Working as a privacy manager

[00:00:05] Chris Sienko: Welcome to the Infosec Career Video Series. This set of short videos will provide a brief look inside cyber security careers and the experience needed to enter them. Today, I’ll be speaking with Infosec Skills author, Chris Stevens, about the role of privacy manager. So let's get into it. Welcome, Chris.

[00:00:22] Chris Stevens: Hey, Chris. It's good to see you again. I enjoy these discussions. I’m passionate about privacy, cyber security. I enjoy participating in your podcast.

[00:00:33] CSienko: Absolutely. You were my first person I wanted to contact on this topic. Let's start with the basics, Chris. What does a privacy manager do? What are the day-to-day tasks of a role like privacy manager?

[00:00:44] CStevens: Well, it varies by organization to organization. But if we were to baseline those just to really understand the needs of the director of privacy, or the data privacy officer, of the chief privacy officer, translating external requirements into policy procedures and standards, overseeing the staff.

I wrote an article for IPP back in 2014 that advocated for a career path for privacy professionals. I’ve been thinking about this for some time. To bring privacy professionals in at a entry level. Introduce them to some of the policy requirements. Teach them how to do PIAs. How to do risk assessments. And then as they grow in the profession, start having them also at a management perspective.

You've done a great job. I think one of my colleagues from another podcast, it was either Ralph or John, they teach a version of the Certified Information Privacy Managers course. IPP offers that. And it's a great course. It takes a fictional person that's become the CPO or director of privacy for this huge global medical company. And it walks you through the challenges of not only building an effective privacy program, but how do you sustain it?

I’ve always been a force of one. But I’ve also worked with other privacy professionals, where the person in charge had to do a number of things, review contracts. In one company, working for federal government agencies, the analysts themselves were being asked to do things outside of their normal comfort zone.

I mean, that was the manager's responsibility of if you're contracting, interpret the needs of the client, and then helping your junior privacy analysts or professionals growing to those new requirements. In this case, it was risk management.

[00:02:54] CSienko: Okay. Now, we're talking about privacy manager here. But obviously, that's not an entry-level position. Can you talk about some experiences and study that someone would need to engage in to move up to privacy manager level? Can you talk about like the steps from privacy professional to manager?

[00:03:14] CStevens: Yeah. In the career path I outlined, I saw that maybe three to five years down the road after you, because there's so many different aspects of privacy. Large companies are able to distill that into those disparate buckets. But if you're a smaller company, you might require that one analyst do a number of tasks.

And so you get one of the search. We're always talking about search. That gives credibility to you as a privacy professional. Many of us start out with one of the policy search, whether that's a certified information privacy professional for US or Europe. Learn the nuances of the law, those requirements. Learn how to write policies, procedures and standards. Understand how to become an effective communicator.

Because, oftentimes, being a privacy professional was like being Sisyphus in Greek mythology. You roll big rocks up hills, and they roll back down over.

[00:04:11] CSienko: Right back down. Yeah.

[00:04:13] CStevens: And so, three to five years learning that risk management. How to conduct a privacy impact assessment? How to work with – And during that time also, reaching across the transom and acquiring some other industry search. Like you do a great job in preparing – Like you prepared me for the CISM over at Infosec.

And then after a while, start looking at those positions that require you to manage that process and to manage – Being anticipatory and the needs of your clients. Lots of times, you may not be working as a core employee. You may be a contractor. And so that takes a special nuance of how to support the organization.

I’ve had a lot of friends that worked in great organizations, lots of that in the federal government, and some were not so focused on privacy. They were looking at the privacy manager to help them understand what privacy was. It can be a difficult job, but it's an important job in all organizations. And they go by different titles as well, Chris.

[00:05:15] CSienko: Right. Now, speaking in terms of qualifications on a resume and so forth. We mentioned IAPP certifications as a benchmark of demonstrated knowledge. Is a formal degree generally also required in most job listings for a privacy manager ? Or can you really get by on experience and certifications?

[00:05:39] CStevens: I think that it's three-tiered. You're going to have experience. You're going to have the cert. And then, if possible, you have some type of academic degree. But I think that in lieu of the academic degree, they'll always go with experience and the cert.

[00:05:53] CSienko: Yes. Yeah, I imagine at a certain point, the academic degree, it doesn't really matter what it's in. As long as you're sort of demonstrating your ability to sort of carry through an academic degree of study. Whether it's law, or psychology, or humanity, or whatever, I’m sure it all sort of hits at the same spot in terms of usefulness on the resume.

[00:06:17] CStevens: Chris, you're absolutely right. I’m a professional student. I’ve done doctoral work. I’ve got a number of master's degrees, bachelor degrees, you name it. And nobody cares. Ii do have a master's in information resource management. But since I’ve become a privacy professional, on interviews, and then working with clients, not one person has asked me, "Hey, break out your sheepskins." They go right to the search and they go right to the experience.

[00:06:48] CSienko: Mm-hmm. They might glance at the academic part and they sort of check it off and they're, "Okay, you got one." Yeah –

[00:06:54] CStevens: Yeah, it's a balancing act where you got 50. But how are they going to translate to what that privacy professor is going to do from – You know, Chris, this is a reason why I had, at the Global Privacy Summit, Sunday and Monday, 126 students. Attorneys that had advanced degrees. Others that had advanced degrees. And yet they were sitting with me for a period of hours trying to get this cert, because the cert means something.

You've done a great job of enticing professionals to come in and create learning paths for you. I think you're great. I’ve taught for IPP for many years. But I think that bringing in those practitioners – And that's what the Infosec Institute does so well, in preparing entry-level, intermediate and advanced individuals for positions. You really teach these courses from the practitioner's perspective. And so, teaching from that perspective really shortens the learning curve for many of those individuals that want to grow in those industries. You do a great job in that.

[00:08:03] CSienko: Great. Thank you very much. I appreciate that. Now, can you speak about hard or soft skills. You mentioned communication and writing ability. Are there other things that a privacy manager needs to do their job well? Whether it's a technical skill, or, like you said, a background in law, or what have you?

[00:08:20] CStevens: I’ll tell you. Again, I had attorneys say this at the course I just taught, the CIPP US. You don't necessarily have to be an attorney to be successful in this career field. I’m not an attorney. I’m a practitioner. But I’ve acquired depth and breadth in these different laws over the years.

And so, if you want to equate those, the hard skills, that's fine. It depends on what you want to do. Like me, I’m eclectic. I don't mind writing policies. But I also want to help individuals engineer privacy until their activities. Those are the hard skills.

I think that one of the skills that privacy professionals have to have, they have to be good communicators. They have to be good listeners. They have to be forward-thinking. Because, oftentimes, that client doesn't even know what they want as a privacy professional. And you have to be patient. And you can't be thin-skinned. Because, remember, lots of organizations look at value in terms of dollars and cents. And it's kind of hard to equate that from privacy of how I earned you another dollar or cent based on this tone of privacy. And so, you have to find ways to establish that value proposition. You can't have any fear. You have to be able to seek out your counterparts in your organizations and constantly being an advocate for privacy. Those are the soft skills.

And once you establish that bona fides, it'll take you far. You also can't be the yes-no person. A lot of privacy individuals interpret the law literally and so is no. And that's just going to turn off that information security person, that risk owner, that business owner. You have to find ways within the law, within the requirements, to help them achieve those goals that they're trying to achieve. Implement a new system.

Now, sometimes the law is going to say, "Chris, you just can't do it." But until the law says, "You just can't do it," you have to find a way to help that business owner achieve those goals.

[00:10:29] CSienko: Right. Now, to that end, are there any common tools, electronic or otherwise, that privacy managers use?

[00:10:36] CStevens: Yes, there are a number of those. I mean, I’m pretty partial to OneTrust. And so, I use OneTrust. It depends on, if you're a risk manager, there are a number of risk tools out there. You've got methodologies like FAIR, the factors analysis of information risk. There are a number of risk techniques, qualitative or quantitative, that you can use.

But if you want to talk about from a privacy program, there are great tools out there like RSA Archer and some of the ones. But the one that I advocate for mostly is OneTrust, that can help you really build and sustain a privacy program.

[00:11:15] CSienko: Gotcha. Now, where do privacy managers typically work? Obviously, privacy is needed everywhere. But from a managing standpoint, what type of job options are there at enterprises, vendors, consultants –

[00:11:29] CStevens: Well, we are out there as the Borg. We're like the Borg in Star Trek, the collective. The hive — the collective.

[00:11:34] CSienko: Okay. Yeah. Yeah, absolutely.

[00:11:36] CStevens: But, no. You find yourself working. You have them in the federal government. Again, great agencies like [inaudible 00:11:42] Administration, Securities Exchange Commission. They always have someone that oversees or assists the DPO, or director of privacy, in managing the program. You'll find us a lot in contracting, consulting, bringing on a staff. Once you're awarded the contract, bringing on a privacy manager or privacy analyst. The privacy manager serves almost like the program managers in some cases. But he or she serves as that intermediary between the client and the team.

[00:12:15] CSienko: Now, can you speak about some of the other sort of pivot points that privacy managers, where they might go from here? What's the mobility like from this position? What are some common next steps for privacy managers?

[00:12:27] CStevens: Well, again, you can be a practitioner like myself. You can work within an organization within several years. Branch out on your own and do singletary consulting.

For those that do have law degrees, then you'll find yourself – Especially when you look at vacancy announcements, you'll find yourself moving up the career path, becoming director of privacy, deputy chief privacy officer, chief privacy officer. And for the attorney track – For myself, I didn't inspire – I mean, again, there are firms that will hire a non-attorney as for one of those senior positions based on his or her expertise.

For my track, I just, again, chose to do consulting. It gives me the flexibility to move from short-term, long-term contracts, support an organization. Once I complete the contract, move on to another contract. Yeah, I’m in a unique position, Chris. I’m retired from the military. I'm retired from the government. So I have that flexibility.

[00:13:30] CSienko: Yeah. Yeah, you've seen it from all the different directions.

[00:13:32] CStevens: Right.

[00:13:33] CSienko: Now, for our listeners who are ready to get started and we're inspired by this video, what's something they can do right now that'll move them toward the goal of becoming a professional privacy manager?

[00:13:41] CStevens: First of all, get the certs. And what you can find is it's not exclusive to the privacy domain. You can be a cyber security expert. You can be an information security expert that already has management, depending on how privacy is aligned against those activities. And find yourself up-training the cert. And then over time, becoming not only an information security manager that has privacy responsibilities, but also transitioning other than become – Take a short stint as a privacy manager. But it starts with acquiring the expertise and knowledge.

You're not going to spring fully formed from Zeus's head like Athena and be a privacy manager. It just doesn't happen that way. You acquire the requisite skills and then demonstrate those over a period of time like in any career field. And then once you've done that, then you've postured yourself for a managerial position.

[00:14:40] CSienko: Love it. All right. Well, hopefully, our listeners are ready to get excited about privacy as a career. Chris Stevens, thank you very much for your time and insights today. Really appreciate it.

[00:14:50] CStevens: Chris, thank you. Let's keep getting the drum on cyber security on privacy and information security. You've seen the ads. 500,000 jobs unfilled. Why? Because they're not listening to the Pied Piper, Chris Sienko, trying to get them to walk in the right direction. But it's always a pleasure, Chris. Thank you.

[00:15:09] CSienko: We'll just keep tootling that flute until everyone hears it. So for all of you listening today, thank you for watching and listening. If you'd like to know more about other Cyber Security job roles, we have other ones that you can check out as well. Please check out the rest of Infosec's Career Video Series. And we'll see you next time.