Security Expert Interview Series: Blair Campbell
Below is an interview with Blair Campbell, a compliance, information security, and privacy professional with robust risk management experience. He holds an expansive understanding of outsourcing arrangements, data loss prevention, incident handling, and regulatory requirements and relationships. As a Senior Privacy Manager, Blair supports the development and execution of the Privacy Program components and assessment process, and manages the monitoring and testing, operational reviews, and training components of the program.
1. Firstly, thank you for taking part in this campaign. Can you tell us about your professional background and areas of interest, Blair?
It was while managing an art gallery that my interest in information security took hold. During the earlier days of website creation, I found myself responsible for our online marketing presence and the protection of our network. It was my technical curiosity that pointed me in the direction of pursuing a career in data protection. My approach was to go to where those who do are: I attended a SANS conference and met my future manager-to-be from a financial institution.
The bank took a chance on me, I ran with the opportunity, and my roles grew in responsibility: I built their first Network Operations Centre, then had enterprise-wide accountability for vulnerabilities, and lastly moved to internal audit to perform international data centre IT assessments.
I left the FI for a telecommunication firm to take an Information Security Advisor position. Shortly after joining, I was asked if I had any interest in privacy as the company didn’t have a privacy designate; I happily accepted the challenge. That was in 2007 and I’ve mostly been performing privacy-related activities since.
An area of interest is the increasing sophistication of deep fakes and the potential implications of their use and deployment.
2. You are holding the position of Senior Manager, Privacy. Is there a typical workday for you and more specifically, what are some of your primary concerns on a daily basis?
The field of privacy has become quite diversified and along with this, I don’t know if there’s a typical workday; roles can vary greatly depending on the industry. On a personal note, much of my conduct was established and strengthened through compliance lessons learned.
What I have found is that, no matter where I happen to be engaged, the greatest concern is not having a holistic perspective of an environment. Surprises in the world of data protection are rarely a good thing.
3. What do you see as the main challenges for our privacy today?
The current and anticipated regulatory regimes can be operationally challenging. The European Union’s General Data Protection Regulation (GDPR) gave us a great deal of runway to prepare but, in some instances, five-plus years hasn’t been enough. Layer the GDPR with additional jurisdictional legislation and marketing-related edicts around personally identifiable information and some entities just fall over trying to manage their privacy posture.
Along with legal requirements, cyber vulnerabilities are always top-of-mind. You can’t have privacy without security and security is allowed no missteps. Complicating the situation is the dearth of information security talent.
I would also include vendor/third-party management as another potential challenge. As nobody cares about your data more than you, it’s imperative to perform appropriate due diligence on all external partners. When things go sideways with your sensitive data, regulators just don’t care that the incident occurred to a service provider working on behalf of your organization. At the end of the day, you cannot outsource accountability.
4. How do you see the field of privacy changing in the next 5 years?
Privacy is logically morphing toward a trust model with the consumer, customer, employee, etc. controlling their personal information via consent mechanisms. I view the term privacy to be an individual state applicable to one person. Whereas trust is a relationship requiring all parties being equally valued and collaborating to keep it moving along smoothly.
5. We are starting to hear about “ethical AI”, with individual privacy at the center of AI developments. What do you think of it? What component do AI developments need to include to be considered ethical?
Similar to privacy regulations, the approach being applied to ethical AI is principle-based. As what’s deemed to be acceptable and fair, ethical AI needs to be malleable and open to critique.
What’s exciting about ethical AI is the potential for it to benefit endless functions and activities from healthcare, transportation, environmental management plans to name a few.
Although U.S.-centric, the Data Ethics Tenets found in the Federal Data Strategy Data Ethics Framework (https://resources.data.gov/assets/documents/fds-data-ethics-framework.pdf) are an excellent leaping off point.
6. How do you stay up to date with industry news and updates regarding privacy and information security? Feel free to share your favorite sources with us.
For anyone in the area of privacy, the International Association of Privacy Professionals (IAPP) is the default source on all things data protection. Additionally, (ISC)2 and ISACA provide a solid data protection perspective coupled with excellent training that’s often free to members.
In no particular order, these are some of the sources I leverage:
- IAPP Daily Dashboard https://iapp.org/news/daily-dashboard/
- CPO Magazine https://www.cpomagazine.com/
- DuckDuckGo Newsletter https://duckduckgo.com/newsletter
- The Download – MIT Technology Review https://www.technologyreview.com/
- The Privacy, Security, and OSINT Show Podcast https://inteltechniques.com/podcast.html
- Threatpost https://threatpost.com/
- The Hacker News https://thehackernews.com/
- National Institute of Standards and Technology (NIST) News https://www.nist.gov/news-events/news
- Infosecurity Magazine https://www.infosecurity-magazine.com/
- CSO Online https://www.csoonline.com/
- Schneier on Security https://www.schneier.com/
- Krebs on Security https://krebsonsecurity.com/
- Naked Security https://nakedsecurity.sophos.com/
- Dark Reading https://www.darkreading.com/
- Wired https://www.wired.com/
7. Last question: what is the most important piece of career advice you would like to give to people who are just getting out of university and are interested in a career in data privacy?
It’s imperative they develop soft skills; these will come in handy both professionally and personally. It’s not uncommon for a privacy practitioner to interact with senior management, network architects, frontline staff, and legal in the same day with the jargon and nomenclature varying between each. Understanding how business and technology communicate within their respective areas and with each other will avail future opportunities.
Also, more often than not, technology solutions are involved and their value to their own career development and the organization means a foundational understanding of information security. There are a couple of paths I’d recommend: The IAPP CIPT Certification (https://iapp.org/certify/cipt/) or (ISC)2 SSCP (Systems Security Certified Practitioner) (https://www.isc2.org/Certifications/SSCP).