Forbes Newsletters

Plus: How To Uphold All Jurisdictions' Data Privacy Laws

Governance is increasingly important as cybersecurity risks grow in number, capabilities and scope, but even companies that have excellent governance in some areas might not be covering everything. A new report from data security platform Kiteworks found that several companies are failing at managed file transfer protection—and many of the vulnerabilities are relatively easy to identify and solve. Nearly six in 10 companies had a file transfer security incident in the last year, but companies are not prioritizing the steps to protect file transfers.

“Organizations check compliance boxes while missing fundamental governance,” Kiteworks Chief Strategy Officer Tim Freestone said in a statement. “They can’t tell you where sensitive files are stored, who accessed them last week, or how they move between systems. Without this visibility, even sophisticated security tools become expensive decorations.”

Many enterprises are missing out on places to add security that don’t necessarily require new tools or know-how, Kiteworks found. Three-quarters use end-to-end encryption for data that is in transit, but just 42% use an AES-256 encryption standard for data that is in storage, making stored data easier for bad actors to steal and exploit. Only about a third have integrated file transfer with their security team and its systems. And only a quarter test their file transfer security regularly.

How can these holes be plugged? Kiteworks recommends companies stop buying new tools and instead come up with comprehensive data governance standards that cover files and transfers. This kind of governance is not just helpful from a security perspective, but it also helps enterprises keep better track of all of their data. Paying closer attention also helps identify where cybersecurity risks are lurking, enabling the enterprise to get ahead of threats, which is vital in today’s business environment.

Another vital aspect of business is online privacy—a sometimes thorny topic because different states, countries and geopolitical zones have their own distinct sets of laws. I talked to Andy Sambandam, founder and CEO of data privacy platform Clarip, about how companies can stay in compliance everywhere and still do business. An excerpt from our conversation is later in this newsletter.

We are currently accepting nominations for the Forbes CIO Next 2025 list. We’re looking for innovators who have had significant impacts both at their own companies and for other tech leaders on the whole. (And yes, you can nominate yourself.) Nominations are accepted until 5 p.m. ET on October 30.

Megan Poinski Staff Writer, C-Suite Newsletters

In today’s CIO newsletter:
  • Bits + Bytes: Why customers should be your north star in privacy compliance
BIG DEALS
It seems that 2025 is the year of the AI megadeal, and it’s getting difficult to keep track of who’s investing in or partnering with whom. Just this week, Oracle Cloud Infrastructure announced it will deploy AMD’s Instinct MI450 chips starting in Q3 of 2026. A consortium of Big Tech investors—including Nvidia, Microsoft, BlackRock and xAI—plans to purchase Aligned Data Centers for $40 billion. And OpenAI entered what’s likely a multimillion-dollar deal to roll out a custom AI chip with Broadcom.

While some of the tech giants have enormous revenues, they’re still taking on debt to bolster their offerings and build infrastructure, like data centers. OpenAI, for instance, is not expected to break even for years to come. The enormous amounts of cash involved and huge investments around AI have inspired comparisons to the dot-com stock market bubble in the late 1990s and early 2000s. Forbes senior contributor Peter Cohan writes about the similarities between both periods of tech growth and enthusiasm, and predicts what fallout might look like for the economy. The bigger question, Cohan writes, is whether the economy is ready for it.

Another question worth asking is whether this approach to AI will actually help the U.S. stay ahead in the race to dominate the technology. Forbes contributor Vivian Toh writes that while the U.S. is forming several capital- and debt-heavy alliances for AI, Chinese firms are focusing on open-source and easily adaptable technology. Toh writes that the AI race looks less like a sprint for maximizing intelligence and is now more about infrastructure. The biggest question is who can balance scaling the technology and maintaining its resilience, she writes.

ARTIFICIAL INTELLIGENCE
AI is everywhere, and Oracle is unveiling its new starring role in its ERP and operational work at its AI World event this week—known as CloudWorld until this year. Forbes contributor Robert Kramer writes that Oracle is bringing AI agents into many of its enterprise cloud software suites. A payables agent automates invoicing in Oracle’s Fusion Cloud ERP and EPM. A ledger agent provides accountants with continuous insight. A planning agent supports event-driven forecasting. For supply chain, agents now automate several planning, fulfillment and compliance processes that could take hours to resolve manually.

Oracle’s new agents, Kramer writes, are focused on intelligent and accountable AI. At the event, they’re demonstrating how to trace and review agent decisions for compliance, which can especially help companies in highly regulated industries. Kramer writes this stance on AI agents is intended to meet companies where they are, integrating new capabilities into the functions they’re already using.

CIO STRATEGY
Much has been said about how AI-powered coding can transform the programming industry. But is AI-generated code any good? Forbes senior contributor Adrian Bridgwater took a deep dive into this question, asking Yrieix Garnier, vice president of product at Datadog, for his observations. So far, many of the problems between expectations and output come from prompting. Better code, Bridgwater writes, comes from more structured and detailed instructions of what it needs to do and how. The only context that should be included is that which is immediately relevant—extra context may lead to coding errors. But with access to the right data and in the optimal setup, an AI coding app can be a valuable collaborator, he writes.
BITS + BYTES
How To Thread The International Data Privacy Needle
Data privacy is becoming an increasingly important topic, especially as different countries and states roll out different privacy laws. I talked to Andy Sambandam, founder and CEO of AI-powered data privacy company Clarip, about how companies can ensure that they are in compliance wherever they operate. This conversation has been edited for length, clarity and continuity.

When privacy laws in Europe went into effect, there were different instances of some social media platforms that complied with those jurisdictions’ more stringent privacy requirements. Are the platforms still working on multiple versions, or are they figuring out how to make one system that follows privacy laws? 

Sambandam: We are a data privacy platform. We’re right in the middle of this thing, and we have a lot of customers that have presence in the EU, in Germany and Spain and in Italy and France and U.K. Companies still, even to this day, take an approach where they [decide], ‘Hey, if a visitor’s coming in from the EU or to our site in the EU, then we’re not going to track this data. Or if it’s coming from America and a certain state, we’re going to not do anything. We’re going to collect all the data and share it freely.’

This has actually given rise to a pretty interesting subset of services. There are companies using IP address to understand where you’re coming from, which city or country you belong to. You can make a call to understand where that user is coming from: Is [a person] coming from Germany or is she coming from Virginia? Those types of calls are happening seamlessly behind the scenes. These providers are growing tremendously because companies started using some of these tools behind the scenes.

The tools, whether it’s ours or other tools, have technology to tweak or configure their platform so that they can decide where somebody is coming from and then track or not track, or use third-party cookies or not use third-party cookies.

Tech companies are made up of people who create the tech part, but then there are different departments, like legal and marketing. Do they understand exactly what the ramifications are between privacy laws and what they mean to all countries?

The simple and honest answer to your question is not at all. They don’t understand. I see this personally in many of the large Fortune 100 companies that I engage with. 

The person in the IT world, for example, they’re not really thinking about privacy. If you’re a CIO, you are a business person saying, ‘Hey, I need this feature to be built.’ The developer, the engineer, they’re just going and writing a piece of code. Especially in the last 10, 15 years, software development has almost become like Lego building blocks. If you want to build something, you go download some existing library and then build things on top of it. By nature, software is collecting and sharing data downstream. 

The IT person or the engineers, they’re not really thinking privacy that much, but the legal and compliance people are. 

At the same time, I’ve seen marketing and sales team members, for them, data collection and analytics is super important so that they can do retargeting. You’ve probably seen this: You’re looking for something or talking to your friend about a certain thing, and all of a sudden you start seeing ads for that red sweater or shoes or ticket to the Caribbean. It’s a complex issue. The marketing team [can go to] extra lengths to find ways to circumvent these privacy laws. 

But then the privacy teams are like, ‘Hey, no, you’re not supposed to do this because we have these laws.’ I’ve seen companies where if the chief compliance officer or legal officer [comes from] a much larger state, those companies’ privacy programs will be more strict and stringent. Where the marketing rules, you’re going to see they have the upper hand.

What do you suggest that a company working in this space do to make sure that they are complying with all applicable laws everywhere without being too careful?

Try to do what’s in the best interest of your customers. If you have consent from your customers to share data, then do that. But you have to be upfront about it. How often do you actually read terms and conditions or a privacy notice top to bottom? Never, right? It’s simplifying that and telling people what data are you collecting, who are you going to share with and how are you going to use it. 

If you can show that true value proposition, people are willing to share. If you want to receive coupons for Black Friday, $25 off or 25% off, but you’ve got to give an email address or sign up for a newsletter, then you’re going to do it. You’ve got to avoid dark patterns. Don’t try to sneak something in the middle of your privacy policy that’s 4,000 words long.

Sometimes, the company is challenged on what they say in the project policy is one thing. What’s actually happening behind the scenes is something else. Legal people don’t understand technology evolving, and they may have returned a project policy 12 months ago that’s no longer valid. Now, something’s changed in that technology ecosystem.

Doing annual checks or quarterly audits, and being transparent, getting consent are some big common sense things you can do that could get you out of trouble and that would help you in the balances.

COMINGS + GOINGS
  • Fast food restaurant chain Whataburger appointed Rohit Kapoor as its executive vice president, chief digital and technology transformation officer, effective October 27. Kapoor most recently worked as the executive vice president and chief information officer at Claire’s, and has also held leadership roles at Starbucks and YUM! Brands.
  • Business process outsourcing firm ibex selected Michael Ringman to be its chief technology officer. Ringman joins the company after a 13-year career at TELUS International, and TeleTech Holdings prior to that.
  • E-commerce solutions provider Cart.com tapped Arjun Sainath for its chief technology officer role. Sainath most recently worked at Blue Yonder, where he served as corporate vice president of platform engineering. 
Send us C-suite transition news at forbescsuite@forbes.com.
STRATEGIES + ADVICE
While AI can work harder than a person, it can also fail harder. Here are some tips to maximize the assistance you get from the technology and prevent the deepest pitfalls.

In order to lead to growth, AI innovation needs safeguards and governance, but it also needs to be able to compete—something proven by the recipients of this year’s Nobel Prize in Economics. 

Quiz
Two financial apps experienced outages this week. Which of the following was one of them?
A. Zelle
B. PayPal
C. Apple Pay
D. Venmo