Women in the Future of Data Privacy
Patricia Hillbrands, Jennifer Mitchell, and Cindy Ping will be on a panel moderated by Stephanie Carter, PhD, at the upcoming Life Science Data Privacy Governance & GDPR Alignment Conference in Philadelphia.
- Patricia Hillbrands, Privacy Officer, Arthrex
- Jennifer Mitchell, Privacy Officer, Abbott
- Cindy Ping, Director, Privacy Officer, Shire
- Stephanie Carter, PhD, Lead Information System Security Officer, U.S. Department of Justice
The keynote privacy officer panel “Life Science Data Privacy in 2018 and Beyond” will kick off the two day conference and cover the evolution, current global state and future of data privacy. Read more below to gain some additional insights from the panelists.
According to the Women’s Society of Cyberjutsu, a Washington, D.C.-area nonprofit focused on empowering women to succeed in cybersecurity, women make up 11 percent of the world’s information security workforce. Can you please describe your experience as a woman in a high-level position within a male-dominated industry? Can you describe how you got to this point in your career?
Dr. Stephanie Carter: When I entered the military, I worked as a Communications Security Specialist, Information Technology Specialist, and later an Information System Security Officer. I decided to stay on that path because within the military, to get promoted, you have to have education. I have a BS in Information Technology, BS in Software Engineering, and a MS in Information System Security. Once I retired, I knew I wanted to stay in the field because I truly love and have great passion for my career. In the military, we live to protect so that is engrained in me. With this in mind, it made sense to stay within a field that every action you take, every thought you have, and every word you speak must be concise and accurate and directly leads to the protection of data which indirectly affects the protection of the people.
It would be heaven to have a role in which everyone was respected, everyone got along, business processes are defined and objectives are consistently met, nothing ever breaks and the only threats are nature; but it isn’t. I took the time to educate myself on the latest trends in other countries. I traveled all over the world with the military and through exposure to other regulatory entities such as EU and NATO, I had the knowledge that the US is not a silo and that these countries, especially when it comes to data, affected each other.
In my experience as a woman in data security, I want to highlight some of my credentials: I am a black woman with a PhD in Computer Science, have been in the field for 25 years, hold three active high-level, senior management certifications and three others, and I have held over 15 certifications throughout my career. Oftentimes, I am in charge of the team because at times I have more years of experience than total experience of the team. With the exception of my time with the U.S. Army, my teams are always all male. When going into the environment with the credentials I have, knowing that I am a true asset, I naively think everyone around me would automatically think the same thing. However, my work experience tells otherwise. In the workplace, I get constant pushback, my expertise gets questioned and I am expected to not raise concerns when team members are not pulling their weight. I have been the subject of many sexist comments and experience team members not doing what I tell them just because I told them so. For instance, I could direct my team to carry out a task but until a male in a position higher than me says the same thing, it does not get done. However, I have no problem being a leader and sometimes you have to make the hard decisions and give direction that needs to be followed without worrying about what is thought about you as a person or a leader.
Patricia Hillbrands: My career path led into the field of Data Privacy through the healthcare field, working as an RN throughout the 1990s when HIPAA was first introduced as legislation.
Cindy Ping: I have extensive healthcare experience, beginning as a nurse for over a decade and then entering the pharmaceutical industry, where I pioneered privacy program development and implementation strategies. Thereafter, I served as founder and principal of SolutionSight, Inc., a consulting firm focusing on data protection, compliance and education strategies. Currently I am a Privacy Office at Shire plc., a multinational pharmaceutical company. Male dominance has been prevalent in all the roles I have held during my career, however, I choose to focus on what I needed to do to reach my goals. Being open to new challenges and opportunities allows you to blaze the trail for other women. As organizations began to focus on data privacy many of my peers were not interested in taking part in the opportunity to learn about data privacy. I choose to take on the challenge and this allowed me to gain new knowledge and skills that have opened many doors for me. I became the expert in a field that has grown and continues to grow in very exciting opportunities.
Jennifer Mitchell: I started my legal career in BigLaw practicing as a white collar defense lawyer in the healthcare and life sciences industry. When I was an associate, I didn’t fully appreciate the disproportionate number of men in leadership roles because in law school and within the associate ranks, the male-to-female ratio was balanced. I thought that we were a new generation with more equal opportunities to climb the ladder. Through observing the attrition of talented women over the years though, I began to understand the phenomenon. I eventually became a Partner at my former firm, but I still recognized limitations to leading a satisfying career in a male-dominated field. One thing I love about privacy is that it is a relatively new and fast-growing discipline. After I realized I wanted to sharpen my expertise in the field and practice it full-time, I had to take a step back and think about how to hone unique skills in order to be valuable, and even indispensable, to my clients. I worked in-house at an academic medical center and consulted for a variety of clients before taking my current role in the medical device industry. I approached my career in privacy through my legal background in healthcare and life sciences and my understanding of the industry, but there is no single, formulaic pathway to achieving high-level positions within privacy. This variety of expertise and career backgrounds in our industry is part of what makes it so interesting.
Do you have advice for women who are interested in pursuing a career in data privacy and cybersecurity?
JM: I think the most important thing is to have a passion for your practice, have a plan for shaping the experience you need, and have the confidence to convince your clients/colleagues that you have the unique knowledge and skills to guide them through this evolving and challenging field. If you have a good mentor early in your career, you are lucky. If you don’t, you will have to work extra hard to learn substantive skills and also build a network. Working long hours in an office might be rewarded in the short-term, but you need to be mindful of the importance of networking early in your career. In the long-term, you won’t be remembered for billing 2,400 hours if no one knows who you are. Try to attend privacy networking events, ask people for coffee, or even speak on panels. If you are more introverted, focus on publishing articles. Have a presence on LinkedIn. If you ever feel like you’ve stopped learning at your current job, try to expand your responsibilities, or move on to something new that will challenge you and expand your skills.
CP: Be a continuous learner, passionate about what you do and communicate clearly. The stronger your knowledge and skills are the more opportunities you will have and the more people will recognize you as a leader in the field. Having passion for what you do gets you through those very tough times that shake your confidence. Clear communication allows you to send and receive the information successfully. If you know the answer but cannot communicate with your team, including senior members of the team the opportunity to demonstrate, your contribution is lost.
SC: For women who are pursuing this field there are a few things I would like you to consider, which I call my 5 C’s to becoming a champion in Cybersecurity: Commitment, Confidence, Candor, Communication, and Coaching. I believe if you go into this field with your eyes wide open, it will better prepare you for longevity. Have commitment to your career and passion. Confidence does not mean that you are stuck in a narcissistic realm of wanting everyone to know how great you are – true confidence is the certainty that there is truth about something or someone. We are all human, we make mistakes and although can do some things very well most of the time, we may also do those same things not so well at other times. So, confidence has to be an absolute truth, taking the good and the bad. Sometimes women take the things done or said as personal attacks against themselves and therefore you proceed to defend yourself; however, of all of the challenges that we as women have in the field, the problem is with the process, culture, and resistance to change – and not with you as an individual. So when standing up for your credentials, know what you know and for what you don’t know, find out; but always stand firm and express with respect what you know to be true. Never leave something unsaid or undone because you feel that no one is listening or because you feel they value your male counterparts’ expertise over yours. Never allow yourself to be subject or subjected to sexism, racism, or any other kind of –ism. It is okay to speak against this, with the caveat of knowing “how” to say what needs to be said. Tone is everything and with content, always attack the problem and never the person (even if the person is the problem, perform a root cause analysis of what the underlying issue is and speak up about that. Although we feel that people can be the problem, there is ALWAYS an underlining issue/condition that exists). Additionally, talking is not communicating. Talking is sharing words. Communicating is sharing information. Information informs; words express. Please know the difference. When you learn to communicate versus talk, you are able to get ideas across and make decisions. Finally, coaching is not leading; leading is guiding what is already there into completion of the mission. Coaching is taking what’s already there and developing it into what is needed to complete the mission. Coaching is vital to cybersecurity due to the ever-changing, ever-evolving atmosphere in which it lives. What worked yesterday, won’t work today and what worked today more than likely won’t work tomorrow.
Can you please describe some of the ways that the ever-evolving data privacy landscape has impacted your role and your organization?
JM: I am very fortunate to work in a global position in the medical device field at a company with rapidly evolving technology, which keeps my role dynamic! While the data privacy landscape is always evolving, we are starting to see more global regulations align with common principles of good privacy practices. Still, it seems that regulations rarely keep up with technology advancements, and it can be difficult to harmonize potentially conflicting regulations in the global landscape while assessing potential risks for product launches or initiatives. The GDPR is a step in the right direction toward centralizing privacy regulations globally, but I suspect we will have to work with many areas of uncertainty in implementing privacy compliance for years to come.
SC: The data privacy landscape was very decentralized in decades’ past but as the U.S. continue to solidify relationships with our allies in different countries, our data privacy landscape is very inclusive in a non-direct way meaning that the laws, directives, practices, and processes now takes into consideration the privacy laws of our ally countries. This means that although no country can enforce their data privacy laws outside of the country’s jurisdiction, it does mean that within the U.S., these laws have to be taken into consideration whereas in years past that was not as paramount as it is now. It will not be without its challenges as the GDPR addresses data/information that originates outside of the US, but in due time, with understanding of importance, compliance, and effective implementation processes, it will be doable and a move in the right direction.
CP: Participating in the evolution of data privacy has allowed me to go from novice to expert to leader. Data privacy promotes transparency and individual choices which are more prevalent within my organization. It has heightened the organization’s awareness that data processing is an important aspect of almost every business process. Data processing is complex and each step has its own requirements that need attention. The fact that it is “ever” evolving has demonstrated that it is a continuous process that needs continuous attention.
Can you describe some of the areas that excite you about the future of data privacy and the GDPR implementation?
SC: The areas that excite me about the future of data privacy are: More accountability for organizations; more data protection-driven decisions and investments; a centralized framework for protecting data throughout the entire lifecycle that will streamline protection of the data no matter the borders it crosses and provides more power to the owner of the PII and the disposition of that data.
PH: In the past 5-7 years, the subject of data privacy has gained worldwide attention and traction, gaining some much-lost ground. It is exciting to be in a field that is making history.
CP: What excites me about data protection is its evolution. There is always something new and the GDPR has set the bar. Many other countries are evaluating it and implementing various aspects of it. Some organizations are embracing privacy by design becoming more accountable in their data practices.
JM: I am excited to observe changes in U.S. legislation and Supreme Court decisions that seem to be embracing more of a European level of protection over personal data. I am excited to witness the future of big data analytics, and the balance between data subject rights and advancement of healthcare technology through the use of analytics. Additionally, I’m excited to be an advocate for the profound effects of connected medical devices on patient care, while also putting user privacy choices at the forefront.
What is something you believe is most important for attendees to walk away from the conference knowing? What do you hope attendees take away from your presentation?
JM: I hope that all attendees will walk away feeling proud and energized to be part of this exciting discipline, while recognizing the seriousness of the responsibility that we should all feel in ethically shaping the impact of privacy and technology on society in the information age.
CP: Data privacy is an exciting, growing field with many opportunities for women. Data privacy is not a check the box activity. Each situation and process must be examined carefully with appropriate controls applied.
SC: I am moderating an all-female panel of data privacy officers. The first take away is that women rock! The second take away would be that this panel debunks the great divide between male and female roles in the workplace. The last and most important take away, stemming off of the second, in my opinion, is that these women did not get to where they are in their career by use of their female attributes but by use of their professional abilities. They are trailblazers who have made great strides in this field and their experience and knowledge should be listened to and taken seriously and respected. In the professional realm, I would like the audience to take away proven techniques, knowledge of changing laws to ensure that we can effectively protect the sensitive data of the people and keep them and organizations safe from data breaches, stolen identities, and reinstate a trust and confidence in our ability to do so. I also think it is very important that attendees know that this is not just another framework; it’s not a framework at all – although there are some requirements that must be met. We have so many frameworks out there including NIST, COSO, ISO, PCI, etc. and some are hard to implement and hard to find consistent practices across organizations.
Join privacy executives across the life sciences at the Life Science Data Privacy Governance & GDPR Alignment Conference on July 26-27 in Philadelphia, PA. View the full program agenda to learn more about data privacy and GDPR.