As part of our Captains of Industry Interview series, Lawrence Brown, Sr. VP Legal, Houston had the fortunate opportunity to connect with privacy, cybersecurity, and data governance leader Tim Nagle, Associate General Counsel (Privacy) at dentsu Americas. With a career spanning military service, national security, financial services, and global advertising and marketing, Tim brings a uniquely operational perspective to privacy, risk, and emerging technology. It is our immense pleasure to share Tim’s insights with you. Enjoy!
Q: Tell us your path to your current role as Associate General Counsel (Privacy) at dentsu Americas.
A: It has not been a straight line, but, in retrospect, has been a logical progression from security and technology to privacy and data governance to analytics and digital advertising, and now applying all of those considerations into the use of artificial intelligence. Each aspect of my career has drawn on prior experiences and knowledge and the relationships I have developed along the way. I have worked in a government agency, then to providing services to government clients at a large integrator, to private sector client service in financial services (and as a client) and at a global law firm. As a privacy practitioner, being at a large advertising and analytics holding company presents me with the most current, challenging and, frequently, vexing issues in that space.
Q: You have built a career across military service, national security, financial services, and now advertising and marketing. What core skills or perspectives have proven most transferable across such different environments?
A: Technology, as in the ability to (and enjoyment of) working with the business and technology teams as they develop new and innovative ways of accomplishing their goal, has always been part of the job. And the ability to translate between technologists, risk managers, business executives and policy-makers is an important skill. But the most important and constant aspect of my career – whether advising pilots flying combat missions on the rules of engagement, the NSA Red Team on guardrails in network penetration operations, financial services analytics and marketing teams, or ad tech product developers – has been framing my advice from the perspective of the “client” and their requirements and purpose.
Q: How has your leadership style evolved as you moved from command-and-control environments into highly matrixed, commercial organizations?
A: The common thread is people who are, by nature, curious problem solvers who enjoy building and demonstrating solutions, or functioning as a trusted advisor. If you show interest, challenge them with questions, and recognize their skills, everyone benefits. When I was head of Navy international law in the Pentagon, I led a team of outstanding military lawyers engaged in significant issues. When the admiral needed a briefing on an issue, I did not go with them; I allowed and encouraged them to have that interaction and demonstrate their mastery of the issue and directly engage with executives. Some were surprised I did not tag along, but all appreciated the implied respect. Supporting your people, allowing them to shine, and challenging them regularly are universal principles applicable in the military and private sector.
Q: What have you learned about leading technical, legal, and business teams who may have very different risk tolerances and incentives?
A: The ability to adapt to each role is important, but having background or awareness in the others is also helpful. As the program manager of a development team building a complex technology and software platform, I was careful not to constrain innovation or initiative, but also mindful of the need to always align on accomplishing the assigned task within the specified constraints; i.e. while a 95% solution may be aspirational, it is not a business specification and may not be efficient. Conversely, there is no risk-free activity. Working with regulators at a large financial institution, I came to appreciate that they did not expect or assume no issues would arise. What they did require was identification, documentation, mitigation and disclosure or risks or problems. Keep asking the “what if” questions, and a little paranoia is a good thing.
Q: Many of your roles required influencing senior leaders and global stakeholders who did not report to you. What approaches have you found most effective in building credibility and alignment without formal authority?
A: Speaking in their language and from their perspective and not mine, knowing the details, and delivering something of value to them. I was asked to create a role of legal advisor to an information operations development center at NSA. The last person those teams wanted to see in the room was a lawyer. I started slowly by absorbing the details and the culture, then began to ask questions which they had to answer in order for me to review and approve the capabilities they were developing. Every once in a while, I would ask a question that they had not thought of and was actually perceptive. Eventually, it became a game. They would say: “We know what you are going to ask, and this is what we built in to address that.” At one point, I had someone say that they were initially reluctant to speak with me as their counsel, but was now glad to have me in the room to help guide their work. That was gratifying.
Q: Privacy and security teams are sometimes seen as either blockers or rubber stamps. What practical steps have helped you become a trusted business partner without compromising judgment or integrity?
A: Privacy and security cannot function in a vacuum, but should complement and enhance the product, service or capability. CISOs and CPOs are, and should be, getting recognized as executives who support business goals. The good ones can brief the board or executives in business language and not an endless litany of spreadsheets and decks with lists of controls. But you are expected and, if you are successful, relied upon to be the subject matter expert and to identify and rank risk or options where present. Not all risks are equal, and neither are the options.
Q: From your vantage point inside a global advertising and marketing organization, what emerging data, privacy, or trust risks are not getting enough attention today?
A: The potential for too many tools to be collecting and analyzing too much information for too many purposes. The digital advertising industry has a good story to tell if it remains focused on presenting relevant, timely, and helpful information to consumers in a medium or channel the consumer prefers. But chasing precision on propensities, interests and preferences – even if the collection and use of consumer personal information are fully disclosed and privacy preferences are respected – could lead to elegant solutions which are objectionable to the public. All of which could be exacerbated by the prolific, and unbounded, application of artificial intelligence. Two government programs were developed around the time of the 9/11 attack. They were called “Carnivore” and “Total Information Awareness” and were intended to address a known threat. Neither lasted more than a few years – I assume the naming convention – which highlighted the privacy concerns - did not help.
Q: How do you see regulatory expectations and consumer trust evolving for companies whose business models are deeply data-driven?
A: This is a difficult, but important, question. Do privacy legislation and regulations truly reflect the average consumer’s viewpoint on websites collecting digital bread crumbs, deriving insight about interests, and presenting contextually-relevant information? And do surveys which appear to emphasize the potential privacy harms but minimize the benefit of information derived from the data really present the whole picture? I recall a discussion with high school students (whose use of digital devices is invariably constant) who were comfortable with a business (e.g. a bank) collecting their site visit information and using it for their benefit. If it is a first party that they know and, by implication, trust, they are accepting of the trade off.
Q: How do you measure whether a privacy or data governance program is truly effective rather than simply compliant?
A: By the level of adoption and awareness. Assuming the program contains all of the necessary components, if privacy considerations are a part of any business, product, risk or design process – preferably because it is considered to be helpful and not merely required, and anyone having questions knows who to contact for guidance, then you have an effective program. This is privacy by design – but also by preference. I need to get budget, I want to get privacy perspective. The reciprocal value add of the privacy program and team is to make that effort as organic, seamless and responsive as possible.
Q: What signals or metrics do you rely on to understand when risk is increasing, even before a formal incident occurs?
A: When the children are in the other room, and it is quiet, you need to go check. Known risk is usually manageable and can be factored into business decisions. Unidentified risk may percolate and either become a much larger issue to address through delay, or become known to customers, regulators or consumers. We meet regularly with our identity and data teams, participate in product and artificial intelligence capability reviews, and are closely engaged with the data governance and security teams. We also communicate regularly with our counterparts in other regions and markets to expand our sensor system to identify new initiatives, external inquiries or process problems.
Q: Many veterans struggle to translate military experience into language the civilian business world understands. Based on your own transition, what advice would you give military professionals on communicating their skills and value more effectively?
A: Avoid all jargon, which may have been an effective means of communicating in the military, but widens the gulf in a civilian setting. Where there are directly transferable skills, in my case technology and security, emphasize similarities in military and civilian applications. Where that is not the bridge, translate your accomplishments into similar challenges in a civilian setting; e.g. developing a new capability, installing a technology platform on a short time frame or under challenging conditions; changing an established process or practice. And weave in qualities such as accountability, judgement, decision-making, loyalty, and adaptability. And manage your own expectations.
Q: When you were transitioning between industries, what did you do to make your capabilities and value obvious to leaders who had never worked in government or defense environments?
A: I was fortunate, as my transition from a large defense integrator (a halfway house between the government and private sectors) to a financial institution was based on my subject matter knowledge and experience in security as well as my participation in a presidential advisory committee of which both the current and gaining employer were members. And the contacts I had made through security activities involving public and private sector participants meant I was essentially staying in the family through the transition. There are many situations where the familiarity with government processes is a desirable attribute.
Q: Do you currently use AI tools in your work, and if so, where do they meaningfully add value?
A: A suite of AI capabilities is provided and encouraged at dentsu – in the Legal Department and elsewhere. The best advice I received was to consider it a resource – similar to a junior associate – to be consulted or utilized, but never to be used or accepted without careful review. Although I am using it primarily for research, document drafting, and an alternate perspective, I see the biggest potential value in process automation and plan to explore the agentic possibilities.
Q: Many legal and privacy professionals are asking themselves whether they should be using AI tools. What guidance would you offer on adopting AI responsibly without introducing new risk?
A: I would begin with the baseline considerations; i.e. what data is being used in the AI tool and how is it being processed or retained. And I would always be the human in the loop to evaluate the output for two reasons; to assess the accuracy and utility of the product, and to be sufficiently familiar with the process and the result that I could answer any questions posed. The AI tool may be your agent, but you are still the principal.
Q: What are you working on that you’re excited about?
A: I am excited about collaborating with the dentsu teams that are developing products that return custody of their personal data to our clients while providing them with sophisticated capabilities to derive insight and revenue from that data. When the notional products were first described to me, I knew instantly that our clients risk posture was going to shrink considerably and my job as privacy counsel would get easier as I interacted with client privacy legal and compliance teams.
Q: What are you working on that worries you?
A: Everything else; not in the sense of concern, but primarily the need to focus on specific issues while maintaining a wide aperture. Many projects have privacy issues on the periphery which may not be readily apparent at first. And every time I hear a given product does not involve personal information, I get suspicious – not due to an intent to deceive me but mostly due to the evolving concept of what is “personal.” Is my AI agent either an extension of me or a device associated with me so that its actions become my personal data?
Q: Any other closing thoughts you’d like to share?
A: Regardless of what point one is in their career, they should be aware of, and open to, the 90 degree turn or opportunity out on the horizon. You may not choose that path, but at least consider it. I offer the same thought to those who are looking to add to your team. You may not always get what you want, but sometimes you get what you need.
Introduction & Background Q: You’ve had an extraordinary career spanning the privat...
Read More
Career Path & Transitions Q: You’ve built a remarkable career that spans private pr...
Read More
David Sclar is a seasoned in-house counsel and Harvard Law School graduate who has spent ...
Read More