can't get things, you know, we couldn't use.

Oleg

How do you measure the success of collaboration with an IT outsourcing vendor?

Matthew

In the end, it's going to be ‘Did they deliver based upon what we agreed?’ But before you can get there, you have to be able to work with them to come to those agreements ahead of time. And there's always going to be changes. So, how flexible is it? How easy is it? How much more is it going to cost if I say, 'Listen, we just heard that we can't do it this way. We have to do it that way. You know, it's just an extra 10% of time, in my estimation. What's it going to change?' So, it has to be a living, breathing relationship within a skeleton that's pretty damn rigid. You know, it can't deviate too far, but it's gotta still deliver. And so, in the end, it's like, 'Did they do what they say they're gonna do?'

Oleg

Got it. And my last question – what advice would you give to other companies considering IT outsourcing?

Matthew

Just look at them. Look at the people. In my view, it's never good to just hire heads, or hands, or whatever else it is. You've got to look at the team. You've got to understand the team, and you've got to be willing to work with the team, and they've got to be willing to work with you. And that is that's critical.

Oleg

Matt, thanks for your time. The insights you provided for sure were useful. Amazing conversation, amazing episode. I'm sure my auditory will like it. If you enjoyed the discussion and want to stay updated on future episodes, don't forget to subscribe and hit the notification bell. That way, you will not miss out on the latest insights and conversation from the Devico Breakfast Bar. Thanks, Matt.

Matthew

Thank you, Oleg. It was a pleasure. Appreciate the invitation.

Watch previous episodes

Contact us for a free
IT consultation

Fill out the form below to receive a free consultation and find out how Devico can help your business grow.

Get in touch