The Center for Data Innovation spoke with Christopher Muffat, chief executive officer and founder of Dathena, a data protection platform based in Singapore. Christopher Muffat discussed how Dathena helps organizations effectively secure their sensitive data while complying with data protection regulations.
This interview has been edited.
Eline Chivot: What made you start Dathena and what are some of the challenges that make systems like yours useful today?
Christopher Muffat: I had the idea to start Dathena in 2011 while I was leading the Swiss Leaks investigation, the largest leak in the history of Swiss banking. I had deduced that the root cause behind the massive data breach was the organization’s failure to first and foremost identify what it needed to protect. And throughout my career in information security threat and incident management I realized that the majority of organizations systematically fail to quickly and accurately identify and classify their sensitive information, therefore failing to secure their data protection systems and exposing the entire organization to harmful exploitation.
Data breaches have started to become frequent events. The financial impact of these breaches on companies is more severe than before. The need to accurately discover and classify our sensitive information is becoming more critical as we deal with an exponential growth in information—30 percent growth annually in data volume, 95 percent of which is unstructured data.
Today, information security managers are facing the daunting challenge of effectively securing data, as most simply do not know where it is, and who accesses, analyzes, and processes it.
On top of that challenge, data protection regulations are proliferating around the globe. Failure to comply with such regulations, like the EU’s GDPR, can subject organizations to significant fines and damage public relations.
Dathena was developed to address these challenges head on. By effectively and intelligently enabling end-to-end data protection and enabling regulation compliance, organizations can finally focus on their core business with peace of mind.
Chivot: You have integrated graphics processing unit (GPU) technologies in your software. How did this benefit Dathena?
Muffat: In 2013, I started to do research for Dathena around AI, machine learning, natural language processing, and in 2016 we started to explore deep learning, which GPUs are particularly able to support.
GPU is well-known for running deep learning algorithms, which provides speed and accuracy. We are one of the few using it for cybersecurity, so it is quite innovative. Originally, GPU was created to offload the central processing unit (CPU), which is “the brain of the computer,” if you will.
Displaying information, such as a video, is based on a series of many little tasks—calculations—which must be repeated again and again. That’s what GPUs were initially designed for. CPUs process more complex tasks one after the other, while GPUs are capable of doing the same for many more simple tasks. As a result, any computing problem that requires parallel tasks and to repeat them a billion times over would require GPUs to efficiently process high volumes of calculations.
This brings great benefits to our technology at Dathena: some of the tasks we use in machine learning techniques such as deep learning cannot be completed by a CPU alone. GPUs for deep learning provide more accurate predictions and deliver faster results.
The latest data breakthrough for GPU is that we can store our database on the GPU’s RAM (random access memory) to significantly improve the user experience. Users are now able to deep dive into millions of data points, drag and drop complex analytics, and access actionable results and intelligence instantly. For instance, if there are 10 billion documents within an organization, the user can filter them down by department, check the number of documents that appear for one single person or one department. The interface is not limited to providing a high-level view of the results. The user can dive into the details and know what to do to fix a problem or protect information.
Chivot: Have you learned anything interesting from the analytics you run on corporate data?
Muffat: We work with clients from different industries, different countries and different cultures. They may be based in France, Singapore, Switzerland, or Thailand, yet our findings are consistent across the board. People behave the same way. For example, we found that on average, every single organization’s information includes about 30 percent duplicated files. Another recurring pattern is that the living data represents less than 5 percent of the total amount of data that is stored.
These insights into how users consume and manage their data, as well as the type of data consumed, enabled us to create solutions for our clients that help them manage their data more efficiently and also decrease their costs significantly.
We also benchmarked organizations based on the types of documents they have, such as confidential, secret, or public information. Prior to being analyzed, many organizations tell us that their teams know exactly what their confidential information is, who accesses it, and where it is stored. But in 100 percent of cases, our system demonstrated that in fact, they were wrong, and do not have a clear understanding of the nature of their confidential information, or its location.
Finally, we have learned that the information security experience today is burdensome to users, incentivizing poor data protection hygiene and resulting in higher instances of data breaches. Here at Dathena, we are changing this prevailing perception that cybersecurity and information protection is burdensome and counterproductive. We are doing so by creating user-centric solutions that can be integrated seamlessly into any organization’s systems while providing proven results, so that users can focus on their core work with peace of mind.
Chivot: How does your technology support compliance, and how accurate is it?
Muffat: Compliance concerns us all. As soon as you retain personal data, you are subject to scrutiny. And for the first time, many companies have had to appoint data protection officers (DPOs) to deal with the new privacy law. However, in the current state of information visibility, DPOs are like a blind archer that is supposed to shoot a moving target. And there aren’t many tools to support their mission.
In order for a DPO to achieve his or her mission, the first step is to evaluate how much personal data the organization has, where it is stored, and who has access to it. But that first step is always missed. This is where our technology is invaluable for DPOs. Without Dathena, they would have to do this inventory of personal data manually—going through data that is unstructured for the most part. You can imagine how painful and ineffective it can be to go through every single file and to demonstrate why this information is stored. Excel spreadsheets are simply not adapted to dealing with today’s massive flow of information.
Not only does our technology fast-track regulatory compliance by doing the inventory in a fully automated way, it also makes this process much more consistent and cost-efficient. One hour of our AI equals 10,000 man-hours.
The accuracy of our automatic inventory creation is 90 percent out-of-the-box, reaching close to 100 percent within four weeks of deployment. We monitor the accuracy through an embedded workflow within the tool. We take a sample and submit it to relevant stakeholders or employees—those we identified as having opened many files containing personal data or created a lot of personal information—and we ask them whether or not our analysis is correct. We then run a smart sampling of the data, for which we have filed a patent. Through this very limited sample check, we can confirm the accuracy of our system.
Chivot: You are based in Singapore, a booming scene for regtech startups like Dathena, but are also a French man engaged in global business. How well-equipped do you think European and other markets are for regulatory technology (regtech), and how is this space likely to evolve? Should Europe be doing anything differently?
Muffat: In my view, startups that have a chance to succeed in regtech are those that combine two elements: the provision of a regulatory-oriented, efficient workflow, and the use of AI-driven technologies to automate this workflow. And there are an increasing number of regtech startups that are both AI-driven and aim for compliance at lower costs.
The first obstacle faced by most startups is limited access to data, which restricts their ability to train their predictive model, to gain credibility with customers, and to ultimately scale. For example, compliance and regulations increasingly require organizations to perform KYC—“Know Your Customer”—which is getting more burdensome and expensive, especially in the financial services industry. Many startups have begun producing promising KYC solutions. However, financial services providers still find it difficult to give away their data to such young entities. There are not many success stories to be told yet, and as a result, the risk appetite of venture capitalists, and their motivations to invest remain limited.
Certain technologies are only emerging, which can also explain the high cost of entry for startups in this market. Startups will indeed have to provide multiple cloud-based solutions to facilitate the adoption of their products. To achieve this, they will have to set up technology partnerships with bigger firms such as Microsoft, AWS, and Google—that is, the big guys. If they don’t, they will struggle to scale. They will also have to collaborate with big data providers like Dow Jones and Bloomberg. Developing joint business relationships with these companies remains difficult, because they aren’t all ready to open their doors fully to startups either.
To unlock the potential of regtech as an industry for startups, this ecosystem will first need to mature, both from a strategic partnership perspective and a technology perspective. For now, there is still a significant gap between startups and traditional companies. I’d expect regulatory bodies like the Monetary Authority of Singapore (MAS) or the European Securities and Markets Authority (ESMA) to provide a regtech sandbox to startups and financial institutions. A regtech sandbox would provide a complex ecosystem including infrastructure, use cases, and data, which would certainly accelerate innovation.