Just give it up, no one cares about security

As I walked into that office, a heavy sense of pressure seemed to hang in the air.

A slim yet dignified middle-aged man personally poured me a cup of tea. The one receiving me was the deputy factory manager of this client, who had his hands in nearly all operational matters of the factory. He seemed a leader who liked to oversee things himself. Even in the brief moment it took to pour tea, he was signing a document for a security guard who had come to apply for funding. This level of hands-on involvement surprised me for a client leader of his stature. He carried himself with approachability and always made sure to handle things in person. His down-to-earth style left an impression of a leader who preferred rolling up his sleeves to getting others to do the work.

This was the first time in my life visiting an enterprise of such scale and renown. Its reputation throughout the country was deafening, even though it was just one subordinate factory within the larger conglomerate. Yet even as a subsidiary plant, its economic influence over the local area was immense, almost monopolistic. I could sense the enormous importance and weight this factory carried in the region as I walked through its expansive facilities. Being granted a tour of such a consequential operation was truly an impressive experience I will not soon forget.

As a developer-born entrepreneur, I confess such an experience left me feeling rather tense and stiff.

"So... what's your company, again?"

It was the third time he had asked. In just 10 minutes.

Our conversation was occasionally interrupted as he needed to either sign documents or give verbal instructions. Yet he was always adding more tea to my cup, even before I'd had a chance to take a sip. It seemed he used the act as a subtle yet deliberate signal to refocus our discussion. Then he would ask me the same question one more time.

"We're a startup focused on AI-Infra. We provide an on-prem private AI solution based on open-source large language models. Maybe you've tried ChatGPT…"

Acting swiftly to seize this unexpected opportunity, I retrieved my iPad Mini from my bag and set up the pitch deck I had prepared in advance. Placing it before him on the table, I began introducing our company as he listened attentively.

The font size is damn small on the 7.69-inch iPad Mini screen!

I uttered a silent curse in my brain.

However, he did not seem concerned with the size of the text on screen. Instead, he leaned in closely with tea cup in hand, listening intently while carefully reading every word on the slides.

"…that's how we make it work, and we've learned that a certain scenario in your department may need an automated solution to reduce human interference…"

5 minutes! He didn't stop me. That's my chance to get to the unique feature of the product!

"If what you said is true, there may indeed be some applicability for this approach."

Sitting up straighter and leaning forward slightly, he offered, "We've been getting a lot of pitches for similar offerings lately. In fact, many that have come across my desk don't seem entirely sound."

"We actually considered privacy and data security for enterprise customers. Please see this graph…"

Finally! This is the part of our story that I take most pride in. From the beginning, my vision was to build a cloud-native AI-Infra company focused on empowering organizations with privately held, yet responsibly governed AI. One of our founding principles acknowledges that in the future, not only will everyone have their own private AI, but these systems must respect privacy and ensure data security. The rationale is quite simple - once humans digitize their experiences into AI avatars, the security of these creations will become a threat not just to individuals and families, but societies at large.

From my perspective, for companies investing substantial time and financial resources to digitize core data and worker experiences into proprietary AI systems, wouldn't diligently protecting those assets be only prudent? Surprisingly, he did not respond to this point directly, but instead inquired about other aspects of our proposal.

I couldn't help but gently point out to him that privacy compliance and data security should be mandatory investment priorities, not optional considerations. To emphasize my point, I briefly recounted a few salient examples where lapses in these areas negatively impacted companies. My aim was not to lecture, but to highlight risks our solutions are designed to help mitigate. While respecting his wisdom and authority, I felt a duty to bring additional relevant perspectives to the discussion. By weaving real-world instances into our dialogue, I hoped he would see both strengthened commercial rationale and societal importance for the protections we advocate.

Suddenly, he turned to me with an impassive expression and spoke in a tone seeming to test for sales gimmicks: "My data resides in-house. Why would there be security issues if we already have robust systems in place?"

I offered a relevant example in response. There was a case, I explained, of a disgruntled employee at a company who was laid off. Seeking revenge, the individual maliciously deleted the company's entire database, crippling their operations. While the perpetrator was eventually brought to justice, the company nevertheless collapsed as a result of being unable to recover quickly from such a catastrophic breach. With this example, I attempted to demonstrate that while many security measures can defend against outside attacks, they may not always protect against insider threats. Merely keeping data in-house cannot singularly guarantee safety. No protective systems are infallible, as clever adversaries will exploit unforeseen cracks, whether external or internal.

"That's bullshit!"

He seemed caught off guard by the example, abruptly responding before rising to fetch water and refill our tea cups. Upon sitting again, he repeated the phrase in a contemplative tone.

"That's bullshit!"

Well, it is impossible to persuade someone who refuses to accept factual reality. In the case of such a prominent organization with an exceptionally low employee turnover rate, this town's residents would give anything for a job there in a heartbeat. The local government itself must stay in their good graces. Under such conditions, he seems to be confident enough to reject the fact.

However, no one can thrive without respecting the facts.

I think I should stop while I'm ahead. Since they are only interested in the AI core, I should just let them be and give the customer what they want. After all, I'm here to do business, not to baby-sit them.

I promptly steered the conversation toward aspects he was more interested in. Eventually, he arranged for his IT manager to liaise with me, allowing us to delve into more in-depth discussions.

Yet I still believe in my ideals - that sooner or later, people will realize that constructing a truly valuable AI system goes hand in hand with privacy protection and data security. They are an integrated whole, otherwise it could never become a successful product. Without them, it remains merely a shoddy, temporary draft.

But before that day comes, I have to say, just give it up, no one cares about security.

Unless they feel the pain someday.