Video: Beyond Borders: Achieving True Data Sovereignty in an Era of Geopolitical Uncertainty | Duration: 3104s | Summary: Beyond Borders: Achieving True Data Sovereignty in an Era of Geopolitical Uncertainty | Chapters: Introduction to Geopolitics (27.869999s), Evolving Security Landscape (164.945s), Geopolitical Data Impacts (263.50998s), Cyber Threats Escalate (389.48502s), Data Sovereignty Challenges (573.47s), Geopolitical Cybersecurity Challenges (892.33997s), Cloud Data Responsibility (1195.58s), Data Security Challenges (1356.185s), Data Privacy Controls (1580.295s), Operational Data Control (1910.83s), Cloud Trust and Transparency (2040.725s), AI and Leadership Challenges (2414.46s), AI and Data Governance (2480.075s), Conclusion and Takeaways (2769.865s)
Transcript for "Beyond Borders: Achieving True Data Sovereignty in an Era of Geopolitical Uncertainty":
Hello everybody and thank you so much for joining us for this webinar on Beyond Borders, achieving true data sovereignty in the era of geopolitical uncertainty. For the last decade, we were told the future was borderless, that cloud was relatively frictionless and data was global, and that infrastructure was abstracted from geography. But the world has changed, and geopolitics has re-entered the technology conversation quite forcefully. With wars in Europe, economic fragmentation, sanctions, tariffs, regulatory acceleration, and AI compressing governance timelines, we're suddenly facing a question that boards haven't really thought of before. It's: how fast can we scale? That was normally the question, but actually where it's moving to is: can we assert control under stress in the geopolitical landscape? And to explore this very in-depth, I'm delighted to be joined by somebody who has been analyzing and advising on geopolitical and digital risk long before it became mainstream. I'll let Sarah introduce herself, but before we dive into the discussion, Sarah, and before the introduction, it would be great to also get a bit of an update on what you've been doing recently and some of the interesting meetings I know that we've spoken about that you've been having. Yeah, thank you, Richard. I'm absolutely delighted to be joining you today on one of my favorite topics. I have to say, never a dull day when it comes to talking about cyber security, resilience, data and all the things that we're going to be digging into. So yes, I'm Sarah Armstrong-Smith. I'm the executive director at Secure Horizons. Prior to that, I actually spent five and a half years at Microsoft as chief security advisor. So what's one of those? My role in essence is to liaise with Microsoft's largest enterprise customers across Europe. So it's really to decouple the conversation away from talking about products and really understanding what are the biggest challenges that those companies are facing right now. 
And I think if I look back over those five and a half years, there were really three major things that I think really tipped the balance, and I think we're going to dig into some of that. When I joined Microsoft, we were just going into lockdown with a global pandemic. So I actually spent the first eighteen months of my career on Teams, believe it or not. And that really introduced a whole bunch of issues when it comes to hybrid working. All of a sudden you've got all these people working remotely, bring your own device. And then we kind of come out of the global pandemic, and we've just commemorated four years since the Russian invasion of Ukraine. I know that's going to be a hot topic of conversation for today when it comes to just the issues that that's caused, not just in terms of the global conflict, but how geopolitics has played such a huge role in everything that we're talking about. The third thing that we can't escape has been AI. I think AI has been dominating a lot of the discussions, and that again is really influencing a lot of those discussions on challenges. And I think the issue is, whenever you have new technology or evolving technology, you have tech for good and tech for bad. So ultimately that means: how are you utilising technology to improve control, improve identity, data, again, all the things we're no doubt going to be digging into. But the reverse of that, ultimately, is whatever works well for us as defenders also works well for attackers at the same time. So as much as we're evolving, they're evolving as well. Well, Sarah, thank you for that great introduction. You're right, we're going to be covering a lot, if not all, of those points in this discussion. I guess we should start with the geopolitical climate currently. And from your perspective, how has the European geopolitical landscape fundamentally changed the way that global organizations and regulators view data movement and cloud adoption? What does that look like? 
What are the conversations you're having? Yeah, well, I think the interesting thing, if we go back, let's roll the clock back to four years ago, I think that's a big change with regards to geopolitics. If I were to kind of sum up the issue for everybody: whatever's going on in the outside world has a direct impact on what is going on within your organization, within your sector, within your country. It's influencing regulation, it's influencing technology, it's influencing everything. Now, if I was to just kind of roll that clock back, I want to kind of give you a few insights from a big tech perspective, but also what we've seen across those four years since the Russian invasion. But to tell this story, I have to go even further backwards. Now, if you're familiar with Microsoft's technology, obviously it's a hyperscaler. So Microsoft has huge amounts of cloud infrastructure. It's got one of the biggest wide area networks in the world, approximately 400 miles of fiber and subsea cables, just huge amounts of data storage. And ultimately, when you kind of have all of that telemetry data, it gives you a lot of threat intelligence, and it's how we put that intelligence to work. About six months or so before the physical invasion, Microsoft started to see an increase in threats coming from Russia that were specifically targeting NATO, Ukraine, allied forces. Just to give you some perspective, Microsoft does what we used to refer to as nation state notification. So in essence, what that means is you're looking at that vast network, all of that cloud infrastructure; it's an advanced notification that potentially we see an advanced threat on your door. I can't tell you what they're doing or why they're doing it, but we just kind of see this threat. At the time Microsoft was probably giving about 800 notifications a quarter, and six months before it went to 21,000. So in essence, I mean, something is coming, we know something's building up. 
And obviously in that next six months or so, it started to see an increase again: high precision targeting, spear phishing campaigns, looking at policy, looking at specific individuals, an increase in cyber attacks, and a lot of that intelligence was being shared with Ukraine, governments, across different entities. Typically, before the actual invasion, a lot of that intelligence would have been shared with intelligence agencies and other government entities. We kind of bring that right up to the actual invasion, or at least a week before the invasion. I think this is going to be really topical given the conversation today. So I think a lot of countries, a lot of entities have data sovereignty. They have data residency requirements, particularly when it comes to public data, personal data, government data, regulated data, for example, and Ukraine was no different. So they were acutely aware that as a lot of these troops were amassing on the border, they had challenges with regards to where's my data? So kind of the question gets asked all the time. Where's my data? How do I protect my data? And so one week before the physical invasion, Ukraine had to change the law, which enabled them not only to be able to move their data to the cloud, but to move the data out of the country. So as a result of that change of law, Microsoft, Amazon and others moved very, very quickly to just start moving data en masse to the cloud and out of the country. I think this is really important because I think one of the things that I identified very early on is your strategy in peacetime is very different to what your strategy needs to be in an active conflict. So in a peacetime, law abiding situation, it might be very relevant to have your data close to you, to have your data within your own country, within your own region, within your own borders, so that you maintain control over that data. 
Now with that rising geopolitical tension, obviously we've seen an active conflict in Ukraine, but we have seen other active conflicts in the Middle East as well over the last couple of years. And what that means ultimately is that you're not only a high value target for cyber attacks, you're also a high value target for kinetic attacks. So it's not just about where your data is from a digital perspective. It's also really important to understand where your data is from a physical perspective, whether you have copies of that data. Now again, let's just think about that logically. So a lot of the time when you think about data sovereignty, particularly governments or federal or any of those requirements: if you can't put it in the cloud, where is it? You might have hosted data centers. You might have your own data center. You might even have a server in a server room in your own building. Now, if the enemy, so to speak, and that could be another state, it could be a cyber attacker, it could be a disgruntled employee, any one of those, if they physically know where your data is, that means it's a high value target for destruction, not just compromise of that data. So it's kind of two things you're having to think about, not just the protection of a digital asset, but the physical asset as well. And so that was a rapid case of move the data. From Ukraine's perspective, not only did they move the data to the cloud, they moved it across multiple different countries. So now you've got that extra layer of protection, if you like. And so following from that, Microsoft also enabled customers to be in control of their own data. And again, if you think about Europe, we think about the EU, there's always been that requirement under GDPR. We talk about personal data as having strict requirements for data transfers, how that data is handled, etc. 
So I think if I just talk a little bit from that big tech perspective, and I think from a Microsoft perspective, we think about a lot of companies that might be using Windows as their primary operating system. They might be using Office, SharePoint, email, etc, etc. And so in essence, what Microsoft said is, well, this level of capability and control that we've put in place for Ukraine, we've also put in place for other customers. So in essence, that means if you're using something like M365, you can choose where your physical data resides, or you can have that data copied across multiple data centers. If you're then using something like Azure, which is more in your control, again, same principle, you can choose where your data is physically residing, the copies of that data. Ultimately, there's kind of another thing to be thinking about. There's no technical reason why your data cannot be copied multiple times over. So there's a technical issue. I'm sure we'll dig into it a little bit with regard to technical controls. So the scenario that we're talking about, and it's still relevant to a lot of countries who are not in an active conflict but are still in an active geopolitical situation, is that they're still bounded. They're still bounded by regulation, whether that's within the country. They're bounded by regulation, particularly if it's a sector. We've talked about GDPR from a personal data perspective. You might have financial data, you might have other regulatory data, and again that might impose specific controls and restrictions on data sharing. And then you're going to have your own policy, your own organizational policy, particularly if you're an international organization, particularly if you've got highly valuable, highly sensitive data when it comes to intellectual property. Is it potentially a minefield? So we've really kind of looked at the geopolitical aspect of that. 
But ultimately, I think it's a really great starting point for this conversation, Richard, because as we said, geopolitics shapes so much. It shapes regulation. It shapes actual policy, but it also drives technical innovation and capabilities that a lot of those entities and customers are going to be needing to adopt. Ultimately, even if there's a change in government regulation or principle coming, we can't be scratching our heads thinking this new regulation is coming on Monday, now what? We've got to be thinking so far ahead, but your ability to use this technology is dependent on the region and potentially the policy that you have to be able to utilize that technology in the first place. My goodness, that's a phenomenal introduction. You've touched on pretty much every critical point of awareness and knowledge that undoubtedly everybody at all layers of an organization is aware of, from what happens geopolitically, what are the early warning signs and symptoms of that, and you talked about kinetic impact as well. I don't think enough organizations think about that. We did twenty years ago when we were focused on natural disasters, but actually, kinetic impact of cyber ops through nation states is a big, big challenge now, and lots of really good metrics around what Microsoft have seen and how they've sort of targeted and amended their services to reflect the current geopolitical landscape. But the theme I've taken from this, and one that I'd love to kind of bring back from a viewer, listener perspective, is from a technical standpoint, given all that you've said, and we don't disagree with anything you've said, and we'll take that as gospel and say we now have to do something about it: what are the biggest hurdles that organizations suddenly need to jump over to deal with when they think about the geopolitical challenges that you raised? And I want to share some stories from my side as well on this, just to kind of operationalize a lot of what you've said. 
I mean, look back in February '22, right, when the situation escalated, as you mentioned, in Ukraine. I watched organizations, and I was working for one at the time that had operations in Eastern Europe, and we all faced a very immediate reality. And it wasn't just the regulators that were asking this question, it was also boards. Can we actually guarantee that our data isn't accessible by hostile actors? Technically, the answer is genuinely, typically, we don't actually know. And that's not a good enough answer. We know that it isn't, and we've learned some lessons through the experience of what's currently going on, of course, in Europe. What tends to break first is not the data transfer itself. We're pretty versed at that. It's actually control when this geopolitical storm hits, and there are three traditional walls that tend to appear in my experience. First is what I call the metadata trap. So if we think about this too, DORA, other regulations, there's a lot of increasing focus on operational resilience, the term we've all heard of. Your data might be in Frankfurt, but if the metadata, like the catalogue of actually what you have, who's accessing it, all the dependencies, is being processed through a control plane that's in a different country, potentially one that's geopolitically fueled or on fire, depending on how you look at it, then you've got a CLOUD Act problem, haven't you? And we've seen this with financial institutions and DORA. You have to demonstrate critical operational data can be accessed by third country authorities, and you also need to be able to understand that if your backup orchestration metadata flows through global infrastructure, well, you can't make a guarantee then that there's not going to be a risk to that. So that's the first thing, and the second is this dependency chain, and I think it's the most critical one. EU adequacy decisions do change, and there's lots of updates to regulation and privacy policy. 
And in fact, Schrems II invalidated the Privacy Shield straight away, right? So when that happened, organizations discovered that their EU compliant architectures had dependency chains, which were authentication systems, management planes, all touching infrastructure that was subject to a jurisdiction that was outside of Europe. And that raises real challenges operationally, because you have control plane sovereignty problems, haven't you? You've got management orchestration that's entirely within your EU designated jurisdiction, but there might be dependencies in third country entities, and those that are actively under attack at the moment. And so, to wrap up on this point, I think what leadership needs to be asking of businesses is: can we prove, not just to ourselves but to the auditors, that no third country government (and that's a really tricky one to be able to prove) can compel access to our operational data or even the metadata? Can it be controlled? Can it be turned off? Can I be shut out from it? And if the answer isn't clear, then you have a lot of architectural work to do. So, I wanted to add that on before we move into the next question, because it's something you did mention. I'm glad you did. It's about peacetime versus wartime. And I often wonder, Sarah, are we ever in peacetime? I don't know if there's ever been a point in my career where I felt it's been a peacetime scenario. But on that basis, how, in your opinion and experience, can organizations build peacetime architectures that are resilient enough to handle the wartime dynamics and the regulatory shift that you talked about in your introduction? I think, let me just touch on a little bit of those really great points that you've made, particularly some of the regulatory controls, some of the issues. As I said, it comes back to where's my data? Who's got access to my data? And you're quite right, you've got data about data. 
Again, if I just kind of bring that a little bit to some of the big cloud hyperscale kind of principles that people are probably so used to thinking about, with regards to that kind of people were moving their data out of their data centers into a cloud. And obviously that came with a lot of questions about not just a physical location, but who is accessing, who's supporting it, where's the code, where's all of that metadata, threat intelligence, etc. So there were a couple of principles that Microsoft came out with, and some of those have continued to build, and I'm just going to set that as a little bit of a backdrop. But first of all, you kind of think about the shared responsibility model. I think people might be accustomed to thinking about it, and I kind of like to think about it as a problem shared is a problem halved, in essence. So part of the rationale and reasoning for moving it to the cloud in the first place was we were taking advantage of a lot of the innovation, the built-in security and privacy controls that were built into the platform itself. I think that's kind of an important point to raise. When we're talking about those shifting dynamics, new controls, new regulations, it can be really hard for a lot of entities to stay on top of it, particularly if you're thinking about the overheads of building and managing your own infrastructure, even some of the complexities of just how to patch systems and everything else like that. But I think you've then got a layering, if you like, with regards to who's responsible for what. So you've kind of got the underpinning platform, and then if you've been building SaaS services, you've then got the application layer, so you've got the application service provider. But I think the real kind of basic thing that Microsoft, and other big tech, and no doubt other SaaS service providers have kind of always held true, so to speak, is that you cannot outsource your risk. So yes, you kind of can put your data here. 
You can put services there. I can outsource. I can have managed services, but ultimately you're always accountable for your data and you're always accountable for what your people are doing with that data. Ultimately, if we're talking about personal data, financial data, intellectual property, well, first and foremost it is your data. You need to understand the legal requirements of that data, the repercussions of that data. We talked about the operational resilience of that data. So, what's the criticality, the sensitivity, the backup requirements, etc, etc. And obviously we talked about who's accessing that data, so you've got identity and everything else. The challenge is that's always held true, irrespective of the layering and everything else. There's a lot more capability that's being built into what I said is the underpinning platform. You don't have to scratch your head and think about a lot of these things. There's a lot of things that are being built in by default and by design, but ultimately you have to take advantage of that. That's kind of the fundamental thing which is always the case. And I think you brought up a few things with regards to, let's say, more authoritarian regimes, governments, etc. And we're seeing that a lot of that's shifting a little bit maybe in the last couple of years, if we were to look at some of the more authoritarian countries that are very strict with regards to their right, as far as they're concerned, to have access to data, third party data. And that can be irrespective of where the country is. There's a couple of things that you therefore need to kind of think about, and some of that we've touched on. One part of that is the physical location of the data itself. The second part to then think about is the support and management of that data. So for example, we've touched on already that your people who are designing, building, operating the service may not be in the same country. 
Your data might be physically located in a cloud platform in the UK, or you use Frankfurt as a great example. The support of that may be coming from another country: the engineering support, and everything else. So there was a little bit of kind of pushback, particularly when we think about the EU, as mentioned about Schrems II. And so a couple of years ago, Microsoft then developed the EU Data Boundary, and in essence that was trying to give a little bit more assurance to EU countries. And at the time it was also extended into the UK and some of those other countries. And in essence it was providing principles that your data stays in the EU, and that includes support as well. Slowly but surely a lot of the engineering support that may have been provided across Asia or across America or whatever the case has actually been ring-fenced and bound to the EU or within European borders. And so that's been a kind of long ongoing principle. I think kind of underpinning that as well is that kind of reticence, if you like. Let's just talk about the CLOUD Act as a great example that you also highlighted. And it kind of infers that the US government can compel another US cloud service provider or any provider to provide access into that environment if they're trying to gain access into data or an entity, etc. And this quite rightly brings up lots of issues when it comes to privacy, control with data transfers. So the way around that, and the way of again providing assurances, is, and I'd like just to talk from a Microsoft perspective, given my background. But in essence, Microsoft's position was your data is your data. So the tenant is your tenant. You control the tenant. You control all access to that tenant. And ultimately there are kind of some principles that came with that in terms of encryption keys. So we had double key encryption. 
So Microsoft has a key, you have a key, and that kind of moved forward to having customer-owned keys, which means that even if I had a court order, and it does have to be a court order, there's no back door access. I have to just kind of reassure that to any government entity at all. But ultimately, if there's a request from law enforcement, they have to kind of go to the court. They have to get a court order, and it has to be justifiable. So there has to be a legitimate reason why I need access, and it has to be really refined. It can't just be "I want to have all access to all data relevant to this entity." It has to be a very specific reason. Maybe it's for a criminal investigation or something like that. But ultimately, then, people are still uneasy about the fact that even if you've had a court order, how do I know who's accessing what, and are they moving the data? Hence we have this kind of double key encryption, or customer-owned key, lockbox, etc. So in essence, what that means is that the control plane, if you like, is moving more and more into the customer's hands as opposed to the cloud service's hands or any other hands. I think it comes back to that kind of principle I sort of said at the beginning, which is you're always accountable for your data and you're always accountable for what people are doing with that data. Now you've got to be in control of your own people. Arguably you've got to have access controls, etc. But as we sort of said, you've got third parties, some of those you'll manage, third parties that you still have control of, but you might then have that entity that sits behind you, like the cloud service provider, who has to come and maintain servers. They have to maintain the storage and everything else. I think that's where the itchy feet kind of comes into play. Do I really have control? Do I really know what they're doing? 
So I think just to kind of sum that up a little bit, there's a lot of things that are happening at that kind of cloud layer, so to speak. There's a lot of things that are happening at a government layer that might change policy, that might change regulatory control. I think that means you've got this kind of constant tension, if you like. Whatever the law of the land is today doesn't necessarily mean that's going to be the law of the land tomorrow, and it could happen really quickly. So we've seen executive orders. We've seen changing of perspectives with regards to the sovereignty issue, data residency issue, etc. And I think that's going to continue to evolve. But ultimately, if we were then to bring that close to home with those organizations and entities, that level of accountability, control and expectation has to then shift back to the organization itself. And I think this is where we then need to kind of think: what does that look like ultimately, and how would you provide assurance that no matter where the end data is, or the physical data is, that you maintain that control? I think that's kind of where we're at at the moment with regards to that level of assurance and what ultimately boards are looking for in terms of what does that really look like in principle. Yeah, I couldn't agree more. We could have another two days' worth of conversations on just those points alone. What I would love to do is one of the questions I hear a lot about, because everything you've said is absolutely spot on, is around jurisdictional boundaries. How do organizations, if you're listening to this webinar, you're watching this webinar later after the live event, you'll be asking yourself these questions: how do I define jurisdictional boundaries? Especially within a global cloud environment. And a couple of comments I have on there, and feel free to chime in at any point, Sarah. You know, the Schrems II decision fundamentally changed how EU organizations must think about cloud architecture. 
We know that, and you've mentioned it. And the court said adequacy decisions aren't enough. If third party surveillance, or sorry, third country surveillance rather, laws can access EU data, then you need technical measures to prevent access. And so now we're not really concerned anymore, although we still are to a large extent, about where the servers sit or the instances that we're using. We're really focused on who could be legally compelled to provide access. And we've seen lots of these cases with telcos, mobile phone providers, the list goes on. So, we're all aware of some stories. But for jurisdictional layers, there are kind of four things you have to control, in conversations I've been having, and this is where I'm happy for you to tell me if you see it differently. So when the EDPB, and if people don't know what that is, that's the European Data Protection Board, when they set essentially a mandate of how things were to be done, they made it very clear that you must assess whether third country authorities can access data in practice. And so the layers that kind of matter around that, if we're thinking about this operationally: first is physical. Where is the hardware? And let's not disassociate cloud from that, because it isn't all physical. By the way, GDPR Article 3 talks all about territorial scope there. Then you have operational. Who operates it? To your point, what restrictions does it operate in? It certainly won't be just within the EU or your source country. And under what legal authority? That's really important. And to your point, that's where you think about the CLOUD Act considerations as well. And the data of the data, right? The metadata. Where does data and metadata actually reside? And this is often missed, because metadata transfers are still transfers under Article 44. And then the final point is control. Who can be compelled to provide access? And that's a Schrems II core issue, isn't it? 
So, what's interesting is really defining control by authority, not just location, is really what it's about, isn't it? True jurisdictional control requires legal insulation, and you covered that fantastically; operational insulation, right? Personnel: who's got systems access? Is it within the country? Is it outside? And I know many of us in our current scenarios will realize after listening to this webinar that there's a lot of third party questions we're going to have to go and ask and answer. And then the final point of that is technical insulation, as I call it. So, with no dependencies on third party infrastructure. Talking about some of the wonderful things Microsoft are doing to help ensure that control technically, operationally, and legally, and that's what's really interesting. So, I just wanted to talk about the operational side of what you mentioned, because a lot of people are probably thinking about how do they layer that? What are the steps they should be taking to ask the right questions at board level and operational and functional levels? And if you've any thoughts on that or anything to add, I'd love to hear. Yeah, I mean, I think the main kind of thing I would sort of say is it's very easy for a cloud service provider to kind of say "you should trust me, I've done all the things you've asked for", but how do you know? How do you know ultimately? So I can only really speak on behalf of Microsoft, given my tenure there. One of the things that Microsoft had was transparency statements, in essence, and the Trust Center. So any customer, you know, rather than having to go and kick the tires and do their own audits and everything else. So Microsoft used to have independent audit certifications across different jurisdictions. So what is applicable to the UK versus Germany versus another country? And they were all available to view online. So you could go look at the applicability statements. You could look at the test report. 
You could go and look at all of those, so you can have that level of assurance without having to do your own audit. On top of that, within Microsoft's own data protection registration, it would then say who the third-party processors are and where they are physically located. So again, I spoke before about the engineering teams or support teams. And some customers can then dig deeper into that and say, well, who exactly, not necessarily individuals, but where exactly is the lion's share of my services coming from? Now the challenge is, if you want to have extended services, so we talked about managed services, it might be follow-the-sun. You might have different language requirements, etc. So if your requirements are really strict and, let's just use the UK as an example, it says: I do not want any third-party processing. I want UK security-cleared individuals only. I want everything locked down to the UK. I do not want any other third party, any other person, even though they work for the company, to be logging in from Ireland or anywhere else. This control, that control and everything else: that becomes a bespoke service. And it's incredibly expensive, so your justification for going to the cloud and having the benefit of global cloud managed services and all of the resilience and availability and everything else that kind of came with it... The more restrictive you are, the more restrictive it is in return.
You've kind of got this double-edged sword, I think, which basically says on one hand, as we spoke about at the beginning, you want to have the level of assurance and operational resilience, that I'm not so restrained and so restricted, but I've now limited myself with regards to that availability and resilience because I've said I can only have it in this one country, and in this one country only, which puts additional risk and cost and complexity into that, because not only do I need to restrict it, I also have to monitor it. I have to verify it. I have to do all of those things. And so we have to have this balancing act, I think, Richard, as well. We say, okay, we've invested in the cloud. We've invested in these various different applications and services. You know, we've not even got into AI yet and the complexities of some of that in terms of where's my data and training data and everything else. But I think we've got to think about, okay, so we know we've got all of these things. Are we really going to go backwards? Does that actually help anybody? I don't really think so. So we have to have this assumption that we're going to have these different changing laws. We're going to have things that are coming out. The geopolitics is going to be up and down and all over the place, but ultimately I think it all comes back to the same point, which is how do you control what is in your gift to control? How do you get assurance of that? And how do you keep that control and that level of assurance no matter what's coming? So I think it is a little bit of a balancing act. Some of that might be resolved through the law of the land, for example. They may compel, or put in new laws that require, specific requirements or localized arrangements. Some of that we've talked about with the EU Data Boundary, Schrems II, etc., etc.
But I think the challenge is, even when you have some of this new regulation and control, A) it takes a long time for that regulation to come into play, and B) it takes a long time for the controls to be adopted, and then the assurance layers on top of that. You're always playing catch-up to whatever the regulation, policy or whatever else says. And so I do think it's important: staying dynamic, understanding the risk, being in control of the risk, being in control ultimately of your data. I think it is this kind of balancing act, ultimately, of how much risk, how much control, how much assurance is going to be required at your board level, at a government-level layer, etc., etc. But I think it always comes back down to the same point, which is that level of accountability from your perspective, but also the level of transparency that you're expecting of your third parties, so that you are able to attest to that level of assurance that you ultimately need. Sarah, you've talked about AI a little bit there, and we have to cover it off. As time is drawing to a close, I'm going to wrap two questions into one around AI, data governance, and a bit around leadership. Now, I know we've discussed this in previous meetings, and I've heard you talk about AI acting as a mirror, and how AI at this level, at least from a sociology perspective and also a general business data perspective, is exposing very deep-seated issues like data hoarding and where your unclassified data actually sits. I want to tackle what you've seen and the things that you know to be working well, and maybe what we need to be considering harder when it comes to AI. But from a strategic perspective as well, let's talk about the leadership side. How do you balance the need for all of these things? We've got sovereignty, jurisdiction control, legal controls. We've got AI, which we're about to talk about. How do you do all this and remain essentially digitally agile? How do you keep innovating as a business?
I'll address the first point on the AI, because it's been quite interesting. AI is exposing all of the risks that have already been there from day one. And I think we talk a lot about challenges when it comes to data governance, data access, data classification, confidentiality, all of those things. If I just roll the clock back a little bit, when ChatGPT first came out, was that three years ago? There was a mess. There was a movement to ban it, because people were concerned. People were copying and pasting corporate proprietary sensitive information into ChatGPT. So my argument is, if it's that easy to be able to copy and paste any data out of any corporate system and put it into any cloud application, irrespective of AI or anything else, you have a problem with data loss prevention. That problem's always been there. It's just been amplified as a result of AI. And again, as you'll probably be aware, Microsoft's relationship with OpenAI has then led to Copilot being embedded across multiple different services. And again, very similar thing. Humans can't help themselves; they're looking at how much does the boss get paid? How much does whoever get paid? And they can see that because they've always been able to see it. It's just the fact that they didn't know that. So a great example would be: you've got a perfectly good HR system with all the controls, all the data governance, etc., etc. Somewhere along the line it comes around to performance review. The manager or whoever is copying and pasting the data out into a spreadsheet so they can look at who gets paid, who am I going to pay a bonus to, whatever the case. They don't classify that data. They don't classify it as financial data, personal data, confidential data. It just sits in a spreadsheet. That spreadsheet might end up on OneDrive.
It could be in their email or whatever the case, but because it's got no classification on it, when people then come to asking the question, it brings it all back. It brings everything back. And that's the challenge: this is not being created by AI, it's being amplified. So in essence, it's a really great opportunity to put AI to work and flip it round. So looking at where all the controls are failing, where's all my data exposure, where am I not classifying data, where am I hoarding data, where is all that data that I was supposed to not have after seven years, that I was supposed to delete, was supposed to archive, was supposed to have all these things for, and actually use it as a data governance tool. Because ultimately, if that data is exposed, whether it's through a threat actor or through a third party or a government who's coming in and asking for that backdoor or whatever, you are still answerable for why that data was exposed, why it was leaked, why you're hoarding it, why you're doing all of these things. So it's a really great opportunity, I think, to look at the world we're living in, understand geopolitics, understand the technology capability, and then really think about, as you quite rightly said, what is the minimum level of control and level of assurance that we need to provide, and how can we use AI, or how can we use technology, to our advantage? We talked a lot about the fact that there are disadvantages to utilizing some of this tech, but I also think there are a lot of really great advantages to being able to do this at scale, because it's just expecting people to know where the data is and suddenly put all these controls in place. If they could do that easily, they would have done it already. I think that's the long and short of it. But ultimately it's then how do we catch up? How do we make sure? These things are coming whether we like it or not.
And ultimately you're still accountable for the data, and for what people are doing with that data. How do we get ahead of the game? And how do we then get all this good control in place? Because ultimately you're going to want to adopt this cool technology. We don't want to stop people using AI and using the cloud and multiple other things that are coming. We want to make sure it's done in the right way and for the right reasons, and that level of accountability and control is maintained in the right place, which ultimately is through those entities that we've been talking about. Wow. Well, Sarah, I have to say this conversation has been absolutely invaluable, I know, not just for me but for all those listening in or watching. Your insights on the subject, the attacker mindset early on, the geopolitical early warnings, how organisations need to fundamentally rethink resilience in the current geopolitical climate: it's exactly what leadership needs to hear right now. There's no doubt about it. What strikes me most from the discussion we've had is that sovereignty isn't a destination. It's actually an ongoing operational capability, and it's not something that you achieve once and tick a box; that was the compliance of old, and gone are those days. It's something that you architect, and you have to maintain and adapt as the world shifts around you. And the point around that is that the world is shifting. We know that borders are absolutely changing, and alliances between countries and nations are evolving. And what we have to think about is that what was once a friendly jurisdiction yesterday or even today might not be friendly tomorrow, and data is increasingly being weaponized as a geopolitical tool. And so, for everybody watching or listening in live, or following up in a post-listen, there are three things I'd like you to take away from the conversation Sarah and I have had. First, you've got to ask yourself some really tough questions, right? It's not where is our data?
We've been asking that for the last couple of decades. That is important, but what's more important is who can exert control over our data and our metadata, right, the data of data, and more importantly, our recovery capability. Because if the answer involves dependencies and entities that you ultimately can't control, then you do have architectural work to do here to solve that. And the second point is understanding that sovereignty and security must work together. And that goes for all business units, right? Legal, risk, compliance, etc. Don't work in opposition. You shouldn't have to choose between protecting your data and maintaining operational resilience, right? You shouldn't have to sacrifice threat detection just to maintain jurisdictional control, for example. And these are challenges we have. We have third-party providers in certain countries. We may find these are decisions we have to make. The architecture should exist to have all of these things, and we have to demand that at the business leadership level. And the third and last point is minimum viable sovereignty. It is achievable, and it's what will keep us in business when geopolitical crises hit, or the wartime economics that we're currently in, and if that escalates, we hope it doesn't, but if it does, these are the three core controls that we have discussed throughout the fabric of this webinar. First is immutability in terms of recovery. Knowing where your data and metadata sit: is it within your jurisdiction? Can you control who and what accesses it? And making sure that you have a sovereign-compatible threat detection capability. To Sarah's point, you're looking at what's going on in the world. You're looking at the signals from threat intelligence feeds, competitive organizations, parent companies, sister companies, whatever it may be; you've got to make sure that you get this thing right, because then you've built the foundation for resilience in what is now an uncertain world.
Sarah, thank you so much for your perspective on cyber resilience, crisis leadership and how organisations should prepare for what could be their worst day. It's been a real privilege to explore these challenges with you. Thank you, Richard. Look, Rubrik would love to continue the conversation with you. Please reach out to us. We'd love to talk about your specific environment or sovereignty challenges, help you understand resilience in the area of sovereignty, and also look at what jurisdictional boundaries mean to you, exploring what data sovereignty looks like for your organisation in the era of geopolitical uncertainty. Because there's one thing I know from all the conversations I've had with CISOs and executives across Europe and the Middle East and all these other countries, and it's not just bound to the EMEA region: the organisations that will thrive aren't the ones with perfect plans. They're the ones that actually have the right resilient architectures, the strategic options to adapt when borders shift, or when geopolitical alliances change, and when the world becomes unpredictable. And the world is unpredictable. So Rubrik is about helping you build architectures that give you control, absolute control, and an uncompromising ability to recover in the event of a crisis like this. So thank you all so much for joining us today. Beyond Borders: Achieving True Data Sovereignty in an Era of Geopolitical Uncertainty has been the webinar, and thank you so much again, Sarah, for your incredible insights, and please do reach out; let's keep this conversation going. Thank you everyone.