Privacy and Data Protection as a Career
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
I work as a consultant for a large consulting company doing privacy and data protection risk assessments. Given the recent data breaches and media attention to privacy matters, the industry is obviously growing.
I'm curious if anyone else here is in a similar line of work. If so, how did you get into the field? If not, have you considered it as a career? The people I work with tend to fall into one of two categories (legal or IT), but have surprisingly diverse backgrounds.
I ask both out of curiosity and because the company I work for is hiring, so if you or someone you know is interested in privacy consulting, ask questions here or send me a PM if you want to speak privately.
(Anyway, I hope this doesn't come off as too spammy, and yes I asked a mod before posting just in case.)
Registered User
Join Date: Sep 2000
Location: Irvine, CA
It does seem to be a more needed industry. I'm not in the field myself, but with all of the recent hacks, phone interception (international and otherwise), and data mining companies (Google, Facebook), I am taking added measures to protect myself and my privacy and data.
Moderator
Join Date: May 2001
Location: Hilbert space
Just in case: SSharon has cleared posting this with us (= the staff) beforehand.
I don't suffer from insanity, I enjoy every minute of it.
Addicted to MacNN
Join Date: Sep 2000
Location: Isle of Manhattan
I am not in this field, but my only opinion is that privacy and data collection (and related) protection will be huge. Once the current generation realizes that they've given up their souls for a Facebook account or whatever, it will become the largest growing field in the history of technology.
Once upon a time the issue of privacy was relatively simple - just don't give out your email address or phone number. Now if you sit in a Starbucks and use their wifi, some guy snooping the airwaves could ruin your day quite easily. Most home networks are horribly insecure. Most businesses too....
The recent Sony hack is a perfect example of upper management not believing the threats or listening to the very people they hired to protect them.... sounds dark but it's a new frontier. People are going to make a ton of money building proper fortifications for consumers and businesses alike.
And may the force be with you.
"Faster, faster! 'Till the thrill of speed overcomes the fear of death." - HST
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Originally Posted by mindwaves
It does seem to be a more needed industry. I'm not in the field myself, but with all of the recent hacks, phone interception (international and otherwise), and data mining companies (Google, Facebook), I am taking added measures to protect myself and my privacy and data.
Where do you generally get your news and tips from? I get a fair amount of news from places like arstechnica and for technical background I've listened to the podcast Security Now since episode 1.
Originally Posted by osiris
I am not in this field, but my only opinion is that privacy and data collection (and related) protection will be huge. Once the current generation realizes that they've given up their souls for a Facebook account or whatever, it will become the largest growing field in the history of technology.
Once upon a time the issue of privacy was relatively simple - just don't give out your email address or phone number. Now if you sit in a Starbucks and use their wifi, some guy snooping the airwaves could ruin your day quite easily. Most home networks are horribly insecure. Most businesses too....
The recent Sony hack is a perfect example of upper management not believing the threats or listening to the very people they hired to protect them.... sounds dark but it's a new frontier. People are going to make a ton of money building proper fortifications for consumers and businesses alike.
And may the force be with you.
Count me as one of those people that sold my soul to Facebook since I was one of the first million users (only an impressive number if you think about how many there are today).
I have a slightly different take on personal data. I suspect that at some point in the not too distant future everyone will have an embarrassing picture online somewhere and so it won't be newsworthy as it is today. Right now employers, etc. might disqualify a candidate because of what they dig up online, but what happens when everyone has something to find online?
As for the Sony hack... breaches like that will always happen. No amount of educational videos will stop an executive from making foolish decisions regarding their personal electronic devices. Many are tech savvy and make the right decisions for the company, but personally are too busy to encrypt all their data and too overworked to spot the social engineering attack.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
I haven't had a chance to check it out, but I hear good things about TechSNAP.
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Originally Posted by subego
I haven't had a chance to check it out, but I hear good things about TechSNAP.
Thanks for the suggestion!
I listened to/watched half an episode today and it wasn't bad. Definitely more on the news side and less technical than Security Now, though that could just be the random episode I selected.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
I actually heard about TechSNAP from someone who was trashing Gibson.
As much as I like Steve, the criticisms kinda rang true.
Take his clinging to XP. I get that as a concept, but it's a poor choice if your desire is to maintain relevance as a security analyst.
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Originally Posted by subego
I actually heard about TechSNAP from someone who was trashing Gibson.
As much as I like Steve, the criticisms kinda rang true.
Take his clinging to XP. I get that as a concept, but it's a poor choice if your desire is to maintain relevance as a security analyst.
At this point I think I've been listening for so long that I'm accustomed to his quirks. I'm not sure when you heard the criticism, but he has certainly changed quite a bit from the first episodes. While not an early adopter, I think he is much less rigid than he used to be. I think he's even on Windows 7 now. For some things, Bitcoin being a great example, he was way ahead of the curve and had an episode explaining how it works months before I saw Bitcoin mentioned in the mainstream media.
I also enjoy the episodes about fundamental technologies and how they work that don't rely on someone using the latest and greatest OS or hardware.
Anyway, I'm not defending him, since I can see why some people might not like him, but for anyone that has never listened to Security Now, as long as you know what you're in for (a bit too much off-topic discussion of books, movies, TV shows, vitamin D, and the like), it is worth trying out.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
That's the odd thing. I like him, so I like what should really be named "The Steve Gibson Show", but from a practical standpoint, you're getting quirky old fart security.
Sometimes he's way ahead of the curve. You mentioned Bitcoin. I thought his early analysis of Stuxnet was fantastic. Squirrel? All I could say was, "holy shit".
Likewise, if it's an old fart subject, like the underpinnings of TCP/IP, Steve's your guy.
On the other hand, sometimes he'll come to a "great revelation" and it will be something I realized on my own, 15 years ago.
I'm not even a security person.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
As a thought, I'd feel much more comfortable working security on offense.
Defense seems like it's just going to be a tougher and tougher row to hoe.
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Originally Posted by subego
As a thought, I'd feel much more comfortable working security on offense.
Defense seems like it's just going to be a tougher and tougher row to hoe.
At least in the US, the laws are pretty clear about offensive white hat hacking. Kind of a shame if you ask me.
The job I have isn't really offensive or defensive though. Many privacy risk assessments are performed proactively and not just reactionary like after a data breach.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Subscribe to Schneier's Crypto-gram newsletter for privacy, data protection, IT security info. https://www.schneier.com/crypto-gram.html
Read his books, but start with Secrets and Lies. I would only recommend Applied Cryptography (I didn't get all the way through it) if the highly technical stuff interests you.
Addicted to MacNN
Join Date: Aug 2007
Location: Phoenix, Arizona
Does the cyber industry follow Vegas' lead? The casinos tend to hire those that manage to figure out ways to cheat.
45/47
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Originally Posted by SSharon
At least in the US, the laws are pretty clear about offensive white hat hacking. Kind of a shame if you ask me.
The job I have isn't really offensive or defensive though. Many privacy risk assessments are performed proactively and not just reactionary like after a data breach.
I'll admit, I'm ignorant.
You can't run a pen test on a network you've been hired to pen test?
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Originally Posted by subego
I'll admit, I'm ignorant.
You can't run a pen test on a network you've been hired to pen test?
I read the statement about offensive security more broadly and literally. For example, why don't we use a virus to inform users with hacked computers that they have been hacked and are part of a botnet? Depending on how you look at it, even that isn't really offensive, since it isn't offensive against the bad guys, the same way a pen test isn't offensive against the bad guys either.
In any event, I'm not the expert on security.
Chongo, most of the evaluations, assessments, and audits that I've done are based on published frameworks and guidelines by industry organizations. In other words, it isn't a free-for-all where I just go knocking on doors. The scope of the projects is well defined, oftentimes specifying exactly which people I'll be interviewing. Depending on the nature of the project, sometimes we rely on the answers we're given and sometimes we ask for verification and do spot checks to confirm.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Originally Posted by SSharon
I read the statement about offensive security more broadly and literally. For example, why don't we use a virus to inform users with hacked computers that they have been hacked and are part of a botnet? Depending on how you look at it, even that isn't really offensive, since it isn't offensive against the bad guys, the same way a pen test isn't offensive against the bad guys either.
You are absolutely correct. Offense is probably a misnomer for what I'm talking about.
Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Pen test <> risk assessment
In my experience, pen tests are done by technical people, risk assessments are done by procedure/standards/process type people.
Also (IMHO), Business Impact Analyses are FAR more important than risk assessments, but afaik, are much more difficult to quantify generically. The methodology is easy; it's the cost to the business that isn't.
BIAs that I've done in the past have always shocked management in terms of the most important applications being used within the business: the application that manages the air conditioning for a data centre, the application that manages doors and gates for a group which has factories around the world.
P.S. I'd get back into IT Security stuff, in a heartbeat, but I doubt that your company would move me and my family from France to NJ.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Originally Posted by mattyb
Pen test <> risk assessment
In my experience, pen tests are done by technical people, risk assessments are done by procedure/standards/process type people.
Also correct. I was thinking the technical side for both "offense" and defense. I'm a technical kinda guy. Go figure.
My comment doesn't apply as much to the analysis side, so my random musing isn't ultimately that helpful.
Professional Poster
Join Date: Jan 2003
Location: Teaneck, NJ
Originally Posted by mattyb
P.S. I'd get back into IT Security stuff, in a heartbeat, but I doubt that your company would move me and my family from France to NJ.
It's a big 4 consulting company so it isn't out of the question for them to pay moving expenses.... The group I work for is considered a national practice and since the consultants travel to the client sites they don't really care where in the US you choose to live (as long as it's close to an airport!). I know there are people in Europe, particularly in Belgium, doing similar work so let me know if you want to chat.
AT&T iPhone 5S and 6; 13" MBP; MDD G4.