Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Jared Coseglia (00:01):
AI is going to have a very dramatic impact on how engineers of any style or fashion, much less privacy, are valued. So, understanding the complexities of AI is going to be a differentiator that both commands a higher salary and, over time, will broaden the amount of opportunity that you will be competitive for. So, understanding - whether it's regulatory frameworks or best practices or competitive intelligence or creative ingenuity - baking AI into your knowledge base is going to be advantageous. It remains to be seen how or when, but I think that inevitability is nigh.
Debra J Farber (00:53):
Hello, I am Debra J Farber. Welcome to The Shifting Privacy Left Podcast, where we talk about embedding privacy by design and default into the engineering function to prevent privacy harms to humans and to prevent dystopia. Each week, we'll bring you unique discussions with global privacy technologists and innovators working at the bleeding edge of privacy research and emerging technologies, standards, business models, and ecosystems.
Welcome everyone to Shifting Privacy Left. I'm your Host and resident Privacy guru, Debra J Farber. Today, I'm delighted to welcome my next guest, Jared Coseglia, the Founder and CEO at TRU Staffing Partners, a 14-year-old, globally-recognized, award-winning contract staffing and executive placement search firm that represents talent and opportunities in 3 core industry verticals: data privacy, e-discovery, and cybersecurity. Today, we're going to be discussing what's new on the horizon in the market for privacy engineering, specifically around contract work.
Jared Coseglia (02:00):
Thanks for having me. Great to be here on the coolest podcast in privacy.
Debra J Farber (02:05):
Oh, you know how to flatter! I appreciate it, though. You know, I know my audience really has an appetite for more information about the state of the privacy engineering and privacy tech job market. Obviously, I'm eager to have you on the show, Jared, it was perfect timing meeting you at the IAPP Privacy Security Risk Conference in San Diego last month; and so far, we've been building a relationship and I feel like I've known you for a long time. I think it has to do with us both being from the New York area, but that's neither here nor there. So, meeting you was wonderful, and I know from having talked to you before recording this episode that you really do have a finger on the pulse of the contracting market for privacy roles, including privacy engineering jobs. So, what I'd like to do, if you're up for it, is to focus on the current state of the contracting market generally for privacy jobs and then focus on what you're seeing, and what you're forecasting for, the privacy engineering market specifically. Does that sound good to you?
Jared Coseglia (03:11):
Sounds like an amazing plan. I have lots of information to share. Absolutely.
Debra J Farber (03:15):
Awesome, okay, great. I guess the first up is: can you compare and contrast for us what the contracting market is like from the market for full-time placements generally, but also, you know, if you want to contextualize, with privacy jobs.
Jared Coseglia (03:31):
Yeah, I may kind of give you a little bit more than just an answer to that, because it's a complex ecosystem. Right? What happened in Q4 of 2022 was a bit of a shock to the system for privacy engineering, meaning we saw the stock market - after nearly 24 months of meteoric rise on the NASDAQ - crash pretty hardcore. That crash led to a significant amount of layoffs in Big Tech, but generally across the Fortune 500 and beyond. Those layoffs, for the first time maybe in a decade, dramatically affected the engineering community, particularly the privacy engineering community; and that hasn't necessarily come to a full stop yet. As we just saw, I think two weeks ago, LinkedIn / Microsoft laid off 700 employees. About half of those were engineers and many of them involved in privacy and security engineering.
So why? Why did they all get laid off? Mostly because these Big Tech companies needed to improve their profitability, and in order to improve profitability and get their stock prices to go back up, they needed to fire people. Headcount is the most expensive line item in any business and certainly with very expensive, very skilled privacy and security engineers, they became an easy target. Now, what happened at the same time in Q4 of 2022 is the rise and birth of what we now see as AI in a new and enriched way. So, a couple of things happened after those events. Right? Zuckerberg lays off 10,000 people, the rest of Big Tech slowly follows over the next 3 to 5 months, and then the rest of corporate America follows over the next 6 months. A lot of those people were paid very well. A lot of them are doing advanced privacy engineering in a way that a lot of companies hadn't even begun to institutionalize in their programs.
So, what we started to see happen at the beginning of this year, in 2023, were a lot of organizations trying to take advantage of all these RIFed privacy engineers becoming available - some for the first time ever in their careers - on the market. Here's the problem. Most companies couldn't afford to pay the full-time salaries that privacy engineers were commanding in Big Tech at their organizations that were not part of Big Tech, and that dissonance between what a privacy engineer was commanding from their former employer, in terms of a full-time base and total compensation, and what other employers were willing to pay was a pretty wide gap. So the rise of privacy engineering contractors was given birth for the first time in the privacy industry's entire history. For the last decade or more, what we've seen is an extreme drought of supply, despite whatever the high demand may be for privacy engineers; and, in Q4 of 2022, there was now a supply available. But, they couldn't afford to hire them at the same rates that they were being hired by Big Tech, or they weren't willing to. What they have been willing to do is bring them on in either a fractional or a part-time capacity as contractors, to come on board and impact the organization.
That has become really appealing to a lot of job seekers that are privacy engineers. A lot of times, there is a greater sense of satisfaction by making an impact rather than looking for something that's going to be stable. Stability has never really been the cornerstone of why people joined Big Tech companies, nor has it been the historical trajectory of their career. I'm going to go to work at Twitter and spend the rest of my life there. I mean, some people may have thought that. But they were also very surprised when that company had a change of control, and that also led to a lot of layoffs, as we know, and that was not just economically-based, but just because of a massive change of control in a company that had really been an apex of a lot of privacy engineers either getting their start or thriving. So, now we're seeing companies bring them on in fractional capacities, and that supply equilibrium to demand has now enabled a vast amount of corporate America and beyond to utilize these very seasoned, skilled privacy engineers in their programs, but not necessarily in a full-time capacity. And, this is a trend that we believe we're going to continue to see for probably the next 6 to 12 months, with an expectation that the full-time hiring market for privacy engineers is likely to rebound towards the end of next year.
Debra J Farber (08:48):
Wow! So, I've got definitely a few questions there; one being at the end of next year, why do you see that as a boon in hiring for privacy engineering?
Jared Coseglia (09:00):
Well, if history tells us anything, it will be - because privacy full-time hiring versus contract hiring tends to go in waves every 2 years. So, let's flash back to 2015-16, when hiring was pretty quiet. Not everyone really knew what privacy engineering was. It was still very undefined. I mean, to some it still is very undefined, though it's much more defined than it was nearly a decade ago. Then GDPR got announced and 2017 and 2018 was a massive ramp in full-time hiring of people trying to get ready to be compliant or take new products to market with the proper compliance and privacy-by-design baked in. So, there was a massive increase in full-time hiring. Then 2019 came, things got stabilized and then 2020 happened, where things crashed and burned. Unemployment went up to 14%. People were getting laid off left and right. We saw contracting go through the roof. Nearly 60% of the jobs filled in 2020 were contracting; and that's across the entire privacy vertical, but certainly that included engineers. Then, 2021 and 2022 happened and things went through the roof again. Full-time hiring went sky high. Competition was extreme, salaries increased by anywhere from 10% to 40% at the point of hire. So if you were a privacy engineer making $100,000 (which is low, but just as an example), chances are, if you moved jobs in '21 or '22, you went up to $130K to $140K. If you were making $200K, you probably went up to $280K. And so, we then hit Q4 of 2022, and that all crashed again.
Well, if every 2 years we have this kind of cyclical contract versus full-time modality occurring in the marketplace, it's likely to say that in 2025 and late 2024, the lights are going to come back on in a meaningful way; and that also makes sense when we look at stock prices. Right? Most of the companies that are hiring privacy engineers are publicly-traded companies, at least in the volumes that would drive market trends. Even today, LinkedIn Insights indicates that 38% of open privacy jobs that are posted on the internet are coming out of Big Tech, despite them laying off all these people. We'll talk a little bit about - as you and I kind of prepared for before this call - the difference between firing people and then rehiring them, just rehiring them as contractors instead of full-time people and how that changes the P&L reports and the ledger and the line items and thus the stock price of an organization, because that's happening a lot right now, too. But, yeah, I think time has indicated to us that every two years we go through this cycle.
A quick stat just to give you a sense of what happened this year - and we're almost at the end of it: north of 50% (so about 53%) of all the jobs that we've seen filled, including ones that we work on, were contracts this year across the entire privacy ecosystem. That's the first time that contracting on an annualized-level has actually exceeded, with the exception of 2020 (pandemic year), full-time hiring. So, this is now no longer just using contractors, particularly privacy engineers, when market conditions dictate it; this is now slowly becoming a perpetual way in which programs have to think about talent, and that acquiring talent in full-time capacities is no longer the way all employees will get onboarded into a program, nor is it the most fiscally responsible way for an organization to augment talent. They may not need a privacy engineer to come on board forever. They may need them for a succinct 3 to 6 month project and then phase them out. Now they're able to go to market and find somebody with really specific skill sets that can have the kind of impact they need in that 3 to 6 month window.
Debra J Farber (12:50):
So, that actually raises a question for me. In terms of fractional work here, are we talking about full-time work for a small amount of time, like 3 weeks to 3 months, something like that; or does it also include maybe part-time work, 10 hours a week for a year? What are ways that you're seeing the contracting being deployed, whether as like full-on staff augmentation, or are we bringing people on to lead projects and lead the business, even though they're from the outside?
Jared Coseglia (13:21):
So the answer
is
We see examples of what we call "part-time impact," and part-time impact may mean I need someone for three months, 40+ hours a week, have a big impact, and then I phase them out. We also have seen a lot of, what we call, "Part-time perpetual," which is "okay. I don't really know how long I'm going to need them, so I'm not going to set an end date to the assignment. But I also don't know if I'm going to need them 40 hours a week. I may need 10 hours this week, 40 hours the next, zero the next month, then five hours, then 10 hours the next week." And we call that Part-time Perpetual, where somebody can come in at a fractional capacity and have a real impact with no necessary end in sight. So, it's not a high-impact project, but rather using an engineer with a specific skill set to have perpetual impact in a variety of projects, just not in a full-time capacity. That allows some of these privacy engineers to then work for multiple organizations at the same time, and that can be really rewarding for the job seeker. A lot of the motivations that we see from privacy engineers who come to us for representation is "I'm bored, I'm kind of working for the same company doing the same thing over and over, and I'd like to work with different people or be exposed to different kinds of opportunities," and this approach really does allow them to do that quite literally.
But then, there's also what we see as what we call Secondees, which is more to the point I was bringing up earlier of: you lay off a bunch of full-time people, then you hire them back on contract. You're not necessarily hiring the same people back. Quite often they're hiring a less expensive person or people back to replace the expensive people that they let go. But, when they hire somebody back, they may hire them back and have them have the same responsibilities that they would have had as a full-time employee. But, they're not a full-time employee; they're not a direct hire; they're a contractor. Even though they're working direct hire, full-time employee hours, they don't hit the books and therefore affect the stock price and the profitability of the company in the same way that a full-time hire or a host of full-time hires would. So, there is a lot of - particularly in Big Tech - the utilization of contract as a way to keep talent on board perpetually and not part-time, but without being a full-time employee.
Debra J Farber (15:51):
I love it. I mean, that appeals to me, for sure. So, I think that that allows someone to have a lot of varied experience at multiple organizations and be able to kind of have a say on what projects that they take on and then not get bored. I think that's huge because in just... I think about some operational stuff, like if you're in a large company and you're leading something like the onboarding of data stores to data deletion capabilities, I can tell you from personal experience you might really burn out from how boring that can get. So something like this. You know, obviously I'm thinking operational privacy here, but I can understand and think of examples in the engineering space as well. So, I think that this is a great solution for a lot of people who are just feeling stuck, maybe, in their privacy operations or privacy engineering job. Currently, it doesn't really feel there's enough jobs open for them to move around.
Jared Coseglia (16:52):
Well, and not only that, Debra, but it also allows them to maintain their financial status in life, because a big piece of this is that there's a misconception with a lot of, let's just call it, 'older executives' who've got the expectation that when people get fired and the economy is in a slump, that people are going to compromise what they're willing to take in terms of compensation in order to get back to work. But what we've witnessed happen, since the Big Tech layoffs of Q4 2022, is that privacy engineers are not willing to take $100,000 pay cuts in base compensation just to get back to work, because they know, like we do, that this will rebound, and likely much faster than things have historically pre-pandemic. So, they can wait it out 18 to 24 months and, in the meantime, do contract. The reality is most of our contractors, who are what we call 'perpetual' or 'lifestyle contractors' that aren't even necessarily looking to go back to full-time work, wind up working 7 to 9 months out of the year and making the same or more money than they would working 12 in a full-time capacity. Now, they may get slightly different benefits. They may not get the equity that they would get at some of the large tech companies. But, they wind up getting a lot more time off. They might wind up making a lot more cash in pocket Day 1 that they don't have to wait to vest at a Big Tech company, and they get the diversity that you just described, as well.
Debra J Farber (18:33):
Yeah, I think that's great. I mean, you know, I've worked for consulting firms in the past and the diversity is always there at any consulting firm, most consulting firms, unless they're like a specialized vertical. But, I have felt in the past like I was a 'resource to be deployed' and not an autonomous human. Right? Like, "We've got someone got us this project, our sales team got us this project. We need to match a human to it. You're a human and available, we're matching you to it." Right? That's sometimes how, at least in the past, I've kind of felt - like I didn't have enough autonomy and flexibility to pick what I want to work on or say, "This is a project we shouldn't have even picked up in the first place because of X, Y or Z." So I do love this flexibility of what you call "part-time, perpetual" work in a contracting setting; it still gives you that sense of "I'm not going to take a job or I'm not going to take a project through TRU Staffing, for instance, if I think the project is going to be boring or if I don't think there's enough buy-in from the executives, or whatever my own personal valuation is of the project." I still feel like I can make self-determination as to whether or not it's a good fit, as opposed to like a consulting firm; you don't always get that choice.
Jared Coseglia (19:44):
Well, one of the big differences, particularly with working with my organization versus working at a consulting firm, is consulting firms going out looking for business and then pushing people they have on staff into those roles. When working with us, we're going out and looking for contracts that would be appealing to the people that we're representing, who are looking for lifestyle contracts. And you're right - I mean, we used to have a marketing campaign a few years ago that was "take control of your career by being a contractor," because in a lot of ways, moving from full-time job to full-time job lacks some of the control that a lot of very seasoned privacy engineers, or privacy professionals in general, are looking for to stay both satiated and engaged in the work that they're doing day-to-day.
Debra J Farber (20:33):
That makes a ton of sense. So, what trends have you been seeing generally when it comes to privacy job seekers, how they're trying to find privacy engineering roles? Also, I guess in the same answer, you can also answer, how do hiring managers typically find candidates for privacy engineering roles?
Jared Coseglia (20:48):
Yeah, so this is a big can of worms, but let's go ahead and open it up, Debra. [Debra: Let's do it!] So, let's start with the latter part of your question and then I'll probably ask you to come back and ask me the first part again, because the latter part, I've got some really compelling statistics for you.
Debra J Farber (21:02):
Oh, great! Everyone get your pen and paper or get your notes ready.
Jared Coseglia (21:07):
The way that most people in corporate America are looking to staff privacy engineering jobs is DIY. And what do I mean when I say DIY, 'DIY staffing?' DIY staffing usually consists of a couple of different avenues with which to pursue...
Debra J Farber (21:23):
Let me just spell that out for any of the non-native English speakers that... well, you actually did spell it out, DIY is 'Do-It-Yourself.'
Jared Coseglia (21:30):
Do-It-Yourself, which means you're not engaging a company like me, who's sitting on a bench of talent all the time and constantly increasing that bench. We like to brag that when someone gives us a job order - privacy engineer or any privacy professional - you're getting at least 3 to 5 resumes in 48 hours. Here's what most people are doing with the DIY. They're either posting the job on the internet, on their company website; posting it on a LinkedIn job board, using their own LinkedIn channel to solicit talent; using their internal human resources or talent acquisition teams, many of whom, just like a lot of engineers in Q4 of 2022, got fired because, guess what? If you're not going to hire people and you're firing thousands and thousands of people at your organization, who are you going to fire? Well, you're going to fire the people whose job it is to hire people, and that's your internal recruiters. So, in addition to a lot of privacy engineers getting laid off at the end of last year and throughout the course of this year, so too did a lot of internal recruiters who: A) had a lot of institutional knowledge about the companies that they worked for; but, B) also had a lot of niche subject matter expertise about the specific divisions in those businesses that they were staffing for, a la privacy. Those people all got fired - not all of them, but lots of them got fired - because companies were not planning to rehire for the next 12 months. Then what happens? They hire somebody that hasn't worked at the company before that is going to post the job online and essentially be the lynchpin for sifting through, or parsing through, all inbound resumes.
Here's the statistic that blows my mind and will probably blow all our listeners' minds. We did an analysis and we went through the last 5 years - and that's thousands and thousands and thousands of applicants. Tens, if not 100,000+, applicants that have applied to jobs that we've posted online. Of all the applicants - and we get 100+ a day conglomerate between all the jobs that we post in privacy - of all the applicants who sent us their inbound resume for a job we posted, only 8% of those candidates actually get those jobs. Only 8%. That means 92% of the time when we're filling a job requisition from a client, it is not coming from someone that has applied to a job posting and thus, we have then reverted their resume and candidacy to our customer. It is coming from a million other sources, like networking at conferences, like hardcore recruiting, like peer referrals.
Most corporate America is relying on inbound resume submission to fill their jobs, which is why 1 of 3 things is happening: Either A) the jobs aren't getting filled because the quality and caliber of the candidate is not matching the desired hire. Or B) the right candidate is slipping through the cracks somewhere in the process of parsing resumes, because the human resource professional isn't necessarily an expert on privacy or the company and doesn't know a good resume when they see one. Or C) they're hiring somebody who's less expensive; isn't at the caliber that they want; and then 3 to 9 months later, they're having to replace that person because it's not the best hire for the job that they needed because they're looking at the people that are only winning 8% of the time, not the 92% that are passive job seekers who are relying on experts in the space to broker the next move for their career.
Privacy Engineers are very calculated about the moves that they make and the kinds of companies that they want to go to work for. So, this DIY approach has not only net people being unsatisfied with the talent they're getting, or people missing out on talent because it's not being parsed correctly, or people mis-hiring. It's also led to a lot of people saying, "I'm just going to go contract, I'm not going to look for these full-time jobs because they're trying to get me at a discount, or this person doesn't really understand the nuance of what I do, or my resume got lost in the shuffle." We see that happening day and day again. The net of this is also that jobs stay open for a really long time. We fill an average privacy engineering job in about 35 to 45 days and I see a lot of customers that are trying to do it themselves; and those jobs have been open for 120, 200, 220 days because they're essentially waiting for the right candidate to apply for the job. For the most part - 92% of the time - the right candidate isn't applying for the job. They're waiting for somebody to approach them about it.
Debra J Farber (26:23):
When you say approach them about it, are they looking for somebody to see their LinkedIn and reach out and say we need someone who's doing exactly what you're doing but at our company? Are the job seekers actually going to networking events for purposes of job seeking? Or, is it something a little more on the down-low, where it's like "I'm looking but I'm not actively applying"?
Jared Coseglia (26:44):
It's a little bit of all of them, but let's take networking at conferences as an example. Most of the people who are hiring managers for privacy engineers are going to conferences and generally socializing with other hiring managers for privacy engineers. They're not necessarily, unless it's a few very choice events, getting surrounded by a pool of potential people that will be subordinates. You go to a lot of these executive leadership conferences and it's peers. It's not necessarily subordinates. So, I don't know how effective that going to conferences has been for leaders in privacy engineering unless it's a very few targeted events.
Also, because of the pandemic, so many events have moved virtual. One thing that does not translate from an in-person conference to a virtual conference, though I think knowledge sharing and knowledge transfer does, but networking does not. It is not the same getting on a Zoom or getting on a Teams call where you're presenting information that you would at a panel at a conference and then being able to have one-on-one interactions during cocktails afterwards or on the vendor floor the way that you and I did at PSR. It's just not the same virtually, when you have virtual events. Because so many people have moved to that, it's very difficult to recruit without the help of a recruiter on a virtual event. And, add to that - when everybody thought we were going to go into a recession this year and everybody started getting laid off in Q4 of 2022, guess what else got pulled? Not just headcount, but budget to go to conferences. Most of the people that you're looking to hire are mid-market, which means 3 to 8 years of experience; and those are the people who lost the budget to go to conferences. You and I are both at PSR. It was filled with a lot of high-end people. It was not filled with what I would consider the masses of the middle market for privacy engineering. It was filled with a lot of sales, executive, leadership professionals with some middle market professionals in there; but those people didn't get the budget to go to these conferences. That's not really been an effective recruitment tool for a DIY approach.
Debra J Farber (28:48):
Right. That actually tracks with what I've seen, too. Although, I know there's a Privacy Engineering Section, but I don't feel like IAPP is the champion of engineers or anything. So, it's not exactly like privacy engineers are flocking to a conference predominantly about privacy law, consulting, privacy ops. Right? That's mostly what IAPP is for. While they're trying to capture some of the privacy engineering market and build community around it, I wouldn't say that they've fully succeeded in bringing in those engineers into the fray, where they're spending their precious budgets on going to an IAPP conference rather than engineering-focused conference.
Jared Coseglia (29:27):
I also think the engineering managers are smart enough to know not to send their highly desirable employees to go get poached at a conference. I've had a lot of my customers say it outright. "No, I'm not going to send my people to that. Why? So that they can go get poached by one of my competitors?"
Debra J Farber (29:44):
That's a fair point I hadn't considered. It makes sense that you would think about that. So, I've seen salaries and job requirements for privacy engineers that are all over the place, right, depending on company size, the type of company, Big Tech versus anything else, based on location, industry vertical... Can you unpack for us why you see these discrepancies all over the place and maybe give us some insight into how salaries are calculated for privacy engineers?
Jared Coseglia (30:19):
The first 2 buckets that I think are the easiest to help define the discrepancies in compensations are regulatory scrutiny and business opportunity. Sometimes those go hand-in-hand. If there's an organization that has tremendous regulatory scrutiny - but also tremendous business opportunity by bringing in skilled engineers that can help take products to market or improve the enterprise in a way that drives client acquisition, client retention, or just overall revenue growth - that's where you're going to see inflated salaries compared to peers in the marketplace. For example, if you're a retail company, but you do not use any customer data, you do not repurpose that data, you don't market that data, you're a family company and you are a subscription-based organization, you're not selling ad tech, you may not pay a lot for a privacy engineer because the impact on the business may not be dramatic enough to warrant paying the same amount that a Big Tech company who is making lots of money on ad tech would. Now, in the same token, if you're a bank or a healthcare company who is under tremendous regulatory scrutiny, but may not have the same business opportunity that a Big Tech company has, you may wind up paying a premium for a privacy engineer because the risk associated with a failure to have good privacy-by-design baked into your products or your process could be disastrous from a financial perspective, much less a reputational damage perspective. Therefore, salaries would be increased in those verticals.
Now, I'll also say this: this is part of the reason why the birth of privacy engineering in contracting has been such a boon - and will continue to be as we see it for the next 6 to 12 months - is because so many of these companies want to use some of that great expertise that comes out of these highly-regulated companies in their organizations. They just don't need that expertise forever. They need it for this moment in time when a new product, or a new service, or an annualized or bi-annual revision to a piece of technology needs updating. That's where the impact opportunity comes in for a contractor. Those are the main driving forces.
Look, the other is geographic,and this is something we haven't
dived deep into yet, but it'sworth mentioning.
Part of what has changed foreverin the workforce is we will not
all be required to work in anoffice 5 days a week ever again.
(32:56):
Most companies are pushing forhybrid and the ones that are
pushing for fully in- office arestruggling to retain their
people with those changes inpolicy.
So, as certain people chooselifestyle over financial success
or the desire to be at a bigcompany and in their office and
(33:16):
have the ping-pong tables and the catered lunches and all the
other perks that come with going into a campus-like environment
- which Big Tech has built a reputation of attracting and
retaining talent with - may no longer be the cultural appetite
for job seekers, particularly in the privacy engineering
vertical.
Being able to work remotely from home may supersede some of
those previous incentives that drove people to go work for
(33:40):
organizations.
That's a real change in our overall global culture, but
definitely in our domestic U.S. culture.
I think a lot of organizations are struggling to mandate an
in-office policy.
Some of them may be doing it, in fact, in hopes that people
will quit, because sometimes it's easier when people quit
than it is to fire them and pay severances and buy out
(34:03):
employment contracts or whatever the case may be, and instead
get people to quit and then you don't have to pay unemployment
either.
But, a lot of people will say, "Listen, I'll take $10,000 or
$20,000 less a year or on this contract in order to be able to
work remotely from home and have the flexibility I'm looking for,"
and that's a bigger priority than even base compensation.
(34:23):
The number one motivator for job seekers for the last 3 years in
a row has been remote work-from-home flexibility.
So, when candidates come to us for representation - and we
probably talked to 50 to 60 different candidates a day
across my organization - we always ask them what's
motivating you to consider seeking opportunities?
(34:43):
The #1 motivator for the last 3 years has been remote
flexibility, because of either people changing their policies
or people wanting more flexibility; and, the #1 way
to get people to quit is to change your work-from-home
policy.
That can go in a lot of different ways.
Right?
It doesn't just mean 5 days or no days.
You could be working no days in the office and your company
(35:04):
says you've got to come in 2 to 3, and now you have a whole
segment of your employee population that is going to go
looking for work because they do not want to come in 2 to 3.
You could be 2 to 3 days a week and say now you got to come in
4 to 5, and you will have a segment of your population that
is going to go look for employment elsewhere because
they do not want to adhere to those in-office policies.
(35:24):
Keep in mind, a lot of these engineers, who are making solid
salaries, often well north of $200,000 a year in total
compensation, if not base compensation, moved further away
from the epicenters of the pandemic during 2020 and 2021.
And, they're not moving back because the cost of living is
too high, especially when they're not getting paid, if
(35:46):
they were laid off, the same guaranteed base compensation
that they were prior to the pandemic.
So, this has also created a tremendous amount of dissonance
in the marketplace; and yes, people will have to pay a
premium to get people who are not currently working in an
office to decide they're going to change their lifestyle and
(36:07):
start coming into an office.
"Before 2020, we were paying you this and now I have to pay you
20 to 30% more to get you to come back into an office that
you were comfortable coming into prior to the pandemic."
Well, I hate to break it to you but yeah; yeah, you are, and
that's about the percentage of increase in base compensation or
(36:28):
hourly rate that a contractor or a full-time employee -
whether it's privacy engineering or any other kind of privacy -
asks for when they say, "Okay, I'd be willing to go into an
office, but I need to see my compensation go to this level."
To even consider it, it's about 25 to 30% more than whatever
they were making before.
Debra J Farber (36:47):
I can understand
that, too.
I mean, I don't want to just say that priorities have changed,
but I think people have realized during the pandemic and
being remote, that there's a certain power that they have
over there.
Like, "Hey, I could do my job remote.
You as my manager now know that because you've seen it happen
and I'm efficient and it's good and you want things to change
(37:09):
and me to come back in,
Jared Coseglia (37:19):
Well, and not
only that, but companies have
always been able to bank on, when things go into recession or
seemingly into a recession, job seekers who are out of work or
willing to take less than what they were making in order to get
back on employment.
That's not the case anymore.
It's just not.
They'd rather go contract and they'd rather wait out the
market.
And you know, we're not talking about people who are making
(37:39):
$50,000 a year and need to put food on the table making money
somehow.
We're talking about people who are making hundreds of thousands
of dollars a year, generally speaking, and these people can
wait it out 6, 12, 24 months to see if the market rebounds and
take that gamble.
There are plenty of contracts available in the interim and
there are going to be even more in next year, because the
reality is people have not won the battle of getting sufficient
(38:03):
headcount to grow their programs, specifically in
privacy engineering, even in 2022.
The E&Y IAPP report says they only grew by 12% in 2022, and
this was the busiest year in my company's history for data
privacy staff.
We placed more people in 2022 than we have any other year; and
even that indicates that there wasn't enough growth in privacy
(38:26):
programs to really meet the demand of what the business
needs from privacy professionals.
And, that's gone down, not up, in 2023.
Debra J Farber (38:36):
So, I was going
to ask you what are your
predictions regarding the privacy engineering and privacy
operations job market for 2024 and beyond?
You started to answer some of what you, before I even asked
the question, started to talk about what you kind of see for
the future a little bit.
But, I want maybe a fuller answer, because you were waxing
philosophical, and now I would love for you to make some
(38:56):
predictions.
What do you foresee, and what kind of advice would you give to
folks looking for privacy engineering roles based on your
predictions for 2024?
Jared Coseglia (39:05):
Yeah, so I'll
start with some stats that kind
of drive the predictions that we've been making, one of which
is nearly 82% of all open job requisitions in 2023 have been
in corporate - meaning not in law firms, not in third-party
consulting firms, and not in software companies.
I think software companies were probably hit the hardest during
(39:27):
the down economy and laid off the most amount of people.
OneTrust laid off, I think, a fourth of their staff, something
like that, or an eighth of their staff.
What we've seen is, you know, they haven't hired them all back.
They're running much leaner, and so a lot of these
opportunities are in corporate and they're in programs.
As that increases the amount of opportunity to go in-house
(39:52):
increases in privacy, it is putting increased pressure on
the people who work at law firms and consulting firms and
software companies to do more with less, and that includes
fewer people.
So, the quality of life for a lot of people working at law
firms and consulting firms and software companies over the last
12 months has really deteriorated; and a lot of
(40:13):
people coming out of those verticals are coming to us
saying I am burnt out and I want to go in-house because I do
not have the resources (in terms of human capital) to
sufficiently service my customers, and so I'm really
working the job of 2 to 3 people.
What we're going to see is continued attrition from those
employer verticals into corporate America, in addition
(40:35):
to the increase in corporate America getting buy-in to
attract and retain that talent, whether it's in a contract or a
full-time capacity.
So, in terms of a prediction, I think what we're going to see
is more people bringing privacy engineering in-house, leaning a
little less aggressively on outside third-parties to help
them with those agendas because, quite frankly, they can't get
(40:58):
the service; or they're not getting the quality of the
service they want; or it's taking too long for them to get
the service, which is also why people are coming to us
aggressively to hire contractors.
Hey, we didn't talk about this earlier, Debra, but one of the
differences between contract and full-time hiring is speed to
hire.
The average timeline for placement for a contractor in
privacy is about 14 days right now, and in two of 2022, in the
(41:22):
peak and height of hiring frenzy, it was 7 days, so less than a
week.
So, if you're looking for someone to come and impact your
program as a privacy engineer, it'll take you 14 days or so
with my organization to get somebody hired from the time we
send a resume to the time somebody gives a verbal
acceptance.
That's what we call 'speed of hire.'
But, if you're trying to DIY staff it yourself and you're
(41:44):
trying to hire it in a full-time capacity, and you're 30% to 40%
below market of what people want in terms of compensation,
and you don't know how to parse resumes that come inbound to
your organization and that's the primary means with which you're
trying to recruit, your search could stay open for 200 - 300
days.
I mean, I know a couple of big household name companies that
have had the same job open the entire year, and at a certain
(42:09):
point they're either going to lose that headcount or they're
going to have to engage a third-party agency and stop
being penny-wise pound foolish about paying an agency fee to
get that person hired; or they're going to have to turn to
hiring a contractor because eventually the work has got to
get done.
As I like to say, over the next 6 to 12 months "the levee is
going to break," and it will break right around Q4 of 2024.
(42:33):
And that's when we're going to see competition increase
dramatically and when competition increases
dramatically, so do salaries.
That's what we saw in '17, '18.
That's what we saw in '21 and '22.
That's what we're going to see in '25 and '26: lots of people
needing to hire because they waited 2 years to do so; lots of
(42:54):
people coming to market; lots of competition.
You're not going to always get your first candidate.
You may not get your second candidate.
Job seekers being able to entertain 3 to 5 full-time
offers, as opposed to 1 or 2, which is what it's been more
like this year.
A quick sidebar: the 'offer acceptance rate' is one of the
things we track here at TRU, meaning if a job seeker gets
multiple offers, which one do they take?
What we found in Q1 and Q2 and Q3 of this year is that nearly
80% to 75% of people were taking the first offer that they
received.
So, if you were fast, if you were quick, you were more likely
(43:32):
to get a yes than if you took your time.
Now, part of that is because job seekers weren't getting a
second, third and fourth offer.
But, if you go back to Q2 2022, when we were at the peak of
post-pandemic hiring, only 45% of the job seekers we were
working with were taking the 1st offer they received.
They were waiting to get that second.
They were waiting to get that third, sometimes a fourth and a
(43:55):
fifth, either to use as leverage against the one that they
really wanted or because they thought they could get a better
offer later on.
People haven't been thinking that way.
People right now generally - 3 out of every 4 - are taking the
first offer they receive, if they're an active job seeker.
So, going to market now and being fast is going to give you
competitive advantage.
You may not have that same advantage in '25 and '26, when
(44:17):
competition increases, when salaries then also increase and
inflate as they did in 2021 and 2022.
I mean, look, according to the IAPP Salary Survey, people got
raises to the tune of 7%, which is the highest year-over-year
percentage of raises.
This is not moving jobs; this is just staying in the job
(44:38):
you're at.
A 7% increase is almost unheard of.
The average is somewhere between 2% and 3%, but the point
of hire salary increase in 2022 for mid-market between 3
and 8 years was between 20% and 40%.
So, that's probably what's going to happen in 2025 and 2026.
If you're looking to get great talent accepting quickly at a
(45:01):
reasonable price, my advice is go to market now and get the
budget and buy-in that you need now to hire in 2024 before
things get crazy again.
Debra J Farber (45:12):
That's actually
perfect timing.
We're at the end of this year.
I know it's usually October for a lot of companies, maybe
November, where they're looking to get their budgets approved
for next year towards the end of one year and the beginning of
the next.
So, that's really great advice.
I had intended on asking you later what words of wisdom you
(45:33):
might want to leave the audience with, but I think that's
actually a really good one: plan for next year now.
I'm not sure if we actually covered this, but what are some
of these annualized compensation ranges that you've been seeing
this year?
Obviously they're all over the place.
But then next year, given what you're seeing and like what you
said - you saw 7% raises to stay in the same job for instance -
(45:56):
what do you think 2024's compensation ranges would be?
To stay the same?
Jared Coseglia (46:02):
Well, I can
categorically tell you we're not
going to see a 7% bump in raises for people between 2023
and 2024.
[Debra: I think that makes sense].
They're not going to get big raises, if at all, are going to
get raises.
So, if you want to make more money - as always, but certainly
this will be exacerbated in this annualized cycle - you're
going to get more money by changing jobs than you are by
asking for a raise.
Having said that, I still think we'll probably see low single
(46:29):
digit raises across the board in privacy, because privacy people
are valued and they are unique and they are special in the
ecosystem of corporate America.
But I think, in terms of salary increases, what we saw in 2023
as a counterpoint to 2022 was about a 12% to 24% increase at
the point of hire.
So, despite it even being a down economy, job seekers are
(46:50):
still commanding 12% to 24% increases in base compensation
compared to what they were making in their current
positions, which is still a very sizable increase.
That's mainly for people in the 3 to 8 year window.
What I would say in terms of salary ranges is it really
depends on industry, and you have to look at both base comp
and total compensation.
With the Fortune 500 - and there are outliers that are
(47:14):
exceptions to the numbers I'm about to give you - and Big
Tech, if they're not in the Fortune 500, though most of them
are, we're seeing anything for
privacy engineers between $175K and $300K on base compensation.
But, those total compensations, depending on the size, scale,
and complexity of the role - whether they're managing people,
processes, technology, or all of the above - can range
(47:35):
anywhere from $250K total comp to a $600K a year total
compensation.
When we move into banking or financial banking and brokerage
or healthcare or healthcare tech, it's less by about 25% to 30%.
So, we've seen engineers anywhere from $130K, $150K base
(47:56):
all the way up to $200K, $225K.
Total compensations at a bank: sometimes you can double your
base at a bank, but usually it's about somewhere between 25% and
75% bonus on top of your base.
So, somebody making $150K might make $300K, might make $225K,
$250K; it really just depends.
Then, I think we go into this next tier, which we'll call
(48:17):
"telecom, food services, retail."
Those engineers often can make similar to big banking and
healthcare on the base, but often do not see nearly as
lucrative of bonus.
So, base salaries can range anywhere from $130K to $200K in
those areas, but often the total comp hovers around $160K to
(48:42):
$250K on those high and low ends.
Debra J Farber (48:46):
That's
fascinating.
I was sitting there just taking in those numbers and thinking
about my own experience working in different verticals.
I guess I could see why some of the highly-regulated verticals
would pay a little more, given how, if you're a payment
processor or a bank, you need to have high fidelity of your data.
(49:09):
There's just a lot more regulators that are breathing
down your neck.
I could see why there'd be a willingness to pay more versus
retail, which has a lot of privacy issues but might be a
little more immature when it comes to compliance and
engineers that are integrated into the compliance life cycle,
(49:31):
so to speak.
Jared Coseglia (49:32):
I think that's
very accurate.
I would also add that when you start hybridizing those
industries, for example FinTech or healthcare tech, that's where
you start to hybridize those salaries, too; and certainly a
healthcare tech company is going to pay more than a healthcare
company.
Fintech company is probably going to pay more than a bank.
I would also add this, the volume of jobs is going to be
(49:55):
bigger in Big Tech - despite the salaries maybe seeming aligned
- than it is in the banking, brokerage, and healthcare space.
You just won't see the same number of human beings doing
privacy engineering and the healthcare community as you will
in the technology community.
So, the amount of jobs available is very different,
even if the salaries are somewhat aligned.
Debra J Farber (50:16):
Yeah, it's also
making me think about the
privacy regulations that kind of drive these things.
HIPAA doesn't have as much uncertainty in it.
There's processes and ways of addressing risk in privacy and
security that are very specific in HIPAA; and where you see
something like GDPR, there are a lot of requirements there but
(50:37):
some of it is principle-based, then it needs a lot of legal
interpretation.
Because it's still such a new global framework that business
are trying to deal with, there's a lot more uncertainty about
whether or not approaches are correct or will stand up to
legal scrutiny.
(50:58):
So, I could see that it'd be easier to maybe scale something
in the healthcare space without as much risk.
You can quantify it better without as much unknown risk, I
guess.
I could wax philosophical.
You just have me thinking about my own background in different
industries and so I'm just thinking about them as we're
(51:20):
talking today.
As we near the end of this year, what's your advice for privacy
engineers who will seek contracting roles in the new
year to best position themselves to hiring managers?
Jared Coseglia (51:34):
I'll give a
twofold piece of advice, the
first of which is AI is going to have a very dramatic impact on
how engineers - any style or fashion, much less privacy - are
valued; and so, understanding the complexities of AI is going
to be a differentiator that both commands a higher salary and,
(51:56):
over time, will broaden the amount of opportunity that you
will be competitive for.
So, understanding whether it's regulatory frameworks or best
practices or competitive intelligence or creative
ingenuity, baking AI into your knowledge base is going to be
(52:18):
advantageous.
It remains to be seen how or when, but I think that
inevitability is nigh.
The second thing I would give advice and guidance for privacy
engineers when seeking jobs is you've got to focus both on your
resume and on interviews in talking about what you've done,
(52:38):
not about what you know.
Where we often find our privacy engineering candidates
faltering or not getting the jobs is because too much time is
spent during the process, either on paper or in person,
speaking about the hypothetical instead of talking about the
actual and the practical.
People really want to hear what you've done, how you've done
(53:00):
it, and what your process is or was on those projects; and often,
I think engineers - particularly privacy engineers
who like to wax poetic - often talk about the things they know
and not the things they've done, and that's where things tend to
get off track in the interview process.
So, really focus on good storytelling that is historical
and not hypothetical.
Debra J Farber (53:21):
That's really
good advice.
Thank you.
What resources do you recommend for privacy engineering job
seekers?
I know you have some resources through TRU Staffing.
Are there ones you'd like to direct people to?
Jared Coseglia (53:32):
We have a ton of
resources.
We have our Annual Data Privacy Jobs Report, and that gives you
insight into Speed of Hire.
That gives you insight into Volumes of Jobs and what
industries they're in.
It gives you insight into Point of Hire Compensation, which is
very different from the IAPP Salary Survey - which we
sponsored and co-developed this year with the IAPP - because all
(53:54):
of that is what people tell you they're making.
Our data really comes from what we're actually placing people
in, or what we know people are accepting in terms of offers,
and those numbers are very different.
So, I would check that out.
Our Annual Data Privacy Jobs Report comes with lots of
valuable information and market intelligence about what's
happening in our community.
If you've never been a privacy contractor or you've never hired
(54:16):
privacy contractors, we have tons of resources available
about what you can hire, what's available out there, how you can
silo your experience to become a privacy contractor, how to
maneuver in the ecosystem as a contractor or as a hiring
manager looking to hire contractors.
You can find all of that at trustaffingpartners.com.
It's all available there and free for all to consume.
Debra J Farber (54:41):
Awesome.
Thank you so much.
I'm going to put those resources, links to that, in the
Show Notes so that everyone has access to them.
Do you have any closing words of wisdom you'd like to leave
everyone with today?
Jared Coseglia (54:53):
Privacy is an
amazing industry.
It's an amazing community.
If you've found your way into it, either by accident or
deliberately, you're blessed.
Don't leave.
We need you.
There's high demand for your skill sets.
Thanks for having me, Debra.
I really appreciate it.
Debra J Farber (55:09):
Oh, it was my
pleasure.
Thank you so much for joining us on Shifting Privacy Left to
talk about contracting for privacy engineering roles.
Until next Tuesday, everyone, when we'll be back with engaging
content and another great guest or guests.
Thanks for joining us this week on Shifting Privacy Left.
Make sure to visit our website: shiftingprivacyleft.com,
where you can subscribe to updates so you'll never miss a
show.
While you're at it, if you found this episode valuable, go
ahead and share it with a friend; and, if you're an
engineer who cares passionately about privacy, check out
Privado: the developer-friendly privacy platform and sponsor of
the show.
To learn more, go to privado.ai.
Be sure to tune in next Tuesday for a new episode.
Bye for now.