Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > Community > MacNN Lounge > Privacy and Data Protection as a Career

Privacy and Data Protection as a Career
Thread Tools
SSharon
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Status: Offline
Reply With Quote
Dec 22, 2014, 12:33 AM
 
I work as a consultant for a large consulting company doing privacy and data protection risk assessments. Given the recent data breaches and media attention to privacy matters, the industry is obviously growing.

I'm curious if anyone else here is in a similar line of work. If so, how did you get into the field? If not, have you considered it as a career? The people I work with tend to fall into one of two categories (legal or IT), but have surprisingly diverse backgrounds.

I ask both out of curiosity and because the company I work for is hiring so if you or someone you know is interested in privacy consulting ask questions here or send me a PM if you want to speak privately.

(Anyway, I hope this doesn't come off as too spammy, and yes I asked a mod before posting just in case.)
     
mindwaves
Professional Poster
Join Date: Sep 2000
Location: Irvine, CA
Status: Offline
Reply With Quote
Dec 22, 2014, 07:57 AM
 
It does seem to be a more needed industry. I'm not in the field myself, but with all of the recent hacks, phone interception (international and otherwise), and data mining companies (Google, Facebook), I am taking added measures to protect myself and my privacy and data.
{{{ mindwaves }}}
     
OreoCookie
Moderator
Join Date: May 2001
Location: Hilbert space
Status: Offline
Reply With Quote
Dec 22, 2014, 10:07 AM
 
Just in case: SSharon has cleared posting this with us (= the staff) beforehand.
I don't suffer from insanity, I enjoy every minute of it.
     
osiris
Addicted to MacNN
Join Date: Sep 2000
Location: Isle of Manhattan
Status: Offline
Reply With Quote
Dec 22, 2014, 10:07 AM
 
I am not in this field, but my only opinion is that privacy and data collection (and related) protection will be huge. Once the current generation realizes that they've given up their souls for a facebook account or whatever, it will become the largest growing field in the history of technology.

Once upon a time the issue of privacy was relatively simple - just don't give out your email address or phone number. Now if you sit in a Starbucks and use their wifi, some guy snooping the airwaves could ruin your day quite easily. Most home networks are horribly insecure. Most businesses too....

The recent Sony hack is a perfect example of upper management not believing the threats or listening to the very people they hired to protect them.... sounds dark but it's a new frontier. People are going to make a ton of money building proper fortifications for consumers and businesses alike.

And may the force be with you.
"Faster, faster! 'Till the thrill of speed overcomes the fear of death." - HST
     
SSharon  (op)
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Status: Offline
Reply With Quote
Dec 22, 2014, 10:25 AM
 
Originally Posted by mindwaves View Post
It does seem to be a more needed industry. I'm not in the field myself, but with all of the recent hacks, phone interception (international and otherwise), and data mining companies (Google, Facebook), I am taking added measures to protect myself and my privacy and data.

Where do you generally get your news and tips from? I get a fair amount of news from places like arstechnica and for technical background I've listened to the podcast Security Now since episode 1.

Originally Posted by osiris View Post
I am not in this field, but my only opinion is that privacy and data collection (and related) protection will be huge. Once the current generation realizes that they've given up their souls for a facebook account or whatever, it will become the largest growing field in the history of technology.

Once upon a time the issue of privacy was relatively simple - just don't give out your email address or phone number. Now if you sit in a Starbucks and use their wifi, some guy snooping the airwaves could ruin your day quite easily. Most home networks are horribly insecure. Most businesses too....

The recent Sony hack is a perfect example of upper management not believing the threats or listening to the very people they hired to protect them.... sounds dark but it's a new frontier. People are going to make a ton of money building proper fortifications for consumers and businesses alike.

And may the force be with you.
Count me as one of those people that sold my soul to Facebook since I was one of the first million users (only an impressive number if you think about how many there are today).

I have a slightly different take on personal data. I suspect that at some point in the not too distant future everyone will have an embarrassing picture online somewhere and so it won't be newsworthy as it is today. Right now employers, etc. might disqualify a candidate because of what they dig up online, but what happens when everyone has something to find online?

As for the Sony hack... breaches like that will always happen. No amount of educational videos will stop an executive from making foolish decisions regarding their personal electronic devices. Many are tech savvy and make the right decisions for the company, but personally are too busy to encrypt all their data and too overworked to spot the social engineering attack.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Dec 22, 2014, 10:38 AM
 
I haven't had a chance to check it out, but I hear good things about TechSNAP.
     
SSharon  (op)
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Status: Offline
Reply With Quote
Dec 22, 2014, 09:38 PM
 
Originally Posted by subego View Post
I haven't had a chance to check it out, but I hear good things about TechSNAP.
Thanks for the suggestion!
I listened/watched to half an episode today and it wasn't bad. Definitely more on the news side and less technical than security now though that could just be the random episode I selected.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Dec 22, 2014, 09:54 PM
 
I actually heard about TechSNAP from someone who was trashing Gibson.

As much as I like Steve, the criticisms kinda rang true.

Take his clinging to XP. I get that as a concept, but it's a poor choice if your desire is to maintain relevance as a security analyst.
     
SSharon  (op)
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Status: Offline
Reply With Quote
Dec 22, 2014, 10:05 PM
 
Originally Posted by subego View Post
I actually heard about TechSNAP from someone who was trashing Gibson.

As much as I like Steve, the criticisms kinda rang true.

Take his clinging to XP. I get that as a concept, but it's a poor choice if your desire is to maintain relevance as a security analyst.
At this point I think I've been listening for so long that I'm accustomed to his quirks. I'm not sure when you heard the criticism, but he has certainly changed quite a bit from the first episodes. While not an early adopter, I think he is much less rigid than he used to be. I think he's even on Windows 7 now. For some things, bitcoin being a great example, he was way ahead of the curve and had an episode explaining how it works months before I saw bitcoin mentioned in the mainstream media.

I also enjoy the episodes about fundamental technologies and how they work that don't rely on someone using the latest and greatest OS or hardware.

Anyway, I'm not defending him since I can see why some people might not like him, but for anyone that has never listened to security now as long as you know what you're in for (a bit too much off topic discussion of books, movies, TV shows, vitamin D, and the like) it is worth trying out.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Dec 22, 2014, 10:36 PM
 
That's the odd thing. I like him, so I like what should really be named "The Steve Gibson Show", but from a practical standpoint, you're getting quirky old fart security.

Sometimes he's way ahead of the curve. You mentioned Bitcoin. I thought his early analysis of Stuxnet was fantastic. Squirrel? All I could say was, "holy shit".

Likewise, if it's an old fart subject, like the underpinnings of TCP/IP, Steve's your guy.

On the other hand, sometimes he'll come to a "great revelation" and it will be something I realized on my own, 15 years ago.

I'm not even a security person.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Dec 23, 2014, 09:17 AM
 
As a thought, I'd feel much more comfortable working security on offense.

Defense seems like it's just going to be a tougher and tougher row to hoe.
     
SSharon  (op)
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Status: Offline
Reply With Quote
Dec 25, 2014, 10:56 AM
 
Originally Posted by subego View Post
As a thought, I'd feel much more comfortable working security on offense.

Defense seems like it's just going to be a tougher and tougher row to hoe.
At least in the US, the laws are pretty clear about offensive white hat hacking. Kind of a shame if you ask me.

The job I have isn't really offensive or defensive though. Many privacy risk assessments are performed proactively and not just reactionary like after a data breach.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
     
mattyb
Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Status: Offline
Reply With Quote
Dec 25, 2014, 12:36 PM
 
Subscribe to Schneier's Crypto-gram newsletter for privacy, data protection, IT security info. https://www.schneier.com/crypto-gram.html

Read his books, but start with Secrets and Lies. I would only recommend Applied Cryptography (I didn't get all the way through it) if the highly technical stuff interests you.
     
Chongo
Addicted to MacNN
Join Date: Aug 2007
Location: Phoenix, Arizona
Status: Offline
Reply With Quote
Dec 25, 2014, 02:00 PM
 
Does the Cyber industry follow Vegas' lead. The casinos tend to hire those that manage to figure out ways to cheat.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Dec 25, 2014, 06:26 PM
 
Originally Posted by SSharon View Post
At least in the US, the laws are pretty clear about offensive white hat hacking. Kind of a shame if you ask me.

The job I have isn't really offensive or defensive though. Many privacy risk assessments are performed proactively and not just reactionary like after a data breach.
I'll admit, I'm ignorant.

You can't run a pen test on a network you've been hired to pen test?
     
SSharon  (op)
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Status: Offline
Reply With Quote
Dec 25, 2014, 09:14 PM
 
Originally Posted by subego View Post
I'll admit, I'm ignorant.

You can't run a pen test on a network you've been hired to pen test?
I read the statement about offensive security more broadly and literally. For example, why don't we use a virus to inform users with hacked computers that they have been hacked and are part of a botnet. Depending on how you look at it, even that isn't really offensive since it isn't offensive against the bad guys the same way a pen test isn't offensive against the bad guys either.

In any event, I'm not the expert on security.

Chongo, most of the evaluations, assessments, and audits that I've done are based on published frameworks and guidelines by industry organizations. In other words, it isn't a free for all where I just go knocking on doors. The scope of the projects are well defined, oftentimes specifying exactly which people I'll be interviewing. Depending on the nature of the project sometimes we rely on the answers we're given and sometimes we ask for verification and do spot checks to confirm.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Dec 26, 2014, 01:25 AM
 
Originally Posted by SSharon View Post
I read the statement about offensive security more broadly and literally. For example, why don't we use a virus to inform users with hacked computers that they have been hacked and are part of a botnet. Depending on how you look at it, even that isn't really offensive since it isn't offensive against the bad guys the same way a pen test isn't offensive against the bad guys either.
You are absolutely correct. Offense is probably a misnomer for what I'm talking about.
     
mattyb
Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Status: Offline
Reply With Quote
Dec 26, 2014, 12:14 PM
 
Pen test <> risk assessment

In my experience, pen tests are done by technical people, risk assessments are done by procedure/standards/process type people.

Also (IMHO), Business Impact Analyses are FAR more important than risk assessments, but afaik, are much more difficult to quantify generically. The methodology is easy, its the cost to the business that isn't.

BIAs that I've done in the past have always shocked management in terms of the most important applications being used within the business : the application that manages the airconditioning for a data centre, the application that manages doors and gates for a group which has factories around the world.

P.S. I'd get back into IT Security stuff, in a heartbeat, but I doubt that your company would move me and my family from France to NJ.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Online
Reply With Quote
Dec 27, 2014, 09:30 AM
 
Originally Posted by mattyb View Post
Pen test <> risk assessment

In my experience, pen tests are done by technical people, risk assessments are done by procedure/standards/process type people.
Also correct. I was thinking the technical side for both "offense" and defense. I'm a technical kinda guy. Go figure.

My comment doesn't apply as much to the analysis side, so my random musing isn't ultimately that helpful.
     
SSharon  (op)
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Status: Offline
Reply With Quote
Dec 28, 2014, 03:46 PM
 
Originally Posted by mattyb View Post
P.S. I'd get back into IT Security stuff, in a heartbeat, but I doubt that your company would move me and my family from France to NJ.
It's a big 4 consulting company so it isn't out of the question for them to pay moving expenses.... The group I work for is considered a national practice and since the consultants travel to the client sites they don't really care where in the US you choose to live (as long as it's close to an airport!). I know there are people in Europe, particularly in Belgium, doing similar work so let me know if you want to chat.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 05:30 PM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,