It’s a very different world that we’re living in from the one in which we published the NIST Privacy Framework this past January. These changes have demonstrated that the need for effective privacy programs that can adapt to new risks has never been more important.
A skilled workforce is a key pillar of an effective privacy program. As the framework roadmap stated, “Further development of a knowledgeable and skilled privacy workforce (to include privacy practitioners and other personnel whose duties require an understanding of privacy risks) is necessary to support organizations in better protecting individuals’ privacy while optimizing beneficial uses of data.” Unfortunately, we’ve heard consistently that recruitment and development is a challenge. Now is the time to make headway on this challenge by creating a workforce taxonomy aligned with the Privacy Framework.
Maybe we should first ask: what is a privacy workforce? Personnel in all parts of the organization such as IT, cybersecurity, legal, product development, human resources, and marketing may not consider themselves to be “privacy professionals,” but can still have a role to play in managing privacy risk. Perhaps then we should not talk about a privacy workforce so much as a workforce capable of managing privacy risk. If that’s the case, we believe that developing a taxonomy that is aligned with the Privacy Framework will enable us to categorize and describe a workforce capable of managing privacy risk, and in turn, help organizations to better achieve their desired privacy objectives. In addition, it could support recruitment with more consistent position descriptions and inform the education and training of professionals to produce a more skilled and knowledgeable workforce.
We’re coordinating with our National Initiative for Cybersecurity Education colleagues so that this effort will align with the new, streamlined structure of the Workforce Framework for Cybersecurity, introduced in July 2020 as Draft NIST Special Publication 800-181, Revision 1. Since NIST’s approach to privacy and cybersecurity is to recognize their independence as disciplines as well as their overlap, the end result of both initiatives is intended to be listings of tasks, knowledge, and skills and examples of organizing them into work roles and competencies that organizations can use in a modular fashion to address their workforce needs for privacy and cybersecurity.
Building these modular resources will be as “easy” as it is for a privacy professional to answer the proverbial question, “So what is it that you do?” We need your help to understand the many nuanced aspects of your work, operational insights, and workforce challenges. To start, please attend the virtual workshop Help Wanted: Growing a Workforce for Managing Privacy Risk that the International Association of Privacy Professionals (IAPP) will host on September 22-24, 2020. This workshop is free, open to the public, and designed to fit into your busy schedules and maximize the opportunity for participation from around the world. We’ll be facilitating working sessions where you can share your feedback and ideas about what you think is needed to achieve the Privacy Framework’s outcomes and activities. The working sessions will have limited capacity, so don’t wait to register.
Following the workshop, we will take your feedback and use it to inform the development of a draft taxonomy that can include sets of roles, tasks, knowledge, and skills that we will share with you for your input. We see this process unfolding over the next several months, with the goal of releasing these resources in 2021.
With that, we’re hanging up a virtual “help wanted” sign: we need input from a wide range of roles (e.g., technical, business, policy, legal). If you want the job, here are your first tasks:
We hope to “see” you on September 22, but if not, there will be more opportunities to collaborate with us in the coming months to support the growth of a workforce better able to produce systems, products, and services that provide equitable benefits while minimizing the risks to our privacy.
I shall apply🙋♀️
Looking forward to learning
I have recently seen the request from NIST to support the “Growing a Workforce for Managing Privacy Risk”. This is a great initiative bring together the backing of your two organisations to address part of the risk puzzle. So many organisations I work with are confused over the boundaries, functions and responsibilities that link these two business critical risk domains; Security and Privacy, even before addressing the link to ERM.
Many organisation I work with feel they have been protected having taken legal advice on privacy and DP, yet when we (as Security SMEs) review threat and vulnerability scenarios we find core failures to address some of the most basic CIA risk controls needed to keep critical client data secure! The Security and Privacy domains need to work together hand in hand, and a functional RACI needs to be crystal clear to support both clients and practitioners.
Given my role in client advisory on the Cyber and IS side of this conversation (I dont mean technical) I would be very interested in participating in this activity as the confusion between these two critical domains has needed ironing out and aligning for some time. It is a little unclear if this exercise is focused on just DP professionals or both DP and IS&C professionals, and if its going to be a US focused discussion, or a more macro ERM to global Privacy discussion.
Please could you let me know your thoughts.
Thank you for your comment. The workforce workshop is open to both data protection and information security/cybersecurity professionals, and we hope that you’ll participate and share your insights on the importance of collaboration between privacy and cybersecurity teams.
Regarding your question about geographic scope, the taxonomy will be developed to align with the NIST Privacy Framework, which is designed to be an enterprise risk management tool usable by any organization around the world. With that goal in mind, we encourage broad participation. We look forward to virtually meeting you next week.
The NIST Privacy Engineering Team
No comment, but I would be happy to be aboard.