Rajeev: Sure. I think these days none of these conversations can be complete without talking about AI and gen AI. We started this early exploratory phase early into the game, especially in this part of the world. But for us, the key is approaching this based on the customer’s pain points and business needs and then we work backward to identify what type of AI is best suitable or relevant to us. In Cathay, currently, we focus on three main types of AI. One is of course conversational AI. Essentially, it is a form of an internal and external chatbot. Our chatbot, we call it Vera, serves customers directly and can handle about 50% of the inquiries successfully. And just about two weeks back, we upgraded the LLM with a new model, the chatbot with a new model, which is able to be more efficient and much more responsive in terms of the human work. So that’s one part of the AI that we heavily invested on.
Second is RPA, or robotic process automation, especially what you’re seeing is during the pandemic and post-Covid era, there is limited resources available, especially in Hong Kong and across our supply chain. So RPA or the robotic processes helps to automate mundane repetitive tasks, which doesn’t only fill the resource gap, but it also directly enhances the employee experience. And so far in Cathay, we have about a hundred bots in production serving various business units, serving approximately 30,000 hours every year of human activity. So that’s the second part.
The third one is around ML and it’s the gen AI. So like our digital team or the data science team has developed about 70-plus ML models in Cathay that turned the organization data into insights or actionable items. These models help us to make a better decision. For example, what meals to be loaded into the aircraft and specific routes, in terms of what quantity and what kind of product offers we promote to customers, and including the fare loading and the pricing of our passenger as well as a cargo bay space. There is a lot of exploration that is being done in this space as well. And a couple of examples I could relate is if you ever happen to come to Hong Kong, next time at the airport, you could hear the public announcement system and that is also AI-powered recently. In the past, our staff used to manually make those announcements and now it has been moved away and has been moved into AI-powered voice technology so that we could be consistent in our announcement.
Megan: Oh, fantastic. I’ll have to listen for it next time I’m at Hong Kong airport. And you’ve mentioned this topic a couple of times in the conversation. Look, when we’re talking about cloud modernization, cybersecurity can be a roadblock to agility, I guess, if it’s not managed effectively. So could you also tell us in a little more detail how Cathay Pacific has integrated security into its digital transformation journey, particularly with the adoption of development security operations practices that you’ve mentioned?
Rajeev: Yeah, this is an interesting one. I look after cybersecurity as well as the infrastructure services. With both of these critical functions around my hand, I need to be mindful of both aspects, right? Yes, it’s an interesting one and it has changed over the period of time, and I fully understand why cybersecurity practices needs to be rigid because there is a lot of compliance and it is a highly regulated function, but if something goes wrong, as a CISO we are held accountable for those faults. I can understand why the team is so rigid in their practices. And I also understand from a business perspective it could be perceived as a road blocker to agility.
One of the key aspects that we have done in Cathay is we have been following DevOps for quite a number of years, and recently, I think in the last two years, we started implementing DevSecOps into our STLC [software testing life cycle]. And what it essentially means is rather than the core cybersecurity team being responsible for many of the security testing and those sorts of aspects, we want to shift left some of these capabilities into the developers so that the people who develop the code now are held accountable for the testing and the quality of the output. And they’re also enabled in terms of the cybersecurity process. Right?
Of course, when we started off this journey, there has been a huge resistance on the security team itself because they don’t really trust the developers trying to do the testing or the testing outputs. But over a period of time with the introduction of various tools and automation that is put in place, this is now getting into a matured stage wherein it is now enabling the upfront teams to take care of all the aspects of security, like threat modeling, code scanning, and the vulnerability testing. But at the end, the security teams would be still validating and act as a sort of a gatekeeper, but in a very light and inbuilt processes. And this way we can ensure that our cloud applications are secure by design and by default they can deliver them faster and more reliably to our customers. And in this entire process, right?
In the past, security has been always perceived as an accountability of the cybersecurity team. And by enabling the developers of the security aspects, now you have a better ownership in the organization when it comes to cybersecurity and it is building a better cybersecurity culture within the organization. And that, to me, is a key because from a security aspect, we always say that people are your first line of defense and often they’re also the last line of defense. I’m glad that by these processes we are able to improve that maturity in the organization.