We are very happy to announce that Data Scientist Khagesh Batra will speak at #RISK Digital this month.

Khagesh Batra, Head of Data Science, The Adecco Group

Livestreaming on 13 February 2024, #RISK Digital examines the changing risk landscape in a content-rich, knowledge-sharing environment. The one-day event sees over thirty expert speakers provide insight and guidance on how organisations can mitigate risk, reduce compliance breaches and improve business performance in the digital age.

An accomplished Data Scientist and Manager with over nine years’ experience in multiple industries, Khagesh Batra currently serves as Head of Data Science (Interim) at The Adecco Group, a world-leading HR Services firm.

Khagesh will be at #RISK Digital to discuss the 2023 data breach suffered by genetic testing company, 23andMe, which affected the personal data of nearly 7 million people.

Below, Khagesh answers questions on his professional journey and introduces the key issues of his #RISK Digital session.

  • 23andMe….and everyone else: Tuesday, 13th February 2024, 09:00 – 09:30am GMT


Could you outline your career pathway so far?

My professional journey has been shaped by a combination of passion, practicality, and a constant thirst for learning. It all began with my educational foundation in computer science engineering, a common choice in India given the prevailing trends. Growing up, my fascination with computers led me to pursue this path, and I genuinely enjoyed the subject.

Upon completing my undergraduate degree, the reality of the job market in India became evident. While job opportunities were abundant, securing positions in high-paying companies was a challenge due to intense competition. I landed a position at Cadence Design Systems, as a paid intern, where I gained valuable experience despite the modest salary. It was during this time that I observed a colleague with an MBA, who was a sales representative, utilizing data analysis to prioritize client concerns. This piqued my curiosity and set me on the path to pursuing an MBA.

Choosing a non-traditional MBA in Business Economics was driven by financial considerations, as it was the most affordable option for me. Little did I know that this decision would expose me to the emerging field of analytics, combining computer science skills with econometrics and statistics. This realization opened new doors, leading me to join Deloitte as a consultant.

Over the course of five and a half years at Deloitte, I delved deep into analytics, witnessing the evolution into machine learning. However, I recognized that the challenges and dynamics of consulting in the Netherlands differed significantly from my previous experiences. This realization prompted me to transition from consulting to industry, seeking a more comprehensive understanding of the entire process beyond project-based work.

The next chapter of my career unfolded at a prominent insurance company, where I spent over a year immersing myself in data engineering, pipelining, CI/CD, and cloud technologies. This phase expanded my skill set beyond data science, emphasizing the importance of a structured approach beyond model building. I navigated through regulatory constraints and business-driven models, gaining insights into prediction methodologies within the insurance sector.

Despite the valuable experience gained in data engineering and cloud computing, I felt a pull back towards my roots in data science. This led me to IKEA, where I served as a senior data scientist, contributing to projects focused on customer feedback and experience. My expertise in data engineering and cloud services proved instrumental in providing a more robust structure to the team.

Following my spell at IKEA, I ventured into a new role as an interim head of data science at The Adecco Group. Originally recruited to lead the data science team in the Netherlands, the position evolved into a temporary role within the corporate team, emphasizing adaptability in my career journey. Currently, I hold the position of a senior data scientist within the corporate team, showcasing my commitment to continuous growth and flexibility in navigating the dynamic landscape of data science.

What does the 23andMe data breach event say about the average online user’s approach to data privacy today, and what can people do to better protect their online information?

The recent 23andMe data breach sheds light on the prevalent attitude towards data privacy among average online users today. While many may prioritize safeguarding their credit card information, the breach underscores the significance of protecting other sensitive information, especially for those engaged in online activities apart from web shopping.

The breach itself originated from a phishing attack, revealing a critical vulnerability in users’ approach to password security. Analysis of the incident indicates that a considerable number of individuals shared common passwords, providing cybercriminals with an entry point to siphon off data from the database. This emphasizes the need for individuals to enhance their password practices as a fundamental step in bolstering online security.

Before the breach occurred, the password requirements were not excessively complex. Many websites and digital platforms generally do not mandate intricate password structures. This lack of stringent requirements, however, resulted in a vulnerability that cybercriminals exploited through phishing attacks. In essence, the breach underscores the critical role individuals play in fortifying their own digital defences by adopting robust password practices.

In a professional environment, individuals often encounter stringent password policies for their work laptops. These policies typically mandate complex passwords that include a combination of characters, special characters, caps lock, and numerical values. Implementing similar stringent password practices in one’s online activities can significantly contribute to a more secure digital experience. A complex password, comprising a mix of alphanumeric characters and special symbols, serves as a formidable barrier against unauthorized access. 

Users should recognize the importance of creating unique and intricate passwords, steering clear of predictable patterns that make it easier for cybercriminals to crack them. Simple and easily guessable passwords, such as numeric sequences or common words, pose a significant security risk. Adopting a proactive approach to password management is crucial, especially considering the multitude of online platforms that store personal data.

While 23andMe is unique in its specificity regarding genetic data, the broader lesson applies universally. Engaging in online activities, be it genetic testing or e-commerce, exposes individuals to potential breaches. For instance, even routine actions like Amazon shopping can reveal sensitive information about purchasing patterns, income levels, and network preferences. Therefore, irrespective of the nature of the online interaction, maintaining secure password practices is imperative to mitigate the risk of unauthorized access and subsequent breaches.

Are existing privacy laws fit for purpose when it comes to the need to protect huge swathes of highly sensitive DNA data?

The adequacy of existing privacy laws in safeguarding extensive volumes of highly sensitive DNA data raises important considerations. Firstly, the laws themselves may be lagging in terms of relevance to the unique challenges posed by DNA data.

The term “adherence” might be more fitting than “compliance,” as it reflects the aspect of following through with the law’s requirements. It’s plausible that the legislation is not entirely up-to-date in addressing the intricacies associated with DNA data, given its relatively recent integration into digital platforms on a mass scale.

The novel nature of DNA data on digital platforms, spanning across numerous individuals, families, and generations, introduces unprecedented challenges for privacy laws. Unlike isolated incidents involving a few subjects, this breach occurred on a large scale, affecting a broad spectrum of people. The implications extend beyond mere individuals, reaching into the realms of families and generational connections, presenting a complex scenario that may not have been adequately anticipated in existing privacy frameworks. 

Furthermore, the breach revealed a potential gap in privacy considerations, as DNA data, previously not publicly available or associated with products, faced compromise. This breach sheds light on the need for an elevated level of consciousness regarding the privacy implications of handling DNA data in the digital sphere.

In addition to the intrinsic challenges within the laws themselves, the issue of compliance adds another layer of complexity. The geographical disparity between the location of data servers and the application of data privacy laws introduces a potential loophole. Providers might operate with a web interface in one country while storing data in another, potentially subjecting them to different sets of privacy laws. This jurisdictional mismatching can lead to pre-trial challenges, where providers argue that the laws of the data storage location should prevail, creating a legal grey area that can be exploited.

Even if privacy laws are updated to address the specific nuances of DNA data, the effectiveness of these laws hinges on robust and consistent compliance. The presence of grey areas poses a significant challenge. It is akin to having tools that are rarely used, rendering the legal framework less potent in ensuring comprehensive protection of DNA data.

What can businesses learn from the 23andMe data breach event with regards to optimising cyber security?

The 23andMe data breach incident offers valuable insights for businesses aiming to optimize cybersecurity practices. One key lesson is the interconnectedness between cybersecurity measures and overall business decisions. Often, security considerations might be overlooked or deprioritized in favour of immediate business metrics, such as signup rates.

In many instances, discussions within a company’s R&D or security teams might involve emphasizing the need for robust data protection measures, including complex password requirements. However, when presented to the business side, conflicting priorities may arise. Business leaders may weigh the impact on signup key performance indicators (KPIs) against implementing stringent security protocols. This delicate balance between security and immediate business gains is a crucial aspect that businesses need to reassess.

The tendency to view security solely as a potential impediment to initial metrics can lead to a skewed perspective. Businesses, particularly those dealing with significant amounts of consumer or business data, should recognize the distinct importance of cybersecurity. It is not merely a cost but a long-term investment in preserving reputation, customer trust, and overall market positioning.

A critical aspect of the solution lies in assigning security the same level of importance as financial compliance. While financial regulations are often prioritized due to the clear consequences of non-compliance in the form of hefty fines, cybersecurity is sometimes treated with less urgency. The analogy emphasizes the need for businesses to recognize that neglecting cybersecurity measures can lead to severe consequences in the form of data breaches, reputational damage, and the challenging task of rebuilding lost market trust.

The key takeaway is to integrate cybersecurity into the broader risk management framework and prioritize it akin to financial compliance. Understanding that cybersecurity is not just a potential cost but a fundamental aspect of responsible business practices will position organizations to navigate the evolving digital landscape more effectively, ensuring the protection of sensitive data and maintaining the trust of their clientele.

Don’t miss Khagesh Batra exploring these issues at #RISK Digital in the session: 

23andMe….and everyone else.

Additional information is surfacing regarding a data breach initially disclosed by the genetic testing company 23andMe in October.

However, as the company provides more details, the situation is growing increasingly unclear and causing greater uncertainty for users trying to comprehend the implications. It also raises the question of whether we can ever effectively protect our information, and whether our privacy laws are even a fit for DNA data that spans individuals, families, and generations.

Panellists will delve into what this means from a privacy and privacy law perspective.

Also on the panel:

Details

 23andMe….and everyone else
  • Time: 09:00 – 09:30am GMT
  • Date: Tuesday, 13th February 2024

The session sits within a packed agenda of insight and guidance at #RISK Digital, taking place on 13 February.

Discover more at #RISK Digital

#RISK Digital will examine the changing risk landscape in a content-rich, knowledge-sharing environment. Attendees will be able to learn and better understand how to mitigate risk, reduce compliance breaches, and improve business performance.

Risk is now everyone’s business. Enterprise chiefs need to be tech-savvy, understanding how GRC technology fits into strategy and how to solve regulatory challenges.

 
