Subscribe
Share
Share
Embed
Welcome to The Boardroom Path, the essential podcast for aspiring and newly appointed Non-Executive Directors navigating the journey from executive leadership to the boardroom. Hosted by Ralph Grayson, partner at Sainty Hird & Partners, each episode offers insightful conversations with industry leaders, seasoned board directors, and governance experts. Our guests share practical strategies, valuable perspectives, and actionable advice on how to effectively transition into board roles, maximise your impact, and build a rewarding NED career.
[00:00:03] Ralph Grayson: Welcome to The Boardroom Path by Sainty Hird & Partners. I'm your host, Ralph Grayson, a partner in the board practice. In this series, we'll offer practical steps and useful perspectives for aspiring and newly appointed NEDs. Throughout its 30 year history, Sainty Hird has recruited senior board members across the City, Industry, the Public Sector and NGOs.
We're now also evaluating those boards, as well as coaching and mentoring those seeking to transition from an executive career into the boardroom. So we'll be speaking to some leading figures in the board advisory and NED world. Specifically, we'll seek their counsel about how and where to spend time and energy to make an effective transition into the boardroom. The goal is to equip recent and aspiring NEDs with tips, tactics and strategies to be most effective and build a successful career as a board director. In the process, we aim to help you to think more about who you are, how you operate and how you can make this work in the boardroom.
My guest today is Danny Lopez, who's exceptional blend of financial, diplomatic, and tech industry experience uniquely positions him at the crossroads of cybersecurity and risk management. His leadership at Glasswall underscores a forward-looking, culture-driven approach to mitigating increasingly sophisticated threats. Fluent in both boardroom strategy and technical nuance, Danny has a track record of building resilient, trusted institutions in sectors where risk and opportunity intersect, crucial to today's board agenda.
His professional journey began at Barclays in 1996, where he spent a decade in international banking roles across London, New York, Miami, and Mumbai, shaping his early understanding of global markets and risk dynamics. In 2006, Danny transitioned to the UK government's trade arm later becoming the inaugural CEO of London and Partners, the Capital's international promotional agency established under the Mayor of London's office. From 2011 to 2016, he served as the British Consul General in New York, becoming the youngest ever to hold that role. In that capacity, he managed the UK's economic profile, foreign policy, and national security priorities across North America.
After his diplomatic tenure, Danny joined Blipper as COO, where he helped drive innovation in augmented reality and AI from 2016 until 2018. In 2019, he took the helm of Glasswall, a pioneering cybersecurity company, specialising in file-based threat protection technology. Under his leadership Glasswall has cemented its position in government, defense, financial services, and other critical sectors championing proactive risk-first approaches to cyber threats.
Danny brings a unique blend of strategic insight, operational acumen, and a deep understanding of disruptive tech. His roles across diplomacy, finance, and cutting edge tech have honed his proficiency in identifying and managing systematic risk, especially in cybersecurity, AI and geopolitics. He speaks regularly on topics including cybersecurity strategy, building a security aware culture from the boardroom down, managing cyber risk at the executive level, and the evolving impact of AI and geopolitical shifts on security frameworks.
In his own words, his varied career has taught him that effective cybersecurity hinges on internal communication, training, and proactive organisational culture, not just reactive tools. Danny remains actively engaged with a number of boards beyond Glasswall. He's a board member of the Aquis Stock Exchange, pro bono advisor to the City of London Corporation, and until recently Danny was also non-executive director at Innovate Finance, where he championed the UK's global FinTech industry and was an advisor to FinTech Collective, a leading New York based VC firm. In June of this year, he was awarded the MBE for services to trade promotion and to the City of London.
Danny, a fascinating spectrum of experience and perspective. Perhaps you can put a little colour on that and talk us through how your career has evolved.
[00:04:50] Danny Lopez: Sure. Thanks Ralph, and great to be here with you today. As I listen to you describing my career is what in your industry is called frequently a very non-linear career. But to me it's always made sense, right? Because I think for me it's been a sort of combination, at every point, of risk management and growth. You know if I think of my banking days, you lent money to companies to make sure that they grew, and you took risk management extremely seriously as an enabler. Not as something worse than that. Then my time in government was exactly the same. I sort of got to understand geopolitical risk, international growth risk, the source of big challenges that companies who expand on the global scene face. And then most recently, of course, in tech. Incredible risks that are, in many ways, mitigated by really good innovation. So risk management and growth is, to me, what my career has been about, underpinned by a very strong culture. If you don't have the right culture, then you know you can't really achieve the growth you're after.
[00:05:45] Ralph Grayson: So, where does cybersecurity touch on all of that? What led you to be such an expert that you are now viewed on cybersecurity? Was it the tech, was it the business, and for our listeners who are new and aspiring board members, where does cybersecurity fit within that paradigm?
[00:06:04] Danny Lopez: For me, one of the main drivers behind getting involved in cybersecurity is that I sort of see it as the it's kind of the defining risk of our time. You know again, thinking about risk management, being at the centre of my own career. This is the biggest risk that we face right now because all businesses are data-driven. All businesses are digital. The most important thing that businesses need to do or organisations need to do is to safeguard their data and that's what cybersecurity is about. So, in a way, when I talk about it being the defining risk of our time, it's really the sort of enabler of having trust and maintaining a reputation. That's really what interests me because I never see cybersecurity as something that you should find scary or that's all about fear. It's actually a sort of strategy enabler as a growth enabler and that's what drove me to it.
You know, and this is not about being really into coding or having an incredibly vast and strong engineering base. It's not about that. It's risk management. And when people ask me all the time, what's cyber? Cyber is risk management.
[00:07:06] Ralph Grayson: What is Glasswall then? Let's just touch on that for a second.
[00:07:08] Danny Lopez: Look at Glasswall we play a really important role in protecting organisations across both the public sector and the private sector and we do so by ensuring that file-based threats, so these are the threats that you find in files and attachments, are mitigated. You know, around 70% of the sort of nasty malware that comes into organisations is asa result of a very innocent double click on a file or attachment that ends up having all sorts of bad stuff in it.
Traditionally antivirus technology has been the way we have relied on making sure that threats and files and attachments are taken care of. But actually what we do is something very different. We don't sort of look at what's bad in files. We look at what's good in files and we recreate them and we essentially break them apart and rebuild them into a safe format. So look, I think for us, it's all about taking risk, back to risk again, right? This is going to be the theme. We take risk off the table and make sure that the threats that organisations face and files are taken care of.
[00:08:04] Ralph Grayson: Glasswall has recently beenacquired or had a major investment by a PE company, US based. So you're a global company, your clients are global, they're corporates?
[00:08:15] Danny Lopez: Yeah. Yeah. So look, we very recently went through a process that resulted in a strategic investment from a Boston headquartered private equity firm with a very strong presence and office here in London called Providence Strategic Growth. Exactly the sort of partner that we were after for this next stage of growth.
And we as a company, you know, we might be a small British player, but 90% of our revenue plus is actually in the US. We sell a lot into the defense and the intelligence space and more so that's starting to translate now also into successes in the commercial space. You know, I sort of always joke that in a way we've done it the other way around, right?
It's kind of difficult to sell into the US government, but that's really how we started and it's been the main driver of our growth, and I sort of joke now and say, well, because we work in the intelligence community. If it's good enough for Bond, then it's good enough for everybody else and we're taking that work now into the commercial space.
But ultimately, it goes back to my main theme, right? Any organisation that takes risk seriously, and any organisation that has a large volume of files, is exposed and our solution plays a very big role in taking the risk off the table.
[00:09:12] Ralph Grayson: I don't know whether I'm troubled that your major market is the US. Should we be proud that this is a UK headquartered business breaking into the US or should we be troubled that the US perhaps are taking cyber more seriously?
[00:09:27] Danny Lopez: It's a very good question actually and obviously as a British cyber player, I think it's a source of pride that we are chosen by the US government repeatedly you know, against the number of competitors as a premier provider of solutions thatin this case helps the defense and intelligence US space as we do. Of course we also work here in the UK and we also do work in Canada and Australia. But I think it is fair to say that the US obviously there's more volume,there are more risks to take care of. It's a fast moving market, right? One of the things I think we're sort of starting to see the change now, but the US has traditionally been a market where they care less about the size of the company. They care more about the quality of the solution. If we are up against a major player, the US buyer will say, well, we'll choose Glasswall. They might be 10 times smaller than the other competitor, but we prefer their solution and they'll move forward with that. And I think that's something we should learn from it here in the UK.
[00:10:17] Ralph Grayson: Interesting, can we maybe start with how your experience relates directly to the board? So non-execs can't be experts in everything, nor should they be, so how do they make sure they have sufficient and relevant knowledge to enable them to undertake their oversight function effectively? But also be confident that they're aware of the risks and opportunities facing the organisation?
[00:10:40] Danny Lopez: Yeah, I mean, look, we could spend so much time talking about this. I think the sort of first thing to say is that I've always felt that to be an effective NED you need to be intellectually curious and it's no different with cyber. And I think cyber actually is one of those areas where people have felt rather vulnerable talking about it because they feel exposed and part of the reason is that cyber has sort of been put in the box of this is a tech issue, it's an IT issue, and it's the wrong approach. It's not a tech issue, it's not an IT issue, it's a risk management issue, and therefore it's related to all aspects of the organisation and therefore NEDs should have a significant stake in any cyber based discussion.
It goes two ways, I think, the information that comes up to boards needs to be presented in a way that is digestible and I think, many security teams have failed at that by thinking, well, if we sense stuff in language that nobody's going to understand, then maybe they just won't ask many questions and we'll go from there. That's mistake number one, because you need to have a a really strong two-way relationship when it comes to these sorts of discussions. So there's a responsibility for the security teams to present a lot of the information, as I was saying, in like in a digestible way. But then NEDs have that responsibility to challenge, to probe, not to feel exposed and to keep thinking about how any issue they are covering, from a cyber perspective, relates to the wider risk register strategy or the wider strategy that an organisation or company faces. So I think that's sort of number one. It's not a tech conversation, it's a risk management conversation.
But I think NEDs also need to invest heavily in making sure that they understand the space, right? I mean, I don't think any NED suddenly being expected to you know, go and join a coding course. But you can't really challenge or question what you don't understand conceptually and strategically. So I think there's a real responsibility to make sure, and boards need to help NEDs with this, that they kind of understand the basics, particularly at a strategic level, to be able to have those good discussions.
[00:12:32] Ralph Grayson: And it raises that central question for all boards of technology, master or servant, threat or opportunity?
[00:12:41] Danny Lopez: Yeah, I'm not a sort of, you know, black and white person on anything, frankly. Any question you ask me on this, if it's two extremes, I never feel that an answer is one or the other. I think in this question it's very much a balance. In a way I'd turn that around and say, which one I do I find more scary and I think I would find it more scary if technology is the master. But ultimately the board needs to have a good view on what its strategy is. Full stop. And technology is going to be a very important part of that discussion. And then technology should be viewed as an enabler. Because that's ultimately what it is. Whether you want to call it servant or not. It's essentially enhancing, it's enabling, it's aiding an organisation with its growth strategy, and that's what it's about.
So for me, if you ask me the question, master or servant? Enabler.
[00:13:25] Ralph Grayson: So first key takeaway is that cyber and AI is not purely a technology issue, it's a business issue. So how would you advise boards to frame how they should approach that subject?
[00:13:39] Danny Lopez: Well, I think you need to sort of see all of this holistically. It's all part and parcel of the same thing, which is, you know, safeguarding your data, ensuring that you have the right level of trust with your customer base and how the technology is able to help you on that journey. If you think about AI, it presents a whole bunch of opportunities from a security perspective, which are great for an organisation, and it also presents a whole bunch of threats and that's where cyber comes in. Is it good that AI has arrived at a time when cybersecurity is so important? Absolutely. Because there's more progress and there are more opportunities. But have the threats increased? Yeah, totally.
The learning points for NEDs and Boards is that they have to educate themselves on, these advancements that we're now seeing. But they need to look at it holistically as all part and parcel again about you know, that organisation strategy.
[00:14:30] Ralph Grayson: I guess I'm still struggling with how the very distinct threats can be looked at holistically. Is that about asking the right questions of the xcom or the xcom having the right individual roles? ie a lot of people are speculating now about the role of the AI officer. and is there a seat on the board beyond being a member of the risk committee, if the company's big enough to have a separate risk committee to need that specific technology and risk management, connectivity and expertise.
[00:15:05] Danny Lopez: Look, it's important to have a good level of knowledge within a board and at least one NED who understandsthe subject matter of cyber and AI. I think that is important. But if you think about a lot of the questions that are being asked, you could be on a board and have a discussion about risks that an organisation faces and the CIO let's say, is presenting to the board and you know, would have a list as long as my arm in terms of all the various security risks that an organisation has. All very valid,or potentially,a real hindrance to the organisation. But actually as a NED you'd probably say, well, that sounds terrible, but let me throw it back to you, security team. What are the crown jewels of this organisation from a data and digital perspective? What is it that this organisation has without which we would be on our knees? And then if you asked that question, you'd probably say, oh, actually it turns out that it's, this 7% of our digital landscape that are really the sort of the crown jewels of the organisation. Then as a NED you'll say, well, that's what I want to see protected more than anything else.
Now, do you need a whole load of technical knowledge to be able to ask that question? No, you need a strategic mind and a strategic brain, and I think security teams really welcome that because a security team's job isn't to decide what the crown jewels of the organisation are. That is a strategic board conversation. So you can start seeing there how that two-way conversation is absolutely key. Because then as you're deciding or you know, approving budgets that are spent on security, you might end up saying, well, so it turns out that, let's say 5 to 7% of our entire landscape is the most important part. I think I'd like to see 50% of our security spent on that, and I don't want to see equal distribution across our entire threat landscape. So, that's a curious mindset that is an incisive strategic brain trying to understand where the risks are in an organisation and how that's going to impact potential reputational issues that are absolutely, in a way, the license to trade that an organisation has.
[00:17:03] Ralph Grayson: I hear a lot from NEDs when it comes to this subject of known unknowns and unknown unknowns, ie having that comfort to ask the right questions perhaps where you don't have competence or familiarity other than reading The Economist of what's going on in geopolitics at the moment. What do you think the most pressing issues are today around cyber and data risk? What's the current position and I guess how are boards adapting, in your experience, or how are your clients adapting and are they doing it well?
[00:17:36] Danny Lopez: It's definitely better, right? Than it was. If you think about the journey for a lot of boards, we've gone from a sort of tick box exercise where we're sort of trying to show that you're doing the right things on cyber, because that's what Compliance has asked us to do. Into, as I say, sort of more meaningful, substantial conversations that are just very pertinent to the organisation. So I think that that has improved.
You know, a word we haven't spoken about yet, which is key, is resilience and the resilience that an organisation has really is borne out of, you know, having the right level of stress testing and that's going to involve those dreaded days where you are sort of running scenarios of some doomsday potential threat that an organisation faces and how you would react. We are seeing more of that now, but I don't think we're seeing enough and that is key and I think as an agenda that boards should be pushing more and more.
As I say, this can be a drag, right? A lot of people just go, I don't want to waste four hours every three weeks sort of going through some nonsensical scenario that's never going to happen. Well, it probably won't happen, but it'll be something similar and it might be more, or it might be less. But if you run through it properly, not as a sort of compliance exercise, but a real life scenario, you will learn a lot from it. And what do you learn? It's not just about the impact that it'll have on your customers or your suppliers or whatever it might be. What you learn also is what role does everybody play?
When that moment happens, what's the CEO doing? What's the CFO doing? What's the COO doing? What's happening below, 2, 3, 4 layers below that? And there's a lot of mistakes that will come out from that, and there's a lot of learnings and if that's handled the right way, you are very much on the way to building resilience within an organisation. That will also relate to the overall level of culture that you have as an organisation, Are you taking security seriously? Are you not? Are you celebrating the successes or do people feel scared to raise their hand if, you know, some piece of malware has potentially entered the organisation? Should they talk about it? Should they not? There's a very sort of important piece there is this sort of constantly figure out ways of ensuring that individuals in an organisation are faced to the realities of what could happen and how you would react. That's the part where I think we've got better, but there's still quite a long way to go and I would really encourage boards to request their executive teams to bring thatup the agenda.
[00:19:52] Ralph Grayson: That resonates very much with some conversations I've been having with heads of risk committees who are asking for away daysor standalone periods for war planning and scenario planning on the board. I know you've talked a lot about threat vectors and risk being dialed up massively. Are we in a new paradigm? People talk about paradigms all the time. But geopolitics, economics, trade wars, tariffs, the Great Calm's behind us, right? So, are we in a new period? I mean, resilience is the all encompassing word, right? But has the world just changed?
[00:20:28] Danny Lopez: I think it really has, right? I mean, a lot of people argue that it hasn't, and that there's always been big events that you know, throw you a little bit off course. But I mean, you know,we don't need to say how many years my career has spanned, but it's quite a while and I can't remember anything like the last five years. A global pandemic, the invasion in Ukraine, the arrival of AI. I mean, you know, these are huge moments that have had a massive impact and they have all come at once.
So, yeah, I think this is a new reality and any sort of team that thinks, well, that was probably 2020 to 2025 and now we've got a period ahead of normality. They really are kidding themselves. But at the same time, I also have great confidence in the human nature, right? And we adapt very quickly and we go from having a period where we expect the change to happen every few years to, we expect the unexpected on a daily basis. And that's fine.
I mean, it's no different to jobs that we have. Some jobs feel quite sort of plain sailing and other jobs are 17 challenges a day. You can still excel at both, and I think that's kind of where we are right now. There's no need to sort of dramatically call it anything. It's just this is where we are right now.
[00:21:34] Ralph Grayson: I heard a chair the other day talk about swan stacking, right? So we talk about black swans coming along once in a lifetime. Now they're like London buses. How do board members train themselves to be resilient? When the tone is set from the top and you have a culture that is risk sensitive how, as a board and a board member, do you make sure you are on top of that, and then how do you drive that down the culture of the organisation?
[00:22:01] Danny Lopez: I do go back to the sort of practical scenario planning. I think that's, extremely important. I think we need to sort of almost shock our boards with practical examples of what could, or could not, happen and it's the best way to train and it's the best way to learn.
I mean, I also think that's the whole point of having strong boards is that NEDs accumulated experiences from all sorts of other walks in life that they bring to the party when they get together. And there's something around making sure that as you, you know, select your board, you're able to look for those moments too, right. I mean, this is obviously your world, Ralph, but I think There's probably going to be an element now where testing a NEDs experience on resilience is going to be absolutely key and maybe that wasn't the case before. You're looking for a whole bunch of other things and we've had enough years now where if you ask an NED give you an example of where you dealt with a shock or you excelled in resilience, if they don't have an example over the last five or six years, then you know, I'm not quite sure they're the sort of individual you want, right?
So I think it's a combination of practical experience and being able to demonstrate it. But then being super open to just learn and be shocked by effective resilience planning and scenarios planning, in a practical way.
[00:23:07] Ralph Grayson: So you wrote a great paper. " How Will the AI Arms Race Impact Cybersecurity?" And you outlined how AI amplifies both cyber risks like automated phishing, zero day exploits, deep fakes and the defensive capabilities that you can put in place as a board, such as anomaly detection, realtime containment, virtual advisor tools. You talk in that about how AI is transforming both the opportunities and the threats in cybersecurity.
So in a world of escalating cyber risks and increasing AI enabled attacks, it's clearly key to outthink adversaries with the same tools that they're deploying. So in a world, as we've touched on, the stakes have never been higher for boards. What drove you to write the article and any key takeaways you'd share?
[00:24:01] Danny Lopez: People ask me all the time, is AI good or bad for cyber? In my mind, anything that entails technological progress is a good thing. That's what AI brings to the party. But unfortunately, in cyber AI has become both burglar and alarm system. There aren't many areas where that happens in this way because the bad actors now have way more tools to be able to hit organisations. And actually before you could argue that, you know, you needed a really, really strong knowledge of technology and wanting to be a bad person or a bad actor. That sort of gave you what you needed to start a career in being abad actor in cyber. Now you don't need that knowledge of technology. You just need to be a bad actor. Full stop. The tools are there for you to be able to inflict harm on organisations.
But then, the defence side of things has improved dramatically and what AI has brought to the table is an ability to recognise patterns and analysejust millions, millions of examples that will allow you to sort of come up with a whole bunch of threat detection modeling. That plays a very, very impactful role in helping organisations detect this and I think many times, I'm not saying that every bad actor is lazy or looks for the sort of easy route, but because a lot of bad actors are attacking at such scale they are not necessarily always choosing the most sophisticated threat. They're actually choosing kind of a simple, easy way into an organisation hoping that the organisation, the victim, has been a little lazy and not taken cyber seriously.
So actually what you're trying to make sure is that, as a race, you are staying ahead of the game when it comes to competitors or other players in the market and that if you have to, you know, hand on heart as support, say, where do we stand versus our competitors in the space from a cyber and an AI enablement defence capability. Do we think we're at the top? And if the answer is yes, then actually you've significantly improved your ability to be able to defend your organisation. And if the answer is no, then you've got a lot of work to do. So, for me, this is about making sure that you see it as a tool, it's enhancing, but you've got to definitely see that this is a race and you're constantly battling against the bad actors. We at Glasswall will see this all the time, right? Because what we're dealing with is threats in files and attachments. It's not like they're coming in daily, they're coming in hourly, every minute. There's always something that the security space hasn't seen before and you need to be ready, you need to be able to act on it and mitigate it as fast as possible.
[00:26:30] Ralph Grayson: But just thinking of those patterns and looking back historically. Any examples spring to mind of where AI would've maybe not stopped the attack, but would've mitigated against it? I guess I'm thinking of the SolarWinds cyber attack in 2020, for example.
[00:26:47] Danny Lopez: That's a very interesting one because what happened there was that it was an accountancy software package that SolarWinds was using, and they were just sort of doing their kind of regular patching not SolarWinds, the accountancy package that they were using, and they hadn't done their security as well as they should and there was a back door and the bad actors were targeting SolarWinds. I mean, this is such a sort of cyber, security kind of case study. You know, they wanted to get into SolarWinds and they thought, well, the easiest way to get into SolarWinds is to get in through one of their suppliers.
They found a supplier that had a weak spot and in they went and,within, I think months for SolarWinds to realise that they had a bad actor in their network that was, stealing dataat scale, and not just from them, but with all their clients. Would've AI played a role there? Yeah, absolutely. I can't sort of tell you, a hundred percent for sure. But when you are running AI based defense platforms that are looking for anomalies and looking for patterns, you are essentially taking all of the kind of history if you like that you've seen over the last few years with all of the attacks that have taken place, and you're finding that correlation where if X and Y happens, then you know Z is probably happening and AI is doing this at a scale that we've never been able to do before. We're seeing this within Glasswall, taking data that we've taken away from files and attachments over the last few years. Within minutes, you're able to process data, as I say, at a scale that is unimaginable just a year or two years ago. Those patterns are being identified and they're being used every day to stop attacks.
So it's a very long way of saying, yes, AI plays a huge role in threat detection by identifying patterns and anomalies. But the key is that to do so, you are hyper scaling your ability to be able to process data.
[00:28:32] Ralph Grayson: Can AI also exacerbate that threat? I'm thinking about the recent M&S online attack where M&S, if I remember correctly, they tried to blame it on AI. It wasn't our problem, it was the AI.
[00:28:44] Danny Lopez: Well, I mean, this is where my point on the race comes, right? Every time a bad actor comes with an AI based threat, you need to be able to counter it with an AI based defense mechanism. It's never going to be a sort of match for match. Sometimes you'll get it right, sometimes you'll get it wrong.
But that goes, you know, again, back to the point of cybersecurity players having the responsibility to invest very heavily in R&D. What you're now starting to find is a bunch of cybersecurity players that are AI native, right? So they were born as a cybersecurity tool over the last two or three years. AI is all they know. That can be extremely powerful, but you know, like everything, it's not enough.
So there's always going to be a balance. the sort of legacy cyber players need to absolutely embrace AI on all fronts. If not, they will die, and the AI native players need to recognise that the world does extend beyond 2021.
[00:29:33] Ralph Grayson: Let's just turn to the ethics of AI and how boards need to think about that beyond the reputational risk that we just touched on. So I read a quote, recently, Hemant Taneja, who some people might know, he heads venture at the General Catalyst AI Fund and just the old 8 billion under management and he said, quote, "organisations that have the culture and courage to transform themselves will be strengthened by AI. organisations that don't, will be left behind." Where does that resonate with you?
[00:30:05] Danny Lopez: Yeah, that resonates massively with me because I think if you say, Hey, every organisation has access to this technology and then every organisation you would argue has a different culture than you would say that the differentiator is not the technology, the differentiator is culture. Because every organisation has access to the same tech out there, right? But it's kind of what you do with it and how you go about implementing it and the reasons why you're implementing it in the first place.
So it resonates totally because culture has to drive it. Culture, as I say, has to be the differentiator. Culture decides why you're using it in the first place. Culture decides what ethics you absolutely stand by as an organisation, and it has to be the driver. It goes back to your question earlier. If you let technology be the driver, then you know, ethics will get in the way and that's a problem. So the culture is key. Culture is key.
It comes from the top, it sets the scene, it'll definitely lead the board in how it undertakes a strategy implementation and it has a massive impact on what happens across the organisation.
[00:31:02] Ralph Grayson: Let's just focus on that alignment between board strategy and AI. So how does AI enable board members to ask better questions? It seems to me there's a bit of a dichotomy between the important diversity of thought leadership on a board, but if people lean in too much on AI as that solution, then it's potentially, to my mind, leading to group think, it's compounding blind spots, and it's negating that oversight accountability of risk and governance.
[00:31:36] Danny Lopez: Okay, so we're doing this podcast today. Did you use AI, in any way, to prepare the podcast?
[00:31:42] Ralph Grayson: In some way.
[00:31:43] Danny Lopez: Yeah, and I used AI in some way to help me with potentially how I might frame some of my kind of discussion points, anticipating what was going to come my way, right? Now,if we had happened to work off the same script, which of course we didn't, we would've found ourselves in a really tricky situation today where you would've asked me questions and I would've had answers that you already knew and I would've been expecting your questions and it wouldn't have been a great podcast, right?
And I think this is the key issue here. What are we using some of these tools for? Are we looking at this as a decision making kind of player, or are we using it more as a thought enhancer / thought partner? I mean it's definitely the latter as far as I'm concerned. I think we go into very dangerous territory if we sort of get carried away and think, well, this is the answer to all my problems. I just need to be able to type a few questions in here and I'll get a real steer on what we need to do. I mean, well, that's a problem and that we definitely can't have.
But you know, does it increase efficiency? Does it allow me to probe and challenge in a better way because I've used a sort of conversation pre a board meeting that is, as I say, very much framed as a sort of thought partnership engagement? Then I think that's extremely powerful. I think boards will come unstuck very quickly if they don't do that because they will realise that their board discussions are basically useless. I think this is the interesting thing, right? Because even people who are not very into AI, but have sort of suddenly discovered Claude or ChatGPT or whatever it might be, and we will ask that sort of question of, Hey, here's the material that has been sent my way. What questions do you think I should ask?
If that board member just takes those five questions and doesn't question them and just goes, well, that's great. I can turn up at my board meeting and here we go. The life of that NED won't be very long. It'll be very obvious, very, very quickly and I think over the last three or four months now you've started to sort of get to that point where you might receive an email or you might receive a memo and you think, yeah, that was not written by that individual that was written by ChatGPT or whatever it might be. That's happening right now. People are realising and therefore I think we're sort of going through that shift at the moment where, because it's becoming so obvious, the relationship needs to change. And as I say, for me, the key is it's a thought partner, it's a thought enhancer, and that's how it adds value.
[00:33:57] Ralph Grayson: We haven't got time here to get into the question of whether AI can be a NED or take a NED seat.
[00:34:05] Danny Lopez: Not yet.
[00:34:05] Ralph Grayson: But it's coming, right? I heard this morning Microsoft are coming up with a tool whereby chairs are going to be able to put into some AI, from the board agenda we have and the board pack we have, knowing what questions various board members have asked in the past, can we gamify the questions they're likely to ask of these board papers? On the one hand it enables the chair to chair the board meeting better, but on the other hand, I think, potentially stiflesthe diversity and the human nature of the board questions.
Also, there was a lot of speculation, in this conversation I was having around this tool, as to the ability then for the chair to sit down with the CEO and say, how do we make sure we've got all the right data in place to answer those questions that are going to come up? And again, you can see that pros and con, dangerous or advantageous, as you wish.
But is there a way that AI can negate good governance?
[00:35:07] Danny Lopez: Yeah, I mean, based on that scenario you've just told me, by the way, you can just see how the sort of flip side of that straightaway will be for NEDs to have a tool that says, my chair is likely to have taken all of this data and come up with a prediction of what questions I'm going to ask.
Can you sort of go around that and do the complete opposite? And you sort of get to that point where AI is being induced on both sides and you know, I think that becomes quite unhealthy. I think from a diversity perspective, it actually enhances the need for greater diversity to be able to sort of, get around these loopholes. Yeah, I just think it's the only way to be able to sort of get through the impacts of what we've seen over the last few months. So I think it's dangerous. This goes back to my point. I think it's dangerous territory to rely on AI as a sort of decision maker in a board environment. I don't think we're there at all. I think, greater diversity of thought will in many ways become far more important than it is right now.
But that doesn't take away from the fact that it's an extremely valuable tool. From a board efficiency perspective, it should absolutely, you know, 5, 10, 20 exit. It should allow boards to have way better discussions. It should allow board members to be far better prepared. It should enhance their own curiosity as to how AI can have an impact on an organisation. But it should not drive it in any way and the moment you're into driving territory, then I think a board's got a problem.
[00:36:23] Ralph Grayson: Scarlett Brown, who's head of thought leadership at Board Intelligence, previous guest, gave me an example where they discovered that a board member had been putting the board pack into ChatGPT, I mean, open source. It was like 101 risk, right? How naive, dare I say it, are board members still in terms of how they should be implementing AI andwhere do they get the education from to be their own risk managers?
[00:36:51] Danny Lopez: Yeah, I think that's a really good point and it is a lot of naivety. But it's almost like somehow people feel like there's a sort of total trust relationship and they don't realise that the danger is that if the LLMs are hacked, then it's all out in the open, right? That's the big danger.
So I think that's down to some 101 that boards need to be able to put in place through their own security teams and boards needs to ask the question to their security teams, what risks are we facing in terms of our own engagement with AI? That's the responsibility of the security team to present to the board and have that discussion. Ask the experts to tell me what risks I'm facing and what I should do about it and what I should do and what I shouldn't do and that's an absolute must. I mean, I can't believe, frankly, how many examples I've heard of very seasoned C-suite leaders who have now become NEDs who, as you say, feel entirely comfortable putting a whole bunch of confidential data into an LLM. It's crazy.
[00:37:48] Ralph Grayson: Briefly, let's just touch on talent then. So do we need an AI? Is AI going to be a title in an xcom?And how should, setting the tone from the top, how do you percolate down both the opportunity and the risk of AI in any business? I spoke to another board member this week. They've now got seven or eight ambassadors, as they call them, AI ambassadors embedded in each division, in each product area.
So there's a two-way information process, both top down from the board, this is what we're going to do and why, therefore, don't be frightened of it. But also the board then getting that feedback from the shop floor, if you like, of this is what worries us, this is how I think it might impact my job, my compensation, my employment.
How do you see that information channel working?
[00:38:35] Danny Lopez: Yeah, look, we're seeing lots of new titles with an AI somewhere in them. You know, that's just sort of part and parcel of where we are. There are two key themes that an organisation needs to understand typically on AI. Number one is how is it making us more efficient? How is it making us more competitive? How is it helping us or enabling our strategy implementation? How is AI improving what we do as an organisation, or how we operate as an organisation, right? Number one.
And number two is how are we engaging with our customers in a better way as a result of AI? And that might mean how have we changed our entire product deployment or suite of solutions. So it's a sort of, it's an internal question, how is AI helping us as an organisation operate more effectively? And its external question, how is AI helping us with our customer base, with our growth story?
Those, to me, are the two questions that need to be asked and understood by any board. Then you just, to your point, yes, you need people in place throughout the organisation where you have a two-way flow of information. But those are the questions that the boards need to ask and those are the questions that they need to feel comfortable with, and those are the questions that they need to feel like they're getting data from to be able to evaluate whether AI is improving their strategy implementation or whether it's something they need to push further on. It's that.
Now, do you need AI talent in an organisation? Absolutely. I mean,you need to bring in people who understand, both from knowledge perspective and an implementation perspective, what that means. You need to bring in people from a culture perspective that can help with advocacy and answer the questions that people will feel uncomfortable about. Because there's a lot of that right now. A little bit like I was talking earlier on feeling exposed or vulnerable. There's so much chatter about AI that people feel almost embarrassed to ask a question, and you don't want that, right?
You need to make sure that people feel very comfortable. So I think the sort of advocacy and knowledge sharing perspective is very important and that comes down as we've already said, down to culture. It's set from the top and people need to understand from the top about what AI means for them.
[00:40:31] Ralph Grayson: I spoke to a company secretary the other day about this. They were talking about a Deloitte, recent Deloitte survey. It said I think it was something like two thirds of all board members admit that their most obvious blind spot is their knowledge of AI. So if you can't challenge what you don't understand and you don't understand how to challenge it. Where does somebody who's listening to this thinking, gosh, I've got to get more up speed on this.
[00:40:53] Danny Lopez: Ironically you can use ChatGPT, right, and Claude and Gemini and others to understand case studies. I think there's sort of practical examples of where AI has been implemented successfully in a space that is similar to whatever organisation we're talking aboutis a really good way. I think, you know, networking. Yes, absolutely. there's a lot of reports out there that are essentially knowledge enhancing, and I think that's important too. But I also think that culturally there's a sort of, you sort of know what you don't know, or no, you don't know what you don't know, and people, because they realise it's such a big topic, they will always say that they feel exposed or vulnerable or don't have enough information.
To me it's make a point of being curious and understand as much as you can and then just go straight into the practical conversations that your organisation has. Make sure, yes, you've got a few experts around you and the rest will go from there if you ask the right questions. I think if you sort of spend the next year or two saying, I just don't know enough about it, it's not the way to go about it. Because actually what you are doing is asking a set of strategic questions that provide a sort of direction of travel for an organisation and that's the key part of it. There's too much emphasis of, AI has arrived and it's dominated our entire space. It's not. What makes it different, I think, is that with the arrival of mobile or the arrival of cloud, you know, there were pretty sort of distinct tracks and they impacted a part of an organisation. AI is a general capability and therefore it has an impact on everything, like literally everything in an organisation, and that's the whole point of a general capability. So you're never going to understand everything. But if you, you know, have a sort of generic understanding of what's changed over the last few years and where this is going, that's enough, and then make sure that you have access to experts when you have those questions. But ultimately, it doesn't take away from the importance of good leadership, good culture setting, good experience, curious mindset, and making sure that the strategy is a strategy that makes sense for the business. It's not a technology driven strategy, it's a technology enabled strategy, and that's no different to where we were a few years ago.
So I'm torn on this. You know, on the one hand I see it as an incredible moment for businesses, for leaders, of course it is. On the other hand, I think we're sort of slightly overdramatising, where we are. It's transformational, but I don't think it's transformational in the sense that over the next 12, 24 months, our entire worlds have changed. I think we'll look back on this period and go, oh yeah, the 2020s. Yeah. That's where sort of AI was kicking off and this happened in 2025 and this happened in 2027 and that sort of shapes, how, business went on from there in the thirties. It's like everything, we're going step by step. It feels very fast. But we're still, I think in that sort of step by step moment.
[00:43:28] Ralph Grayson: Time has run on, so we're going to have to be very brief. But you sat on the board of Innovate Finance. You are still on the board of the Aquis Stock Exchange, which has been recently acquired by the Swiss Stock Exchange. Your perspective on the crisis, my words rather than anybody else's, of scale up capital in this country and the role of public markets?
[00:43:52] Danny Lopez: Yeah, look, I think primary public markets will play a very big role in the medium to long term. There is no doubt that the last few years have not been goodin the space and it has been challenging, for particularly growth companies, to see it as a sort of strategy or a choice that they should make as they think about how they scale.
I think it will change. I think there's a responsibility on the players in the space to make it easier for growth companies to choose the avenue. Far less onerous. The liquidity of course needs to be, it needs to be there for this to be exciting. And I think that if you look at what Aquis has done over the last few years, it's played a big role in starting to think about how it becomes a next gen stock exchange. Big increases in innovation, making it far easier for growth companies to choose public markets. But of course for that we need a sort of macro shift and change.
That will happen. I mean, we've already seen that this year. Of course, it's not what it was years ago, but the numbers in 2025 have been far better than they have been over the last two or three years. With Aquis in particular, it's interesting now, obviously now owned by SIX the opportunity is massive, right? Because with SIX behind us now we're talking about primary listing venues in the three major financial centers across the European landscape, so Switzerland, the EU and the UK. That will present some super opportunities for UK companies looking for a pan-European venue. And I know there's a lot of work going on behind the scenes, which I cannot talk about today.
But there's a lot coming down the track and I genuinely think that in the medium to long term public markets will again become, at scale, an area of choice for scale ups.
[00:45:37] Ralph Grayson: So the IPO jungle drums are starting to beat a little louder.
[00:45:42] Danny Lopez: I think so.
[00:45:42] Ralph Grayson: That's fair to say, yeah. Where's that innovation going to come from? Because it's got to be partly policy and we've seen Rachel Reeves pontificate on some of the regulatory stuff. Aquis has tried to differentiate around some elements of corporate governance. We then just come back to the primary and secondary liquidity that a pan-European market might offer. Does innovation drive public markets or is regulation going to drive innovation?
[00:46:09] Danny Lopez: Super question. I think it's a combination of both. If you don't have the regulatory piece stitched properly, then of course it can be a huge barrier to ensuring that public markets take off as we want them to. And in fact, you can see that in the difference between the European landscape and the US landscape right over the last 10, 20, 30 years.
So yeah, the regulatory piece is, I think, absolutely key. I think again, sort of having that sort oflink between Switzerland, EU, and the UK really plays to Aquis' strengths because it sort of opens that up far more. And of course you need harmonisation, but I think the direction of travel is there. But it's a balance because if as a listing venue you are not driving innovation culturally you're not going to attract growth markets because a growth player is going to want to be part of an ecosystem that they feel that they can relate to. You're not going to find an exciting growth company, say, well, I'm going to choose a stock exchange that feels really sleepy and it hasn't taken its technology seriously, for example. So the innovation is key, right? Really, really good tech, which we are seeing with Acquis and with SIX, make it far easier for me. I don't want to be torn apart in bureaucracy because why would I become a public company? But if you make it straightforward, then you know, this could be interesting. And to your point, the liquidity needs to be there. But if you have a pan-European listing venue, the liquidity pool suddenly becomes far, far greater. Combination of both for me, but I still maintain that medium to long term, as we start seeing the shift, which is coming in confidence in public markets, then I think Aquis is extremely well positioned to take advantage of that with a backing of SIX.
[00:47:39] Ralph Grayson: Fascinating. Danny, we've covered a vast amount of ground. I'm sure there's another whole episode we could easily have put on the back of this. But for now, thank you so much. I think that has been hugely informative on so many different levels for our listeners.
[00:47:53] Danny Lopez: Thank you. Enjoyed it greatly.
[00:47:55] Ralph Grayson: I hope that you've enjoyed listening to this podcast and have found it helpful when thinking about how to approach your own path to the boardroom. If you would like to push this a little bit further, Sainty Hird runs a bespoke one to one programme designed specifically to this end. For more information, please visit our website, saintyhird.com, follow us on LinkedIn, and subscribe to the Boardroom Path to receive new episodes. Thank you for listening.