S2E23: "Navigating the Privacy Engineering Job Market" with George Ratcliffe (Stott & May)

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
George Ratcliffe (00:01):
Any candidate that goes into interview for any
job should have, in my opinion,a really clear "why they want
that job and why they would begood at it.
If you can answer that questionor give a hiring manager,
interviewer, whomever it is areally clear and confident
answer, to me that's alwaysgoing to have them leave the
interview with a really goodfeeling.
Even if it's not the right fit,they're still going to leave

(00:23):
with a really positiveimpression of you.
For me, really specifically, ifyou're looking to make a jump
into a slightly differentindustry, having a really clear
'why' that you can articulateappropriately and share with
that person, it's always goingto put you in a really great
spot.

Debra J Farber (00:42):
Welcome everyone to Shifting Privacy Left.
I'm your host and residentprivacy guru, Debra J Farber.
Today, I'm delighted to welcomemy next guest, George Ratcliffe
, Head of the Privacy, GRC andCryptography Executive Search
practice at recruitment firm,Stott and May.
As you might imagine, we'regoing to talk about the field

(01:04):
for privacy technologists.
I'm really excited to dig deep.

Welcome, George.
Thanks, Debra! Great to be onand really looking forward to
what should be a great, andhopefully a really useful,
conversation for a lot of people.

Yeah, I think so .
I think there's a lot ofappetite from my audience to
better understand trends in thejob market.
I'm so excited you're here.
I know you have so muchfirst-hand knowledge about the
job market for privacy roles inparticular.
This discussion is going to bepretty enlightening for those
who are seeking new positionswith titles like "privacy
engineer, privacy architect,privacy researcher and even GRC

(01:41):
engineer, in addition tonon-technical privacy roles.
I can't wait to dive deeper onsome of the trends you're seeing
.
Let's start with some of thetechnical privacy roles in the
context of the current marketclimate.
About four months ago, in aprevious Shifting Privacy Left
podcast episode, I had MenottiMinutillo, a Privacy Engineering

(02:03):
Manager who had just leftTwitter at the time and is now
at, I believe Netflix.
We talked about his observationthat privacy engineers were
being laid off at a much higherrate than companies were hiring
for them, and his concern abouthow that will affect the hiring
pipeline for the profession.
I guess my first question toyou is are you seeing the hiring

(02:25):
trends pick back up fortechnical privacy roles?

I actually love this episode.
There's a lot of stuff that Itook from Minotti that's been
really helpful for myunderstanding of the space.
Firstly, I completely agreedwith Minotti's observations.
It was really concerning to seeit happening.
I think we've all seen plentyof tech layoffs before, but it's
the first time I've really seenpeople being laid off in

(02:51):
privacy.
And, coming onto a decade thatI've recruited in the space or
certainly on mass, it wasdefinitely really concerning at
the time.
The one thing I would haveadded to that is that the gap we
saw between the number of jobsavailable, the number of people
being hired and the people beinglaid off, I'd have said was
pretty uniform across tech.

(03:11):
It wasn't like we were much ofan outlier compared to everybody
else.
We just hadn't really seen itbefore.
In short, we're seeing amassive rebound here.
At the moment.
A lot of tech companies more inthat pre and post IPO stage of
development, as opposed to thereally big tech companies just
yet, are coming back to thetable with technical hiring

(03:33):
across all of the skill setsthat you mentioned.
We're not back to that volumeand that bump that we saw at the
back end of '21 and early '22.
For me at the moment, obviously,a huge part of my job is
keeping an eye on what's goingon.
It definitely feels like eachweek we're seeing a little bit
more.
There's a couple of newpositions coming out.

(03:53):
There's a few new companiescoming back to the table.
I think what's probably mostencouraging for me is we're also
starting to see companies thatI haven't traditionally
associated with having a privacytech function coming out and
looking to hire.
They're fairly broad and notentry- level, but fairly broad
in the first one or two hiresthey're making.

(04:14):
Coming to the table withpositions like that, which for
me, is really, reallyencouraging to see that world of
privacy tech growing not justin terms of people in certain
organizations but growing interms of the number of
organizations who are operatingwithin the field.

Oh yeah, that gives me a lot of enthusiasm as
well.
I just obviously love theprivacy tech market.
I'm a huge advocate for that.
I do agree.
I'm seeing that too.
I'm seeing not so much in thehiring, but a lot more privacy
tech companies.
It's good to hear that they'reexpanding and as they're
expanding, they're looking fortechnologists that have privacy

(04:51):
expertise.
Everyone seems to have theirown, slightly different,
definition of a 'PrivacyEngineer.
' I thought you'd be the perfectperson to ask, based on what
you're seeing across differentorganizations: what skill sets
and competencies are companiesseeking when they come to you
saying they're looking to hirefor a 'Privacy Engineering' role

(05:11):
?

Yeah, I'm actually going to revisit
another point Menotti made here.
We're still at such an earlystage, but I think when it comes
to privacy technology andspecifically on the engineering
side and I've even heard certainpeople make a fairly
rudimentary comparison, but onethat rings fairly true is that
privacy tech is where securityengineering was maybe eight or

(05:36):
even 10 years ago.
In a sense, we've got all thesedifferent skill sets and so
many different roles that areactually grouped under this same
job title of 'Privacy Engineer.
' Rather than go througheverything that somebody could
do within a privacy engineeringor privacy tech role, I do like
to break it down.
For me, there's three differentroles, the key roles here, that

(05:58):
are different in their own waybut do sit under that same
banner with the majority ofcompanies out there.
I'll run through some of thereally key competencies that I
see sit in each one mostregularly.
The first one is the 'PrivacyEngineer' - the job title that
everybody sticks on it, but thisone is the one I guess we most

(06:19):
commonly see in BigT ech.
It's the most common role wesee at Google, at Meta and a lot
of the other kind of FAANGbusinesses.
Also, a lot of largerorganizations who are still at
an early-ish stage in havingprivacy tech functionality as a
whole.
People who sit within this jobtypically do have a pretty

(06:39):
strong technical or engineeringbackground, but their focus is
predominantly for me onreviewing codes, reviewing
products that's brought to themby development and production
teams, looking to see if it sitswithin the organization's
privacy policies, looking to seeif it matches up with the
privacy- by- design or privacy-first parameters they've had set

(06:59):
out for them.
Another key thing that goes inthere is they're often working
in quite a large advisorycapacity as well.
They'll plug in and work reallyclosely with engineering and
design teams to work through anyproblems, any gaps they've
found, to make sure thateverything's redesigned
appropriately before it thengets signed off, if you like,

(07:20):
put into production and out infront of customers or consumers,
depending on which side you'reon.
The next one is I like to termit 'Privacy Software Engineer.
' I've been one that's reallyhappy to see this job title
getting out there a little bitmore regularly.
Probably not something we'dhave seen 18 months ago too
often at all, but it's certainlybecoming more common now.

(07:41):
Privacy Software Engineer oftenperforms some of that design,
review and advisory work that aprivacy engineer would, but the
differentiating factor for me isspending a lot of their time
focusing on physically designingand building their own privacy-
preserving code or products.
Obviously, without diving toodeep can be anything from

(08:02):
looking at writing ananonymization code or script, or
something on the deletion sideright on through to getting in
some of the really technical andadvanced pieces, like
differential privacy programsand so on and so forth.
The third kind, and I apologizeto anybody that feels like
they're being put into a buckethere - I'm just trying to keep
this as broad and general foreverybody - this is more on the

(08:25):
research side, 'Privacy ResearchEngineer.
' Again, something we'restarting to see become more
common, particularly withinadvanced consumer tech companies
and also within AI companies orpure privacy tech vendors as
well.
Like I said, more recentaddition.
So people in these rolestypically sit at that
intersection of academicresearch and production,

(08:47):
researching new applicationsthat can be, in some instances,
completely brand new for one ofthe privacy enhancing
technologies that are specificto the needs of their employer
or the specific product, beforethen going and obviously
applying that research.
In fairness, I think Amazon havehad Applied Privacy Research
Engineers for quite some time,but still, in a lot of other

(09:09):
companies, their going throughand actually physically putting
their research into production.
Some organizations, that's justlooking at putting together a
prototype or a proof of concept.
Other organizations, they'redoing the whole piece.
Right?
They're going right the waythrough to building that
specific piece and putting itinto production for their
company.

That's super helpful.
I really like that breakdown,hearing privacy software
engineer, privacy researchengineer.
That is definitely a slightchange into how we're seeing
people structure the titles ofthe job role.
I am curious though, forprivacy architects I'm getting
asked more and more if I know ofa privacy architect for a role,

(09:48):
are you seeing that in yourplacements as well, or is it to
a lesser degree than some of theprivacy engineering roles?

Yeah, that's a great question, Debra.
I think privacy architect isdefinitely a role I've recruited
for a good period of time.
The number of requests we geton that side is definitely
increasing.
I would say what's probablychanging more for me is the
number of - again, I'm probablygoing to split this into two
sectionsI just said two years ago, maybe

(10:18):
even three, pretty much everyrequirement or search we were
working on for a client that wasa privacy architect was, to be
honest, pretty much moresomebody that was like a
differentiate between a TPM andwhat I'm about to say, a
'Technically-minded ProgramManager.
' So not a TPM, very differentto that, but essentially a
program manager who could speakenough tech to work with

(10:40):
architects, work with people whoare sitting really deep into
that back end to help them plugthings together.
Definitely still get plenty ofthose coming through.
It's still a really hard job tofill because there aren't many
people who can do that.
What I'm seeing more of at themoment, and this really fits in
well with a lot of, I think alot of the things we'll probably
discuss as we move through, ismore technical-minded people

(11:03):
coming into this space.
So we're looking at genuinearchitects who can completely
pull apart data pipelines, theflows of an organization,
everything to do with that andrebuild it themselves, so more
in line with what we wouldconsider a traditional
enterprise architect within anyother area of tech.
So, that's what we're seeingmore of and I'm definitely

(11:25):
seeing more of a shift towardsthat.
And, again, frankly, like everyother area, it's a really hard
space to find people in,particularly people who can -
obviously, we can find all ofthose skills we've just talked
about, but then also match upwith the tech stack and the
requirements or the customerbase of that particular
organization.

Right, that makes a lot of sense, especially
as we start seeing the adventof an explosion of privacy tech.
It's like well, which techstacks, which new technologies
is the company using withintheir work?
So, I could understand why thatmakes it even harder for you
and your clients.

That's where things are a little bit
different to the engineeringside, because I think,
particularly with companies thatare a bit further down the line
, they can justify on theengineering side using which
languages they want or whichframeworks or packages to design
what they need.
But when we're getting into thereally nitty-gritty like
architectural side, it's likeyou kind of have to align with

(12:20):
what the company's already using, because you look at, let's
say, like 500, even 1,000company like that architecture's
been in place for such a longperiod of time.
It's just not gonna be feasibleto like pull in different
programs or anything like thatto stuff that's like so integral
to a company.
So yeah, that's where thechallenge is a little different

(12:41):
to things on the engineeringside.
But, we can make a case ofbringing in a new toolkit or
something like that.
So, definitely keeps us on ourtoes over here, I bet.

So, the IAPP's Privacy Engineering Section
Advisory Board, they recentlypublished an infographic that
defines privacy engineering, andit lists job functions that
work toward privacy engineeringgoals.
Those job functions aresoftware development, system
design, data science, physicalarchitecture, process design, IT

(13:17):
infrastructure and then humancomputer interaction (HCI) / UX
design.
Do you think this maps wellwith how you're seeing companies
approach hiring for privacyengineers today?
I'm just trying to get a senseof if this is aligned with what
you're seeing in the market orif this is more of a North Star
that the IAPP folks who put thistogether want to get to.

Yeah.
So I think a North Star analogyis perfect.
I think that to me that is kindof like the gold standard of
what the majority of companiesshould be sort of aiming to get
towards, and I think themajority of companies that we
work with, and obviously placecandidates with, are working
towards getting certainly closeto having each of those kind of

(14:01):
defined areas.
I think the challenge is that'sa journey, right, and everybody
is at their own specific pointon that and some people are
further on than others is how Iwould kind of say.
I would say outside of maybe acouple of organizations I'm
aware of are probably at a pointwhere there are too many that
have their privacy tech programat such an advanced level, or

(14:24):
privacy engineering specifically, where they've broken down into
each of these areas.
The average, I think, out ofcompanies that we would look at
that have a privacy techfunction, we're probably looking
at an average of maybe threepeople.
So, naturally obviously,there's got to be a good amount
of kind of consolidation here,and then there obviously are
plenty of companies that justhave like one or maybe two

(14:44):
people.
So, obviously these differentskill sets have to be like kind
of split out between a smallernumber of people.
I'd say the majority ofcompanies are at, that we kind
of work with who are kind ofhalfway through
this, is that most companies arestarting to kind of split into
two areas.
So we're starting to see a lotof the earlier kind of ones that

you mentioned there (15:04):
so software development, system
design and the UX kind of sidebeing grouped into one kind of
role; and then a lot of theother pieces kind of coming into
another, so data science,architecture, process design and
infrastructure kind of goinginto another skill set.
And there are plenty of goodexamples of San Francisco

(15:25):
companies at the moment who havekind of moved towards having -
yeah, they don't call it like afront end - but obviously having
what I would say more front endfocused, and then having a
privacy infrastructure team thatare focusing on, like we say, a
lot more of that kind of heavylifting and those back end
pieces.
So, that's what I'd say we'reprobably at.
I definitely agree with theIAPP, though I would love to see

(15:46):
in three, four years, themajority of companies out there
having really like definedfunctions across each of these
areas which are also importantfor a privacy engineering
function.

Absolutely, I agree with that.
I'm going to add theinfographic that I'm referencing
into the show notes, so ifanybody wants to check it out,
you can find it there.
And then, what are just somebasic other overall trends
you're seeing as companies hirefor privacy engineers and
technical privacy roles?

Yeah, there's a couple.
I'd say that the one thatstands out the most is probably
the move towards highertechnical capabilities.
So I think, similar to what wetouched on with the architecture
piece a minute ago, almostevery time we have a client
coming back to us we worked with, let's say, six or 12 months
ago, we're looking for a similarperson that sits within the

(16:38):
same team.
The jobs are just getting alittle bit more technical.
So, let's say like 12, 18months ago, we're looking at
like basic automation andscripting skills within Python
and a good background workingwith a cloud environment.
Now, we're looking at peoplewho can come in and write
production- level code in Pythonor potentially Go.

(16:58):
We're even seeing, in someinstances we're seeing like Star
kind of coming in a little bitas well, but that's definitely
really hard to find.
But, I'd say that's the sameacross the board.
So, if we just go back to thepiece we were talking about
earlier, where we split thoseprivacy engineering roles into
three sections, people in thatinitial privacy engineering spot

(17:20):
we're looking at being able toadvise at a higher- level of
technical capability to theengineering teams they're
working with.
We look at the research sideand where it might have been
just looking at someanonymization and deletion
things, now we're looking atreally detailed applications, so
differential privacy and,obviously, areas that are still
really kind of new.
So, I think the technicalupward curve is definitely the

(17:44):
biggest thing, I'd say; and Ithink, again, that's pretty
natural in terms of theevolution of what's still a
fairly immature space.
And, I'm not a securityrecruiter by trade, but I'm sure
if you speak to most people, mycolleagues, I guess you could
say on that side of the fenceI'm sure they'd say that's
probably similar to whatdirection security started going
in six, seven, eight years ago.

Yeah, thanks for that.
That's really helpful.
So, this is a two-parterquestion.
I have them separate, but Ithink they're kind of almost the
same question.
So, what capabilities docompanies desperately need or
want in candidates that theycan't seem to find?
Put another way, is there arole that is harder to fill
right now than others because ofa lack of candidates and skill

(18:29):
sets?

Yeah, that's another good one.
I think the biggest difficultywe probably have, and the most
common thing we hear regardlessof the skill set within privacy
tech, is the blend of technicaland communication skills.
So, I think certainly myphilosophy on it is privacy
technologists - whether it's anengineer, an architect, or a

(18:51):
researcher - will sit in areally unique position.
So, obviously we have toproduce really high-end
technical work that's fit forpurpose in some of the best and
biggest tech companies or inother industries out there on
the face of the earth.
But at the same time, obviouslywe're producing this work,
producing the products and thecode that go out to customers

(19:12):
and consumers around the world,you still have to be able to
talk to so many different people, which is such a big challenge.
I can't at the moment reallythink of any other areas (again
other than, possibly, security),where you can have some of the
brightest and highest- paidtechnical minds within an
industry.
They still then have to be ableto go out and speak to, let's

(19:34):
say, regular software engineers.
They need to speak to lawyers.
They need to speak tosalespeople and even, obviously,
business owners are completelydifferent areas; and, I think in
much bigger organizations, youcan potentially have a spot
where you can have somebody whodoesn't need to do a huge amount
of that, but particularly incompanies that have teams of 3
to 15 folks in privacy tech, youcan produce the best work

(19:56):
possible; but if, ultimately,you can't go out and then
educate people across yourorganization as to why it's
important, it's always going tobe a real challenge to get your
work out there and actually seeit have the end result on the
customer.
And so, I think for me,honestly, that's probably the
hardest thing.
There's always more digging wecan do.
There are always more stones wecan turn to find a specific

(20:19):
skill set, and that's achallenge.
But, the biggest one is findingthat balance of technical and
softer communication skills aswell.

Yeah, that makes sense because, you know, it's
one of those unicorn roles,right?
I guess one of the questionsthat I have is why does it have
to be one person?
Why can't you just hire someonewho likes to do the
implementation, the work, be inthe weeds, who works with
someone on the team, that is,the communicator?
I see myself as thatcommunicator kind of role, but

(20:48):
it doesn't exist independentlyfrom being the engineer when I
look at job roles.
So, any thoughts on that, likewhy are companies determined
that it is the exact same rolethat has both those skill sets
of technical and communicationscapabilities?

Yeah, I think it's more a matter of like
circumstance at the moment,Debra.
I think if we got togetherevery kind of CPO of a company
that has a privacy tech functionin some shape or another, I'd
like to think the majority ofthem would probably see that
role that we're talking abouthere being on the roadmap.
It's more a case at the moment,I think one of the biggest

(21:26):
cases probably budget.
To be perfectly honest, I think, particularly off the back of
the last 12 months in the techindustry, everybody is trying to
do more with less, and that'salways been the case.
But, that's really pertinentright now.
I think, as companies continueto shift from the mindset of
seeing privacy as a complianceor a legal kind of function into

(21:48):
it being a business enabler anda differentiator that will
continue to see teams andbudgets grow.
And for me, I think that has tobe a role that has a really big
future within the privacy techindustry.
It's just a case, and I guessif we go back to the IAPP
infographic that you're going topop in there, I think most

(22:10):
people would like to have atleast one person doing each of
those things; but, the realityis most companies need to at the
moment have to have one persondoing three or four of those.
So, it's just a case of, Ithink, maturing privacy,
continuing to become more of animportant topic for companies,
and, as we see that natural kindof evolution, I'd absolutely
see that as being a reallyimportant skill set for

(22:32):
companies to have.

Excellent.
Thank you for that.
So, you mentioned before - wetalked a little bit about
privacy researchers - and, I'mseeing some companies with large
research centers hiring forprivacy researchers and they
typically have PhDs.
So, a lot of them are doingtheir postdocs and coming out of
school and going straight into,as you said, becoming applied

(22:57):
engineers, basically in theprivacy space.
So, can you speak to whattrends you're seeing when it
comes to these positions?
Are they mostly for datascientists who research privacy
enhancing technologies on theirdeployment, or are there other
areas as well?
And, is it necessary to have aPhD according to your clients?
Because from what I'm seeing,all of them require a PhD.

Yeah, it's definitely a pretty high
technical bar to get into thatspace.
I would say at the moment, Ican think of a couple of people
off the top of my head thatdon't have a PhD and are in this
space.
I think the stumbling block foranybody that doesn't have a PhD
is that traditionally, you know, bachelor's and master's
programs just don't haveanywhere near the same level of

(23:44):
research within them.
So you're fighting a little bitof kind of an upward battle
there, in the sense that you'vegot people with a PhD who have
the best part of four or five orsometimes six years worth of
research experience that theycan apply straight into what it
is they're doing.
I think we'll probably continueto see that being a dominance.
I can't imagine that we'll seemuch of a shift, certainly in

(24:06):
the short term, where we'll seefolks without that really proven
research background making ajump.
There are definitelyalternatives to it.
I think MITRE, obviouslyaffiliated with the government,
is a great example.
I have seen people go and workwith a master - a technical
master, obviously - with MITRE,who've done a lot of research

(24:26):
there and have then got to apoint of going into an applied
research role with a techcompany.
So, it's absolutely possiblebut it's definitely the less
trodden path at the moment.
In terms of I think your otherpoint was around people coming
from that sort of data sciencebackground, kind of the same
thing.
W e predominantly see peoplecoming from a data science or a

(24:47):
more kind of pure computerscience background into that
space, largely because,obviously, those are the
programs that have the mostcrossover with privacy enhancing
technologies.
So again, probably about 60%,65% of the people that I've
worked with in that space havehad a part of their thesis or
part of their research has beenfocused on some form of either

(25:09):
privacy enhancing technology oran adjacent space.
But there are plenty of peopleout there who obviously have
focused on the fundamentals andare then able to make the jump
across and apply their researchbackground, their technical
knowledge and skill set to theprivacy space.
I'd say most often it's peoplewho've always had some kind of

(25:30):
interest in privacy, whetherthey've been impacted by a
breach at a company, or a familymember or a friend has had
something like that or could besomething completely different.
But yeah, that's, I'd say,typically what we see at the
moment.

Interesting.
Thank you so much.
That's really insightful.
There might be people out therewho are already technical and
want to grow into the privacyspace and maybe become a privacy
engineer or researcher orarchitect.
What advice would you give them?

So firstly, great news.
I'm like very confident we'regoing to see this transition
become easier and easier to make.
I guess on one hand, you cansay fairly simple economics and
supply versus demands; we'recertainly - other than that
couple of big layers we talkedabout earlier - we're not seeing
any companies decreasing thenumber of people they have in

(26:20):
their privacy function.
The vast majority are obviouslyincreasing it and there is a
limited supply of people comingin who've rolled off one of the
master's programs.
I'm also happy to kind of addto that; I've had a number of
conversations with clients inthe last two, three months where
they're already aware of thatand they're already quite keen
to start exploring hiring peoplewith really really strong

(26:43):
technical backgrounds who havesome skills that are adjacent to
privacy, some kind of reason orsome understanding of that
space, so just a baselineknowledge rather than coming as
sort of the ready-made candidatewho's done exactly the same
role elsewhere.
So, to appropriately answeryour question, Debra, in terms
of being able to, I guess,upskill in your own time and get

(27:05):
yourself ready for that jump,there're a few different avenues
that I've seen work really welland have helped kind of
candidates within the past.
So, the first one and I think Iwould suggest this for
everybody who's looking to makethis jump is the kind of formal
qualifications.
So the CIPT course that theIAPP rolled out, I think
probably about three years agonow, is a really great starting

(27:27):
point.
Obviously it's going to teachyou the fundamentals of the
privacy world, how to apply someof your technical background to
it, and it's just from what Isaid.
If nothing else, it's alsogoing to put something on paper
that shows you're reallyinterested in the space and
committed to kind of making thatjump.
Second piece, like less formalbut more achievable to anybody
in their day- to- day role, isgetting more privacy exposure.

(27:51):
So, that can be like seekingout privacy- related projects or
changes in your current role.
I'll happily, tell you, I can'tthink of anybody I know,
certainly high up in the privacytech world, that wouldn't be
happy to have an extra pair oftechnical hands on a specific
project.
So, trying to find out wherethose are, get them at the top
of your resume and make surethey're really clear when you're

(28:13):
speaking to people, you know,when you're applying for that
next role, what it is thatyou've done.
The other piece, I guess I'dsay on that and more for the
kind of engineers, butspecifically, is again just
being involved in the privacyspace.
So, if you've got a GitHub,start playing around with
writing privacy code orpotentially even like privacy
preserving products of somedegree.

(28:33):
Now that can sound quitedaunting to somebody that's
never done it before, but Idon't think it needs to be.
You don't need to go in andbuild the finished product right
away.
Just being able to display tosomebody and pop your GitHub
link on your resume that showsyou're playing around, you're
interested in that space andyou're already putting your own
time into developing a skill setthere is going to set you above

(28:54):
so many people out there.
Certainly, from my perspectiveand again I firsthand have seen
that work really effectivelyover the last couple of years.
And the last thing is, for alittle bit further down the line
, but having a really clear 'why.
' So we can even take like astep back from this.
I mean, any candidate that goesinto interview for any job
should have, in my opinion, areally clear 'why' they want

(29:17):
that job and 'why' they would begood at it.
If you can answer that questionor give a hiring manager,
interviewer, whoever it is areally clear and confident
answer, to me, that's alwaysgoing to have them leave in the
interview with a really goodfeeling.
Even if it's not the right fit,they're still going to leave
with a really positiveimpression of you.
For me, really specifically, ifyou're looking to make a jump

(29:38):
into a slightly differentindustry, having a really clear
'why' that you can articulateappropriately and share with
that person, it's always goingto put you in a really great
spot.
To me, it doesn't matter toomuch what that why is.
As long as it's clearly likesomething that's important to
you, then for me that's alwaysgoing to put you in a really
good spot and hopefully give youa really good chance of making

(29:59):
that jump.

Yeah, that's a really good point.
It also makes me think ofnetworking.
Right?
Going to events where there'sprivacy engineering folks there
and building those relationshipsso that, even if there's not a
position for you right now, ifyou make a good connection, like
you were saying in an interview, but here in a networking
capacity, they might think ofyou for another role in the
future, whether on their team orif they move to another company

(30:23):
and have a new hiring mandate.
So, you leverage your network -you don't go build a network
because you want a job right now.
You build a network so that youhave a network to go to when
you are seeking that job in thefuture.
That forethought, I think, hasreally done well for me in my
career, just generally.
So, I would extend thatsuggestion to anyone who's

(30:46):
listening and seeking any jobrole.
Go to where the people are whoare hiring managers and so you
could learn from them and buildrelationships.

100%.
Yeah, I completely agree, Debra.
I think, obviously the twobiggest ones are the two that
the IAPP run within the U.
S.
Right?
If you're based in theNortheast, get yourself across
to the conference in DC at thestart of April next year.
If you can get down to SanDiego for the PSR Conference.
Is that in October?
I want to say it's the start ofOctober.

I think so.

Yeah, October.
If you can get yourself down tothose events, then that's
brilliant.
You don't often even need apass, like just being able to be
around there.
Send a few messages to peopleon LinkedIn who've posted about
going, and try and grab a coffeeor a drink with them is a great
thing to do.
I've definitely seen peopleleverage those conferences into
helping them get jobs in thefuture.
So, yeah, that's a great bit ofadvice.

Yeah, yeah.
Then there's all of theseprivacy engineering conferences
popping up around the globe aswell - some of them connected to
research universities, othersthat are a little more show and
tell and cross-functional, likethe PEPR conference, the Privacy
Engineering Practice andRespect conference.
It's a USENIX conference inSeptember in the Bay Area.

(32:01):
That's a really good one, too.
There's so much out there.
Just don't sit behind yourcomputer and just apply for jobs
all day.
Instead, get out there and gowhere practitioners are that you
can meet.
So, here is a question that I'mdefinitely excited to hear you
talk about.
It's about salary ranges,because anyone who's paying

(32:23):
attention can see that there's avery wide range of salary
ranges for these differentprivacy roles.
Right?
Privacy Engineer, code review,Privacy Software Engineer,
Privacy Research, like youmentioned before, and Privacy
Architect.
What are the typical pay rangesacross these different
technical privacy roles?
What companies are looking atthe lower range?

(32:46):
What are the higher range?
What are the pros and cons thatapplicants should be thinking
about?

Yeah, I'm definitely going to get a few
messages about this down theline, aren't I?
Somebody who's got way morethan I said they could get?
I'm always happy to have peoplechallenge me on that.
So, yeah, no worries.
Yeah, as you put it, it's sucha wide range.
It's a really tough one to naildown, but I'll definitely do my
best.
I think the first thing I'd say,particularly anybody at an

(33:14):
earlier stage in their career isreally sit down and think about
what the non-negotiables arefor you.
And, for me, whenever somebodysays 'total package' in inverted
commas, for me, I thinkobviously this is like cash is
always important, particularlyin a high- cost area; but, start
to think more about things likescope for growth.
Like, where have people gonewhen they've joined this team at

(33:36):
the same stage that I'm at?
Where have they moved to after?
Is this really taking me in theright direction?
So, yeah, I'd always say get areally good list of those things
there.
Make sure you're really clearon what's important to you
before you start to jump intothis, because, as you put it
there, Debra, there is a rangefor all of these roles, but it
typically will be differenttypes of companies and a
different level of requirementthey're asking from you at the

(33:59):
different ends of it.
What I would typically say, andagain this is a bit of a
generalization, is that ifyou're looking at more
enterprise- type firms (so,companies that have been around
for a little bit longer -they're a bit bigger, not
necessarily an Amazon or aFacebook or a Google or a
Reddit, something like that),you're probably going to be
looking towards the first halfof the ranges I'm going to give

(34:21):
you here.
If you're looking at moreadvanced companies, or, let's
say, like an Open AI, somebodywho's really on the cutting edge
, then typically you're going tobe looking at the higher ends.
But, just make sure you balanceup what they're asking from you
in terms of input to get whatyou're getting out.
So, as a real broad- brushthough, I'd say it's like that
first Privacy Engineer wediscussed - probably, you're

(34:41):
looking at like $130,000 to$210,000 on the base side, at
the top end, and around $170,000to $300,000 total comp.
Privacy Software Engineer,probably $175,000 to around
$300,000 base and around$250,000 to $450,000 total comp.
Privacy Research - this iswhere it gets really broad.

(35:03):
So, anything from $175,000through to mid-$300,000s on the
base, and then $300,000 topotentially $650,000 in terms of
total comp.
I'd say, the top end of that isgoing to be tough if you're
just rolling off a PhD.
That's probably somebody thathas been through a couple of
roles there.

(35:23):
On the Privacy Architectureside, slightly different;
probably looking at $170,000 to$270,000 / $275,000 base, and
around $250,000 to $400,000,maybe $450,000 at the top end in
terms of total comp.
So, yeah, really broad ranges,and if anybody wants a bit more
detail on that, the IAPP guidesare pretty good.

(35:46):
But, I'm also happy if peoplewant to reach out.
I'm always happy to have a chatand see if I can steer them in
the right direction on those.

Yeah, that's really insightful.
I am curious, though, becausewe are talking about, like just
broadly, a Privacy Engineer.
But, what about like a aManager Let's say, a Privacy
Engineering Manager versus aIndependent Contributor (IC)
kind of role?

Yeah, that's a great question, Debra.
So, in terms of that, I wouldsay your best bet on that one,
because this is where it does,similar to the research, when it
gets really broad.
The best bet for anybody whowants to understand that for a
company they're looking at is, Iwould probably go and use Blind
or Levels or FYI.
Have a look at the SoftwareEngineering Manager banding, so

(36:31):
the companies that you'relooking at, that will give you a
really accurate readout;because again, those bandings
become so broad and so wild, Idon't know if it's necessarily
gonna be great for me to put anumber on that right now.

Okay, yeah, it could be high.
Like, it could be really high,which is good.
I just want the listeners toknow the career path ing if they
they choose to go a PrivacyEngineering route and want to go
up the chain that right now itcould be pretty lucrative; but,
it also could be a lot more workand a different kind of
environment than theynecessarily want to work in.
So, there's always pros andcons.

(37:04):
Could you describe what theBlind app is for those who
aren't aware?

Sure, yeah, so Blind and Levels are the two
that I use kind of like mostregularly.
They're just web apps you can goon, pick out a particular
organization, and then it willgive you a readout of basically
the Crowdsourced information anddata, so data on what people
get paid at those specificlevels, particularly in tech;

(37:30):
you know, it's not as relevantfor a banking community, for
example, because those bandingsare so well established and have
been there for so long.
But, you think, like aMicrosoft, for example, have
like 50 different levels withinthe organization.
So, it's really good justbreaking down what band you can
expect for a base salary; abonus, if there is one; and from
an equity perspective.
So, yeah, super helpful.

(37:51):
It's also, every companystructures their packages
slightly differently.
Some companies, way moreslanted towards the stock
element, some companies moretowards like base and bonus.
So, it's, for me, a reallyhelpful way just to try and
understand how a package isstructured, what you can expect,
and what sort of banding youshould be within if you're
applying at that particularorganization.

Excellent.
I really appreciate that.
I think that's gonna be reallyhelpful, and I'll put a link to
the Blind app In the show notesas well.
So, are your clients seekingany true entry level positions
for technical privacy roles, orare they kind of saying it's an
entry level role but it reallyrequires a ton of prerequisite
experience?

So, we yeah, we don't typically get engaged
too often on entry levelpositions.
A lot of companies will try anddo that themselves wherever
they can because they'reobviously outlay on employing a
search firm like us.
It's not cheap, and so they'lltry and find graduates where
they can themselves.
We do occasionally, maybe likea couple a year, I would say,

(38:58):
certainly from what I see - andagain I'm very happy to be kind
of challenged on this by people- we don't have the same problem
that you have in security,where companies look for entry
level candidates or that youknow they say they're looking
for entry level and then lookingfor like three or four years of
experience or X, Y or Zqualifications that people
normally get down the line.
So, a lot of the time when Isee, again, entry level roles

(39:22):
out there, I think they'rebanded around the right type of
level.
The trouble is always going tobe - most companies will try and
do that directly.
If you go and click on 'Apply'on LinkedIn, yeah, you could get
lucky.
You can get in front of theright person at the right time,
but so often there are so manypeople, it's a really high
chance you'll just get lostamongst people who are just

(39:43):
unqualified.
So, I think, yeah, maybe onebit of advice, if you don't

mind, Debra (39:48):
I'd say, for anybody who is rolling off, you
know, one of the mastersprograms or looking for that
entry level role within privacytech, go and have a look on
LinkedIn.
See if you can find the talentacquisition people who focus on
privacy.
Try to build a relationshipwith them.
Even if those companies aren'thiring right now, those people

(40:08):
are always going to beinvaluable in your career and
helping you get through thedoor, and also make sure you're
not one of three or four hundredresumes for a position.
You're somebody that's actuallygetting pushed forward.
I'd say, do the same withagency recruiters, as well.
You know, there aren't loads ofus in the privacy world, and
we're less likely to be able tohelp you right now; but, any

(40:29):
decent kind of agency recruiterin the privacy space, we'll try
and build that relationship withyou for three, four, five years
and should be in a good spot tohelp you at some point during
that period of time, if not acouple of times.

That's great advice.
Thanks for that.
What's the best way for privacytechnologists to stay up- to-
date on hiring trends?
What resources do you use or doyou suggest they tune into?

I'm actually going to defer back to your bit
of advice from a few minutes ago, Debra.
I think the best, like the bestway is always going to be face
time with people in the industry.
So, if you can get yourself tothe conferences - I know you
mentioned a couple that areslightly newer there and focused
on privacy tech - all thelarger ones getting to those
conferences, getting along totheir, whether it's the happy

(41:15):
hours or the dinners and justtrying to get as much face time
with people as you can.
For me, it's always going to bethe best, like the best way to
kind of stay up to date on that.
I'd also say, especially if youhaven't done much of that
before, go in with like two orthree questions that you've
jotted down on a piece of paperor on your phone that you can
just drop into conversation totry and understand a bit more.

(41:37):
Obviously, try not sound toorobotic with the delivery, which
I've definitely done a fewtimes, but just try to ask
people, you know, what kind ofinitiatives they're working on;
what are the big kind of focusesfrom a privacy engineering
perspective is always a greatway to just sort of absorb and
learn as much about what otherpeople are doing.
The other thing I'd say isnewsletters.

(41:58):
Most of the conferences we'vementioned, the companies that
run them have newsletters andthey're always one of my biggest
resources.
So, yeah, getting signed up tothose, reading them when you're
having your coffee in themorning, is a great way to do it
and a great way just to stay upto date with general things
that are happening.
So yeah, to be the honest,those are probably the two
biggest ones that I use, andjust yeah, just kind of chatting

(42:19):
to people as much as I can,which I'm sure you can tell by
now and I love to do.

Same.
Awesome.
Well, you know we're nearingthe close.
I just want to make sure thatpeople can reach out to you if
they have questions or if theyare seeking, you know, either to
hire you to help place peoplein their companies for privacy
technology roles, or if they arelooking for jobs.
What's the best way to contactyou?

Yeah, sure, so always happy for anybody to
reach out.
Yeah, always happy to have aconversation, and help wherever
I can.
Best way is always throughLinkedIn.
So, yeah, just just pop me anote on LinkedIn and we'll be
able to find some time to catchup.

Awesome.
Any last pearls of wisdom youwant to leave the audience with
today before we close.

I don't think so, Debra, but, thank you so
much for having me.
It's been been great to talk alittle bit about these things
and, yeah, I really hope it'shelpful for people out there.

Yeah, likewise.
I definitely want feedback fromthe audience if you're finding
this helpful, so feel free toreach out and, you know, let us
know, because we we'd like tobring more content like this in
the future as well.
George, thank you so much forjoining us today on Shifting
Privacy Left to discuss hiringtrends for privacy engineers and
other technical privacy roles.
I definitely hope to have youback in the future to update us

(43:39):
on trends.

Thanks, Debra.
Yeah, anytime has been anabsolute pleasure.
Would love to come back.

Excellent.
Until next Tuesday, everyone,when we'll be back with engaging
content and another great guest.
Thanks for joining us this weekon Shifting Privacy Left.
Make sure to visit our website,shiftingprivacyleft.
com, where you can subscribe toupdates so you'll never miss a
show.
While you're at it, if youfound this episode valuable, go

(44:08):
ahead and share it with a friend.
And, if you're an engineer whocares passionately about privacy
, check out Privado, thedeveloper- friendly privacy
platform and sponsor of the show.
To learn more, go to privado.
ai.
Be sure to tune in next Tuesdayfor a new episode.
Bye for now.

All Episodes

Episode Transcript

Popular Podcasts

Dateline NBC

24/7 News: The Latest

Therapy Gecko

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}S2E23: "Navigating the Privacy Engineering Job Market" with George Ratcliffe (Stott & May)

Episode Transcript

Popular Podcasts

.css-r6mb8g{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:1;overflow:hidden;}Dateline NBC

24/7 News: The Latest

Therapy Gecko

All Episodes

S2E23: "Navigating the Privacy Engineering Job Market" with George Ratcliffe (Stott & May)

Dateline NBC