[00:00:00] Chris Sienko: Cyber Work listeners, I have important news before we dive into today’s episode. I want to make sure you all know that we have a lot more than weekly interviews about cybersecurity careers to offer you. You can actually learn cybersecurity for free on our InfoSec skills platform. If you go to infosecinstitute.com/free and create an account, you can start learning right now.
[00:00:58] CSIENKO: Today on Cyber Work, we’re talking privacy. We’re talking implementation privacy. We’re talking policy privacy. We’re talking all things privacy with privacy expert and InfoSec skills author and instructor, Chris Stevens, From his years in the Government’s Office of National Intelligence, he was multiple IAPP certifications. Chris is more than happy to tell you everything you ever wanted to know about careers in privacy, around privacy and careers that would be better with a heaping helping of privacy skills on top. Get into your cone of silence and join us today on Cyber Work.
[00:01:37] CSIENKO: Welcome to this week’s episode of the Cyber Work with InfoSec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals and offer tips for breaking in, or moving up the ladder in the cybersecurity industry. Chris Stevens has spent over 35 years as a data protection professional, an information privacy professional, a strategic intelligence manager and as a senior National Intelligence Service Senior Executive.
Chris possesses all seven of the International Association of Privacy Professional Certifications, that’s IAPP. He is an IAPP fellow of information privacy. Chris is an ISACA Certified Information Security Manager, certified in risk and information security controls and a certified data privacy solutions engineer professional. He has assisted numerous organizations in better managing their privacy and risk management programs. If you are watching our InfoSec career profile video series, you’ll notice that I recently spoke with Chris about the role of information risk analyst. Since we had such a great chat, I couldn’t wait to get him back on the show.
One of the things we should mention is that Chris is also – does our InfoSec skills learning path on information privacy essentials. We’re going to talk about that. We’re talking about a cybersecurity journey and his abiding and massive interest in the concept of privacy as it relates to cybersecurity and maybe more. Chris, thanks for joining me today. Welcome to Cyber Work.
[00:03:05] Chris Stevens: Hey, thank you. First of all, I’ve got to get my virtual fire extinguisher out and spray myself. Spontaneous combustion, because I enjoy talking to you about these topics that are near and dear to my heart.
[00:03:17] CSIENKO: Fabulous. Yeah. We’ll keep the ice bucket challenge near at hand. Fantastic. Just in case. Yeah, I always like to – I mean, especially here, I mean, I always like to find out about your superhero origin story. Where did you first get interested in computers and tech and get excited about cybersecurity as a calling? What was the initial draw?
[00:03:37] CSTEVENS: I was in the military. It was part of my job. I was a signals intelligence analysts, or a collector. I had to understand how to exploit – First of all, I had to understand the technology, which evolved into computing information systems, communication systems. then I had to develop or use tools to exploit it, to get access to data. That carried on after I retired from the military, working over 13 and a half years in the government, along the same lines. Then, I decided I was tired. I was going to take a deferred retirement from the government, my second retirement, and I fell in love with privacy. Or really, how do we protect data?
Allow that data as house, either an endpoint devices, and networks and systems. It helped me to acquire academically skills, but also, certification that enabled me to help organizations better understand the risk associated with processing data, from the time you collect it, and to the time you get rid of.
[00:04:41] CSIENKO: You just mentioned that you spent almost two decades working with the Department of Defense. Without breaking any rules, or clearances, or anything, can you talk about some of the cybersecurity related work you did while there? It looks like, a lot of it was centered around risk assessment, which I’m guessing is what led to your full-time move toward privacy, right?
[00:04:56] CSTEVENS: Well, if you talk about those two decades, a lot of it was the technology exploitation. Really working with a number of intelligence agencies supporting the military. I was in a special mission unit in the Department of Education – I mean, Department of Defense, that handed unique –
[00:05:19] CSIENKO: You are a green beret in the Department of Education.
[00:05:23] CSTEVENS: It had a unique mission, a global mission, strategic intelligence mission on how do we answer questions that decision makers might have to be in the military. We targeted, used very advanced tools to target these systems, foreign systems. People like to say, you targeted US systems now. Foreign systems themselves could access that data, and then bring that data back, so we could satisfy national and foreign objectives for the United States government.
[00:05:57] CSIENKO: Okay. Very interesting. We talked a little bit about your educational background, and I like to start my research on guests by going through their LinkedIn pages, because it always tells a story. Your deep study in computer science is obviously, it’s not too hard to see. I know that you’re enrolled in a doctorate of IT program with concentration in cybersecurity and information assurance. Also, it’s rare that I get to see the topic of someone’s doctoral dissertation, but the title is right there on the page, so I have to ask, can you tell me more about your dissertation titled Effects of Data Breaches On Sector-Wide Systematic Risk in Financial, Technological, Healthcare and Service Sectors?
[00:06:37] CSTEVENS: Well, again, I referenced in our last discussion, we talked about those vulnerable industries; financial industry, healthcare and others. I referenced a report that comes out every year, the pony mine, IBM, institutes the cost of a global data breach. One of the things I want to look at is, of course, we all know, some of the contributing factors that you’d have as a result of a data breach, or even a security incident. What are those long-term impacts that we were seeing on organizations, their profitability, their survivability, and then what are some of those things, or actions they can take, or forestall those before they threaten that profitability and survivability?
[00:07:25] CSIENKO: Okay. Whereas, [inaudible 00:07:28] weighing the financial consequences, you’re weighing the risk issues. Is that –
[00:07:36] CSTEVENS: The risk, again, if you look at it from a standard, in a risk forum, or whatever those threats, vulnerabilities, how do they translate the exploits, then how does that place an organization at risk? How does the management itself, given those inherent risks, make the right decisions to accept, or avoid to transfer risk?
At the end of the day, what will happen is the results of a dissertation like this should come up with a model. Organizations can, whether you’re a system owner, or a business owner, you can apply this risk calculus looking at your own – it’s customized to the organization itself and industry to better understand your risk associated, and then those actions you can take to deal with threats, like we’ve seen, like ransomware attacks and other attacks. Because we’re losing this battle, to use military jargon. We’re not winning the war. We’re losing this. We need to give business owners better tools to be able to win the war.
[00:08:51] CSIENKO: Right. From a research perspective, what is the material that you’re looking at to formulate this dissertation in this model? Are you working on previous research? Are you conducting your own research, or what –
[00:09:04] CSTEVENS: What you have to do – you always start with, you have to define what is the business question? What is the business, the research issue, the research question? Once you’ve defined that, then you have to go out and do a lit review. You look at literature on that topic, because you don’t want to just regurgitate dissertations of some. If they’ve written on this extensively, then you probably need a new topic. You go back and look at other dissertations. You look at peer-reviewed journal articles, to get a sense of what’s been written, and then where do those gaps?
[00:09:45] CSIENKO: Yeah. Make sure you’re actually contributing something new in the world.
[00:09:47] CSTEVENS: That’s exactly. Not just stealing someone else’s ideas. Now, some might call that plagiarism. In the end, just changing the title, but it reads the same as the previous dissertation.
[00:09:57] CSIENKO: Just doing it to get it done and get your –
[00:09:59] CSTEVENS: Exactly right. That’s exactly right. It’s just using a scientific model method really to walk this research methodology to where I can get to work and make findings and recommendations based on my observations.
[00:10:13] CSIENKO: Did you find some similar research models, dissertations in the field that made you have to pivot your focus?
[00:10:24] CSTEVENS: They’re out there. You have to understand, this is the $64,000 question.
[00:10:28] CSIENKO: Yeah, of course. Yeah.
[00:10:29] CSTEVENS: How do I prevent them? If I experience a security incident, or a data breach of such magnitude, how do I survive? Again, I’ve looked at tailoring it, looking at the healthcare industry, because the Ponemon Institute looks at all of these industries. Does a really great job looking at – I think, the last report it looked at over 400 countries, I mean, companies around the globe.
[00:10:56] CSIENKO: Yeah. It makes sense. Okay, that’s a very good start. I just like to hear about Iran. It’s always interesting to me, so.
[00:11:05] CSTEVENS: You have an interest in it now. If not so before then, you do now.
[00:11:09] CSTEVENS: Absolutely. Yeah. Yeah. To that end, when I had you on for the career profile to discuss information risk analyst and its role in cybersecurity, you immediately countered that privacy was your passion. That if I wanted to, you could speak for hours and hours about information privacy. Of course, that definitely sparked my interest and I wanted to know more immediately. To start with, and to route this discussion in your InfoSec skills, learning path, and instructor-led boot camps, can you tell me about the concept of information privacy, and also, the International Association of Privacy Professional certifications on this topic?
[00:11:44] CSTEVENS: Yeah. Sure can. First, I’ll start with my journey. It was much like you alluded to earlier in our conversation. I was sitting in my office. I had been a senior executive in government for 13 years. I didn’t see myself doing it for another 13 years. A thankless task. Felt like Ben-Hur ruin that ship.
I was searching on the Internet and I stumbled upon the IAPP website. Now, I was intrigued by this concept that we were going to create this cadre of privacy officers, data protection officers, help organizations show due diligence and due care every time they collect use, disclose, retained, exposed personal information. I was hooked. I left a job, where I was earning over a $150,000. I went from zero to 60 in the other direction. I got my first cert. Then, I was still waiting to start my privacy journey while I was driving for Lyft, driving for Uber. Don’t ever do that. Then working as a private detective. Don’t ever do that. That’s even worse.
[00:12:57] CSIENKO: I’ve just booked my next few episodes with you. Or, maybe those will be Patreon exclusives or something. Yeah. Anyway, go on. I’m sorry.
[00:13:05] CSTEVENS: Then I got a call from IAPP. They asked me to start teaching for it. My first certification was the US privacy course. I teach that extensively now. A matter of fact, I teach – I’ll be teaching at the Global Privacy Summit in DC for IAPP. I acquired over time, because I was hooked. What I wanted to be was I wanted to be an operational privacy guy. I didn’t want to just sit down and just beat people above the head and shoulders, arguing about the definition of PII.
I want to help them understand how to action privacy, to make organizations more effective and efficient, and so I had to acquire the other six certifications. One has been put on the shelf, because of interest. That was the government course, which I really loved. I acquired all for the policy certs and then the Certified Information Privacy manager, technologist certifications. Then that just – everything took off for me, Chris. I mean, it was my favorite poem in the world, the route not taken. I took that route not taken. It’s given me a third career in privacy, and it’s all I wanted to do.
I’m consulting now for an international law firm, where it’s privacy cyber, and privacy risk analysts. Every day, those skills that I acquired for not only on the privacy side. You asked me about IAPP, you still have to bring me back to InfoSec.
[00:14:38] CSIENKO: Sure, yes.
[00:14:40] CSTEVENS: It was the InfoSec that helped balance me from the privacy and information security risk management. Now I’m that operational privacy guy.
[00:14:49] CSIENKO: Yeah. I’ve done however many of these episodes. I feel like, we have a good sense of what a CISO does, what a CISSP encompasses. It’s the security. It’s also the physical security. It’s also fire and recovery and all these kinds of things. Can you put a big umbrella around what privacy in this context – What does privacy cover? Obviously, privacy data, but what are all the facets of privacy that you’re going to get into when you learn about just for a starting point, US privacy?
[00:15:24] CSTEVENS: Well, if you do it, right that privacy person is going to be sitting at the table, or supporting those positions that you talked about the CISCO. They’ll be supporting the CIO. They’ll be working with that CISSP, or that CISO, because again, it’s all about protecting those networks and systems, those activities that deal with processing, personally identifiable information.
I’ve worked as a privacy professional. I worked for the house of representatives. I was working for Google, for the office of cybersecurity. I was required to understand risk management from a privacy standpoint, privacy engineering, systems engineering, privacy people do that. We just don’t argue about definitions of PII. You can find yourself working in compliance, governance risk and conformance, GRC. You can find yourself working for organizations like Amazon, it was recruiting privacy people that really helped them with Alexa and Echo, because Alexa and Echo, I’d hear a lot of stuff. Whether the privacy controls in place?
It’s eclectic what I do now. I do risk. I do information security. I write policies, procedures, guidelines and standards. I review contracts. I’m not an attorney. I don’t do it from the standpoint of giving legal advice. I’m asked to look at it from my practitioner standpoint. Because of all these acquired skills, these organizations trust me to do that. Then, I hand it over to their attorney for the legal review.
The road is wide open for the privacy professional. First thing starts with, Chris, is you have to get the certifications. Whether it’s privacy, or information security, or risk management, because – I’ll give you an analogy. There a lot of shade tree mechanics. They profess to be good mechanics, but are you going to take your car to them, if they don’t have certifications? Are you going to trust them with your livelihood, your safety? The same thing with these companies. They want to see certifications.
Chris, I have a lot of academic credentials. I mean, I’ve been in school forever. I’m 57. I have more degrees than anyone else has. No one’s ever asked me about my degrees. They don’t care. They care about the experience, the certifications and the experience and knowledge and abilities. I’m sorry, Chris. Go ahead.
[00:17:56] CSIENKO: Oh, no. I was going to say, Mike Myers was on last week to talk about certifications. He was saying, with regards to, do you need a formal education? He said, yeah, get a bachelor’s. He’s like, “We want to know that you can get a degree and that you can follow it through.” Beyond that, it doesn’t matter. You get it and get in sociology, get in child psychology, whatever you want. The primary view, at least from a hiring perspective is just that we know that you can carry out a degree program. It’s not the thing that we’re actually looking for in terms of experience.
[00:18:29] CSTEVENS: It’s like the first job I got out of the military. I was hired by the Transportation Security Administration to be a risk management specialist. When I went in for the interview, great guy, one of the best bosses ever. He pulled out my resume, my CV and he says, “Man, you’ve been in school for a long time. You got a lot of degrees.” I said, “Yes, sir.” He says, “But I’m not hiring you for your degrees. Can you do the job? Walk me through why I should hire you to do the job.” We stopped talking about degrees. We started talking about skills, knowledge and ability and I got the job. It was a fantastic opportunity.
[00:19:09] CSIENKO: That’s awesome. I love that. I was going to ask you what your thoughts on certification and research study are. We pretty much got that. Can you talk about where you see certs like those offered by IAPP is fitting into the modern cybersecurity landscape? Even if you’re not in a privacy space, is this something that you think other cybersecurity people would benefit from studying towards, if not passing?
[00:19:33] CSTEVENS: They must.
[00:19:35] CSIENKO: They must. Okay.
[00:19:37] CSTEVENS: This is me like Moses, with the with the tablet, with the 10 commandments on it. You must. We can’t have siloed approaches to protect these organizations. That’s the reason why we need that CISSP and others to acquire these IAPP certifications, because it helps you better understand how to incorporate privacy into your day-to-day roles and responsibilities. Like I said, not so much understanding every law, but what are those law say about security? Administrative, physical and technical safeguards, responding to data breaches, because they do.
If you understand the privacy implications, it makes you better at your job. Why do you think I am – I went in reverse. I did all the privacy certs. Then I was unfulfilled. Because I couldn’t achieve my goal without the C risk, the C some and the CDPSE. Also, the IAPP, CIPT certified information products and technologies.
There was an article, Chris, that came out mid last year that said that organizations are scrambling to hire privacy technologies. It’s a lot easier to take a CISSP, or sprinkle him with privacy and have him, or systems engineer and have them perform those functions, and someone that is non-technical, and then has to acquire those over time.
[00:21:08] CSIENKO: Interesting. That’s proper, you think. It makes more sense to start with the security base and add the privacy? I’ll use that as a seasoning, rather than start in the privacy space, and then try to very quickly upskill yourself into the tech.
[00:21:25] CSTEVENS: I think, it begins on the person. For me, because of some additional skills I received in the military. Now, that parachute me to be able to go either way.
[00:21:36] CSIENKO: Yeah. Okay. Very good. You mentioned it briefly before, but your resume indicates that you instruct students on US privacy, sector privacy, Asian privacy, Canadian privacy, European data protection, US government privacy, privacy program management and privacy and technology. Can you talk about some of the fundamental differences in privacy for those different countries, continents? What is the difference in approach in terms of teaching? Is it like, if you learned Spanish, then you have a leg up in learning Portuguese, because they’re a similar language? Or is it, are they completely different in terms of –
[00:22:11] CSTEVENS: I can tell you, I did that. It’s not as easy as you think.
[00:22:14] CSIENKO: Yeah. I’m wondering.
[00:22:16] CSTEVENS: Yeah, it’s when you heard me talk, trained me in Spanish in Portuguese. Depending on where you are, you speak Portuguese and language can be different, same as with Spanish. If you’re talking about jurisdictional laws, you have to have an understanding of the basics. If you look at the US laws, they’re complex, they’re divergent. We’re seeing that now, a lot of the laws that like the European General Data Protection Regulation are now being brought to US shores. Although, we don’t have a national law, the states are marching ahead. If you can look at some of these privacy trackers, it looks at, we could have five to 10 states by the end of this year to have their own versions of the GDPR.
You have to understand the basics of the law, and then their applicability to your business model. Because you’re not going to be successful as a privacy professional, if you don’t understand the organizational goals and objectives, the business model. Then be able to translate that to senior leadership to know when they have to make those hard decisions. How do I comply with all these requirements? How do we build compliance plans, like I’m building now to comply with these new global laws for the organization I’m supporting?
Then once you understand those, and so for you, you asked a great question. I want to be the end all be all when it comes to privacy. I want to kill the competition. I want them to know that I’m the best privacy officer that you’re going to hire. On the way to do this, be fluent, like you said, you talked about Spanish and Portuguese. I have to be fluent in Canadian privacy law, European privacy law, Japan, the Middle East. That’s what makes me competitive. That’s what makes me good at my job.
Then you cross over divide and get some of those privacy technology certs. ISACA has a great one. Just started it a year ago. I think was put on hold, because the COVID, the CDPSC. They’ve done a great job with the CDPSC. Also, IPP is going back and revamp SCIPT, because that goes back to an earlier question. We have to get people across the divide to where we have a common discussion on what privacy information, technology information, security means, procurement acquisition toward an organization.
[00:24:49] CSIENKO: Yeah. Now, can you tease out the difference between the privacy certs as done by IAPP, versus these more technical privacy certs has done, like the CDPSC? What is the difference in learning? If you’re doing the tech side of it, does that require certain pre-existing knowledge within a computer science framework of things?
[00:25:17] CSTEVENS: No, it doesn’t. It’s just like me, Chris. When I started my privacy journey, I knew two things, and I was an executive in the government. This thing that they call, PII must be important, because it made me stop working to take a day to do training in it. I had to know something about this Privacy Act of 1974. That was it.
[00:25:39] CSIENKO: That was it.
[00:25:40] CSTEVENS: I started my privacy journey. I wasn’t steeped in privacy. I bought a book. I read a book. I study and I took an exam and lo and behold, I passed it. Then once I pass it, then I acquired that knowledge, and those abilities and skills. When you look at privacy, and you look at how we’re going to approach and how we develop these, whether you’re an old guy, old girl, young guy, young girl, just trying to be gender neutral here. It just starts with having an understanding of if you do the IAPP route, Chris, it’s going to start really with policy. That’s where you’re going to be well-steeped in the laws and the different aspects.
They teach you how to manage a program. Some, they touch upon technology. If you go the technology route, and ISACA is a great organization. It started with, we had COVID-5, COVID-19. You name it. CMMI. Now, they’ve taken that and added privacy to it. If you want to learn privacy in detail, you go to IAPP and start that that route. If you are an information technology security person, and you’re a ISACA certified person or an IC2, then you pursue the CDPSE, because it is true.
[00:27:12] CSIENKO: Tack that on to it.
[00:27:13] CSTEVENS: Technically focused. Yeah. That’s the reason why I have it.
[00:27:15] CSIENKO: Got it. Okay, so for listeners who currently subscribed to InfoSec skills, or might decide to subscribe based on today’s episode, you can check it out for free at infosecinstitute.com/free, and get a few good taste of it. What will they learn from your information privacy essentials for cybersecurity professionals learning path? What aspects of security should they already be familiar with, or working toward, start working on your learning path? Or is there no technical barrier to entry and they can just jump right in today?
[00:27:45] CSTEVENS: I’m getting my virtual fire extinguisher, because –
[00:27:47] CSIENKO: Here we go.
[00:27:47] CSTEVENS: – spontaneous combustion starting. InfoSec reached out to me. I talked for it for several years. They wanted their own course. They wanted a comprehensive course that really helped cybersecurity information technology, any other professional interested, having a grounded understanding in privacy. It’s a long learning path. I didn’t expect it to be that long. I think it’s 20 or so CPEs. I think, it’s 29 hours. It has 12 modules and it starts with a foundational discussion on privacy.
Because, you can’t build a house without a foundation that’s going to collapse. It starts with that foundation. It looks at privacy from just a evolutionary perspective. How do we define privacy around the globe? We start looking at some of those global laws. I’m going to update it, because I’m excited about teaching about China’s law, and some new laws have evolved. Then we come back and we start looking at the US. We look at it from the federal government’s perspective. If you’re working in government, then these are some of the things that you should know as a private professional.
Then it translates into looking at the private sector. What you should know about some of these laws. Then it ends with discussion on the states. If you’re here in the United States, these new evolving laws, the Virginia Consumer Data Protection Act, the Colorado Protection Act. Of course, California’s all important Privacy Rights Act. Then by the end of it, and one of the things I talked about to the InfoSec Institute was, we can only use open-source resources, because I didn’t want to touch, or have any copyright infringements with IAPP, because I teach for it. I taught it. I separated myself from my IAPP teaching experience and create it really the course from scratch.
If you take and complete this learning path, you’re going to have a great understanding of privacy. Then, depending on where you work, you can apply that. I think, it’s a great learning path. It took me a year. I had COVID. Bad case of COVID, so it derailed the development, but I think that everyone’s happy with it.
[00:30:13] CSIENKO: Yeah. Oh, no question. Chris, what types of positions – I mean, we talked about this a little bit, but you said, it’ll set you up for different sources in. What type of positions require knowledge of information privacy? Can you talk about some of the practical applications of it, and maybe map it to some of the job roles out there? I mean, I know, you said basically, anything would be better by knowing privacy. Obviously, it’s more important to someone than maybe a pen tester’s not using it a lot. What are some of the career spheres where privacy is a must?
[00:30:48] CSTEVENS: Well, if we’re going to talk about it from of course, if you’re working as a privacy analyst, and you support an organization from privacy policies, compliance, now the legal aspects, of course, that’s always going to be one of the roles that you can have in privacy. If you’re talking about information security, when we talk about things like the NIST cybersecurity framework, if we’re talking about ISO, ISC27-701, because ISO is pretty smart. We’ve talked about ISO 27-701s forever. Then they realize, we have these systems out here that process private data, personal data.
In 2019, they share it. It’s 27-701, that’s focused on privacy information management systems. If you are an ISO and you’re sitting there having discussion – when I was at the house, I sat in on the quarterly meetings where we set with business owners, systems owners. At some point in time, we’d have that discussion about privacy. Now, if you have to do risk assessments, privacy risk assessments in support of FISMA requirements, there’s a privacy aspect there you should understand.
If you’re an authorization official, and you have to comply with NIST Special Publication 853, revision 5. I did a comparative analysis between row four, row five and row five is truly integrated privacy. If you’re going to be implementing the risk management framework, you barely know privacy. If you’re an authorization official, procurement, if you’re a contracting official, and you’re responsible for these contracts, whether initial contracts, if we’re talking about the recompetes, and these contracts deal with processing personal information, you should understand the aspects. What contract clauses should be there?
I’ll tell you another thing, if you are engaged now, if you are in the private sector, and you’re having to comply with these laws, like the EU GDPR, if we’re talking about data transfer, it’s been turned on its head. I mean, right now, I’ll give you an example. They’re banning Google, Google Analytics. They say, that is in violation of the GDPR, talking about anonymizing data. Who’s going to do that? It’s going to be some information technology versus security person that comes up with that solution, but they have to understand privacy first, and the law because they can come up with a solution. No, you’re right. My nebulous comment about anyone. You’ll find yourself if you’re in those roles, you should have a basic understanding of privacy, because it’s touching your organization and you every day. You just don’t realize it.
[00:33:47] CSIENKO: Yeah, absolutely. Moving on from let’s say, students have taken and passed your information privacy skills path. What are some next steps you’d recommend, whether from an education standpoint, or an experience standpoint? Once you have this privacy knowledge, where do you go next with it? Do you take it to a company and say, “I want to be your privacy person?” Do you get experience locally? Do you need to pair it with some other type of certification info, or what’s the next step?
[00:34:22] CSTEVENS: Yeah. I think that I designed a course for Cybrary also, US Information Privacy Course [inaudible 00:34:27]. I think that when I design these courses, these courses weren’t designed as preparatory courses for any of the other industry certification organizations. I think that with this knowledge, you go and you acquire one of the certs. If you are a cyber security professional and information security professional, I think you take two paths. I think, that you go the CIPT route and make use of your technical expertise, or you go to CDPSC. Then, now if you got more bandwidth, you get to take the CIPM, the privacy management course.
I think that I love teaching the CIPP US, but it is a policy course. It doesn’t talk about technology. It’s just going to teach you about a multitude of laws. You’re going to feel like an extra on the first airplane movie. You just want to jump outside that seat, because there’s a lot of laws. The speed, your progress to your question, take the CIPT, or get the CDPSC, and then get the CIPM and then go to work. Start applying. Set up your job alerts. I do it on LinkedIn. I mean, LinkedIn is a well-kept secret. I’ve never had to do business development. A guy like you did. You went to my profile. I get called all the time about jobs and opportunities.
[00:35:59] CSIENKO: Yes, absolutely. Now, it sounds like, and I want to make sure that I’m hearing this correctly, but it sounds like, getting a job in this sphere is pretty – is going to work out if you can demonstrably show the certs and can demonstrably show that you know the answers to the questions of how to provide value to the company. This is not a job where they need to see prior experience. I mean to that end, if they do, is there a way of freelancing privacy stuff before you try to land the big fish of a job?
[00:36:35] CSTEVENS: You can always do volunteer IPPs, the local knowledge net chapters. They have a lot of volunteer, things that you can do to add to your resume, whether you – I sat on, I would say, a co-chair of the Baltimore-Maryland knowledge net chapters. They have several different types of boards and things you can volunteer for. I would say this, Chris. I mean, I started this journey. I’m that person you’re talking about. I acquired the knowledge. I kept studying as I was trying to get that first job. Then have no fear. You may have to take an entry level job.
I can tell you, if you do a job search on indeed.com, if you do want on LinkedIn, there are a lot of remote opportunities, of course, they want you to have experience, but you’ve just got to land that first job. Then get that first job as an entry level person. Get that on your resume, and that starts your journey. I’m not going to say it’s going to be easy, because remember, like I told you, I left a senior executive job in government and was driving for Uber and Lyft, and working as a private investigator before I got my first privacy job.
[00:37:57] CSIENKO: Now, I like talking to cybersecurity folks in terms of the – because I have a sense of what the steps are. You’re starting out – it’s a long way to CISO, but you’re starting – maybe you’re starting in the helpdesk, or you’re starting as a security analyst, and you’re reading log files, and you’re looking for abnormalities. Then you automate yourself out of your position and up to the next level. You become a manager, you become this, this and this. What does the day-to-day work of an entry level privacy person look like? What are your tasks, compared to someone who – I mean, it sounds like the top point is you’re setting policy, you’re setting a master framework around your company and so forth. What is the grunt level privacy person do for a company organization?
[00:38:45] CSTEVENS: I’m experienced. I’m doing grunt work now. It never stops.
[00:38:48] CSIENKO: Tell me about it.
[00:38:48] CSTEVENS: One of the things that, like you said, updating, understanding external requirements, helping the organization update their policies, procedures. Another thing that you’re going to find yourself doing and it’s in demand is privacy risk assessments. Privacy threshold analyses. Before organization acquires a new system, or implements new activity that’s going to process personal information, you got to do that privacy impact assessment. Now, you’ll see a lot of new privacy professionals performing those tasks, partnering with the ISOs, partnering with the businesses admission owners, functional and business owners to understand the systems, assess the privacy risk associated with them, come up with controls that mitigate those.
As part of that assessment authorization packet, be able to present that to the AO, so he or she can approve that system for use. You’re going to find yourself looking at compliance, especially if you’re working in industries like health care with HIPAA, finance and some of the others. Again, you’re going to be there doing compliance assessments, internal assessments of the organization. This is a continuous process.
Over time, you’re going to require those skills and understanding and then you start looking at more senior positions. Again, everyone’s not going to be that organizational chief privacy officer. It takes years to get there. Lots of times, that require you to be an attorney of sort in many organizations. You can find yourself, you do that for a while, get the experience and then consider consulting.
Now, there are some great organizations out there, like True Staffing recruited me several times, because they focus on privacy professionals from a security professionals. Looking at those, even if you can’t walk into a door and compete, trying to get one of the staffing organizations to place you. Build up your competence, build up experience, and then over time, like I said, the jobs are there. There are tons of jobs at Apple, Google. A lot of these healthcare organizations, a lot of them are remote right now. I work from home.
That job path itself, I was creating a business with a great friend of mine, Steve Holland. We were laying out for our business. What was our career path? Because we were both in the military. It started out with the privacy analyst. Then it translated into a privacy technologist, privacy manager, and then being able, once you’ve done that, that was what’s within our own organization. Then posturing yourself for deputy director privacy. A lot of people, too, if you have the bandwidth, you might even consider going to law school. I’m just too old.
[00:42:09] CSIENKO: Yeah, I was going to ask that. It sounds like, that would be a really good value add, or even go the other way around. If you’re in just strictly a lawyer, or in law right now, and you want to make a move toward the tech sector, it would make sense to understand privacy. It seems like, you would add a lot of value, if you were.
[00:42:25] CSTEVENS: You would. Or even if you just want to understand privacy from the legal standpoint. Because from an attorney, you’re going to find that attorney, they’re going to be fast-tracked over time for CPO positions.
[00:42:36] CSIENKO: For sure.
[00:42:37] CSTEVENS: Because of the legal implications. They still need people like me, the practitioner.
[00:42:42] CSIENKO: Yes. Yeah, totally. This is always $64,000 question. It doesn’t tell you had much of a problem, but you were pushing and you had a passion for it anyway, while you were driving Uber and Lyft, and so forth. Without a professor assigning weekly tasks, if you have a skills account, some people might have a hard time staying on track and meeting their learning objectives. Do you have any tips to help lifelong learners stay focused on training, and accomplish their goals in a timely fashion?
[00:43:12] CSTEVENS: You know what you do, they lay out a three-to-five-year plan. They write those goals for years, one, three, and five. Then you put them on a whiteboard, or dry erase board, whatever. You enroll in a program. Then periodically, you go back to that goals list and you see if you’ve done that. You do an assessment of where you are in life, because it’s not going to be easy. You have to be hungry, and you got to be able to persevere. Because the end state is to get that job, or jobs that you want.
Every day you waste and every second you take a break is deterring you from achieving those goals. You’re going to have setbacks. I’ve had people try to take certain research and failed three times. I had people working in senior privacy positions, taking the certs and failing them two or three times, which is terrifying.
When I mentor people, I tell them, you got to start with goals, whether you have – if you don’t have a dry erase board, get you a notebook. If it is, “I’m going to complete this degree, my bachelor’s, or my masters in this amount of time,” and you set that end state, that graduation date, and you have goals in how you’re going to get there. Then when you don’t, you have to explain to yourself, why I didn’t get there.
[00:44:41] CSIENKO: What happened.
[00:44:43] CSTEVENS: You have to persevere. People that persevere, they get there. They take that road not taken and they stay on track. They achieve their goals. It was a great question. It depends on the individual.
[00:44:59] CSIENKO: Yeah. I like all those. Mike Myers, our last week guest also said, schedule your examination, when you think you would realistically be ready and – because you can you can study abstractly for as long as you want. If you say in six weeks, I have to take the A plus, or whatever, that’s good. You’re more likely to be like, “I better get ready.”
[00:45:21] CSTEVENS: That was a brilliant response, because remember, we’re in an ever-changing industry. The version of the test that you took a boot camp for might have changed last year. It means, the questions are going to change. I try to encourage people taking my IAPP courses. For me, it took me about three weeks, four weeks to get ready for the exam. Don’t wait six months, because the exam will change and then you’re reaching out to Chris Stevens trying to get updated materials.
Stay on path studying. Set aside an hour a day. During football season, a lot of you take off Sunday. Stay on track. It goes back to those goals. Then, look out two months or so. That’s what I did from the CIPM. The only reason I passed the – I mean, the CISOM was because of your boot camp.
[00:46:17] CSIENKO: Oh, good. Okay.
[00:46:18] CSTEVENS: If I hadn’t taken your boot camp, I probably would have taken six months to a year to study for that exam. I was able to take your week-long boot camp, starting the 1st of November. I cast it out in December, and I did quite well on the exam.
[00:46:33] CSIENKO: Fantastic.
[00:46:35] CSTEVENS: I attribute that to the instructor into your course.
[00:46:38] CSIENKO: That’s great to hear. I love to hear that feedback. Thank you. Chris, as we wrap up today, where do you see cybersecurity education going, either in person or virtually in the years to come? I mean, more time is being spent at home with laptops and good Wi-Fi. Do you see career learning changing demonstrably in say, the next decade?
[00:46:56] CSTEVENS: I do. I see it delivered also. How do we deliver this content in an era of pandemics? How do make the training itself role-based, where individuals can truly understand how this training is going to help them do their jobs? We’ve seen a lot of training providers go to online formats. You’re going to see that. If you’re talking about it from your privacy perspective, it’s going to expand out new jurisdictions, jurisdictional laws. You’re going to need training for that.
I think, you’re going to see new certifications arise that are going to be important to individuals. For me as an instructor, I perceived that I’ll be well employed. Now, I’m talking about, I’ll be on my 70 soon. I don’t know if I’ll be teaching then. It’s been amazing, just over the last 10 years of looking how cybersecurity training has evolved, and privacy training, information security training, how we deliver it, the content. I think it’s phenomenal. I think that we’re educating a generation of new professionals. They’re going to help organizations, so due diligence and due care from a cybersecurity perspective, or from a security perspective, don’t forget privacy.
[00:48:19] CSIENKO: Don’t forget privacy. All right, that’s a perfect place to wrap up here. Last question, what’s next for Chris Stevens? Also, if our listeners want to know more about you and your many activities, where should they go online?
[00:48:30] CSTEVENS: Well, they can go to LinkedIn. LinkedIn is where I post a – I send out a – on Twitter, then go to Twitter. I produce a newsletter Cybersecurity Information Security and Privacy newsletter. That goes out Monday, Wednesday and Friday. If you’re at LinkedIn, connect, you’ll get that. Chris Stevens is old. Chris Stevens, this is probably be his last hurrah. I like the job that I have now. I put off taking a job. I like the freelance perspective, but I enjoy what I do. I’ll probably do that. Then next in my windshield is probably still security.
[00:49:10] CSIENKO: Yeah. Counting down the days.
[00:49:12] CSTEVENS: Count down the days.
[00:49:12] CSIENKO: You got to be putting the X’s on the calendar dates there.
[00:49:15] CSTEVENS: That’s exactly right. Those goals three, I don’t have a 3 to 5. I’ve got a 3 to 3 and a half.
[00:49:21] CSIENKO: Phenomenal. Well, you’re an inspiration to all of us who still have a lot longer to go on our journey here. Again, Chris Stevens, thanks so much for joining me again. I knew this was going to be fun, and it was a blast. It was also very enlightening. Thanks for your time.
[00:49:34] CSTEVENS: You’re welcome. Hopefully, my comments were relevant.
[00:49:36] CSIENKO: Oh, absolutely.
[00:49:38] CSTEVENS: I hope it helps someone out there. Chris, I can’t thank you enough. We should thank you for the good work you do, getting the word out, and you continue to do the great work you’re doing. Thank you.
[00:49:49] CSIENKO: Well, thank you very much. That’s nice to hear. I’ll sign off by saying as always, thank you to everyone listening to and supporting Cyber Work at their workplace. New episodes of the Cyber Work Podcast are available every Monday at 1 pm central, both on video at our YouTube page and on audio wherever fine podcasts are downloaded.
Thank you once again to InfoSec Instructor and InfoSec skills author, Chris Stevens. Thank you all so much for watching and listening. We will speak to you next week.