The following comes from the IAPP’s report, A Call for Agility, The Next Generation Privacy Professional (a must read for all persons practicing in the privacy realm):
The agile privacy professional is the next generation privacy professional:
- an expert practitioner who is keenly attuned to culture and regional distinctions as these continue to grow in an increasingly interconnected data economy;
- who can migrate and adapt to different roles within an organization and offer value at reach;
- who exhibits both comfort and grasp of legal/compliance and technical disciplines; and
- who instills direction and leadership of privacy management within an organization.
I’d like to focus on the third bullet point for the moment. A recent Carnegie Mellon study found that almost one-third of the websites studied had errors in their compact privacy policies. A visitor to one of these sites would incorrectly assume that the collection and use of his or her data was consistent with his or her IE privacy settings. The study suggests that some errors were the result of sloppy work and that some were deliberate. 21 of the top 100 sites had errors in their compact privacy policies.
Lack of consent and unfair and deceptive acts aside, how do you avoid these problems? The study suggests that while some sites appeared to do this on purpose (some used known configurations designed to work around IE privacy settings), many appeared to be sloppy. Governance is the obvious answer, but how does the non-technical privacy professional navigate these issues? By learning a little technical knowledge and some skill.
Reading about current events in the privacy realm will pretty quickly alert you to technical issues that you need to be aware of. But you need to dive deeper. In this case, a diligent privacy professional will educate himself or herself on compact policies (the study does a fairly nice job of explaining the technology behind compact policies, which is relatively simple). This issue also needs to be added to your checklist of what to look for before you allow a site to go live.
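As an added illustration of that checklist item (not code from the post or from the Carnegie Mellon study), the checker below reads a site’s P3P compact policy header, flags tokens that are not part of the P3P 1.0 vocabulary, and catches the malformed header shape the study describes. The token table is transcribed from the P3P 1.0 specification; the sample headers are constructed for the example.

```python
import re

# P3P 1.0 compact-policy tokens, grouped by the policy element they abbreviate.
# Transcribed from the P3P 1.0 specification (assumption: complete for P3P 1.0).
P3P_TOKENS = {
    "access":    {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes":  {"DSP"},
    "remedies":  {"COR", "MON", "LAW"},
    "non-ident": {"NID"},
    "purpose":   {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                  "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category":  {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
                  "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test":      {"TST"},
}
# Purpose and recipient tokens may carry an opt-in/opt-out/always suffix (i/o/a),
# except CUR and OUR, which the spec defines without one.
SUFFIXABLE = (P3P_TOKENS["purpose"] | P3P_TOKENS["recipient"]) - {"CUR", "OUR"}

def parse_cp(header):
    """Return the whitespace-separated tokens of a P3P header of the form
    CP="..." or None when the header does not have that shape."""
    m = re.fullmatch(r'\s*CP\s*=\s*"([^"]*)"\s*', header)
    return m.group(1).split() if m else None

def check_compact_policy(header):
    """Return a list of findings for one P3P header; an empty list means every
    token is a valid P3P 1.0 compact-policy token."""
    tokens = parse_cp(header)
    if tokens is None:
        return ['malformed header: expected CP="..." with a quoted token list']
    findings = []
    for tok in tokens:
        base, suffix = tok, ""
        if len(tok) == 4 and tok[3] in "aio":
            base, suffix = tok[:3], tok[3]
        known = any(base in group for group in P3P_TOKENS.values())
        if not known:
            # Free text in place of tokens is exactly the error class the study reports.
            findings.append(f"unknown token {tok!r}")
        elif suffix and base not in SUFFIXABLE:
            findings.append(f"suffix {suffix!r} not allowed on {base!r}")
    return findings

# Constructed sample headers: one well-formed, one using prose instead of tokens.
GOOD_HEADER = 'CP="NOI DSP COR CUR ADMa DEVa TAIa PSAa PSDa IVAi IVDi CONi TELo ' \
              'OTPi OUR DELi SAMi UNRi PUBi OTRi IND PHY ONL UNI PUR FIN COM NAV INT"'
PROSE_HEADER = 'CP="This site has no compact policy"'
```

Run `check_compact_policy(...)` against each header your web team intends to ship; any non-empty result is a finding for the go-live checklist.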
I am a big fan of cross-educating, particularly within an organization (though doing it outside your organization can be a great networking opportunity). While working for a previous employer, a security colleague and I would sit down once a month and spend thirty minutes on privacy and thirty minutes on technology, each of us educating the other on our respective fields. We usually picked the topics ahead of time. For example, when I was reading Security Engineering by Ross Anderson, I needed to understand man-in-the-middle attacks and how they could be countered by fortified password protocols. In this case, not only do you get the substantive knowledge, but you also get the experience of your colleague. You can begin to analogize the situations you come across with the situations your colleague told you about, for example while explaining why disabling online accounts after three failed log-ons can lead to larger problems (denial-of-service attacks). To complete the circle, you would bring a copy of this study to your next informal education session, learn about compact policies, and then stroll down to the person who owns website development for your organization (and impress him or her with all your technical knowledge, without mentioning that you learned it a few minutes before).
But you don’t always need an expert explaining things to you. A few minutes on the internet can be pretty effective as well. Here is the Wikipedia entry for man-in-the-middle attacks. The security team will start to think you are very cool when you begin using Alice and Bob in your privacy examples (do a little research and you’ll understand why).
As your knowledge deepens, you’ll start to see the world, and particularly your organization, in a whole new light. No longer will SWIFT be a case about “system architecture” that is discussed in the abstract at conferences and not at all at your internal meetings. Suddenly, you’re having a chat with the head of IT, and then with your senior management, about why using Salesforce.com to support your Middle East teams may raise issues for your high-value Middle Eastern prospects: their data will be stored in the US, and they aren’t keen on that because of real and perceived concerns about US government access. Then you’re reading Enterprise Architecture A to Z by Daniel Minoli and asking questions your IT people don’t even know the answer to. 😉
Key takeaway: Know enough about technology to have intelligent conversations with your IT people and to be able to speak with credibility to senior management.
“asking questions your IT people don’t even know the answer to”
This isn’t a fairly hard proposition, at least from what I’ve been exposed to. Most IT personnel are so busy with BAU they don’t bother to keep up with what’s going on outside their three-walled cubicle unless it’s in their job description to do so. You start talking cryptography, man-in-the-middle attacks, etc., and the only thing you’ll hear on a conference call is the distant sound of dogs barking.
I also find, unfortunately, that a lot of people who have risen up from doing data entry or something similar lack the substantive background to engage in high level architectural discussions and even more importantly seem uninterested and not willing to learn.
This is definitely true, but experience and knowledge do vary. I’ve been lucky to work in highly regulated industries or organizations that have the resources to retain the right talent. They are worth their weight in gold. Organizations must take responsibility for developing their people. I’ve always greatly enjoyed identifying those that are hungry. And, as you suggest, personal development must be required in an employee’s commitments. The organization must support that development as well. Training and awareness are critical. Unfortunately, many small and medium-sized organizations don’t have the resources, have poor management who do not prioritize developing their staff, or just plain don’t care.