Season 2 Episode 4: Dr Ian Oppermann: AI opportunities, data safeguards, and scientists in the boardroom
Dr Ian Oppermann GAICD is a co-founder of ServiceGen and the former Chief Data Scientist for the New South Wales Government. He speaks to us about artificial intelligence opportunities, governance safeguards around the use of data, and what scientists can add to the boardroom.
Transcript
Hello and welcome to Boardroom Conversations, a podcast from the Australian Institute of Company Directors. My name is Bennett Mason and thanks so much for joining us. In each episode we'll have candid conversations with some of Australia's top directors, leaders, and experts, delving into their backgrounds and discussing many of the key issues that boards are grappling with today. Our guest this time is data scientist Dr Ian Oppermann. He's the co-founder of an organisation called ServiceGen, which aims to help governments accelerate digital service delivery. Ian is also an industry professor at the University of Technology Sydney, a board member at Standards Australia, and he previously spent eight years as the New South Wales Government's Chief Data Scientist. Ian, thanks so much for joining us on Boardroom Conversations.
IAN OPPERMANN
Great to be here.
BENNETT MASON
Now obviously today we're going to be talking a lot about data. So, let's begin with that term “big data.” What is it and what are some of its key risks and opportunities?
IAN OPPERMANN
Thank you very much, Bennett, for the question. Big data has been with us for quite some time. We used to talk about data in terms of volume, velocity, and variety, and that was enough, really, to paint the picture that we were talking about more than just an Excel spreadsheet. We were talking about data from multiple sources. That's the variety part. Data which is really massive. That's really the big part. But ultimately it was data that you could ask lots of questions of, and that would give you different insights into a particular challenge that you had or a particular situation. Now over time, people have moved from doing essentially Excel spreadsheet data work to really bringing together vast quantities of data. We hear about data lakes and sometimes data swamps, and increasingly we're trying to use data for more and more important purposes. So, it's not just finding that needle in a haystack, finding that strange correlation, but really trying to use it for strategic purposes or trying to use it for things that really matter, helping to change the way we engage with customers. Where we start to get into trouble is when we try to use data for really important things, as opposed to just things that are interesting and curious. Where we get into trouble is when we start to use data for operational purposes or in administrative decision making, as opposed to writing reports that go to people who can think about it carefully and say: “Yes, I agree” or “No, I don't.” So, I think we have all been on somewhat of a journey with big data. We no longer really refer to it as big data anymore. We typically talk about analytics or AI, but it's still about seeing the world differently, seeing the world through multiple lenses, getting different insights into that challenge or situation, and being able to do something useful with those insights.
BENNETT MASON
I want to talk a little bit about your career now. We mentioned in the intro that you were the Chief Data Scientist in New South Wales. Can you describe what your role was in that position?
IAN OPPERMANN
Thank you. It's already bringing back memories. So, I was the first ever Chief Data Scientist for New South Wales. It was an experiment. And really, it was an attempt to try and focus some effort inside New South Wales and bring government on somewhat of a journey. Governments all around the world use data, but the intention here was to use lots of data to really tackle wicked policy challenges and problems that are complex, subtle, and ultimately have people's behaviour at their heart. We looked at transport optimisation. We looked at where to put the next school. We looked at serious issues like domestic and family violence, and also helping to reform what's called the out-of-home care system for children identified at risk of significant harm. I joined in August 2015. That was a long time ago. And for the first few years it really was helping people see the world differently. Do some interesting things, show some interesting insights, help people think a little differently about the sorts of data they use and the ways they can think about understanding problems. We worked with Fire and Rescue on one of our first ever projects, and ultimately what we were trying to do was tell a fire crew before they arrived, when an automatic fire alarm goes off, is it a real alarm, a false alarm, or an unwanted alarm? And so, we deliberately set out to demonstrate that all sorts of data sets could be interesting and useful. So, we had, of course, the alarm data. And there were 48,000-odd alarms that went off the year prior. And Fire and Rescue, by law, must respond by default. That's 96,000 truck rolls, and 97 per cent of the time it's actually someone burning toast. So, we said, let's see if we can tell the crew before they get there. And it's about seven minutes, so we had that long to do it. So, we took not only the alarm data, but we took information about the building, how it was used, the hour of day, the day of week, the month of year. So, we had some seasonality components. We took air quality, we took lightning strikes, we took cycles of the moon, and we took social media. And we built predictors slowly but surely, which got better and better over time. And all of those data sets were useful except one. All of those data sets gave some signal in the noise to help build a better predictor of: was it a real alarm, a false alarm, or someone burning toast? It turns out social media has no impact whatsoever on the predictability, because people take their photos after the trucks, after the appliances, get there. So, the first few years of being Chief Data Scientist really were about helping people wake up to the value, power, and ways of seeing the world differently through data. Every data set is a point of light. Every data set is imperfect. Every data set doesn't give you full coverage. Every data set contains bias, but every data set is a way of seeing into that problem differently. And analytics and AI are a way of making sense of all of that data. Then Covid hit and Covid changed everything. So, the years of experimentation we'd done around building governance structures and showing how you can bring these different datasets together, suddenly people didn't think it was just an interesting curiosity. It was actually something which was essential to understand what was going on in New South Wales. What was the impact of Covid? What was the impact of the government response? What was the impact on business? What was the impact on vulnerable individuals?
And so, we moved from generating insights that went to people, and people could look at them and say, yes, I agree, no, I don't, go back and do it again, to what's called situational awareness: the operational uses of AI and operational uses of data. So, it's the “show me” use case, show me what's going on right now, or the “tell me” when something happens. And we moved from it being okay to use data sets that were months or years old to, if the data set was more than 24 hours old, no one was interested. Those insights were really operational. So really it was an act in two parts or a game in two halves. I'm not sure I remember the analogy, but it was really something in two parts. There was the experimentation, working slowly but deliberately through increased use of data and analytics. Then to really taking big steps forward and getting very serious about the use of data, analytics, and AI in both operational and non-operational senses, and then building out more and more formal structures around governance, around assurance and, ultimately, around AI assurance.
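To make the fire alarm example concrete, here is a minimal sketch of a multi-source false-alarm predictor of the kind described above. The file name, feature names and model choice are illustrative assumptions, not the actual Fire and Rescue system.

```python
# Minimal sketch of a multi-source false-alarm predictor.
# Schema, feature names and model choice are assumptions for illustration.
import pandas as pd
from sklearn.ensemble import GradientBoostingClassifier
from sklearn.model_selection import train_test_split
from sklearn.metrics import classification_report

# Hypothetical table: one row per alarm activation, pre-joined across sources.
alarms = pd.read_csv("alarm_events.csv")

features = [
    "building_type",      # how the building is used
    "hour_of_day",        # time-of-day signal
    "day_of_week",
    "month_of_year",      # seasonality
    "air_quality_index",  # environmental data
    "lightning_strikes",  # strikes near the site in the preceding hour
    "lunar_phase",        # the deliberately non-traditional data set
]
X = pd.get_dummies(alarms[features], columns=["building_type"])
y = alarms["label"]  # "real", "false" or "unwanted" (burnt toast)

X_train, X_test, y_train, y_test = train_test_split(
    X, y, test_size=0.2, stratify=y, random_state=0
)
model = GradientBoostingClassifier().fit(X_train, y_train)
print(classification_report(y_test, model.predict(X_test)))
```

In this framing, the finding that social media added nothing would show up as a near-zero feature importance if a social media feature were added to the list.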
BENNETT MASON
I want to talk more about Covid in a moment, but just getting back to the New South Wales Government, do you think that people within government became more accepting of data and the way we use data over the eight years you were there?
IAN OPPERMANN
I'd like to think so. I'd like to think that the eight years weren't completely wasted. Again, all governments everywhere use data. What we tried to do was really push people's imagination about the art of the possible, and also an understanding that non-traditional datasets can be quite useful. Take that example of deliberately including lunar cycles. I mean, we all kind of think it has an impact. We showed it really did. That deliberate use of datasets which were not the traditional, conventional datasets that people would use really helped broaden people's imagination. And out of the volume, velocity, and variety, we really pushed hard on the variety, because you really can see the world differently. And some problems, some challenges, really are multi-jurisdictional or multi-agency. I mentioned briefly the children at risk of significant harm. We built life journeys for every child that had been in out-of-home care over a ten-year period, 22,000 at the time, 44,000 over the ten-year period. And we connected those life journeys through data from Education, Health, Justice and Family and Community Services, as the agency was at the time. And then we connected those 44,000 life journeys to 137,000 related persons, as described by Family and Community Services. That was a really ambitious thing to do, and what we could say was: this is what life is like for this child in their family. As opposed to 50% of children and 20% of children and 5%, we could say: girls under 12, boys under 12, regional versus remote, Indigenous versus non-Indigenous, this is what it's actually like for children like this. And that was extraordinarily powerful. The problem, of course, is that it really shines a bright spotlight onto complex systems that multiple parts of government need to respond to. And in fact, in some cases, multiple NGOs need to respond to. So, we really pushed hard. We adopted a mentality of deliberate but cautious in terms of our movement forward. We didn't want to run fast and break things, the sort of perspective of some of the corporate world. But we knew the use of data was too valuable not to take up. We wanted to make sure we took it up ambitiously but deliberately and cautiously.
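As a rough picture of what "building life journeys" can mean in practice, the sketch below stitches per-agency event tables into one chronological timeline per child. The linkage key and table schemas are hypothetical; real cross-agency linkage sits behind the governance controls discussed throughout this episode.

```python
# Illustrative sketch: assembling cross-agency "life journey" timelines.
# The linked_id key and the table schemas are hypothetical assumptions.
import pandas as pd

# Each agency contributes events: (linked_id, event_date, event_type, detail).
sources = {
    "education": "education_events.csv",
    "health": "health_events.csv",
    "justice": "justice_events.csv",
    "facs": "facs_events.csv",
}
frames = [
    pd.read_csv(path, parse_dates=["event_date"]).assign(source=name)
    for name, path in sources.items()
]
events = pd.concat(frames, ignore_index=True)

# One chronological journey per child, rather than population-level percentages.
for child_id, journey in events.sort_values("event_date").groupby("linked_id"):
    print(child_id)
    print(journey[["event_date", "source", "event_type"]].to_string(index=False))
```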
BENNETT MASON
You mentioned that caution. Governments have a huge amount of data on all of us, not just the public service, but customers, ordinary citizens. A lot of those people are vulnerable. You mentioned, children at risk. There's obviously many sensitivities around the way government uses data. What sort of safeguards did the New South Wales government put in place when you were there, around how data is used and analysed?
IAN OPPERMANN
So, I don't want to pick on the New South Wales government, but the number one safeguard was just not sharing. Take that example of the children at risk of significant harm. There was a review done by an external person who was familiar with government, and they said the system is really not performing well. 22,000 children, $1 billion a year and really poor outcomes. And the recommendation was: reform the system. And so, it was one of the early projects that I was given. And we reimagined the world in terms of outcomes. What do we really want to achieve? Not just a health or a justice or an education outcome. What do we want to achieve for children at risk of significant harm, or children who have been in the system? And what are those indicators? Hard indicators, numeric indicators. We mean this and this and not that. And then we reimagined the journey through data, and then we said: this is how we build it. Now even the thought of doing that didn't go down very well. But at the most senior level we had support from the New South Wales cabinet. We literally had a letter from the Premier saying: you will do this. There was legislation that supported it. And of course, as the Chief Data Scientist, I had my gun and my badge. That's metaphorical, of course. And with the support of the secretaries, the deputy secretaries and the executive directors, I went off to see the data custodians, literally holding a letter from the Premier. And the answer was: “No, I will never give you that data.”
BENNETT MASON
Why not? Was it because it was so sensitive, so private, they’re children?
IAN OPPERMANN
It gets to the nature of what data is. And yes, it's sensitive. It's by definition sensitive. It's about children. Yes, it's sensitive. It contains information about really difficult circumstances. But the problem with data, the challenge with data, is we don't know how to control it except in fully open or fully closed situations. So, the most likely scenario is, if ever data gets shared, it's for a very narrow purpose under very tight conditions and for very limited applications. And there are strong prohibitions or restrictions on what you can do with what you find in the data. Or we release it as open data, so we boil the goodness out of it and release it into the public domain, where there is literally no control over what you can do with it. So, over the course of the years, I tried to get really into: what is it that prevents data sharing? And it comes down to a relatively large but finite number of issues, all of which ultimately boil down to trust. But it's: do you have the right governance system? Can I trust that you will handle the data correctly? Do you have enough competence in the domain to understand what this data actually means, or the circumstances under which it was collected? Do you have enough of an understanding of privacy? And there are all of those issues before you use the data. And as you use the data, do you have enough expertise to tell whether or not the data is fit for the purpose you want to use it for? And when you create an insight, or you create an action, or you create something from a data product, can you put enough context around it? Restrictions, guidance, or even prohibitions to say: this is how you use that data product appropriately, and you should never use it in this way. And if you do use it in this way, you should consider it in this bit of context. So, all of those issues were slowly but surely what came out of eight and a half years of conversations with people. And it got to the point where I would go and see the data custodian and I'd say: “Hello, I'm from the Data Analytics Centre. I'd like your data, please. Here's my letter of authorisation. And you're going to say no. And here are the top ten reasons you're going to say no to me. And if you've got a new one, I'd really like to know, because that would extend my list.” We got to 15 at the end. 15 reasons. And that's without commercial sensitivities. And what that led to was trying to pre-emptively address those concerns about context and sensitivity and governance and understanding and restrictions, guidance, or prohibitions. That led to a series of technical whitepapers released by what's called the Australian Computer Society, who allowed me to marshal their members to produce them. And then ultimately, it has led to two international standards on data sharing and use. So, it's a big problem for everyone. Most people default to “no”. Or: I'm going to make this data so uninteresting, so not sensitive, so not personal, that I'll release it to anyone. But it's the concern about not only you taking the data, but what happens next, and what happens after that, and after that. Because unless you just say no at both ends, data has a potentially infinite life cycle, and the data products you create have an infinite life cycle. And that really terrifies data custodians. Reasonably so, because you just don't know what's going to happen next after next.
BENNETT MASON
You mentioned Covid-19 a few moments ago. The pandemic obviously caused enormous upheaval, but it also prompted significant innovation. The New South Wales government used data in some very interesting ways during the pandemic. What do you think were some of the main lessons from that experience? And I suppose also for our listeners, what were some of the main governance lessons as well?
IAN OPPERMANN
That's a really good question. We learnt a lot during Covid, and what became clear, out of all the reasons people don't share data, is it's unwilling, it's unable, it's not allowed. People don't want to share for those reasons of concern and sensitivity; people may feel they're not legally allowed to because their legislation is either ambiguous or has been interpreted one way versus the other. But Covid changed that. People really wanted to share data. There was emergency legislation in New South Wales. There was the intergovernmental agreement between the states and territories and the Commonwealth, where everyone wanted to and knew they were allowed to. The issue then was how do you do it? So that was the unwilling, unable, not allowed. We were left with the unable. And that really speaks to the data sharing frameworks. Most data sharing typically is preceded by months and months, possibly years and years, of people writing memos and filling in the next little bit of an MOU. And if you printed it out, you could barely jump over it. And basically, it says that you're responsible. And for the audience, I'm doing the “everyone else is responsible” gesture, which is a bit silly because, at least within government, we all work for the same boss. It used to be the Queen, now it's the King; we're all officers of the Crown in some respects, and it's really unlikely that one bit of government is going to sue the other bit of government that is trying to do the right thing. So, I'm not a fan of MOUs. They can help, but typically they don't. So, what we really struggled with then was broadening the data sharing framework beyond the narrow agreements which had been established. So, Transport might share data with the Department of Industry, for example. Everybody wanted everybody else's data, because it gave this powerful insight into what was going on, moving through those “show me”, “compare me”, “tell me when” use cases. So, what we had to do was set up, essentially, these frameworks that we'd been slowly but surely evolving.
IAN OPPERMANN
We had to set them up quite rapidly and stress test them. So, we developed what's called layers of control, from a very high control environment, which really is that seriously locked down environment where you must be an expert, you must understand the domain, you must have the understanding of privacy, you must commit to doing or not doing a whole lot of things with the data. From very high, to high, to moderate, to low, and from low to no control. We'd also been experimenting with something called the PIF, the personal information factor tool, where we tried to understand, within a linked, de-identified data set, just how much information was in there, what the risk of re-identification of someone in that data set was, and then how much data would potentially be released under the worst possible circumstances. And we used that as a measure of how much control we needed. So broadly speaking, more control if the data is either more sensitive and/or contains more personal information, even if de-identified. And so, we used these broad layers of control, acknowledging the sensitivities, acknowledging the levels of personal information and also the restrictions, guidance, or prohibitions on the data products, and then released data products, or created data products, for the next level up of control. So, a less controlled environment. As a real-world example, every single day we released data about Covid cases, or confirmed cases, and testing and a whole lot of other information. And our minister at the time said: “We are going to be transparent. We're going to release it daily at a postcode level. This is what we see New Zealand doing, what we see Singapore doing, what we see South Korea doing. So, we should do something like that.” We effectively ran these governance processes and said: the raw data set has a certain level of personal information, the PIF. We know it's sensitive, it's about people. And even though de-identified, the sensitivities remain. We will create data products from that which disassociate age from gender, or age from likely cause of transmission. And in doing so, we were able to reduce the level of personal information by an agreed ratio every day, looking back over the entire data set, right back to day one. And every day we looked at millions of rows of data and said: if we can reduce the level of personal information by an agreed ratio, we'll release it. And if not, we'll apply additional protections. So, what it meant was we created this tool, this thing called the PIF, and we had these frameworks from very high control to no control, releasing to the public. So, we used those frameworks. Now, this poor guy at the Data Analytics Centre every single day had to run the batch job and sit with me, to begin with for a couple of hours, and towards the end just a few minutes every day. But we had to eyeball this data, look at the measurements, and then say yes or no. And if it was no, it went back for further processing. We only ever got three complaints, despite the fact we were releasing data at unit record level. First complaint: someone took our data and mapped it and put a pin in the middle of the postcode, and one person complained that that pin had hit their house. And we said: “Well, that's not us. We'll give guidance, recommendations to people using this data not to do that.
Don't imply greater specificity than we are offering.” Someone else identified themselves to us and said: “I'm the only person in this postcode with Covid, so you've identified me.” We said: “Well, no, you've identified yourself to us, please don't do that.” And then we had another complaint on, I think it was the June long weekend, when we didn't put the data up because we all wanted a break. And we did not put it out. And there was a complaint that we had not released the data over the long weekend. Maybe there was something to that. So, these frameworks that we'd been evolving took a big step forward, and it really did come down to what we needed to know and understand about the data before we used it, understanding its fitness for purpose, and then putting guidance, restrictions, or prohibitions around the data products we created. And this PIF tool has evolved a little bit further. The good folks at Data61 have taken it really to the next level in terms of what it can do. It's still not exact. We described it as our Model T Ford. We had it. It was useful. You put your foot down, the car moves forward; turn the steering wheel left, most of the time it turns left. So, they've been evolving it over time, and it still has a lot of potential. But it's a tricky area, just because of all the things you can do with data and the fact that context really changes the significance and sensitivity of the data and the data products.
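The PIF itself is more sophisticated than anything that fits here, but a crude k-anonymity-style proxy conveys the daily "measure, then release or apply more protections" loop Ian describes. The column names, group-size threshold and the order in which attributes are disassociated are all assumptions.

```python
# Crude, k-anonymity-style stand-in for the daily release check.
# The real PIF measure, thresholds and columns are not reproduced here.
import pandas as pd

MIN_GROUP_SIZE = 5  # assumed policy threshold

def risk_score(df: pd.DataFrame, quasi: list[str]) -> float:
    """Fraction of rows sitting in quasi-identifier groups below the threshold."""
    sizes = df.groupby(quasi)[quasi[0]].transform("size")
    return float((sizes < MIN_GROUP_SIZE).mean())

def prepare_release(df: pd.DataFrame) -> pd.DataFrame:
    """Disassociate attributes until the measured risk is acceptable."""
    quasi = ["postcode", "age_band", "gender", "likely_source"]  # assumed columns
    release = df.copy()
    while len(quasi) > 1 and risk_score(release, quasi) > 0.0:
        release = release.drop(columns=[quasi.pop()])  # peel off an attribute
    if risk_score(release, quasi) > 0.0:
        raise RuntimeError("Still too identifying: hold back, apply more protections")
    return release
```

A human still eyeballs the result before anything goes out, exactly as in the daily batch-job routine described above.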
BENNETT MASON
We've talked a lot about government, but we should focus a little bit on some other sectors. Organisations of all shapes and sizes have enormous amounts of data now. If you're a supermarket, you've got data on your suppliers and customers. If you're an NFP, you've got data on clients and donors. So, what's your advice for organisations and specifically their boards? How can directors ensure that their organisations are seizing some of these opportunities that come from data? How can they make better use of data, or, if they haven't really started to use data, where's a good place to begin?
IAN OPPERMANN
Great question. So very often people think of data as something that runs through processes and spreadsheets and things like that. But data can be used for a range of different purposes. Data can be used for operational purposes. It is the lifeblood of almost all businesses; in fact, it's hard to think of one whose lifeblood it is not. It can be used for strategic purposes, and it rarely ever is. It can be used to generate insights; it can be used to create opportunities. And by that, I mean your data with someone else's data potentially could be quite valuable. It could also possibly be sold, or it could be used to look at the world differently. So, there are a number of dimensions to how you might use data, for either really operational purposes or ways of leaning in and creating new opportunities. Most organisations don't. Most organisations think about cyber security now, which is good; cyber security is good. But it really is about protecting the data inside the ship, rather than thinking about how you might take advantage of it in an appropriate way by creating new insights or joining with other industries. There are some great examples of companies that do that well, and you talked about some who gain greater insights about their clients or gain greater insights about their products or about their services. But there's much, much more that can be done, provided it's done appropriately.
BENNETT MASON
Any examples, any bright ideas?
IAN OPPERMANN
I don't want to give too many plugs away, but Quantium's a great company that has done great work looking at data from so many different domains and built a really quite specific view of many of us. If you're in one of those supermarket loyalty card data sets, or if you have an airline loyalty card, you're in the data set. And the more dimensions they can see you with, the more accurately they can predict preferences, actions and the sorts of things that would be of interest. On the positive side of the ledger: much better targeting, much better ways of doing things which make my life better because I'm in the data set. And the issue always is how far to go with that. And I think Quantium has been sitting on the right side of that for quite some time. The risk always is organisations who suddenly realise they have similar levels of data not necessarily putting as much care into thinking about appropriate frameworks: taking principles of operation, principles of ethics, and then working out how you map those principles right down to the bits in the data set.
BENNETT MASON
How does a board know whether their organisation might be using data inappropriately and what sort of guardrails should they put in place to stop that from happening?
IAN OPPERMANN
That's a really good question. So, most organisations have a statement of principles, ethics principles in some way, shape or form. The problem with ethics principles is, when you're sitting in front of the keyboard or sitting in front of the data set, you have to ask yourself the question: how does this data set, or my use of this data set, line up with the principles in the organisation? That's a very long, distant pathway you have to think about. So, without really mapping between the principles and the bits, or the risk frameworks and the algorithms, it's really hard to do. And it's an unfair thing to ask someone with a keyboard or a data set in front of them: “How are you lining up with that ethics principle?” In New South Wales, we developed the AI Assurance Framework, which is a thinly disguised data sharing framework which helps people think about the use of data; it happens to be for AI, although we started broadening it more and more to cover data-driven tools. To think about the outputs: this data product that you create, what's the appropriate way to use that data product? Where do you point it? How many times can you point it at the same person? What happens if you repeatedly point it at the same person? Then the algorithmic bit. We know algorithms do things to data. They typically have an element of bias. So how do you understand that bias? And then the data itself has biases. It will contain minorities, or potentially contain minorities. What's the consequence of including or not including? It might contain sensitivities. What's the consequence of including or not including? We tried to step people through an in-context consideration of those ethical issues from the perspective of: what's the consequence, in your context, of doing or not doing this particular thing? And if the answer is “I don't know”, which is a very common answer, giving people guidance as to what to do next. And in some cases, it's: go look at a standard. And I love standards. So very often we say to people: there are these great data standards or these great AI standards. You don't necessarily have to read them yourself, but someone in your organisation should. Someone in your organisation should be expert enough. It's a bit like dealing with electricity. We all know how to plug in a light. We all know how to make toast in a toaster. But if you're going to rewire your house, you'd get an expert to do it. You get an electrician. If you're going to build a power station, you get a lot of experts to do it. Data is not very different in that regard, nor are the frameworks, the safety frameworks, you need to build around it. So, you don't need to be an expert, but you need to know when you need the expert. And preferably someone in your organisation has the next level of depth of detail. So, going back to a board: how does the board know? It starts with asking the questions. How are we using data? How might we use data more strategically? How might we discover things? How might we better understand? How might we better create value with our data? But very quickly, beyond simple experimentation and thought-level experimentation, the moment the doing starts happening, people need to get skilled up, or get on the tools pretty quickly, or recognise where the frameworks are and start applying those frameworks.
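As a toy illustration of "stepping people through in-context questions and escalating the I-don't-knows", consider the sketch below. The questions and the escalation path are paraphrased assumptions, not the published NSW AI Assurance Framework.

```python
# Toy walkthrough of an assurance-style questionnaire.
# Questions and escalation rules are paraphrased assumptions.
QUESTIONS = {
    "data_bias": "What biases does the underlying data contain in your context?",
    "minorities": "What is the consequence of including or excluding minorities?",
    "sensitivity": "What is the consequence of including sensitive attributes?",
    "output_use": "How may the data product be used, and how must it never be used?",
    "repeat_use": "What happens if the tool is pointed at the same person repeatedly?",
}

def review(answers: dict[str, str]) -> list[str]:
    """Return follow-up actions; 'I don't know' routes to standards or an expert."""
    actions = []
    for key in QUESTIONS:
        answer = answers.get(key, "").strip().lower()
        if answer in ("", "unknown", "i don't know"):
            actions.append(f"{key}: consult the relevant standard or an in-house expert")
    return actions

print(review({"data_bias": "i don't know", "output_use": "internal triage report only"}))
```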
BENNETT MASON
You talked a bit about frameworks. We know that state governments and the Commonwealth are examining regulation and legislation in this space. Do you think we have the right measures in place now? Or do we need to reform our legislation and regulation around how we use data?
IAN OPPERMANN
So, I think that's an answer which will change over time, because what AI in particular can do is changing over time. Now my view of AI is that it's just the use of data. But AI is doing so many things and has grabbed so much of the headlines that that tends to be where the conversation is. But really much of it comes back to data, and whether you can see the data, and what restrictions and controls you can put around it. So, by analogy, when we did the New South Wales AI Assurance Framework, first of its kind, we often tested what we were doing with AI. We would substitute a calculator for AI: do the safeguards we put in place still apply if we're talking about a calculator? We tried replacing it with a stapler. Can we build an assurance framework for a stapler? Absolutely. Don't run with a stapler. Don't staple other people's work. Don't staple money.
BENNETT MASON
Good advice.
IAN OPPERMANN
All good advice. But then the question is: what's different about AI? And AI, before generative AI and ChatGPT came along, is an accelerant. In fact, all digital tools can accelerate things. It can amplify systems, and that includes amplifying any wrinkles in the system. And, really differently to a calculator or even a stapler, it can adapt, so it can learn and change over time. So, thinking about both the value you can create and also the protections you need to put in place speaks to those special characteristics: amplification, acceleration, adaptation. Generative AI came along and all of a sudden it does all that, and it translates, it interpolates, it hallucinates. And all of those elements, again, are capabilities which are quite unique to these new technologies. So, if you're thinking about both the benefits you can have and also the protections you need to put in place, it's really about those capabilities. When it comes to regulation: regulation is slow. And so, thinking about regulation really needs to speak to the things that are important, that will not change rapidly over time, even while the technology is changing. So, one example is automated decision making. The New South Wales Ombudsman looked at an automated decision-making process that was happening in New South Wales and said: this is not legal. There's a human being that must make the decision. Even if every single time it's “if A and B then C”, a human being must make that decision; it can't be automated. And what it says is that the decision-making point can't be hidden in the process. It has to be surfaced, so that a human being is always there, going: yes, yes, yes. Now, that wouldn't necessarily be a fun job for a human being. But the black letter law view is that it must be the case that a human being decides, exercises their judgement, and exercises their authority. They can't be automated away. So, there are issues like ensuring that there's a human in the loop, and that human must be more than a rubber stamp: that human must be capable and competent and be prepared to say no occasionally, based on evidence. Which is, for example, how the mobile phone detection while driving works in New South Wales. A camera takes an image, and an algorithm says: passenger or driver? Driver holding something? Driver holding mobile phone? Driver holding chocolate bar? It looks like the driver is holding a mobile phone, so I send this off to you, human being; please now decide. And that's a good example of human in the loop, even though the process that the algorithm runs through is so complex that it's practically not explainable. So, it's not transparent. It's a convolutional neural network. But the data is an image, and we can explain the data to people. If they contest it, you can send the photo to them and say: “Well, you know, that looks like you holding a mobile phone, and not you eating your lunch off your lap.” So that's an example of AI done well, for an outcome of making us all safer on the roads. But there are bits in that which are challenging. The challenge for the principle of explainability is that the algorithm can't really be explained in any meaningful sense. With large language models, the data can't really be explained in any meaningful sense either. Which datasets were really used for that particular outcome?
So, all in all, there are ways of thinking about that data life cycle before we use it, as we use it, as we create data products, which are really specific to that issue of transparency and some of those principles around ethics and so on. But really, it's the difference that AI makes, compared to any other technology, where we really should be putting our attention and our focus.
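The mobile phone detection example follows a human-in-the-loop pattern that is easy to state in code: the model only nominates candidates, and no penalty is ever issued without a person exercising judgement. The labels, confidence threshold and data shapes below are illustrative assumptions.

```python
# Sketch of the human-in-the-loop pattern: the model proposes, a person decides.
# Labels, confidence threshold and data shapes are assumptions.
from dataclasses import dataclass

@dataclass
class Detection:
    image_id: str
    label: str        # e.g. "phone", "food", "empty_hand"
    confidence: float

def route(detection: Detection, review_queue: list[Detection]) -> None:
    """Only plausible offences reach a human; nothing is decided automatically."""
    if detection.label == "phone" and detection.confidence >= 0.8:  # assumed cutoff
        review_queue.append(detection)
    # Everything else is discarded; the driver is never flagged by the model alone.

def human_decides(detection: Detection, reviewer_confirms: bool) -> str:
    """The reviewer can, and sometimes should, say no based on the image."""
    return "infringement issued" if reviewer_confirms else "no action"

queue: list[Detection] = []
route(Detection("img_001", "phone", 0.93), queue)
route(Detection("img_002", "food", 0.91), queue)
print([d.image_id for d in queue])  # only img_001 reaches the human reviewer
```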
BENNETT MASON
I wanted to return to something you mentioned briefly earlier in the discussion, and that's cyber security. We know that's a major concern for boards now, and data protection is certainly a key part of that. What advice do you have for boards and organisations on how they can keep their data as secure as possible?
IAN OPPERMANN
So that's a really good question. I think this is one of the big challenges we will have as we move through the back end of this decade, and probably the next decade, and possibly the decade after that. We're all used to the idea of building big data sets and bringing it all together into what you might call a honeypot data set. And that's madness. It's absolute madness, because a honeypot data set is an attractive thing for people to go after. And it might not even be people going after it; it could be algorithms. Once upon a time, you had to be interesting to be the subject of a cyber-attack. You don't have to be anymore. There are enough algorithms, essentially bots, out there that we're all collateral damage. So, if we create honeypot data sets, we create a problem for ourselves. The very best thing to do is not build it in the first place. Leave the data where it is, build a data fabric and connect it virtually, so that it never really comes together in the sense of it all being on the one hard drive or the one solid-state drive. Sometimes you need to build such a data set, maybe for legislative reasons. In which case, if you do have to build it, put it on an air-gapped machine and put lots of protections around it.
BENNETT MASON
What is an air-gapped machine?
IAN OPPERMANN
Not connected to the rest of the world.
BENNETT MASON
Oh, right.
IAN OPPERMANN
It's off the internet. So, life before the WWW. So, leave it there and put physical protections around it. And the dataset you use could be either an increasingly perturbed or synthetic version of the data set, or just the data products that you actually need. Very often we don't need to know A and B to understand C. We want to ask questions like: is A greater than B? Is A less than B? Is A equal to B? And that answer, C, can be derived based on that understanding of the logical operation, as opposed to having to see A, having to see B, having to see C. So, out of all of that, very often it's the answer to a question or a query that we want, as opposed to the underlying data itself. And the New South Wales equivalent was: are you old enough to go into this licensed premises? Not: what is your date of birth, or all sorts of other things. Giving too much information is problematic in its own right. The second approach, particularly with identity, and identity is typically just data, is giving people control of their own significant data elements, such as identity, and then being able to ask the question: are you who you say you are? Not: are you this person? Are you John Smith? I don't need to know that in most cases. I just need to know whether or not you are who you say you are, and that your licences, which are related to John Smith, are related to the same person who you say you are. So, we can step away. But that's a really big leap for most people. I'm not sure if you've been outside New South Wales lately, but if you go to a hotel, they will still take a copy of your driver's licence. And you think: that's crazy, you don't need that information to know that I'm over age, or that I live in a different state, whatever the case may be. So, we have to break the 20th century mindset of building honeypot data sets and collecting too much data in the first place. Otherwise, we will see breach after breach after breach. And it's crazy. The final point on this is there's so much data about each and every one of us already out there. Any data set we do create has to be seen in the context of what's already there. How do we ensure that we don't make it worse if the current data set is breached? And that gets back to this principle of how much personal information is in a linked, de-identified data set, where some of it is out there in an uncontrolled environment, and what's the likelihood it could be linked? And that sort of stuff is a really difficult problem, but it's the sort of thing we really have to lean into in order to ensure that the way we think about privacy and the way we think about security doesn't completely disintegrate towards the back end of the 21st century.
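The "answer the question, don't hand over the data" idea can be made concrete with a small sketch: a holder-controlled credential that answers predicates such as "is this person over 18?" without ever revealing the date of birth. The class and method names are illustrative assumptions, not a real digital identity API.

```python
# Minimal-disclosure sketch: verifiers get yes/no answers, never raw attributes.
# The Credential class and its methods are illustrative assumptions.
from datetime import date

class Credential:
    def __init__(self, date_of_birth: date, home_state: str):
        self._dob = date_of_birth   # held by the person, never exposed directly
        self._state = home_state

    def is_over(self, years: int, today: date | None = None) -> bool:
        """Answer 'are you old enough?' without revealing the date of birth."""
        today = today or date.today()
        had_birthday = (today.month, today.day) >= (self._dob.month, self._dob.day)
        return today.year - self._dob.year - (0 if had_birthday else 1) >= years

    def resides_in(self, state: str) -> bool:
        """An 'is A equal to B' style query on a held attribute."""
        return self._state == state

cred = Credential(date(1990, 6, 15), "NSW")
print(cred.is_over(18))        # True — the venue never learns the birth date
print(cred.resides_in("VIC"))  # False — likewise for the home state
```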
BENNETT MASON
Ian, we don't have too much time left. But I wanted to talk a little bit about you and your career. We mentioned you've now left the New South Wales government. So, what are you doing now with ServiceGen? And how does that company help governments deliver digital services?
IAN OPPERMANN
Yes. So, after eight and a half years with the New South Wales government, I'm in a start-up, which is really exciting. But it's kind of like a start-up in the sense of being invited to join the Beatles. We've got Victor and Matt and David out there doing this incredible work, and I've come along, I think, to help people with their PowerPoint slides and to tell them where the exits are.
BENNETT MASON
So maybe you're the Ringo or the George?
IAN OPPERMANN
There's one of those that I'm aiming for. Let's see how we go. So, what ServiceGen is trying to do, because every one of us has actually walked in the shoes, felt the frustrations, understood the limitations of what it's like to work in government, but still wanted to get things done. The objective is ultimately to help governments think differently and do things differently. Now, some of that really is the sort of thing I've been talking about: use data in a more meaningful way, or use data in different ways to understand problems differently. Some of it is shifting your mindset from “the problem in front of me” to “I really can think about big real-world outcomes”. And there's evidence, there are case studies, there are examples of how you can really impact the real world by innovating in the digital world. And Service New South Wales was a great example of doing really amazingly powerful things by thinking differently, applying a lot of elbow grease, applying a lot of effort, but doing things differently. Service New South Wales responded again and again and again to the challenges brought forward by Covid. I mean, simple things like QR code check-ins and check-outs, but also the voucher system stood up in record time, and digital driver's licences. Very often when governments get elected, they come in having promised a whole world of new things. And the very first thing the Treasurer says to them is: you've got no money. So, all those things you've promised, you've got to do them within this very small or possibly shrinking budget. And between that top-level conversation that Victor can have, to the “this is how you can build it out” from a service perspective, to the “this is how you use data and AI, and these are the different ways of understanding or thinking about your problem differently”, we've got a reasonably good package of offerings. We could build out some of the fundamentals of what's inside Service New South Wales for you, we could offer you advice on strategies and so on, or we can just help you think differently about these problems. It's very exciting. It's keeping me very busy. I was trying to describe this to someone recently: it's a bit like being on the back of a camel as the camel starts to stand up. So, we're sort of going backwards and forwards a bit, but we're moving, and it's really exciting. Not only to be in a start-up, but to be in a start-up where there are some pretty experienced individuals.
BENNETT MASON
As well as being a data scientist, you're also a Fellow of Engineers Australia and Past President of the Australian Computer Society. What do you think STEM professionals like yourself can contribute as board members or directors? We obviously see a lot of lawyers, accountants, former CEOs and actuaries on boards, but sometimes not people from a STEM background. So, what do you think those STEM professionals can add?
IAN OPPERMANN
So, I think Australia actually does really, really poorly in terms of having STEM qualifications, formal qualifications, on boards. If you look at Germany or France or other parts of the world, there's a much greater representation of people with technical backgrounds. In fact, CEOs with technical backgrounds tend to be very, very common in Europe. I think people with STEM backgrounds think differently about things. My wife is a barrister. She will swear to you, black and blue, that I think very differently to her. And I'm clearly wrong about the way I think. But that's neither here nor there. Getting back to boards: it's a different perspective. A technical background or an engineering background requires you to embrace complexity. And when I joined the New South Wales Government, I would say: “We're going to deliberately re-complicate these problems. We're not going to make it simple. In fact, that's the worst thing we can do. If we're dealing with a big problem, we're going to deliberately re-embrace the complexity of it, or as much of it as we can cope with, in order to address the right problem in there somewhere.” I think also it's a different emphasis on where you can make a contribution. So many organisations will rightly say cybersecurity is important, but most boards wouldn't necessarily know what the next level of detail is that you need to think about in terms of cyber security, or why you need to do some of the things you're doing. So, on the boards that I sit on, I'm typically the technical person. And increasingly boards are doing skills assessments to say: we need technical skills, we need leadership, we need governance, we need all these different domain-specific areas, but we also need technical. So increasingly, I'm the technical person. But what it means is that when there's a conversation about, for example, elements of data and how they ought to be used, I can speak meaningfully about them. When we talk about the importance of cyber security and whether we should follow this path or that path, increasingly, I can talk to that. And it's very positive that, as I said, increasingly boards are looking at their skills matrix and saying: we've got to have that. We've got to have even emerging technology areas. One board I was recently in discussion with is looking at not only AI, but what's the next over-the-horizon technology that could impact us. Because the world is changing so rapidly. And I mentioned the word “accelerant” around AI. AI is accelerating the pace of change of the world around us. The one consequence of that, of course, is that we will never see change this slowly again. It will accelerate further in the future, which also means this is the good old days. The period where music makes sense and children respect their parents and politicians are honest: we are living in the good old days right now. It's accelerating, and the rate of acceleration is also accelerating. So, thinking about over-the-horizon technologies, it's not a 30-year task anymore. It's: what's going to happen by 2030? How different will the world be in 2030? And challenging linear thinking has been one of the most fun things that I do on boards. But also: how would we respond to an exponentially changing world if what we're doing is increasingly applying linear thinking to that rate of change? So, I think it really is valuable to have people with STEM backgrounds, and not to say: therefore, all technical issues belong to you.
But listening to people with a STEM background: quite often, believe it or not, people with a STEM background are a little bit of the INTJ personality type. They're a little quieter. They need to be encouraged to speak up, though I'm offering no evidence of that today whatsoever. But they need to be encouraged to speak up. They need to be invited into the conversation, because they tend to be quieter voices. And it's really important for boards to understand that it's possible to engage with different personality types, and to listen differently and to think a little differently, and then apply that to the real-world business problems, the real-world strategy problems, the real-world governance problems which bang on the door every day, but which are increasingly changing as the world changes.
BENNETT MASON
Ian, I know you’ve got to run but I think we've covered a lot of ground. Thank you for your time and thank you for speaking with Boardroom Conversations.
IAN OPPERMANN
Thanks for having me.