Growing up with a deep passion for sharks that left her wanting to “spend all day everyday with them,” Melanie Ensign pursued a college degree in marine biology. About halfway through the program, Ensign realized she was not particularly excited by jobs in the field, so she changed course, a decision that ultimately led her to cybersecurity and privacy.

“If you were to ask me, was it a waste of time for me to study marine biology if this is where I was going to end up? Absolutely not,” said Ensign, Founder & CEO of Discernible, which helps organizations adopt communications strategies to improve security and privacy outcomes. “I learned how to talk to people effectively about things that scare them and things they don’t understand. That is literally what my company does today.”

With a growing presence before company leaders and the public, particularly amid the COVID-19 pandemic, and with data protection legislation in place and emerging around the world, the privacy field is maturing to new heights while facing expanding challenges.

For TRU Staffing Partners Founder and CEO Jared Coseglia, these trends have created the "highest demand for privacy professionals” he has ever seen.

‘Massive musical chairs’

When the pandemic hit, Coseglia said it “retrograded the market and put us in a state of recalibrating leadership from the top down.” He called it “a massive musical chairs” of “COVID-reactionary job movement” with an “enormous increase in smaller companies investing in leadership for privacy as it became a focal point during the pandemic.”

Hiring of mid-market professionals has seen steep growth, he said, for instance regional program managers with five to 10 years of experience, particularly in the areas of health and technology privacy. The challenge and opportunity, he said, is the need for professionals “capable of doing specific things in the privacy program model” for programs to operate, mature and grow.

“That’s where we need more people. Not because that’s where the jobs are today, but because that’s where the jobs will be in the next six months,” he said. “For that middle market, there’s going to be an explosion of program managers, privacy analysts. In that lower to middle end of the marketplace there’s just going to be so much opportunity, and particularly household name brands that we know, that we’re wearing or are eating or whatever, and there’s some excitement in brands we’ve come to love as humans or as Americans. Now you’ll have the opportunity as privacy professionals to go and make an impact at those organizations. We’re seeing a lot of that right now.”

Additionally, a lack of U.S. privacy legislation points to increased state legislation, which Coseglia said is “not great news for organizations, but it’s great news for privacy professionals.”

“The complexity, level of organization, the diversification of skill sets needed to stay organized and manage the complexity of the regulatory environment over the next four to eight years is going to be a boon of opportunity,” he said.

Privacy gets ‘more cross-functional’

Ensign said identifying skills from other disciplines and experiences is something those seeking a privacy career should consider, and something employers should embrace in recruiting privacy talent. The privacy field today, she said, presents an opportunity to adjust hiring perspectives, think more creatively and strategically about staffing teams around the work that needs to get done, and recruit individuals from diverse cultures and backgrounds, with varying experiences and viewpoints to address privacy challenges.

As the privacy field continues to grow and mature, Ensign said it becomes “a lot more cross-functional” and while interpreting laws and how they apply to an organization is the first step, companies need more than just attorneys. Skills are needed in program and product management, engineering and more, to move a project from start to completion, and to oversee ongoing maintenance, as well, she said.

Forrester Research Principal Analyst, Security and Risk Enza Iannopollo, CIPP/E, agreed, saying privacy today is a “multifunctional discipline.”

“People who want to grow in this field, generally, I think need to curate their expertise to be able to become that multifunctional expert and develop technical skills, on data specifically,” she said.

Instead of looking for candidates who have done a certain job before, or who have set experience requirements in a particular area, Ensign said candidates with relevant experience can “breathe new life” into a program.

“You’ll actually get a better candidate with that mindset because you’ll get people who are a lot more excited, people who are looking for growth and learning experience,” she said. “You’re just not going to find people with a decade of experience implementing (the EU General Data Protection Regulation). That’s an impossibility. What you need is somebody who can demonstrate the types of skills you need to accomplish these objectives, and those people can come from anywhere.” 

Iannopollo said she worries privacy could suffer from entry-level positions requiring five or more years of experience and a range of specific qualifications.

“This is something we see all the time in cybersecurity for example, where entry-level positions that have requirements that really are unreasonable to ask,” she said. “We are skewering opportunities and that would be a loss for everybody.”

‘A dynamic, multi-disciplinary field’

Last spring, the U.S. National Institute of Standards and Technology created its Privacy Workforce Public Working Group to create materials to help organizations develop a workforce capable of managing privacy risk.

“Privacy is a dynamic and multi-disciplinary field, requiring broad knowledge and skills that range from compliance to IT to communications. In that sense, it extends beyond traditional notions of a ‘privacy workforce,’” NIST Privacy Policy Advisor Dylan Gilbert said.

The working group is made up of 600 members from the private and public sector, academia and civil society. Two active project teams are working to identify and document tasks, knowledge and skills associated with privacy risk assessments, data inventory and mapping, while aligning with the NIST Privacy Framework categories, Gilbert said. The groups are also identifying tasks, knowledge and skills that capture the collaboration and communication necessary to achieve privacy risk management outcomes and activities. Work of a third project team will be forthcoming, focusing on privacy policies, processes and procedures, Gilbert said.

“This gets back to the idea of a workforce capable of managing privacy risk and the interdisciplinary nature of a privacy workforce,” he said. “We think this information will be very helpful for both job seekers and privacy programs.”

Ensign, a co-chair of the working group, said the “huge” demand for non-legal expertise has been a key theme emerging from work thus far.

“Of course, lawyers are a critical part of any privacy program, but the majority of privacy work that needs to be done inside an organization happens after a legal analysis has been made by counsel and doesn’t require a legal background,” she said. “This means organizations shouldn’t limit their talent search to lawyers. There are a lot of transferrable skills from other disciplines that can complement lawyers on the team.”

Iannopollo said the value of privacy extends beyond the legal side, where there’s a focus on enforcement and steering clear of regulatory fines, and she challenges those in the field to tell a different story which will benefit job seekers, employers, and the privacy field.

“We need to be able, as privacy professionals, to actually tell a story to our executives, to our board, the market, which is not only about how many data breaches or how many incidents or how many data subject requests you dealt with this month. It’s about value, customer retention, loyalty, trust, redemption, innovation within the organization,” she said. “We need to improve the way we talk about the value of our program and our work. We need to be able to also then use the work of privacy to show how we can make a difference in how businesses perform and operate while having strong ethical and privacy practices.”

Photo by Eric Prouzet on Unsplash