50 Shades of the Privacy Profession
Note: This is a piece I wrote for the International Association of Privacy Professionals Privacy Tech blog.
I was asked the other day by a reporter to define “privacy professional.” I provided some over-long response describing how those within an organization who touch personal data—regardless of their title—are considered privacy professionals. There is nothing incorrect about that answer but it’s so broad, so abstract and can be applied to so many roles that it’s essentially a useless response for anyone looking for guidance.
I could have described a professional that interprets legal and regulatory language, possesses strong communications skills, provides risk analysis and strategic direction as well as manages cross-function teams—the types of skills often required by a Chief Privacy Officer (CPO). However, while that certainly describes the skills possessed by the prototypical CPO, it excludes many individuals in positions I would also consider privacy professionals—specifically a wide variety of technologists, engineers and information security professionals.
The primary driver behind the phenomenal growth of the privacy profession over the past decade resides in the fact that organizations are finding increasing value in personal information as advances in technology uncover new ways to collect and process data. And while the aforementioned skills of a CPO certainly facilitate the functions where organizations can safely extract the most value from the data they collect, it is technology that’s enabling this environment to become more complex. Consequently, technical skills are emerging as critical components of a privacy professional as well. These skills include software engineering, systems administration and information security—each a unique discipline in its own right.
The reality is that no single person can now possess all of the skills required to manage privacy for an organization. Rather, what we are seeing emerge as a result is an increasing variety of privacy professionals (or “shades” of privacy professionals as I unapologetically added to the title for its click-bait effect). As a technologist myself, I’m familiar with this evolution. This is precisely what has happened within the information technology profession. As technology becomes more complex the jobs necessarily become more specialized and new facets of disciplines emerge.
At this moment in time the privacy profession itself is becoming faceted.
Who is today’s model privacy professional? It could be someone like Jim Byrne with a legal and business background as well as a long and distinguished military career now serving as the chief privacy officer for Lockheed Martin. It could be someone like Ashkan Soltani, a writer and researcher who is currently serving as the chief technologist for the Federal Trade Commission. It could be Moxie Marlinspike, a well-known software developer and privacy advocate working on Open Whisper Systems, or Bruce Schneier, one of the world’s leading cryptographers and information security experts.
Each of these individuals is at the top of their profession and all are privacy professionals, but their careers and skillsets are vastly different from one another. The origins of the privacy profession as primarily a legal and compliance discipline have clearly changed, and while the arm of privacy professionals who are legal and compliance experts continues to grow and mature, technologists, as relative newcomers to the profession, play an incredibly important role in ensuring organizations are properly protected against privacy risks as well.
For further evidence of this trend, look at the explosion of products and services emerging to assist technology professionals with their privacy responsibilities. There are privacy products aimed at information security and technology professionals from the major players like IBM and Hewlett-Packard and from mid-size organizations like AvePoint and Informatica, and we see countless startups, such as Resilient Systems, flush with venture capital funding rushing to this market opportunity.
In addition, standards bodies and regulatory authorities around the world are adding technical controls and requirements to their work. NIST added privacy controls to their 800-53 security standard, ISACA just announced the addition of privacy controls to the COBIT framework, and ISO offers a variety of technical and security standards that include privacy considerations. All of these efforts are primarily aimed at the information technology and security communities.
It’s an exciting time to be working in privacy. The rapid acceleration of technological innovation is enhancing the value of personal information and that is resulting in an explosion of opportunities for the privacy profession. These opportunities continue to expand for those in the well-established legal and compliance privacy roles but are also blossoming into a variety (or shades) of opportunity for technologists of all stripes.