Episode #12
The Intersection of Cyber Risk and Data Privacy with Guild Education's Julie Chickillo
Show Notes
In this week's episode of the Future of Cyber Risk podcast, David speaks to Julie Chickillo, VP, Head of Security at Guild Education, a platform where workers can gain the skills and support they need to grow in their careers. They discuss current trends around cyber risk management, including the rising need to integrate more data privacy into security practices. They also talk about how security teams can better understand how risk impacts business decisions, how to weed out "dark patterns" when developing software, and how to support team growth through continuous learning opportunities — including a security book club.
Topics discussed:
The evolution of Julie's career, from nearly 20 years in legal, security, governance, risk, and compliance, to becoming head of security at Guild Education, a career enablement platform.
The day-to-day actions of a head of security, including overseeing the privacy and risk groups, looking for new ways to support the team, and keeping up with developments in the industry by talking to founders.
What security practitioners get wrong about cyber risk management, and why practitioners shouldn't own the risk themselves.
Why Julie likes talking to founders about what they're seeing across the industry, and how you can find them at conferences and trade shows "on the outside."
What skills and training are important for a security team, including learning a language like Python, taking free courses, engaging in book clubs, sharing opportunities on Slack, and more.
The necessity of being able to translate data and privacy concerns to business leaders, and to be able to talk about the impact to business decisions.
What dark patterns are, how they impact privacy and data use, and how to better consider user experience when designing software.
Quotes from Episode
#1.)
"You have to message up. I think it's, again, really understanding the impact to the business that you're trying to message. And so you can't just say, oh, there's a vulnerability on the S3 bucket and therefore a certain set of data is at risk. You're going to have to translate that into, 'Because we see a certain data set impacted, we're going to make a business decision to spend time and money fixing this vulnerability.' You have to flip it. You can't just use the privacy words or the technology words. You do have to translate into the business speak." (14:07)
#2.)
"I think the thing that a lot of practitioners get wrong is they assume or they feel the pressure to own the risk themselves. And so what I would say from my philosophy and what my standpoint is that my job is to be an advisor on the risk to the business. And so I should be able to explain to a business owner or somebody within the business, like your CFO or even head of engineering, what risks are at stake and then aligning that to the business risk appetite." (4:27)
#3.)
"The other one that is really exciting for me, that we're starting to see, is an intersection between data privacy, data operations, and security. I think it's an emerging practice that will definitely be powerful in the next, probably two to five years, maybe sooner, depending on how fast it catches on. I think it's the next DevSecOps." (10:49)
#4.)
"So you're designing security into the practice of software development. It's also thinking about privacy and the implications to privacy as you're building out your software. And so it's the things early on, maybe in a lifecycle as you're building product or as you're making decisions about user experience — how are they impacting privacy rights?" (20:27)
#5.)
"I think with that we are going to have to see a change, a shift from somebody who's just in technology to that business person who's translating the risk from your cyber or privacy programs back to the business. We're already seeing the boards having to bring somebody on for a cyber level. And so if you're having somebody on the board who can speak to cyber, you're going to have somebody inside who can report out to that person." (27:21)