In this Volunteer Spotlight, The Privacy Advisor caught up with Heather Sussman, CIPP/US, co-lead of Orrick’s Cyber & Privacy advisory practice in the firm’s new Boston office. As a frequent participant in the IAPP’s Privacy List Live web conference, speaker at IAPP conferences, former chair of the Boston KnowledgeNet chapter, and past member of the IAPP’s education advisory board, Sussman is no stranger to contributing in the privacy community. Her advice to other privacy pros? Take chances, and reach out. She said, “They say it takes a village to raise a family, but I feel like it also takes a village to raise a privacy program.”
The Privacy Advisor: Do you see common vulnerabilities that exist across clients?
Sussman: Vulnerability is such a loaded word. I see common challenges — time, resources and making the case for privacy and security. I’ve seen a shift on that front over the last five years where companies are viewing privacy and cybersecurity beyond a regulatory or compliance requirement. Instead, they are more willing to view good data practices as part of their corporate philosophy, and part of the value proposition and exchange with customers. That’s helping for more professionals, who do what I do: Make the case for privacy and security.
The Privacy Advisor: What kinds of problems do you help clients face?
Sussman: Working with larger, more mature companies is helping to address some of the more complex issues. When you’re working with these companies, you’re often working with sophisticated individuals who are coming to you for help with issues that either fall outside their specific area of expertise or are too complex to manage internally. We get a lot of, “you’re not going to believe this one” from clients. I equally like that side of the practice because that can be the real intellectual challenge.
You have to take in the politics of the organization you’re working with, too. It's important to understand the culture, how the privacy office fits into the overall compliance office and then connects in with the security office. Pulling together those stakeholders, building consensus and driving change in an organization is another aspect of my job I really like. I love working with many different clients, types of technology, seeing the broad range across the market, dealing with a lot of complex issues and having the big team. For me, I really love the dynamic aspect of my job where I'm constantly taking on new challenges. It’s just a lot of fun.
The Privacy Advisor: What advice do you have for organizations as they look to build privacy programs that adapt to the varied privacy legislation cropping up globally?
Sussman: Every client is going to be different. You’ve got to focus on data governance, mapping and understanding your data flows, focusing on putting control in the hands of the user, focusing on security and hiring the right people and partners.
People often try to stay away from triggering one particular regulation — like the EU General Data Protection Regulation or Health Insurance Portability and Accountability Act — but that can be so limiting in terms of expansion and growth; I think that with the right strategy in mind, there are common principles across all these frameworks and no geography or industry should be off limits if there's a strong business case for taking it on. If you're developing a privacy program, it's not nearly as difficult or as expensive to develop a privacy and security framework right from the beginning. It will take a lot more to correct it down the road. In that context, I have yet to find cost or lack of interest to be a prohibitive factor that prevents us from being able to put in place the right program or set of controls when getting in with companies early in their maturity stage. When you can show the business case and the scalability, there’s energy in the room. It makes its own case.
The Privacy Advisor: You recently joined a new firm — what considerations went into the move, and what's it like now that you’re on the other side of the decision?
Sussman: We wanted to stay together as a team and had the good fortune to have a lot of opportunities when we looked to the market. In our view, Orrick was head and shoulders above the other opportunities for a lot of reasons. They had a strong existing team of practitioners and combining forces has made us one of the strongest, deepest benches in the business. It’s an incredibly innovative firm with a strategic focus on technology. The culture of this firm blows my mind. In terms of associate satisfaction, gender equity, work/life balance — it keeps scoring off the charts. Our combined team at Orrick is over 60 percent diverse in terms of gender, racial and ethnic diversity. We really think that makes us valuable to those who want to include diversity and incorporate a diverse opinion. We feel very strongly about the team component and think that we give better advice and handle complex security incidents better when we’re working like a well-oiled machine.
The Privacy Advisor: Any advice for privacy pros looking to strategically position themselves for the future?
Sussman: Go for it. Many doors open and opportunities present themselves. Never be afraid to step through that door and make a change. I'd also say this: Master the art of networking — look at every meeting, conference and event as an opportunity to grow and connect. Walk up to someone, and introduce yourself. Handing them your business card, asking them about their practice and what keeps them up at night, and developing those relationships in our business is key. I love connecting people with others I think could benefit them in terms of relationship building or bringing some other value add. Building a sense of community in the privacy field is so important. We operate in a very complex, evolving area, and there’s never going to be a perfect answer for anything we do. They say it takes a village to raise a family, but I feel like it also takes a village to raise a privacy program. Being able to have contacts, friends and colleagues whom you can bounce thoughts off of helps to make our practice and profession better.