[00:00:05] Chris Sienko: Welcome to the Infosec career video series. This series of short videos provides a brief look at cybersecurity careers and the experience needed to get started. Today I'm going to talk to Infosec Skills author Chris Stevens about the role of the privacy manager. So let's get into that. Welcome, Chris.
[00:00:22] Chris Stevens: Hey, Chris. It's nice to see you again. I enjoy these discussions. I'm passionate about privacy and cybersecurity. I enjoy participating in your podcast.
[00:00:33] CSienko: Absolutely. You were the first person I wanted to contact on this subject. Let's start with the basics, Chris. What does a data protection officer do? What are the day-to-day responsibilities of a role like Data Protection Officer?
[00:00:44] CStevens: Well, it varies from organization to organization. But if we were to set these baseline values just to really understand the needs of the data protection officer or data protection officer, translate the external requirements into policy procedures and standards, and oversee the employees.
I wrote an article for IAPP back in 2014 advocating a career path for privacy professionals. I've been thinking about this for a while. To engage entry-level privacy professionals. Familiarize them with some of the policy requirements. Teach them how to conduct PIAs. How to conduct risk assessments. And as they grow in the profession, start looking at them from a managerial perspective as well.
You have done a great job. I think one of my colleagues from another podcast, it was either Ralph or John, they teach a version of the Certified Information Privacy Manager course. IAPP offers that. And it's a great course. It takes a fictional person to become the CPO, or data protection officer, of this giant global medical company. And it walks you through the challenges of not only building an effective privacy program, but how to maintain it.
I have always been a force of one. But I've also worked with other data protection professionals where the data controller had a lot to do, checking contracts. At a company that worked for federal agencies, the analysts themselves were asked to do things outside of their normal comfort zone.
I mean, that was the manager's responsibility when you're contracting, interpreting the client's needs, and then helping your junior privacy analysts or professionals adapt to these new requirements. In this case, it was risk management.
[00:02:54] CSienko: Okay. Now, here we are talking about the privacy manager. But of course this is not an entry-level position. Can you talk about some experiences and studies that someone would need to participate in to advance to privacy manager? Can you tell us something about the steps from data protection expert to manager?
[00:03:14] CStevens: Yes. In the career path I've outlined, I saw this maybe three to five years after you because there are so many different aspects of privacy. Big companies are able to distill that into these different buckets. However, if you are a smaller company, you may need an analyst to handle multiple tasks.
And so you get one of the quests. We always talk about the search. This gives you credibility as a data protection expert. Many of us start with one of the policy searches, whether it's a US or European Certified Privacy Professional. Learn the nuances of the law, these requirements. Learn how to write policies, procedures and standards. Understand how to become an effective communicator.
Because being a data protection expert was often like Sisyphus in Greek mythology. They roll big rocks up hills, and they roll down again.
[00:04:11] CSienko: Right back down. Yes.
[00:04:13] CStevens: So, three to five years to learn this risk management. How to conduct a data protection impact assessment? How to work with it – and during this time also reach over the mirror and acquire another industry cert. How you are doing a great job in preparing – how you prepared me for CISM over at Infosec.
And then after a while you look at the positions that require you to manage this process and your customers' needs - to be forward-thinking. Often you may not work as a core employee. You can be a contractor. And that requires a special nuance of how to support the organization.
I've had many friends who have worked in great organizations, many in the federal government, and some weren't particularly privacy conscious. You've looked at the Privacy Manager to understand what privacy is. It can be a difficult task, but it is an important task in all organizations. And they go by different titles too, Chris.
[00:05:15] CSienko: Right. Now for the qualifications on a resume and so on. We mentioned IAPP certifications as a measure of proven knowledge. Do most vacancies for a data protection officer also generally require a formal qualification? Or do you really get by with experience and certifications?
[00:05:39] CStevens: I think it's three tiered. You will gain experience. You will have the certificate. And then, if possible, you have an academic degree. But I think that instead of an academic degree, they will always go with experience and a certificate.
[00:06:17] CStevens: Chris, you are absolutely right. I am a vocational student. I have a PhD. I have a number of master's degrees, bachelor's degrees, you name it. And nobody cares. I have a Master's in Information Resource Management. But since I became a privacy professional, in interviews and then working with clients, not one person has asked me, "Hey, get your sheepskins out." They go straight to the cert and they go straight to experience.
[00:06:48] CSienko: Mm-hmm. They might take one look at the academic part and tick it off and say, "Okay, you got one." Yeah -
[00:06:54] CStevens: Yes, it's a balancing act where you have 50. But how are they going to translate what this privacy professor is going to do from – you know, Chris, that's one reason I had, at the Global Privacy Summit, Sunday and Monday, 126 students. Lawyers with advanced degrees. Others with advanced degrees. And yet they sat with me for hours trying to get that certificate because the certificate means something.
They did a great job of getting professionals to come in and create learning paths for you. I think you're great. I have taught for IAPP for many years. But I think that involving these practitioners – and that's what the Infosec Institute does so well in preparing for entry, intermediate and advanced positions. They really teach these courses from the practitioner's perspective. Teaching from this perspective shortens the learning curve for many of the individuals looking to grow in these industries. You are doing a great job on this.
[00:08:03] CSienko: Great. Many thanks. I appreciate that. Can you talk about hard or soft skills now? You mentioned communication and writing skills. Are there other things that a DPO needs to do their job well? Whether it's a technical ability or, like you said, a legal background, or what have you?
[00:08:20] CStevens: I'll tell you. Again, I had this said by attorneys in the course I just taught, the CIPP US. You do not necessarily have to be a lawyer to be successful in this professional field. I'm not a lawyer. I am a practitioner. But I have acquired depth and breadth in these various laws over the years.
So if you want to equate these hard skills, that's fine. It depends what you want to do. Like me, I'm eclectic. I don't mind writing guidelines. But I also want to help individuals shape the privacy up to their activities. Those are the hard skills.
I think one of the skills that privacy professionals need to have is that they need to be good communicators. You must be a good listener. You have to be proactive. Because often this customer does not even know what he wants as a data protection expert. And you have to be patient. And you shouldn't be thin-skinned. Keep in mind that many organizations consider value in dollars and cents. And it's kinda hard to equate that with privacy like I earned you another dollar or dime based on that tone of privacy. And that's why you need to find ways to establish that value proposition. You mustn't be afraid. You need to be able to find your peers in your organizations and constantly advocate for data protection. Those are the soft skills.
And once you establish that in good faith, it will take you far. You can't be the yes-no person either. Many individuals interpret the law literally, and it is not. And that's just going to put off that information security person, that risk owner, that business owner. You must find ways within the law and requirements to help them achieve the goals they are trying to achieve. Implement a new system.
Well, sometimes the law says, "Chris, you just can't do it." But until the law says, "You just can't do it," you have to find a way to help this business owner achieve those goals.
[00:10:29] CSienko: Right. Are there any common electronic or other tools used by DPOs for this purpose?
[00:10:36] CStevens: Yes, there are quite a few. I mean, I'm pretty partial to OneTrust. And this is how I use OneTrust. It depends on whether you are a risk manager whether there are a number of risk tools. They have methods like FAIR, the information risk factor analysis. There are a number of qualitative or quantitative risk techniques that you can use.
But if you want to talk about a data protection program, there are great tools like RSA Archer and some of them. But the one I champion the most is OneTrust, which can really help you build and maintain a privacy program.
[00:11:15] CSienko: Okay. Well, where do privacy managers typically work? Obviously, privacy is required everywhere. But what kind of job options are there from the point of view of management at companies, suppliers, consultants -
[00:11:29] CStevens: Well, we're out there as a Borg. We're like the Borg in Star Trek, the collective. The hive – the collective.
[00:11:34] CSienko: Okay. And. And, absolutely.
[00:11:36] CStevens: But no. They work. You have them in the federal government. Great agencies again like [garbled 00:11:42] Administration, Securities Exchange Commission. You will always have someone to oversee or assist the Data Protection Officer or Data Protection Officer in administering the program. You will often find us in contracting, consulting and recruitment. Once you get the job, bring in a privacy manager or privacy analyst. The privacy manager serves almost like the program managers in some cases. But he or she acts as an intermediary between the client and the team.
[00:12:15] CSienko: Now, can you talk about some of the other pivots that privacy managers could reach from here? What is the mobility like from this position? What are some common next steps for privacy managers?
[00:12:27] CStevens: Well, again, you can be a practitioner like me. You can work in an organization within several years. Become self-employed and carry out individual consultations.
For those who have a law degree, you will find yourself – Especially if you look at job postings, you will find yourself moving up the career path and becoming Director of Data Protection, Assistant Data Protection Officer, Data Protection Officer. And for the legal career - for myself I haven't been inspired - I mean, again, there are firms that will hire a non-lawyer for one of these senior positions based on his or her expertise.
For my track, I simply chose consulting again. It gives me the flexibility to move from short-term to long-term contracts and support an organization. Once I complete the contract, move on to another contract. Yes, I'm in a unique position, Chris. I retired from the military. I've retired from government. So I have that flexibility.
[00:13:30] CSienko: Yes. Yes, you saw it from all possible directions.
[00:13:32] CStevens: Right.
[00:13:33] CSienko: Well, for our listeners who are ready to get started and are inspired by this video, what can they do now to achieve their goal of becoming a professional privacy manager?
[00:13:41] CStevens: Get the certificates first. And what you can find is that it's not exclusive to the privacy field. You can be a cybersecurity expert. They may be an information security professional who already has management depending on how privacy aligns with these activities. And find out how to improve the certificate. And then, over time, not only to become an information security manager who has data protection responsibilities, but also to morph into something else – do a short stint as a data protection manager. But it starts with acquiring expertise and knowledge.
You will not spring from the head of Zeus like Athena and be a data protection officer. It just doesn't happen that way. You acquire the necessary skills and then, as in any professional field, prove them over a longer period of time. And when you've done that, you've positioned yourself for a leadership position.
[00:14:40] CSienko: I love it. Good. Well, hopefully our listeners are ready to get excited about privacy as a career. Chris Stevens, thank you for your time and insight today. Really appreciate it.
[00:14:50] CStevens: Chris, thanks. Let's keep beating the drum on cybersecurity, privacy and information security. You've seen the ads. 500,000 vacancies. Why? Because they don't listen to Pied Piper Chris Sienko trying to get them headed in the right direction. But it's always a pleasure, Chris. Many thanks.
[00:15:09] CSienko: We're just going to keep twirling this flute until everyone hears it. So for everyone who was listening in today, thank you very much for watching and listening. If you're interested in learning about other cybersecurity jobs, we also have others for you to check out. Please watch the rest of Infosec's career video series. And see you next time.