[00:00:05] Chris Sienko: Hello and welcome to the first CyberWork Live episode of 2022. As you may know, from our weekly CyberWork podcast, we’ve talked with over 200 different industry thought leaders about cybersecurity trends, the way those trends affect the work of InfoSec professionals, and we offer tips for breaking in or moving up the ladder in the cybersecurity industry. And today, that is all happening live with you in attendance.
I am Chris Sienko, CyberWork Live host and InfoSec Content Acquisitions Manager. And as you already know from the title screen, today’s topic is a public discussion about privacy careers, training certification and experience.
And with that, I’d like to introduce you to our esteemed panel of guests today. So, we are having a little bit of technical problems with Chris Stevens, but I will read his bio and he can enjoy the accolades later on here. Chris Stevens has spent over 35 years as a data protection professional, an information privacy professional, a strategic intelligence manager, and as a National Intelligence Service Senior Executive.
Chris possesses all seven of the International Association of Privacy Professional Certifications. He is in IAPP fellow of information privacy. He is an ISACA certified information Security Manager, certified in risk and information security controls, and a certified data privacy solutions engineer professional. He has assisted numerous organizations in better managing their privacy and risk management programs.
Next, please welcome John Bandler, Founder and Principal of Bandler Law Firm PLLC and Bandler Group LLC, also an InfoSec skills author, as with Chris Stevens above. John Bandler is a lawyer, consultant, speaker, teacher and author in the areas of cybersecurity, cybercrime, privacy, investigations, and more. He is the founder of Bandler Law Firm PLLC and Bandler Group LLC, legal and consulting practices that help organizations and individuals with cybersecurity and privacy, prevention and investigation of cybercrime, legal compliance and more. John is online at johnbandler.com and on LinkedIn.
And third, but certainly not least, please welcome Global Privacy and Security Adviser in REINBO Consulting Ltd. And you guessed it, an InfoSec skills author, Ralph O’Brien. Ralph is a trusted adviser on Global Privacy and Security Compliance, Practice and Management. His experiences include strategic GDPR adoption programs, advisory services, and assurance delivery in global multinational environments. He has worked in a variety of industry sectors, including defense public sector, pharma and financial services, representing both multinational corporations and boutique specialist consultancies. So John, Ralph, and hopefully, Chris, very soon. Thank you for joining me. Welcome to CyberWork Life.
[00:02:56] John Bandler: Great to be here.
[00:02:58] Ralph O’brien: Pleasure is all mine.
[00:02:58] CSienko: Great to have you. So we’re going to be taking questions from the audience as they come in throughout the event. But to start with, we’ve compiled a number of questions about privacy by students and professionals via our newsletter. And so we want to start there. A lot of this is, as it suggests in the title, based around sort of career questions. So let’s start with the most broad and the simplest question. What is privacy as a career? It’s one, I’m sure, both of you have answered many, many times while teaching at industry events. So what does that mean especially? Because I think people think of privacy as sort of an intangible or a concept or a principle, but not necessarily as a career. So, John, do you want to start us off? And then Ralph?
[00:03:47] JR: Yeah, definitely, definitely. So I think of privacy and cybersecurity as overlapping. So if you think of that Venn diagram, where you have two different bubbles, they really overlap a lot. So to do privacy, you have to know cybersecurity and vice versa. Now, if cybersecurity is about protecting our information assets, that CIA, confidentiality, integrity, availability, obviously, that’s important.
Privacy includes all of that. Well, it includes the confidentiality. It also includes more about giving consumers choice, and transparency, and certain rights. So Chris Stevens actually had a quote I saw from an earlier event, but privacy always involves cybersecurity. And I just think they really complement each other. So the more people working in one field know about the other, the better for the people, the better for the organization and both fields.
[00:04:50] CSienko: Any thoughts to add on that, Ralph?
[00:04:53] RO: Yeah, I agree totally with what John says there. I mean, with that Venn diagram, especially that there is an overlap. And I kind of think of it all as information governance. These days, modern organizations have an awful lot of organization, and an awful lot of data, and an awful lot of information on individuals.
Obviously, I come from the EU. I come from just north of London here, where we actually don’t use the term privacy. We use the term data protection. Now, you could confuse data protection with information security, literally data protection. But actually, one of the things that I find interesting about the word privacy is, a lot of the times, an individual doesn’t have any rights to privacy. The organization already has their data and is using it for legitimate reasons or legitimate purposes.
So to me, the words data protection, the words information governance, it’s about how an organization manages the data it’s already got. Can it hold it legally? What can it do with it? That whole cradle to grave of the disposition. And while in security, we might focus on the protection or the CIA of that information, sometimes in data protection, we ask more interesting words like, legally, can we? Or ethically, should we be using the data in a certain way, especially when it comes to some very sensitive information that you’re collecting on private individuals?
As a career, it depends whether you’re looking at it from a legal perspective, from audit and compliance perspective, or whether you’re looking at it from a perspective of someone who’s got to manage a privacy or data protection program within an enterprise.
[00:06:41] CSienko: Okay. Well, that’s good. That’s a very good sort of framework. And it’s also interesting to hear the sort of distinction in terminology. But I’m guessing that when you say data protection versus privacy, Ralph, that they cover a lot of the same ground, but there might be some differences, like you said, with the sort of like ethical implications versus the security aspects.
[00:07:05] RO: Yeah. I mean, it’s interesting. From the EU perspective, there is a difference between your right to privacy and your right to data protection. They’re actually listed as two separate fundamental human rights. There’re some differences between the way the US and the EU look at things. Whereas in the US, we could perhaps say that privacy historically has been more of a consumer protection area where you tend to gain privacy rights or privacy because you’re a customer of a business, because you look at like the laws in California, like the California Consumer Privacy Act, where it’s all about your relationship with a business sort of governed by the FTC. Whereas over in Europe, I think we tend to look at data protection more as a fundamental human right, something you have not because you’re a customer, but something you have because you’re a person. And therefore, we look a lot more about governmental privacy, HR, human resources, the information you have collected, if you’re an organization, on anybody anywhere.
[00:08:11] CSienko: Right. Okay. Well, that’s also a great distinction and leads, I think, real nicely into our next question, because, again, it’s good to sort of know what the sort of range of things we’re talking about. But I want to sort of move from here. It’s the second most asked question we’ve gotten from people who are still trying to decide if privacy as a career is right for them. So we got over a dozen questions that basically boil down to this. What is the day-to-day work of a privacy professional within a cybersecurity career space?
So even with people who like the sound of working around privacy and implementing country or framework-specific policy to a company can’t quite get their heads around what the raw work looks like. So can both of you provide a quick summary of the most common daily activities for an entry to mid-level privacy professional?
[00:09:02] JR: Yeah, definitely. And something Ralph was saying triggered another thought, because as we’re talking, “Hey, what’s the difference between privacy and cybersecurity?” We got to realize, it’s always moving – People use different terminology. So for example, with this privacy certification, the IAPP may call something a privacy law. A cybersecurity professional might call that a cybersecurity law. So these things overlap so much.
So, Chris to answer your question, what type of day-to-day things? Some of it may be very similar to what a “cybersecurity professional” is doing. So we want to have a cybersecurity program. We want to have a privacy program, hopefully, like Ralph alluded to. Those who are part of a comprehensive information governance program where we’re not fragmenting it. So there’s going to be a lot of different roles. And depending on the size of the organization, maybe one person’s wearing multiple hats, or you’ve got separate departments for different things. So it’s going to include assessing risks and assessing the program for privacy with those overlaps as cybersecurity, training programs, liaisoning with these other departments. How do we translate between law, technology, the software, and practice, and informing employees and consumers what we’re doing, which leads me to documentation work? And some people here, documentation, and policies, and procedures, and kind of eyes glaze over. But for me, that’s actually pretty exciting. Because when you put things into written words, it helps you evaluate what your program is doing and what it’s supposed to do. Data inventories, figuring out data flows, consumer inquiries. I don’t want to cover everything, because I probably could go on because, there’s a lot. But, Ralph, what do you think?
[00:11:05] RO: Yeah. I mean, you’ve covered quite a lot of the day-to-day tasks. I think I’m going to be more esoteric with that. I think where we look at cybersecurity, we often look at how do we protect the organization? And I think where sort of data protection and privacy really changes the game, it’s how do we protect humans? How do we protect people?
And what’s quite interesting in a commercial organization is trying to find the balance. And to me, privacy and data protection is all about balancing acts. It’s not one of those careers where you can walk in and everything’s 3.2. You know? The laws that we face use words like necessary, and appropriate, and adequate. And it’s up to the organization to try and understand where they put their mark on that line.
I often tell my new trainees, here’s a naught, and here’s 100 on a spectrum. With naught being you can’t communicate with anyone. You can’t transmit data. And 100 being everything you know is out there, and everybody – You haven’t even got the privacy and the thoughts in your own head. Where do you put your line between naught and 100?
And I think organizations quite often have to self-assess. Organizations have to make decisions. And that can be an interesting role in an organization being a negotiator, being somebody who has to sometimes ask the hard questions and say, “Ethically, should we be doing this?” Or, “Legally, can we do this?” What technology features can we put in our platform to help the individual? Do we have that setting on by default or off by default? Do we have everything closed by default or open by default? Things like privacy by design work. Putting features and functionality to allow people to download copies of their own data or to understand where the data is going in a more transparent way, or access and give people options and preferences.
So there’s the real technology space in terms of design. And then there is, as you say, the more back office role in terms of really, truly understanding and performing assessments on what data you have, where it is, whether you legally comply with various laws around the globe, and how you build that into a continually improving program within your organization?
[00:13:26] CSienko: All right, I’m excited to see that it looks like Chris Stevens is here. Thank you for joining us today, Chris. So yeah, as you can see, we’re currently talking about the day-to-day work of privacy professionals within a cybersecurity career space. And John and Ralph have both sort of talked about their experiences. One of the things I liked hearing from both is it sounds like in comparison with cybersecurity, where it’s like install a firewall. Now the firewall is either installed or it’s not. Set this. It’s either on or it’s off. This is either working or it’s not working. There’s an interesting sort of range of customized things that you can do to sort of improve the privacy experience. And that involves some degree of discussion with the organization. Do you want this much? Do you want this little? Within sort of the constraints of GDPR, and regulations, and so forth.
But Chris, do you want to say hi, introduce yourself, and also talk a little bit about your experience of the day-to-day work of privacy professionals?
[00:14:33] CStevens: Of course. And I apologize. I thought that we actually were starting at 12:30. So I stepped away. But I work in this space. And so, for example, when the US House of Representatives brought me on board as a privacy professional, now I work in the office of cybersecurity. Rarely trying to help the office really operationalize privacy. And what do I mean by that statement? It’s transitioning from certain practices, certain NIST guidance, that had really incorporated expanded aspects of privacy.
And so from a privacy perspective, I helped the house integrate privacy controls into their privacy plans, security plans. I reviewed the privacy implications of implementing the NIST Special Publications 800-37 Revision 2 Risk Management Framework, because that’s where they were asking me for me for not just to focus on the policy aspects of privacy, but the actionable assets. Conducting those privacy impact assessments. Ensuring that privacy was a part of NIST, the Cybersecurity Framework and the privacy framework.
Even my duties today, and I’ll keep my comments short, in supporting King and Spalding. I’ve been brought in also in the same capacity to where, at work, my boss is a cyber risk manager. And between he and I, we integrate our security and privacy assessments. We look at certain systems, assets, vendors themselves, and rarely apply privacy to where we can have a better understanding of achieving goals like integrating privacy by design, privacy by default, into their business activities, systems acquisitions and of the like. And so I’ve spent a lot of time working in that space.
Thank you, Chris.
[00:16:35] CSienko: Very good. Very good. So we’re going to be moving towards sort of questions about certifications and professional sort of qualifications and so forth. And we have a couple of questions that have come in from the audience. And I think one is let’s use this as sort of our entrance into the next question. But Natalie Maharaj says, “Do you need a law degree to get into privacy?”
So I will start with John on this, because John clearly comes to this from a law side. And I don’t know if Ralph or Chris have the law background, but can the three of you talk about sort of the intersection of law degree versus tech degree and how they can sort of affect the work of a privacy professional?
[00:17:21] JR: Yeah, definitely. So my answer would be no, you don’t need a law degree. And look, I think it’s great to have a law degree. But I also think we got to realize lots of different skills and backgrounds go into doing things like privacy and cybersecurity, and lots of other things. And yes, we need to know something about the law. Yes, we need to be able to consult legal experts and lawyers. But we also need all kinds of other people with their skills, some with tech skills, some with writing skills, analytical skills, people skills.
So one of the things I love about what I get to do is teach about law to non-lawyers. Because I think we all need to know something about law to do privacy, to do cybersecurity. To be citizens and residents of our country, we need to know something about law. But no, we do not all have to be lawyers to do privacy, cybersecurity, and other things.
[00:18:22] CSienko: Cool. Anything to add, Ralph or Chris?
[00:18:26] CStevens: Well, I agree with John. I’m sorry. Ralph, I’ll defer to you.
[00:18:31] RO: Yeah. Again, I was just going to say that I concur. I mean, having a law degree can help. And it depends if you want to be privacy counsel or not. But equally, there are other roles beginning to emerge within the privacy community, such as a privacy auditor, or a privacy program manager, or a privacy engineer or a privacy technologist. So I think even within the privacy professional headspace, there are a number of different career path. And yes, privacy counsel or privacy legal adviser is one of them. But equally, as a consultant, engineer, auditor, program manager, there are other fields that relates to privacy as well.
[00:19:16] CStevens: And I would agree with both John and Ralph. I’m not an attorney. I don’t render legal opinions, just like Ralph just stated. I work very closely with attorneys. And just like John said, like he enjoys teaching non-attorneys. Well, I enjoy teaching attorneys. I had a number of those in a class that I taught over the last two days. And so you can be a practitioner and have great success as a privacy professional.
[00:19:49] CSienko: Yeah. What this is reminding me of a little bit is the way that, especially in terms of things like digital forensics or computer forensics, that you have this wide sort of scope from completely technical to completely non-technical people that each have something different. And interesting to contribute, whether it’s from a psychology angle or a tech work around angle and stuff to secure data and so forth. So I think that’s all very encouraging. And hopefully the listeners are realizing that it’ll be easier than not to sort of find their place within the privacy space.
So our third question here, again, because InfoSec students know that certifications are great mile markers to show potential employees some of your skills and abilities. Several people have asked what are some beginner privacy certifications I should be working toward? And what other cert options are there for advanced specialization? So I know that there are several different types of privacy certs out there, but can we start with some of the certs that our three InfoSec skills subject matter experts teach, and what each cert covers? So, Chris, I’ll start with you. You said you were just teaching a couple days ago here. Can you talk about some of the beginner level ones?
[00:21:01] CStevens: Yeah. So I was teaching for the International Association of Privacy Professionals at its Global Privacy Summit. I was teaching the US, CIPP US private sector, privacy courts. And that’s where I started my journey. For 35 years, I’ve been an intelligence professional at different levels. And I decided to walk away from that, become a privacy professional, having no depth or breadth and privacy. And so my first certification was the CIPP US followed by the CIPP European examination. You can always look to the IPP certifications. But InfoSec has done a great job.
A number of us have created privacy-related courses that can position you well to develop a foundational understanding of privacy. And I encourage the students and their attendees to look at those courses to build that competence over time, and then be able to demonstrate that later in a practical sense.
[00:22:05] RO: Yeah. Again – I mean, the IPP qualification. So there are a number of them. Great touchstones into sort of the way that a privacy professional thinks and deals for things. And they are sort of two-day courses. But you’re going to need to study for a little bit longer than two days to successfully pass the qualifications. But the existing IPP courses include one in US Foundational Law, CIPP/US. There’s the CIPP/E, which is the European Privacy Law. You might be wondering why he is European or relevant to me as a US. But if you’re working for a large global organization [inaudible 00:22:51] extraterritorial extent. The GDPR extends out from Europe to any country that happens – Or a company that has to happen to be doing business here. Then there is the CIPP/A for Asian Law, the CIPP/C for Canadian law, all of which are great foundational courses in sort of the respect of jurisdictional law.
On top of that, what I find quite interesting is they do a CIPT, which is great if you’ve been a technologist, and you’re looking at putting privacy into technology products that you might be designing. So the CIPT. And then finally, the CIPM, which is about managing a global privacy program. So it kind of forgets about the local law in Europe, or US, or Canada, and actually puts you in the process of – Well, in a case study, it says, “I’m a privacy manager. I’ve come into this case study organization in day one. How do I go about creating a privacy program from day one to continually improving after year one, two, and three?” So IAPP qualifications are a really, really good starter for 10 to kind of transition into a privacy cred.
[00:24:04] JR: Yeah, a lot to talk about certifications. And people asked me about it. So I wrote a blog on it on johnbandler.com. But CIPP/US obviously is my favorite. I built a study course for it for InfoSec. And what I like about it also, is even though the US is – They call it a patchwork of privacy laws. You got to learn all different laws, but also the body of knowledge gives you a great foundation and legal basics.
And the IAPP, like I said, calls it privacy law. But you should think of it as cybersecurity and privacy law. And I really enjoyed breaking it down and putting it in simple chunks. So that would be – If you’re in the US, CIPP/US, I would say, lays a great foundation. I’m biased. I admit it.
[00:25:00] CStevens: Hey, Chris, can I make another statement?
[00:25:02] CSienko: Please. Absolutely.
[00:25:03] CStevens: Also, look at ISACA. If you already have an information security background, one of those certs? You’re a certified information security auditor or one of these certs, ISACA also offers the certified data protection solutions engineer that also looks to merge information security, cybersecurity and privacy from an operational standpoint.
[00:25:26] CSienko: Got it? Oh, that’s very cool. Okay. That’s also good to know. There’s a hot tip for the sort of tech folks in the audience. So we’re getting some good questions in about – Specifically related to different sub-specialties of careers and so forth. But before we get to those, I want to stay on certs for just one more question here. Since IAPP is the privacy certification company and framework we’re most concerned with today, and since you’re all multiple IAPP cert holders, can you talk about some best practices for studying IAPP certs? What are some of the tips you’ve learned by passing, and especially if you’ve failed any of the exams that you have? Are there any common study or preparation errors that you’ve seen among students that would be useful for our attendees to know about?
[00:26:11] Chris Stevens: I think John mentioned one. Again, the IAPP offers you some free resources. When I started my study, I didn’t take a course. So I bought the textbook. But what was most useful for to me was that exam blueprint and that body of knowledge. And so in doing so, what I did was really structured my studies. I didn’t do any outside studying of other materials, because IPP gives you everything you need to pass the certs with those materials. And then, really, I’m just going to be frankly honest. It became rote memorization. Memorizing what was in that textbook, and then comparing that what was outlined in the body of knowledge, and the exam blueprint. And over time, I was able to pay off all seven of the IAPP certifications.
[00:27:04] RO: Yeah, I would agree. I think the IAPP do issue what they call the common body of knowledge, or CBOK. You can find it on the IAPP website. And actually, what that does is it breaks down the syllabus. It’s a syllabus document, essentially. So it kind of says, “Here’s what’s covered in module one. Here’s what’s covered in module two. Here’s what’s covered in module three.”
And I always encourage my delegates to go down there with literally a tick list and just say, “Do I know this? Do I not know this? Tick, tick, tick, tick, tick. Cross, cross, cross, cross, cross.” And that’s a great way to focus their revision.
Equally, the more you can do to immerse yourself in the privacy world, the better you’ll do. The privacy world does change, and it changes quickly. I always say when I’m delivering training for four or five days for a qualification, the world doesn’t stop turning. And therefore, to know the right people to follow. Because there’s awful lot of misinformation and myths out there as well. So choose your trainer carefully. Choose your course carefully. Use the material the IAPP put out there, including mock exam questions as well, to just make sure that you’re prepped before you go in and sit the actual exam.
[00:28:20] CSienko: Any tips, John?
[00:28:23] JR: Yeah, I’m going to offer one concrete tip, and then two places where you can get more information. Because I’ve actually thought about this. I’ve written about this. And I incorporated tips into my CIPP/US course. So my one concrete tip is something called a Pomodoro. That’s when you set a timer. And depending on your attention span, and what you can tolerate, it’s either 15 minutes, 20 minutes, or 15 minutes, and you do nothing else but focus on studying for that time. Because distraction is hard. And the two places you can find more – Well, I gave one away. I devoted a video segment to how to learn and how to study. But I also have blog articles on my website. One is called the how to learn and study. And the other is called how to take an exam. And there’s no magic secret tricks to help you do it with no effort. It’s really about effort and using that effort wisely.
[00:29:27] CSienko: So hopefully, I’m not bringing up bad memories here. I want to ask Chris Stevens. He was a guest on cyber work. And he mentioned briefly, either at the end of the show or in our private chat, that you took and failed a IAPP cert. And just because you felt like you already kind of – Can you speak a little bit about that, like the experience of sort of coming into the exam with the sort of like, “Well, if I know this, then I’m sure I’ll know that kind of thing?”
[00:29:58] CStevens: Chris, of course, he would bring up that discussion during this discussion. But it goes back to what John said. I loved what John just said about how to approach these examinations. I’d taken several IAPP examinations before I got to the Canadian test. And my head was so large that it could fill up a large size room. So I thought that I could purchase the textbook one day, and then take the Canadian exam the next day. I can tell you that was rife with peril. And I failed the exam. And I didn’t miserably, because I didn’t take the time and preparation to prepare for the exam.
The IAPP examining examinations are about time and preparation. And so my feelings were hurt. So I had to make a decision, Chris. We talked about this. Do I retake the test? Or do I stop there? But the cert was so important to me. I waited to 30 days. I had to wait to retake the test. I paid my $375. But during that time, I used an approach, much like what John said. I set aside time every day, an hour or two a day to where I focus solely on studying for that exam. And then I tested myself. I took the mock quizzes and things like that. When I retested, I did quite well.
And so what you have to do is you have to make a decision. Is this cert, or is this goal important enough for me to retest? If it is, you’ll put forth the effort, just like John said. If not, you will let that failure stop you and probably change your course objectives and dream forever, because you didn’t get past the point of failure. If I answered your question correctly, Chris.
[00:31:49] CSienko: Yeah. No. That’s great. And, again, because I bang this drum all the time on this show, but there’s a seems to be a real feeling among – Especially people just entering the industry that if they fail an exam, even A+, or security fundamentals, or something very simple. Somehow if I fail, that means this just isn’t the job for me. I can’t do it, or whatever.
And I think so many of our great professionals that I’ve talked to have said, “Sure, I failed a test.” Like you said, “I didn’t approach it correctly. Or I wasn’t studying hard enough. Or I figured I could just wing it,” or what have you. Or even I studied really, really hard and it still didn’t make sense. And then I tried it a second time, and this time it locked in. Just keep chasing the – Keep chasing your dreams. I mean, the failure is always an option, but it’s also doesn’t have to be a brick wall. It can be just a hurdle.
So our next question here dovetails nicely with several questions we’ve gotten from our audience here. So I wanted to mention getting experience within the privacy sphere. So if you’re young or new to the field, you can start researching a privacy career anywhere online through a class or by this webinar. But it might be a little hard to show an employer that you have experience in this regard. So, for example, listener, Meredith Echam says, “I would think that the combination of writing professional and degree, Master of Science, and Legal Studies, cybersecurity law, CIPP/US, and CIPP/EU, and CIAM certifications would be attractive to employees. But without experience, is it enough? Am I missing something?” And then also, Reginald Stinson says, “What’s the easiest path to transition into privacy and cybersecurity from an education and banking background?”
So I think we’re seeing something similar in both Meredith and Reginald here in the sense that people are feeling that it’s one thing to crack a book and start the timer, and learn, and pass, and another thing to have those certifications show to a potential employer that you’re serious about this and that you have actual raw experience. So can any of you sort of speak to getting experience before your first job or within a first job that allows people to sort of make mistakes as they go?
Ralph, you want –
[00:34:29] RO: I’d agree. Experience counts for a lot. Experience counts for a huge amount. And actually, what’s nice about privacy professionals is they – And I find this as a privacy professional myself. You end up having to motivate, and because data is everywhere, right? So you ended up having to manage a privacy program across a large enterprise. And you can’t do it by yourself.
A privacy professional has to reach out further into the enterprise. And there are positions, sort of semi-formal positions in most organizations called a privacy champion. And what that tends to be is, sadly, unpaid work that you do in addition to your normal job where you become the eyes and ears of your privacy or security division within that sort of division or directorate.
So reach out to your privacy professionals within the organization in which you’re currently working. Get to know the privacy team, the organization where you’re currently working. And they will thank you. They will fall over themselves that there might be someone out there who might be willing to listen to what they do, and to act as their representative within their local business directorate. And acting as that privacy champion or sort of privacy stakeholder, subject matter expert within your local business directorate, that will get you the experience you need.
[00:35:56] CSienko: Yeah. Chris, John, anything to add?
[00:35:58] CStevens: I concur with Ralph. If you’re working in a call desk, some other aspect in one of the operational units, again, serving us at privacy liaison will give you and help you develop over time. Because many times, depending on the size of the organization, the privacy office, or the compliance officer is extremely small. And they don’t have the resources to be able to interact with all aspects of the organization at every level. And to Ralph’s point, and so you volunteer to service that privacy liaisons. Over time, you develop that skill set. You might even have them pay for your training and look to bring you on board at a later time just to support those endeavors directly.
Another thing you can do also is, even from a different perspective, there are lot of [inaudible 00:36:53] out there that are based on privacy. You can participate in those. You can look at – I hate to keep going back to IAPP. Participate in their knowledge nets. Volunteer for some of their [inaudible 00:37:06]. They have a lot of volunteer groups you can participate in to really expand your knowledge on privacy before you actually start to apply for jobs and privacy. Set up job alerts on indeed.com, LinkedIn. Look at what employers are looking for in a skill set so you can start acquiring those skill sets before you apply for that first job.
[00:37:34] JR: I think you guys make great points. Yeah, great points. What do we need? We need knowledge, credentials, experience, networking. So to get experience, I really liked that volunteer idea. If you’re already working somewhere volunteering to take on some privacy type tasks. There may be other organizations you can volunteer with.
Now in my CIPP/US course, I have two practical exercises that if you listen to it, you decide if you want to do it. But it’s ways people can get a little hands-on experience. And if they’re already in an organization, it’s ways they can reach out in the organization and maybe meet people who might say, “Hey, this person’s interested in privacy. Let’s see if there’s an opportunity for them.”
[00:38:28] CSienko: Before I move on to the next question about interviewing, I want to ask, I know Chris Stevens, you’ve worked in military sector. Darryl Lewis asked, ‘How do I get top secret clearance to become a cybersecurity government contractor?” I assume within a privacy space. Do you have any thoughts on that?
[00:38:46] CStevens: I mean, I work in both the military and government, not from a privacy perspective, from an intelligence perspective. But if you’re working as a contractor, normally the contracting agency organization is going to help you obtain that training. Now, they might want you to come like Minerva springing fully formed from Zeus head and already have it, or they make that investment.
Lots of times also, if you have the skill set, and you already have completed certs. You have academic credentials. You completed bachelor level, master’s level degrees and information security, cyber security, then you just have to apply. And then you have to meet the requirements.
I had a top-secret security clearance for over 35 years. You have to apply. Apply for the job. You’ll go through the background investigations. Once you make it through that reinvestigation, then they’ll award you the top-secret clearance, which you have to maintain and do a reinvestigation after five years. And that’s the best way to do it. Find a job.
Again, you have to convince that hiring official that, again, you meet those prerequisites to have that clearance, submit the documentation, wait your six months or so to see if you’re approved. And then you began your entry level job in that space. And later on, because you maintain that clearance, it opens future opportunities for you as well.
[00:40:18] CSienko: All right. So we’re moving right along in the hour here. So I’m going to jump on to the next question here. We’re talking about interviewing. Security Sam227 writes, “What types of info Should I have in my head when I’m interviewing for a privacy job? Do I need to refresh my memory with my old study books? Or will I know enough just from doing my job every day?” And I’m guessing all of you have hired someone else in the privacy role? Can you talk about some preparation traits that separate interviewees you can see potentially versus those whose excitement simply shines through?
[00:40:54] JR: So I’ll lead off. I would –
[00:40:55] CStevens: I’m sorry. I’ll let you go, John.
[00:40:58] JR: I would say do not study privacy right before. I think, strategically, if you’re building your knowledge, long term, yes, study privacy. But now if you have an interview, I would study about the organization and the person interviewing you. You want to be able to ask them good questions. You want to know something about the organization? So questions would be, “Hey, can you tell me about your privacy program? What is your organization prioritize? What would you see my role would be?” So I think those are questions interviewers are looking for.
And looking even beyond that, if you’re looking for a job, it’s good to know people outside of the interview process. So when an organization is looking to hire someone, they get all these unknown people in a stream. But if you’re able to network and get to know people outside of that immediate interview process, that can give you a big leg up. That the interviewer is interviewing you, and you already know someone in the organization. That can be big.
[00:42:10] CSienko: Awesome, anything to add, Ralph or Chris?
[00:42:13] CStevens: And also make sure you read the vacancy announcement. Understand for what position you’re being hired, because many of the questions are going to be asked based on that vacancy announcement. And make sure you can answer those questions. And if you don’t know exactly have that certain qualification, you can also speak to how you can acquire that qualification over time should you be given the opportunity for that position.
[00:42:42] RO: Yeah. I think the people by people, which is a good start. So be a people person. Be passionate about what you do, but not overly passionate. And this is going to going to sound crazy. So how can I be too passionate? Because in privacy, we do suffer from some zealots out there. And actually, if you apply privacy law to its fullest extent, it can be to the detriment of business. You do get privacy professionals out there who will shut down the organization. It’s like with sort of security, you can over-secure and shut down the business, right? You can put in too much control and actually cause roadblocks and difficulty for the organization. And obviously, no business wants that to happen.
So really, you have to describe your approach, your passion for privacy. But at the same time, how you’re going to balance that against the business interest? And that’s what most organizations will be looking for, not just know your legals and your privacy, not just you’ve got practical experience, but you’ve got the right methodology and mindset for the organization to understand their culture, to be able to balance the needs of the organization against the needs of the individuals and ultimately serve both. I don’t believe the two are mutually exclusive, by the way.
[00:44:06] CSienko: Yeah, those are great questions. And I think it’s important to sort of emphasize the need to research the company and its needs and where you would sit within the company. I think, when I talk to people who are interviewing sort of beginner level cybersecurity people, there’s a lot more of those kinds of pop questions of how would you secure a firewall? How would you get the data off of the cell phone? How would you run a pen test? And those do require that kind of you’ll have to make sure that you kind of bone up on your skills or whatever. But here, I think it’s more important, like you said, stick with talking about the organization that you are hoping to meld with.
So now that we’re out of – That was a lot of great info there for career stuff. So we want to talk more abstractly about some current privacy issues on the current horizon or in the news. And I want to start with Ralph. Obviously, I want to hear from all three of you. But this is a GDPR question that we got here. So we had some interesting questions that are more granular. So Bob the Human Firewall, I love that name, says not only are you dealing with the question of paying or not paying a ransom. This is regarding GDPR and ransomware. But there are potential fines from data leaks to consider. So is that encouraging people to pay with the hopes that they’ll get data back and don’t have to face the pay or we release your data threat, which can lead to fines?
So I want to read a quote from the Morphisec Breach Prevention Blog here, “As a result, GDPR is paradoxically becoming a tool for financially motivated threat groups. For example, last year when cyber criminals came across unsecured MongoDB databases online, they not only threatened to leak the data found, but also to directly report impacted companies to the appropriate authorities if they didn’t pay up. Under the rules of law, you face a heavy fine or arrest reads part of their ransom note warning that the companies contacted had 48 hours to transfer Bitcoin.”
So in cases like this, paying a ransom can be an obvious choice for victims considering that non-compliance can result in substantial fines, say up to 20 million pounds or severe violations, or 4% of global turnover. What is – Whichever is greater? As GDPR fines and regulation powers grow further, your poles advice of not paying attackers ransom is becoming more difficult to follow. So is this an unintended consequence of GDPR? In which the importance of data privacy becomes an obstacle to a more ethical and feasible response to ransomware attack? Is there anything that these privacy standards could tweak or update to account for such eventualities? Can I start with you, Ralph?
[00:46:58] RO: Yeah, it sounds like more of a misunderstanding to me. I mean, article 32 GDPR, it says, “Take appropriate organizational and technological measures.” That’s all it says in the law about cybersecurity. Literally all it says. So you would do what you would do in any organization. You would do a risk assessment. You would determine what’s appropriate level of control for you. You would implement those controls you’d monitor and measure to see that they’ve been effective. Now, yes, elsewhere in the law, it does say if you do have a data breach, if it presents a risk to the individuals, you have to go and tell the regulator.
Now, actually, that’s no different to the US that has 50 states laws, which all require data breach notification under varying circumstances. So if you’re in the US and you get a data breach over a certain size, you’ve got to go to the Attorney General, and you’ve got to do data breach notification. The GDPR just says something similar. It says you’ve got to go to the regulator if you get a breach over a certain size that will present a risk of harm to individuals. Now, yes, there are going to be unscrupulous groups out there who are going to say, “Hey, I found you a security weakness. I’ll go and tell the regulator if you don’t pay me Bitcoin.” Well, let them. I mean, at the end of the day, I personally think as an organization you have to have a policy, and that policy is where you’re going to stand on these random threats that you’re going to get. But I think it’s don’t be scared. Know what the law actually says is a good starting point. Know when you do and don’t actually have to go to a regulator. Because the situation that you’re talking about here, if there’s been a breach where individuals are placed at risk, you’d have to go and notify anyway. So I don’t kind of see the issue here. If you found a vulnerability, right, fix it, much the same as you would do in any cybersecurity situation.
[00:49:03] CSienko: Right.
[00:49:04] CSienko: And I agree with Ralph. I mean, that was well stated. And that’s applicable both under the EU GDPR and the UK GDPR. I think the question would be more applicable if you’re looking here in the United States. President Biden just recently signed an act that said, if you’re identified as a critical infrastructure, and you experience ransomware attacks, then again, you have within 72 hours to notify. And then also, it says that if you decide to make that payment, you also have to notify. So it comes down to, if you fall into those groupings, then the loss explicitly tells you how you’re supposed to respond to these ransomware attacks. But that’s not standardized across every jurisdiction. So it goes back to what Ralph said. Truly understand the nuances of the law before you make that business decision, so that you don’t find by yourself a non-compliance or misunderstanding of what the law is actually requiring you to do.
[00:50:09] JR: Yeah. I agree what the other folks said. And I would reject the premise of that blog. I mean, it’s making a number of faulty assumptions and laying faulty blame for things. It’s basically saying that because of the inaction of GDPR, it somehow justifies companies to break the law in order to conceal that they broke the law. It’s like someone who runs from the cop saying, “Well, I only ran from you because it’s illegal to speed. If it wasn’t illegal to speed, you wouldn’t have been trying to pull me over, and I wouldn’t have had to run from you.” We can take this analogy further.
So if a cybercrime happened, and if the company had a duty to report it as a data breach, as a lot of these ransomware czar, then they’ve got a duty to report it. So they can’t justify paying a ransom as if the cyber criminal is going to securely delete the ransom just because – Or securely delete the data just because they paid the ransom. The company would be compounding their earlier cybersecurity lapse by now violating a data breach reporting law.
Now, Uber did something similar. They were like, “Oh, we’re going to negotiate with the hackers.” Well, that didn’t go well for Uber. In fact, there CISO got charged criminally. So I reject the premise of that blog. We’ve got data protection and reporting laws for a reason. I’m not saying you can’t ever pay the ransom. They might decide to pay the ransom. But that doesn’t mean the data breach didn’t happen, and they don’t have to report it.
[00:51:55] CSienko: Okay. So we’re getting close to the end of the hour. So I’m going to jump one question and jump to the last one I have here, in particular, because it is a quote from one of our guests today. So Chris Stevens, I’m quoting this back at you. From our previous conversation on the CyberWork podcast, you said, “An adage says you can have security without privacy, but you can privacy without security.” We can define PII and talk about compliance all day. But at some point, you’ve got to apply those security and privacy controls. That’s where cyber security information security experts come in. If you understand privacy through the cybersecurity lens, doors open.
So can we talk about that amongst the group as kind of a wrap up here? I mean, yes, there are privacy laws. But how are they getting implemented in an org level? And how is this affecting security positions? And how is the responsibility shared among people/departments now? Is the top security pro, the CISO, own that risk? Or are privacy and security risks separate orgs for ownerships that work together? I know there’s a lot to unpack here. But I want to start with Chris because he’s the one being quoted. Yeah. Oh, sure. Please.
[00:53:05] RO: I’m going to jump in. I know it’s Chris’ quote. But I’m going to jump in here because I feel so absolutely about this. When I meet organizations, there’s two sorts of organizations that I meet. One organization is quite low in maturity. They look at privacy laws as some sort of external threat. And they come to me and they say, “Hey, Ralph, how do I make the pain go away?” Right? “What’s the minimum I’ve got to do to get over the red line?” Right? And they look at this as if it’s some hassle or some one-and-done project they’ve got to do to get rid of this risk. And then there’s the other end. And the other end are people who look at things as more of an opportunity, I would say. They don’t just want to sort of get rid of the GDPR, because it’s some sort of risk to their business. But then they look at the principles contained there within in privacy law and go, “Well, what does this law really saying?” IT’s saying make sure you get rid of data we no longer need. Make sure the data we’ve got is accurate. Make sure that we tell people what we’re doing. Make sure that we’ve got a good reason for holding it. Make sure we give people options. And then they start to look at these and go, “Actually, this isn’t a bad business. This isn’t something we’ve got to do because the law says it. This is something we can do to gain competitive advantage. This is something we can do to actually increase trust in what we do and to use data more effectively.”
I mean, what business out there wants to run with out of date, irrelevant, excessive, inaccurate data? It just doesn’t make any sense. So actually, none of these privacy laws are asking you to do anything that isn’t good business practice anyway. So what I’m seeing is a real evolution, a real evolution away from looking at privacy as some sort of legal compliance problem and looking is a path towards good data management in the future.
You look at companies like Apple, and their advertising at the moment. They’re not advertising on our cameras better than our competitors’ camera, or our processor is faster than our competitors’ processor. They’re advertising on apple.com/privacy. We’ll keep you safe. And they think that that’s what’s going to win them to customers.
[00:55:32] CSienko: Anything to add, Chris or John?
[00:55:36] CStevens: Well, I mean, you cited me publicly. And again, my statement –
[00:55:42] CSienko: Hyper rebuttal here.
[00:55:42] CStevens: No. I stand by my stance. Again, at the end of the day, I’m more operationally focused. Now we can translate external requirements, laws, rules, regulations into our own internal policies and procedures. But in today’s age, privacy creates a competitive advantage. How do you translate that at the organizational level, mission, business level, and information systems level that you’re now starting to engineer? You’re going to assess risk, security and privacy risks. You’re going to identify those inherent risk. But at some point in time, you’ve got to mitigate that risk especially in a privacy sense.
And so you’re going to look at those privacy controls and security controls. You have a number of great references out there, ISO/IEC 27001, that looks at a privacy information management system. You’ve got NIST, NIST Special Publication 8-53 points out for us in that catalog. What are those privacy controls? Those security controls are going to help us mitigate that risk to where it’s at a level that’s acceptable so we can make informed risk decisions. That’s a part of our responsibilities also as a privacy professional. That’s why I made the statement, Chris?
[00:57:02] CSienko: Absolutely. All right. John Bandler, last words here?
[00:57:07] JR: Yeah, I like Chris’s quote. I agree with what they said. And I’ll just say every organization is different. And they got a history, and people, and departments. And a lot of organizations, if they have certain maturity, they already had an information security department. Now we’ve got increasing privacy requirements. So kind of trying to fit that in into an existing – I don’t want to call it bureaucracy, but every person has different understandings of what terms mean. Every organization is different. But ideally, the organization has one comprehensive plan to manage all of their information assets. And that properly includes privacy and information security. And we’re integrating things comprehensively. Not putting up silos, and bureaucratic barriers, and turf wars.
[00:58:01] CSienko: Oh, all right. Well, thank you all for answering that. I think that’s a really good place to stop here. And so with that, we’ve answered all the questions from our audience. Thank you for those. And we’ve gotten through the slideshow. So with that, I would just like to say thank you to everyone at home or work listening to today’s episode of CyberWork Live. If you enjoyed today’s event, and you enjoyed our guests, I’ll point out that new episodes of the CyberWork podcast are available every Monday at 1pm Central, both on video, at our YouTube page, and on audio, wherever you get your podcasts from.
You can also check out our past guests, including the episode with Chris Stevens where he had this quote. It’s at infosecinstitute.com/podcasts. And we’ve also posted direct links to Chris’s episode and some other supplemental materials in the resources section of this presentation. So now, here is the moment that I think everyone is looking forward to.
Before we wrap up, I want to announce our winner of a free year of InfoSec skills. All three of today’s guests have learning paths on the InfoSec skills platform, as we said. And your monthly or yearly subscription includes unlimited access to all of their courses, plus 190+ other learning paths. We also have light boot camps for IAPP certification prep, and other popular certifications from CompTIA, ISACA, (ISC)², and more.
So today the winner of a free year of InfoSec skills is Elliott G. from Venari Security. Congratulations, Elliot. We will be sending out an email with instructions soon on how to get access for that.
Due to the overwhelming success of our first year of CyberWork live, we’ll be continuing the series once per quarter in 2022. Thank you to all of you who have signed up, asked questions, shared audio and video feeds with your colleagues and your teams. So our second episode of CyberWork Live this year is coming up in a few months, and it features returning CyberWork Live favorites, Jackie Olshack and Ginny Morton, who are here talking about project management. And they’re going to talk more about project management. The first episode, we talked about breaking in, and selling yourself, and learning the trade, and in this follow up.
The two will talk about their day to day work in project management, and even show off some examples of past projects. So if you’re at all interested in getting into project management, you absolutely can’t miss this one. Ginny and Jackie are really opening up their project files and showing the receipts. So as always, if you want to learn more about this event, and many others upcoming, go to infosecinstitute.com/events.
And lastly, thank you to all of our wonderful panelists today, Chris Stevens, John Bandler, Ralph O’Brien. And thank you all for attending this live episode and submitting more great questions than we even knew what to do with.
So before we go, does anyone want to give their social – Or their social security number? Boy, that would be an exciting end here. But do you want to tell folks where they can find you online?
[01:01:07] RO: I mean, you can have my social security number.
[01:01:11] CSienko: Okay. Thank you.
[01:01:14] RO: You can follow on LinkedIn, or email@example.com. But not spelled how you think. It’s R-E-I-N-B-O. It’s a nanogram of O’Brian. So R-E-I-N-B-O, reinboconsulting.com. Yeah, and be great to carry on the conversation and look forward to hopefully be training or speaking to you in the future.
[01:01:39] CSienko: All right. Where can they find you, Chris and John?
[01:01:44] CStevens: They can always contact me via LinkedIn. I enjoy interacting with people on LinkedIn. So they can find my public profile. You’ll see I hit that takes up the entire screen, and that’ll be me.
[01:01:58] JR: You can find me, my website is johnbandler.com. You can find me on LinkedIn. Find me on Twitter. I’m trying to boost my Twitter. It’s kind of weak. But find me online. And thanks for having us.
[01:02:12] CSienko: All right. We’re all going straightaway to John’s Twitter here. At the end of the presentation, a very quick survey will appear. If you’d like to think just a moment and share your thoughts, it’s really appreciated and will help us produce more great content in the future. So far CyberWork Live, I’m Chris Sienko. Thank you again to John, and Chris, and Ralph. And have a great day.