
Spotlight: Carolyn Schmidt Looks Inward to Protect NIST Privacy

Headshot of Carolyn Schmidt with bookshelf in background.
Credit: C. Schmidt/NIST

If an attacker obtains a bit of key information about one employee and exploits it to get access, an organization’s entire computer network can become vulnerable. How does a large organization protect sensitive electronic information while still using it for legitimate daily tasks? Ask Carolyn Schmidt, who for years has been one of NIST’s chief privacy guardians. 

Carolyn didn’t come to NIST to become a cybersecurity expert; she started at NIST as a high-school student. She quickly grasped computing, and as her managers recognized her talents, they encouraged her to earn an undergraduate degree in information systems management and move on to a professional track. Two master’s degrees later, she is now a leader with over three decades of experience in the fields of information technology, cybersecurity, and — more recently — privacy.

Unlike many specialists at NIST with her background, Carolyn does not spend her days working to develop standards. Instead, she applies her expertise to ensuring that information about NIST’s thousands of employees and associates is safeguarded. In practice, this means the details that could be used to identify employees only get used for legitimate purposes, and only by those who have a need to use them. In computer-speak, these details are called personally identifiable information (PII) — something that is perpetually coveted by hackers. In the fight against them, she’s where the proverbial rubber meets the road. 

Carolyn works with NIST’s chief privacy officer to make sure PII is used appropriately and protected accordingly. It’s a bit like keeping a dike from springing leaks. As computers and handheld devices are increasingly linked by networks and wireless connections, the risk increases too. Anyone can overuse information or make a mistake that could lead to an intrusion, so she spends a lot of time creating an awareness of cybersecurity and privacy threats and risks — think about those pesky emails from unfamiliar addresses that ask you to open or click on something — and how to report incidents so the agency can keep its defenses up to snuff. 

Working to protect privacy at an agency that is actively engaged in developing privacy standards is a bit of a two-edged sword. There’s certainly some pressure to implement new guidance quickly, and operational teams often serve as an informal testing ground for newly inked draft standards. On the other hand, having access to the high-level expertise of NIST’s broad group of privacy researchers means getting ahead of the curve in implementing new guidance. It’s a largely informal relationship that helps both sides. 

A lot has changed since Carolyn started working with NIST — she remembers the days when NIST had only a couple of large mainframe computers, and a user had to go to a special room with terminals to access them. Computing has since become far more distributed, with data mirrored across multiple platforms, so managing risk has grown dramatically in importance, and Carolyn intends to stay diligent in helping NIST understand and manage these risks.


Released October 20, 2021, Updated November 16, 2021