
It's a cliche to say in security that privacy and security don't always play together, um, but fortunately we have an excellent panel up next to highlight exactly how privacy and security can play with each other and, in fact, how the privacy tech community can learn from the security world. And so if you're interested in either of them, please follow this panel. So we've got a great group here. Uh, we've got Lourdes Turrecha, who is the founder and CEO of PIX. We've got Michelle Dennedy, who's the vice president and chief privacy officer at Cisco. And of course many of you know Melanie Ensign, who's, uh, the founder of Discernible, and she spent a lot of time
thinking about the communication side of how we help users, for Facebook and Uber and AT&T. So this panel really is going to capture this dynamic of how do we think about privacy from an innovation perspective and what lessons we can build from security. So, uh, really looking forward to this panel, uh, and make sure there's some insights that we can all glean from.
Hi everyone, and welcome to BSides Las Vegas 2021. I'm really excited to be here. In this session we're going to talk about some of the lessons that we've learned in the cyber security industry and that we're transferring to the emerging privacy tech landscape. We'll start with speaker intros: Melanie and I will do our brief spiel of what we're doing currently in privacy and security. Then we'll do some baseline definitions of, you know, what privacy is, what privacy tech is, how does it intersect with security, um, how is it the same and how is it different. And then we'll dig into some of those lessons before we wrap up. And so, Melanie, you want to go ahead with
introductions, and I'll follow you?

Sure, thanks so much, Lourdes. Uh, hi everyone, thanks so much for joining us today. Uh, my name is Melanie Ensign. I am the founder and CEO of a security and privacy communications consultancy called Discernible. Uh, we are about, uh, coming up on our 18-month mark as a company, so, uh, very excited about the first year that we've had. Thank you. Uh, previously I led security, privacy and engineering communications for Uber. Um, I have done security communications for Facebook and AT&T and a couple of other companies in my previous consulting life as well, and I also run the press department for DEF CON, which is probably happening right now as you're watching this. So really
excited, uh, to be here. My comments and insights today will really be focused on how we communicate around the issues of security and privacy and the lessons that we've learned from security that are applicable to the emerging space of privacy tech.

Thanks, Mel. And I'm Lourdes Turrecha. I'm the founder of The Rise of Privacy Tech, which has its mission of fueling privacy innovation and interest. By the way, Melanie is also an advisor to us at The Rise of Privacy Tech. What we do with our mission to fuel privacy innovation: we try to do this by bridging the tech, capital, expertise gaps in this space. We try to bring together founders, investors and
experts in privacy tech. I've also worked with infosec teams and in infosec teams, trying to build privacy functions within them or alongside them, and also have worked with cyber security companies, and now focusing mostly with privacy tech startups. Um, well, Mel, to kick this off, I think it's important for us to talk about definitions so that we don't talk past each other, and then try to just have those baseline, you know, definitions of what we're even talking about. So when you talk to someone, a journalist for instance, or someone who's not within privacy and security, and when trying to talk about different solutions and trying to avoid, uh, any misunderstanding, how do you define privacy
versus security? How do they intersect? How are they different? Uh, obviously, you know, those two are well-defined domains, but it's also, you know, sometimes it's important to kind of put it in eight-year-old terms when you talk to people who aren't from the industry.

Yeah, and truthfully, when I'm talking to folks who aren't in this space, um, a lot of times the person who has to adjust is me, um, in terms of how I talk about it, because a lot of the stakeholders that I'm talking to, whether it's media or consumers or executives or other business units, a lot of times they don't see a difference between security and privacy, and frankly there
isn't a huge difference to them between security, privacy and even safety, right, particularly when we're talking about online experiences. So a lot of the times when I'm (hi, Mickey), uh, when I'm talking to those stakeholders, uh, I'm talking in terms that they will understand in terms of their experience, and sometimes that means that I have to let them say security when, you know, from a practitioner's perspective it may be privacy. It's less important the words that they are using and it's more important that they're understanding the concepts. Now internally, inside organizations, with practitioners, it's actually important that we be able to differentiate those things for ourselves to make sure that operationally we have enough focus, enough resource and
enough attention on all of those areas. Having security and privacy as an undefined mishmash of concepts makes it very difficult to pragmatically do the tasks and fulfill their responsibilities, um, from an organization perspective. So, you know, and I think a lot of companies, um, and organizations may define things a little bit differently depending on their specific business or culture. There are some companies that are very engineering focused, and so they actually have privacy engineering as kind of the lead for their privacy effort; has a lot to do with controls and technical solutions. And then there are other companies that are, um, less engineering heavy, um, and so they are really looking at privacy from perhaps a policy perspective or
business model perspective, right? I actually wish more organizations would look at it from a business model perspective. But so internally, within our organizations, it does matter that we have some definition, just to make sure that everything is getting covered. But in my work, when I'm talking to a non-expert or somebody who just doesn't work in the space professionally, it's less important, the term that they are using, and I will use the language that is comfortable and familiar to them. The one exception to that is policymakers, where it is absolutely important that we are specific and precise when we are drafting legislation. Um, but particularly if it's a consumer audience, um, I'm going to use the language that
they are comfortable with, regardless of whether or not that may be how we define it as practitioners.

Yeah, all good points. There's so many ways that we could go from there, but I see that Michelle just joined us, so welcome, Mickey. Melanie and I just finished with intros, and Melanie kicked this off with, you know, the definitions and privacy and security, the distinction. But if you don't mind, before digging into how you yourself explain the, you know, the differences between privacy and security (I know you have amazing analogies), please introduce yourself and tell the BSides, uh, audience all about what you're up to and where you've been.
Yeah, definitely. Can you hear me okay?

Yep, yep.

All right, so I'm, uh, calling in live from the Bermuda Triangle, so it's kind of a perfect place to talk about security and privacy, and of course these two lovely ladies who are my frequent co-conspirators. My name is Michelle Dennedy. I've been in the privacy and security and intellectual property world since the 90s, since last century. Um, currently I run, the services side of my world is called Privatus. Privatus is your private self, for the individual self gliding itself through the world, and publicus is the public side of the self, so the obligations we give to each other as a society. So at Privatus we work on something we
call wicked privacy, which is living in the bounds of having an individual self in juxtaposition with various cultures around the world, whether we're online, offline or beside. And exactly as Melanie was just talking about, however you call them, we call them. So if you're calling something that I would call security "privacy", or if you live in China and the word privacy translates into dirty secret or shameful secret, we will talk about data protection. Um, it's all good, unless you're a regulator, and then we're going to have words about your words. So that's my Privatus side. On the other side of myself, I'm in a stealthy startup right now. As the CEO, we're working on bringing
privacy to the requirements, to the developers, to the supply chain, so that we're not surprised by all the defects in our data life cycle and our data assets, and, as Mel was just talking about, really looking at data as one of these core assets that will drive us forward into the next century. Um, before these roles I've worked in a ton of infrastructure companies in the silk, I called the ring of fire: Sun Microsystems, Oracle, uh, McAfee, Intel, and then my last big corporate gig with Cisco. Um, building in requirements and businesses and doing sort of testing experiments on where does leadership lie in the privacy realm, and doing sales in this realm of who
will buy and why aren't they buying. Um, all of these experiments have really led us to where we are now, and what Lourdes is running is The Rise of Privacy Tech. We're probably 15, 20 years behind the security world, but I don't think it's going to be 15 to 20 years until we catch up to the privacy of figuring out how do privacy and security, data asset management, data governance all work in synergy together in these soft systems. So I'm excited. Thank you for having me, and sorry that it took me a while to connect.

Thank you for that, Mickey. Well, let's dig into, let's complete the definitions portion so that we can
um, then talk about the lessons that we've drawn from cyber security. So, you know, Melanie was saying it doesn't really matter, you try to work with the language that they're using, unless obviously if you're working with policymakers and regulators. When it comes to the privacy tech space in general, uh, beyond the definition, which, you know, you two have been part of The Rise of Privacy Tech, we have an endeavor to define this space, and right now at its basic, simplest level we define privacy tech as tech solutions to privacy problems. Um, but let's talk about the types then. The biggest ones that we've been seeing
are the compliance ones. When people, especially in security, talk about privacy, they think law and policy and compliance, and so a couple of the startups in this space have been mostly focusing on those. But what are the other areas? And Mickey, this is like a softball given what you're doing: what are the other types of privacy tech, beyond compliance, that you guys are excited about, that you think, you know, this infosec audience, the security audience, might be interested in knowing more about?

Yeah, and I think it's, so my background is as an attorney. I was trained as an attorney, and my first role as an attorney was as a patent litigator,
so we were really looking at what are the monopolies that people have claimed, by claim, to ephemeral assets. So if you think about that sort of disposition in my head of where I've been and where we're going, I think that compliance is great. I think good privacy laws hopefully will incent better behavior or make people fear consequences of bad behavior. However, if you're putting the worlds of technology and law together, the way you start to study law, and Lourdes has this background as well, is you start with, what, cases, case law. And what is case law? They are user stories, user stories about things that we've already done, things that have created a case or controversy
that is bad enough that we're going to waste our civic publica's time on adjudicating and creating rules around. So if there's not already a law in place because so many people are already doing it, like killing people, if there's something new that's offensive, like you're creating an offensive odor and it's going over to someone else's farm, it doesn't feel like a physical harm, you're not burning down their farm, but that odor is coming across. The odor of your badly collected, disrespecting and not checking in with your customers, employees, that odor has created a big enough stank that there's the beginning of enough use cases or user stories in the law to say that's not okay. Now if that was
just enough, all we would do is continue to kind of, like, herky-jerkily make mistakes until we had enough user stories to really fill out what we want. So what we're trying to do is really shift to the beginning of where the requirements begin. How are we governing? How are we setting up our teams? How are we taking in requirements? Who gets to dictate what a system looks like? Is it the user? Is it the sort of old-fashioned 1970s, the shareholder? How many meetings have we all been in where it's like, oh, well, you know, I'd love to give you a budget for that security thing, man, but shareholders. Like, have these people
ever talked to a shareholder? No. The shareholder would probably say, yes, I would like no more ransomware, thank you, do something preventative. So by taking those requirements, putting them into a requirement-setting strategy, and having a strategy, and then having requirements for systems, and then having systems managers that understand that user stories are case law and case law is the primordial user story, and then hacking at those things and having things like bug bounties for privacy phones, I think that's where we're going to find some really interesting innovation going forward.

I just want to add quickly, uh, Michelle, because you reminded me of something, which is that in 2019 the Business Roundtable actually came out publicly to say that
shareholders are no longer the purpose of corporations. So, hello, yeah. So I mean, the fact that business leaders, and I don't mean leaders who are in business, I mean leaders who are leading business as an industry and a collective group, have already said that shareholders are no longer the primary, uh, stakeholder, um, or purpose for corporation. And so when I hear shareholders as, you know, the reason why a security or privacy initiative cannot move forward, um, I mean, first, I roll my eyes as discreetly as I can. Um, but I think it's an indication of where that individual is in their own maturation as a leader and as an executive,
um, that they don't realize that what they're saying is in fact behind the eight ball in terms of where true business leadership is headed.

Exactly, because I don't think you can find data behind that old trope. It's not even a hypothetical, it's a trope. Um, we love our shareholders, of course we do. They own increments of our company, and that's part of the democratization of the security laws, is making sure that people can own the benefits of companies. That's great, but it's not definable in terms of what do we do, what do we want to do. And here we are, midway through 2021. The digital transformation has happened.
I saw another CEO the other day from, you know, Fortune 50 or 20 talking about how the digital transformation was about to happen. Was anyone awake during 2020? It's happened. We're doing online, uh, telemedicine, we're doing online learning, or, hello. So now that we're saying it's not what the shareholder thought they were buying and holding in 2000 because you're a blue chip stock, or it's not because I'm going to make some profit on this sort of market on hedge funds and whatever, it's because we exist as cultural artifacts within a context, as corporations, as government entities, as NGOs, and we do that because we have employees and we have customers. And this is something from my dad, from,
you know, Navy guy, mainframes, 1950s: you only have privacy concerns if you have customers or employees or citizens, and if you don't have them, cool, cool, you don't have privacy concerns. If you do, welcome.

You both touch upon the perfect, um, things to segue to the lessons part of this conversation. So we talked about digital transformation and shifting left in general. Can you two talk about what you're seeing in the privacy tech space in terms of shifting left, and, you know, how does that align with what you've seen in the past years in the AppSec space? Similar conversations that we've been seeing: do you see any similar trends, any alignments? Are they the same conversations? How
are they different when it comes to shifting, uh, privacy left?

I'll start and then Mel can pick up, because she's got a broader view. I tell you what, I was whining to these ladies earlier today because there's somebody who's, like, talking our talk on the shift left, and I was like, oh no, um, you know, has this company scooped us or what? And when I read into what they're doing, it's different than our hypothetical and how we think that we're going to add value to our customers going forward on the shift-left paradigm. But I think the reality is that we've all realized there's a cluster of early companies solving early problems in compliance. We
had a transparency problem because we weren't reporting swiftly enough to get in front of GDPR and other large fine-based strategies by governments. We have a mapping problem, which is just astonishing to me, because we're trying to walk up and go, hey Lourdes, do you have any data? And she's the head of marketing and she's like, oh, you're from legal? Oh, good lord, no, I don't have any data in marketing. Wow. And that's how we're reporting on stuff. So the early crop of privacy tech is saying, I think the data will tell you what its structure is and where it's flowing, and there's APIs and blah blah blah. So there's a huge cluster of companies
that are very, very helpful doing things like mapping, masking, ephemeralizing data, doing differential privacy, and getting at this compliance transparency paradigm. The newer folks are getting to something that I think the VCs are a little bit wary of but are starting to understand, which is if you get to the root cause of issues (we may have just lost Mel, I don't know, she'll be back), but that's where we're going, is, you know, how are you setting up the requirements? How do you know what the requirements, more, let's start with transparency at the requirements workshops. Let's have requirements workshops. Let's bring out some of these more traditional models of data modeling, data strategy before
you start to build or buy, and then tracking what's required throughout the life cycle of the build. That involves developers. I think my biggest pushback I've heard from the financiers in this space is that developers cannot adapt to privacy, developers will not do anything different, and I think that's, how today is such a shame, right? It's very small thinking, because if you actually talk to people who develop systems, they want to do it faster, they want it to last, and they want users to use it. The last thing they want is to spend all this time building things that no one uses, or things that the lawyers, because we never get names, do we, Lourdes?
It's the lawyer, right?

Especially in the age of, uh, we're living in a time where privacy is synonymous to product excellence. So, you know, the conversations with developers, the ones I've been having anyway: they get it and they want to do the right thing when it comes to privacy. So I'm really surprised that some of the funders that you're talking to, or just, you know, it's wild to me.

That is wild. It gives someone as creative as a developer, I mean, you know, every software language is a language. It's creative, it's like poetry, right? It does things, it's functional, it lives, um, it grows, it's organic. And I think the folks that
engage in that kind of practice as a professional or as a hobby, they kind of go, sometimes they go both ways. But, you know, you can hack people and sort of get a reaction out of them, um, which I find quite honestly sad, unless you're a white hat hacker looking for vulns to fix them. These ransomware people, I feel pity for them, because wow, what talent has been lost to doing something amazing that would be a legacy. Instead they're just kind of scumbags. But the vast, vast majority of developers are building things that work, that last, that run, that are essential, and I think that that kind of pride in your
work and the ethic of work, in getting your work done efficiently and well and of good quality, is a matter of pride with the developer community. So shame on the investors that don't think developers can adapt or don't want to adapt, and shame on us if we don't make privacy approachable enough that they feel like they're left out.

Right, it's not even a hard conversation to have, given developers are some of the most, you know, innovation-minded people out there. There's so much opportunity to innovate in privacy, especially in the privacy tech space. And another lesson I want to jump into: so we talked about shifting left, you know, we've seen that in security, we're
seeing it happen in privacy tech, and so that's one of the lessons we're drawing from cyber security. Another one is about bridging gaps with product and cross-functional teams. I think it's even truer in privacy, given the cross-functional nature of privacy. But what can we learn from the security space when it comes to bridging these gaps with product and other cross-functional teams? Uh, Mickey, what do you think? Uh, in terms of, you know, security is more mature. Are there things that, throughout your 20-year career in security, you think, you know, we should really do more of this in privacy, this is something that we could pick up from infosec or cyber security in general?

Oh,
absolutely. I mean, there's things, I mean, like Veracode has been out for how long, right? I mean, there's things like static analysis, there are things like understanding the syntax, the syntax of sharing. I think, I mean, definitionally, I think Mel did a good job with this, but I want to emphasize it and underline it and write stars and glitter around it, which is: privacy is not about secrecy. Privacy is not about encryption. Encryption is a wonderful tool for the type of sharing that is limited, but privacy is about sharing with respect. So when you're talking about sharing, you're talking about flow. It's either staying within my system from one app to the next, or it's sharing between vendors that
serve it, or it's sharing simply between you and I, and understanding how do we create enough transparency, enough choice, enough activity, and the critical environment of timing, to create that context that we actually have a respectful conversation. And that's all any software really does. It has a conversation, either machine to machine or person to machine. And so I think once that paradigm is understood, the creativity starts to generate, and you start to realize that, sure, you know, creating secure enclaves, important; creating the whole CIA triangle around traditional security, you know, what's the level of confidentiality, you know, all the rest, right. But if you add to that the dimension of time and the
different cultural differentials, it's like going from addition to differential equations and calculus, and once you have differential equations and calculus you're no longer living in a 2D world, you're living in a universe, and I think that's exciting.

I think that's the perfect analogy, going from addition to differential calculus. When we're talking about privacy and security, obviously the two overlap, but they're distinct. I love what you said about clarifying that it's not just about secrecy. Privacy is not just about secrecy; privacy is not just about security either. Obviously we need security for privacy, but like you said, there are other conversations about sharing and transparency that have nothing to do with security that we need to address when it comes to
privacy, um, and even at the data level, you know, which we're talking about personal data when it comes to privacy, whereas in security it could be all sorts of data: trade secrets, IP, you know, all the crown jewels, whatnot. I think this is a good way to kind of, then, when we're talking about these things, when it comes to selling and marketing these products, what are some of the pitfalls? We've seen some of those pitfalls that CISOs share on LinkedIn about how they're being marketed, targeted by security salespeople. What are some of the pitfalls that you think we can learn from in this security space when it comes to selling and marketing privacy products?
Uh, you know, I brought up a couple of them, um, but are there others that come to mind, Mickey, especially as you build your own startup? How are you, yeah, how are you guys gonna market these things and sell them in a way that would resonate with privacy-minded people?

Yeah, we're now on the other side of the table, right? And so we're that annoying, like, hey, just checking in, right? Right, I think you're always going to get some of that. It's, yeah, you know, sales are about relationships, they're about getting attention, they're about having a reason to get in the room. I helped lead a sales department at Oracle, so probably one of the most
aggressive sales-forward companies, at that time, and all apologies to all Oracle players. Um, not a lot of differentiation. It was like, hey, guess what, we still have a database, and guess what, you still have data, so you still need it. Um, so for us to come up with a creative way to approach a customer and say, hey, how about that database, huh? Um, it was challenging. So I don't think you're gonna get away from the hey, hey, let's have just 15 minutes. First of all, like, you're not going to take just 15 minutes. Um, I think that the reality is the mistakes that are often made are, one, in focusing on a title. So if you
think that the person that's going to be the primary beneficiary of your product, they may be the database administrator, right? It may be that's the person you want to approach if you're selling a database. Yeah, the security person feels like the right person to sell encryption and DNS and anti-ransomware and, you know, sandboxing, whatever. The reality is that some of these sales, much to the chagrin of particularly the private equity tribe, will not be a simple flatline sale anymore. We are going to see more and more horizontal sales. We're going to see more and more interoperable soft systems. So it may be that you have to spend some time with the developers asking them how they like to play and
saying not, what do you want, or here's my thing, I know you want it, and I'll buy you a, you know, an iPad or a laptop or a bottle of wine to get it, but instead we'll be saying, how about having an experiment where we figure out which of these two features you like best, which are the things that are going to help you with that kind of beautiful trifecta of maintaining your budget, speed to marketplace, getting lawyers off my back. Which sadly is universally, in every single country I've done research, and get the lawyers out of my office is, like, the number one complaint of developers. So we have to work on ourselves as lawyers,
because obviously something that we're doing is really making these guys allergic. But I think having the understanding that a lot of your CPOs are going to come from the legal community. Lourdes and I are freaks, so don't think that we are your target audience, because I want to hear all about your technology. I want to hear why you built it. I want to hear what you think you're competing against. I want to hear what you're replacing. Why did you take the time out of your world to create a new firewall when firewalls are old, right? So I want to hear that. Most of the lawyers out there, I shouldn't say most, many, sadly,
I think most, most, I think about, absolutely, I think most, what they're used to buying is services. They've come out of law firms. They like to buy services from law firms, either on an hourly basis or flat fee basis per project. Getting them comfortable with buying a SaaS service over time is tricky. So if you're a CISO and you're used to understanding how do you buy a SaaS service to have maintenance, monitoring, stuff, or you're buying cloud bursting efforts so that you have bug bounty type programs internally or externally, you have to teach your colleagues in legal how to buy that way. So you're not giving up power by helping your co C-level, C-suite person
buy better, and in fact what you're doing is you're strengthening your soft system instead. What I'd love to see more of is, I would love to see folks saying, what are the outcomes on the business level that we would like to achieve here? Would we like to have faster time to market for sales? Great. So the metric might be, what's holding this up? I want to talk to my procurement and my contract negotiators, not necessarily the header product lawyer. What are the things customers are asking you that are tripping you up? Is it unlimited liability because you don't know what your product does and where your product's data impacts or lives or protects, blah blah blah?
Is it flexibility? Is it, ask them, they'll know. Like, what is the most irritating thing in anyone's email box at any given day? Figuring that stuff out and solving for that, I think, makes for a much happier sale. Oh yay, Melanie's back.

Yeah, we can go back. I think you're absolutely, kind of how I go for it, yeah, you're absolutely right. And speaking of, you know, the selling and marketing of privacy products, and not all privacy pros being equal, or having been created equal, what are some of the things, and Melanie, oh, we lost her again. Mickey, what are some of the things that you think privacy pros who complain about not
getting the same budget that CISOs get, what are some of the things they can do to get their privacy mandates funded? Because, like you were talking about, most of them don't know how to do this.

Yeah, absolutely. Stop saying compliance. Yes, that's one thing. You know, it's like, what do you want? What's happening in your financial reporting? You know, in the US's 10-K report they're telling you what they're graded on this year. What areas are they focused on geographically? Are there laws that intersect there that will be a hindrance to sales there? What pivots are they making? So they had an interview with Pfizer CEO. That dude probably has access
to most of the world's information based on who's come and gone and gotten their vaccine and whatever. There's gonna be a lot of pressure to resell that data. So my question would be for them, before that question comes to me as a support person, whether you're a CISO or CPO: the business seems to me moving here; how would I anonymize, shape, sell, auction, permission information in a different way? That's where I would be. And I, insider ballgame, happen to know some of those guys; that is what they're doing. They're very forward thinking. So you didn't hear that from me, but that's what I would be doing. You know, forget the analogy about
skating where the hockey puck is going. There's only one puck. Hard to see, but there's only one puck. What you're trying to do is predict weather patterns. You want as much data as you can, as much context as you can, and you want a lot of the information of the past, but you also want to understand that, like, in the last three years, look what's happened with wildfires. I'm not looking for 100 years of data, I'm looking for the last five years necessarily. What is predictive? How do we run experiments? How do we lean into what is present for the data for running this business? Always with your mindset of, it's not,
running this business is not just about generating cash or cash equivalents. Running this business means engaged employees (they're going to get more expensive, harder to cut, get harder to keep) and engaged and interactive customers. So that's your target. And so if you have metrics around those targets, and they happen to match the geographies, the types of business and the type of business transformations, while protecting the store of your bread and butter, customers and employees, you're going to have a pretty happy time. You may not get all the budget sitting in certain departments because you're a cost center, but boy, you're going to be able to share a pocket with your sales guys who will sell more,
your marketing people who want to expand their their reach your communications people who have a story to tell now because you've collected that data and so on so i think that's how i would i would do that play thanks for that mickey i i do want us to jump into comms and pr now that we have melanie so mel unless you want to you know comment on some of the sales and marketing lessons that you've taken from cyber security and and brought into the privacy tech space you're free to do that too i'd love to hear about some of the common pr lessons that you're now advising your privacy tech startups um that you've drawn from working from
your years in cyber security and working with infosec folks yeah of course so i think first and foremost when i think about what we've learned on the security side from a communications perspective is that your outward story and your inward story have to be the same there is no such thing as an internal narrative and an external narrative um i have interviewed for jobs where i've told them that i'm going to spend the first 90 days fixing what's inside their organization before we do anything externally and the companies that are not patient enough to do that it's definitely a red flag that they're looking for somebody to put lipstick on a pig which number one is something i i don't
do but number two it doesn't last very long right uh it rubs off pretty quick and people notice that the emperor is not wearing any clothes so uh i think that's the first thing is it is incredibly difficult to tell a privacy story if you're not actually living it inside your organization and we're seeing that with a lot of companies um kind of venturing into the space of privacy washing where their marketing language or their pr story makes a whole bunch of privacy claims but fundamentally it's not really a priority for the company other than the fact that you know they're trying to avoid additional regulation or they're thinking that perhaps it's um like a temporary and cheap value add
from a marketing perspective but if it's not real it will come back to bite you in the ass um and we've seen that with you know security companies that have made all types of of claims that they can't back up right and security learns hard way yeah security learn the hard way that you have to show your work um and that is something that we can learn in now on the privacy tech side um so we don't have to learn it the hard way right show showing your work with every single privacy claim that you make is really important the second thing is that those of us that are in communications roles that are operating in this function and
that claim to have some type of responsibility for reputation or you know company narrative we need to be mindful that by the time the product team comes to us to do something external it's too late to fix the privacy problems um now if you're anything like me you're still going to try because you're at least going to document the fact that they up right but you know just as you know mickey is talking about moving to the left from a technical perspective those of us who communicate about these things also need to shift our guidance and advice early on in the process right there should be a communications person in every single product review meeting
there should be a communications person on the engineering review documents we need to be helping our colleagues make decisions with the advantage of knowing how things are going to land externally right i can very quickly off the top of my head rattle off the top dozen questions you're going to get from a journalist a privacy advocate a customer a regulator and that needs to be addressed in the development process not after the fact and that's why we end up with you know some pretty shitty statements and responses to companies when they get called out on things is because they truly haven't thought about it until somebody outside the company notices and communications professionals can do a lot to help
by bringing that perspective to the conversation before things get built thanks for that now i know there's a lot that we can do in you know when it comes to walking the privacy talk and earning credibility that way what about your points on teaching these startups to embrace accountability and and advance the field in general i know you like to talk about those things so i want to make sure that we share those with the audience as well sure so i will say one one advantage that we have in the privacy tech space is that our community even more so than uh infosec if you can believe it or not is more skeptical and more cynical and so
when you say something in the privacy space that when you make a misstep people notice and people talk um because and the thing that i'll add is that they may not always do it publicly and to your face but they are talking and it is impacting your reputation is impacting your ability to sell um and is impacting um your credibility um as a company and as a professional in terms of you know who's who's saying these things um and so we do have the benefit of having very very harsh critics um and that allows you know somebody like me or my team to come in and say these these are the boundaries they have been set
these are the expectations and so we have a lot less gray area which is actually helpful from a communications perspective because we can start using that shared language of the community very early on and we have a really good sense of what that community is expecting from us before we get there so we don't have to do a lot of iteration post launch yeah i i want to add to this because this is like mel's magic uh for discernible um a lot of people think they understand privacy because we use words like permission and consent and and and respect all of this stuff that sounds like oh well i'm a human i've had experience in the world i know what this means
security has had all these secret acronyms and they're really scary and i don't want to question them because i'm not like a security engineer so you get this dialogue with people that are using these terms colloquially that that may not be what we're trying to communicate so if you're a privacy person you have an even higher standard to be very clear in your communication and the tendency when we're talking about startups and i'm in this world right now myself is you want to say i'm doing everything i'm doing this i'm i'm you know i'm harnessing the moon the reality is that we're taking it one step at a time so i don't want you to
undersell your business but this is why you need a communications professional very early on in your development because you want to tell the truth you want to put your best foot forward but you also want to distinguish distinguish with you i can't even speak that's why i have a communications people to help me like mel i want to show people what's real yep absolutely and documenting all those steps will actually build a better story for you over time right and you don't want to turn off your potential customers by claiming all these things that you can't back up anyway i feel like we can go on talking for another hour but we are out of time
i do want to make sure that you guys have are able to say you know share last words or calls to action or or wherever folks might be able to find you after this um so nikki where you know any last words to the attendees or you know where can they find you online and how should they reach out to you yeah i'm really easy to find and i'm halfway through the the limit of my angel raise so hit me up if you've got a big check for me um i'm at identity i don't stick to privacy um i don't apologize for it it's your privacy choice it's my choice to share um but but we do
talk a lot about privacy security communications all of these things so hit me up on twitter at mdentity and watch the space we're just about to come out of stealth mel yeah so on twitter you can find me at i'm melanie spelled phonetically that's how long i've been on the internet i thought that was funny at the time um so that that's the easiest place to find me um you can also hit me up on linkedin and i'm the same at lourdes redshire and twitter you can also find me on linkedin uh you can also find you know me at rise of privacytalk.com or at privacytechrise on twitter so if you guys have questions about the emerging privacy tech
landscape please reach out to any one of us we are very much plugged in the middle of it and very passionate about fueling this space thank you for tuning in this has been a pleasure and have a good b-sides this year you guys thanks next year maybe in person hey hello everyone welcome to our q a session for lessons drawn from cyber security and the rise of privacy tech uh we have with us today melanie ensign lourdes turret uh
uh i also i think we've got a fourth contributor here that i i wasn't introduced to yet is that all right who's this hi steve this is steve [Laughter] awesome hello steve um okay so um and also uh just to check i i will you all be doing the thing where you keep turning off someone's stream and turning it back on throughout the conversation here is that just something you reserved for the the main event is that that was uh we had cameras that were going blank you lost mexico
[Laughter] we like being spontaneous okay well yeah i definitely got the sense that this whole conversation use has been a running conversation you've been having for a very long time and we were just lucky enough to perish kind of into the middle of it right um is there anything i i'd love to just hear you like just pick it up where you were and go on and uh maybe talk a little bit more about some of the the lessons uh from uh you know uh you got from uh the uh oh gosh sorry my eyes are giving out um sorry uh get uh further into the comms and in pr lessons uh from the cyber
incidents that you're dealing with sure so i i can take that as somebody who started my career um in this space working on security communications before i then uh adopted the the privacy work as well um one of the uh most important lessons that we learned is the technical credibility you have to actually have substance behind what you're saying and so as we've seen in the security space if you can't back up what you're talking about you don't just miss the opportunity to build a strong reputation and get your message across you can actually lose credibility and kind of get demerits um from a reputation perspective and the same thing is true on privacy
and we've seen you know a number of companies that try to go out with pretty strong privacy claims or at least strong positions on privacy and can't back it up with behavior um and actions um and again it's not just that the message falls flat is that you're actually um docked and you lose reputation points um for trying to you know privacy wash your way um through the conversation exactly and just the same way that it's terrible for a cyber security company to have terrible security it's not a good look for privacy tech startups to have bad privacy practices uh yes yeah very very much so so yeah it's definitely something we we i see a ton of conferences and things
screw up it's leaking out information from the people that they have coming to talk about these very issues and you just don't see those people come back yeah and i think it honestly it makes it difficult for the companies that are doing the right things when we're kind of diluting the meaning of a lot of the the language and messaging around privacy because it's being used used as marketing fluff rather than an honest attempt at communicating information to various stakeholders yeah oh yeah i think i just wanted to check on that real quick and and privacy should not be used as new and improved it's such a deep topic there's so much room for innovation is how the three of
us talk to all the time and there are things being built today that are automating best practices so understand how those things fit together and actually how they drive your data assets forward into your organization and you're going to have a much richer and detailed story around your activities and you're going to have a better marketplace for the privacy tech that is arising right now what do you think about that
maybe we should let steve go then i really really deeply appreciate you taking the time to have this conversation with us in front of us um we're very lucky to have you all so thank you so much for having us yeah thanks so much everyone for watching thanks guys