Redefining CyberSecurity

Book | The Privacy Leader Compass | A Conversation with Valerie Lyons | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

In this episode of the Redefining Cybersecurity podcast, host Sean Martin interviews Dr. Valerie Lyons, co-author of "The Privacy Leader Compass," providing practical guidance for privacy leaders navigating the dynamic landscape of privacy.

Episode Notes

Guest: Dr. Valerie Lyons, Author

On Linkedin | https://www.linkedin.com/in/valerielyons-privsec/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

Episode Notes

In this episode of the Redefining Cybersecurity podcast, host Sean Martin engages in a conversation with Dr. Valerie Lyons, co-author of "The Privacy Leader Compass." They discuss various aspects of privacy and provide practical guidance for privacy leaders.

Dr. Lyons highlights the regulatory difference between the US and Europe's approach to privacy, with data minimization being a regulatory requirement in Europe. However, she emphasizes that it's not about which approach is better, but rather understanding and complying with the regulatory requirements. They delve into the principles of Fair Information Practices (FIPS) and privacy by design, which are enshrined in GDPR.

"The Privacy Leader Compass" is designed to be a comprehensive resource for privacy leaders, incorporating the McKinsey seven S model. It goes beyond compliance, incorporating ethics, trust, and consumer satisfaction in privacy programs. The book is intended to be location and jurisdiction agnostic, allowing privacy leaders to adapt the framework to their specific contexts.

The conversation also highlights the value of learning from privacy pioneers and leveraging their experiences. The book includes contributions from over 60 privacy pioneers, providing real-world examples and insights. Dr. Lyons emphasizes the importance of collaboration and learning from others' experiences rather than starting from scratch.

They discuss the flexible interpretation within privacy legislation, such as the choice between appointing a Data Protection Officer (DPO) or a Chief Privacy Officer (CPO). They stress the importance of developing a privacy strategy and vision, regardless of the jurisdiction, and exploring why privacy leaders were hired for their roles.

Throughout the conversation, Dr. Lyons and Sean Martin present a balanced perspective, focusing on practical guidance and empowering privacy leaders. They explore the dynamic nature of privacy and the need to go beyond compliance, considering ethics, trust, and consumer satisfaction. The conversation is grounded in real-world experiences and provides valuable insights for privacy leaders navigating the ever-changing privacy landscape.

About the Book

Congratulations! Perhaps you have been appointed as the Chief Privacy Officer (CPO) or the Data Protection Officer (DPO) for your company. Or maybe you are an experienced CPO/DPO, and you wonder - "what can I learn from other successful privacy experts to be even more effective?" Or perhaps you are considering a move from a different career path and deciding if this is the right direction for you.

Seasoned award-winning Privacy and Cybersecurity leaders Dr. Valerie Lyons (Dublin, Ireland) and Todd Fitzgerald (Chicago, IL USA) have teamed up with over 60 award-winning CPOs, DPOs, highly respected privacy/data protection leaders, data protection authorities, and privacy standard setters who have fought the tough battle.

Just as the #1 best-selling and CANON Cybersecurity Hall of Fame winning CISO Compass: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers book provided actionable advice to Chief Information Security Officers, The Privacy Leader Compass is about straight talk - delivering a comprehensive privacy roadmap applied to, and organized by, a time-tested organizational effectiveness model (the McKinsey 7-S Framework) with practical, insightful stories and lessons learned.

You own your continued success as a privacy leader. If you want a roadmap to build, lead, and sustain a program respected and supported by your board, management, organization, and peers, this book is for you.

____________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

____________________________

Resources

The Privacy Leader Compass: A Comprehensive Business-Oriented Roadmap for Building and Leading Practical Privacy Programs (Book): https://www.amazon.com/Privacy-Leader-Compass-Comprehensive-Business-Oriented/dp/1032467304

Enduring Ideas: The 7-S Framework: https://www.mckinsey.com/capabilities/strategy-and-corporate-finance/our-insights/enduring-ideas-the-7-s-framework#

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Hello, everybody. This is Sean Martin, your host of the Redefining Cybersecurity podcast here on the ITSP Magazine Network. And podcast network that is not just a network and, uh, where we get to talk about all things at the intersection of technology, cybersecurity, and society. And, and as the host of this show, I dig deeper into cybersecurity, which. 
 

Funny enough, uh, sometimes crosses over into world of privacy and, uh, not always, but there's some overlap there and, and, uh, perhaps some conflicting things as well, which we may or may not touch on today. Um, a good friend of mine posted a note on LinkedIn, which is where, honestly, that's where a lot of my inspiration comes from new topics and interesting things coming to bear. 
 

And, uh, a new book. Is on its way, uh, the Privacy Leader Compass, uh, co written by Dr. Valerie Lyons and Todd Fitzgerald. And I'm thrilled to have, uh, Dr. Lyons on with me today. Doctor, how are you? I'm good.  
 

[00:01:06] Valerie Lyons: Thank you for having me on. Delighted to be here.  
 

[00:01:09] Sean Martin: Uh, this is going to be fun talking about privacy and, and the word compass, uh, excites me because I'm, I'm all about how to operationalize something. 
 

And for me. That means, because the way my brain works, it means a project, you know, a start and a destination and hopefully some, some decently defined path of how you want to arrive with success toward whatever the end is, maybe multiple ends, multiple milestones, but nonetheless, a compass guiding you is, is super important in my mind. 
 

And, uh, so we're going to talk about the book and, and some of the things within it before we do that, though. Um, A few words from you about your journey and, uh, leading up to the writing of this book.  
 

[00:02:03] Valerie Lyons: So, um, what I suppose took me to the book, um, was I had, I'd spent a number of years in privacy, working in privacy prior to that, working as a CISO in cybersecurity. 
 

I'm a bit like the human version of 27001 and 701, you know, I have an extension and that extension has been the last decade in privacy. And then I kind of decided to formalize that with a PhD in privacy. Um, so that took me over five years essentially to complete that PhD. When I finished the PhD, it's, it's kind of like bucket list, bucket list, bucket list, you know, uh, a series of different things. 
 

I wanted to, to really bring some of that. knowledge that I had gained over those years to the fore. I didn't want it to sit in a vault and just gather dust. I wanted to bring that knowledge, not specifically the PhD research that I did, but more the knowledge that you amass. sort of around a PhD, um, in terms of, of all the reading that you do and sort of being aware of different pieces of research that are ongoing and going to conferences. 
 

Amassing a knowledge, that's really what you do in a PhD. And, um, I'd already I'd seen the quality of the CISO compass, I'd seen how it was structured, I really liked the way it wasn't jumpy because a lot of the scholarship that I'd seen and literature that I'd seen was quite jumpy, particularly with multiple authors. 
 

So I partnered with Todd, um, to sort of leverage that structure, which was the 7S model to produce a book for privacy leaders rather than cybersecurity leaders. And that was the Privacy Leader Compass. So that's how it was born.  
 

[00:03:56] Sean Martin: Nice one. Nice one. And you, you equated it to, uh, to having children, your post that I saw. 
 

And oftentimes we, I mean, we, we, I'm a father, so we create another being and we do our best to shape it and form it and then off it goes, right? And it does its thing. And hopefully... as a child or in the form of a book brings goodness to those that interact with it, right?  
 

[00:04:23] Valerie Lyons: I just hope that it's not going to have as much of a need for investment after its publication than the child does. 
 

Um, but, um, it is very similar in terms of you're nurturing something for a long time and nothing is happening. No one knows about it. It's, it's, it's... The big secret, um, but you're working away on something for a long, long time and then one day it gets delivered, you know, it's in a box and you open it up and there it is, this thing, a book. 
 

And, um, for people who've written more than one book. It's like having your second child and your third child. It's not the same as the first. The first was just the, the big experience, the big surprise. And, and that's what it is for me. I, I thought a book would be just like children. I quite romanticized it, and it's absolutely hard work. 
 

Writing a book is It's not for the faint hearted. Um, and so, there's so many similarities between having a baby, romanticizing it. I had romanticized my first child out of all proportion. I was so disappointed by the reality of it. Um, but I, I'm, I'm much more realistic about the book than I am about  
 

[00:05:44] Sean Martin: And to your point about investment post, uh, post release, if you will, um, I, I suspect, I don't know, even based on my own experience, a lot more work beforehand goes into creating a book. 
 

You talked about the research for your PhD, the work that you've done over the, over the years. Um, Can you share a little bit about how all of that came together? Because nothing can match hands on experience, right? Um, and then there's studying the topic and looking at best practices and leveraging frameworks to kind of help shape one's mind and how they might approach it. 
 

And then there's the research that just... fills all of that. It's an empty space, if you will, whatever's left with other people's thoughts and experiences and trials and tribulations. How did you pull all of that together, uh, into the, into the model that, that, uh,  
 

[00:06:48] Valerie Lyons: In the book, I can pull it together in that I pull in a framework that's actually a business oriented framework. 
 

So that's kind of very much my academic me. My academic me is somebody who reaches out to different theories and different structures. to adopt them and apply them in a different context. That's very much sort of the academic background, but I also know from my academic background that that allows you to stop the jumping. 
 

I had a really interesting conversation with a 19 year old recently where when she saw my book, she said to me, well, how do you know you got everything? And I thought it was a great question. You know, it's just so big. How do you know you got everything? And, and I said to her, it's because I used a framework to actually structure it. 
 

That's how I know I got everything, but I may not have gotten a hundred percent, but at least I know I got 98. You know, that, that I, I, short of, of developing an encyclopedia. It, it had to be as much as I could possibly get in, in a very structured way. So I used the McKinsey 7S model. It's a, it's a time and tested, it's quite an old model, um, but it's a business oriented model and it's essentially designed to Uh, determine or to establish, um, effective organizational structures that you can build an effective business. 
 

Um, and so we took that and we applied it to the privacy organization and to essentially develop a good privacy business. So all the things that are looked at in the business and then The McKinsey 7S model, we've applied to the privacy program so that you're building, you're starting at the base, the S strategy, and you're working your way all the way up to the leadership styles that you have. 
 

So that's, that's how we kind of brought it together. Um, and I think when I look back on. sort of the PhD and my experience. Um, I have an experience, like also my other academic background is my, I have a master's in leadership, uh, executive coaching. So that was all brought into the book because it, I bring in a lot of the tools and techniques I learned during those master's programs. 
 

Um, and. And then Todd, um, had already applied the 7S framework to the CISO compass. So it was, it was a straightforward exercise for him. What he needed was the privacy expertise. So we were, um, we were, you know, perfect bed partners for the book in, in the marriage of, of the two. 
 

[00:09:38] Sean Martin: And I want to ask you this, the, the, um, when I hear of things within an organization, they're often referred to as programs. So you have a security program, a privacy program, a platform engineering program, and what you just described was replacing the word program with business, which to me. Could be pretty profound, right? 
 

Cause you have to look at potentially things through a different lens, not just what is the objective, but what's, I'm assuming what was the cost in return of achieving that objective, right? And, and, and are you able to do that? Do you have the resources and the skills? So maybe, can you touch on that a little bit? 
 

[00:10:25] Valerie Lyons: It's a really good question. Business effectiveness, which is essentially what the 7S model is, if you're looking through it, through the effectiveness. So rather than looking at the privacy organization as a return on investment, and what money do you get back from that? I think there's a separate way to look at that. 
 

But what you're looking at is the effectiveness of your privacy. program or your privacy organization. And that effectiveness can be established by a number of different things. Trust your customers, having trust. So if your customers trust you, then you're obviously doing your job right because privacy breaches will decrease trust. 
 

Lack of breaches. Um, you can have lack of fines. Um, there's reputation in, you know, there's lots of things you can do to measure the effectiveness. of the actual program. Um, return on investment for privacy is a very, very difficult one to measure. It's a very difficult one to measure. Um, what I can say is that if you look at the Fortune 100 organizations and what's in their CSO reports, um, I'm not saying you can quantify the measurement, but in their CSO reports, they do have ESG figures. 
 

So, you'll see quantification there and CSO does include privacy and cyber security in, in the CSO reports of those Fortune 100 organizations. So, you can get metrics. If you look at those reports, you can get a number of different metrics that can provide. sort of insight into effectiveness. Um, and, and I think you're going to see that increase a lot more over the next two to three years where those larger organizations in Europe will have mandatory The production of CSR and ESG publications, so that becomes mandatory for just a limited number, but definitely those fortune 100 and in fact fortune 500 most likely, um, so yeah, it's very hard to determine the value of privacy. 
 

And your return on your investment, but at its most basic, if you look at it at a very basic level, it's going to be no fines, you know, compliance, data protection, um, uh, no breaches, um, they're the very basics. Uh, but I think there's much more if you start looking at, um, your consumers and society, like decreased privacy concerns, increased consumer trust, increased intention to purchase things. 
 

These are all things that will result from effective privacy programs, but not necessarily just yours.  
 

[00:13:20] Sean Martin: So many questions in my mind. I'm just thinking, and I'm going to put this out there because one of the things I often ask my guests, and it's typically in the conversation or the context of cybersecurity and I'm, I'm a risk management guy at heart. 
 

So everything for me is. How do you reduce exposure in the first place? Um, which could help with, just as an example, if, if I'm worried about privacy, maybe I shouldn't collect the data in the first place. And if I'm not collecting as much, maybe I don't need as much, uh, storage and, uh, heavily reliance on massive replications of data for. 
 

Disaster recovery and sovereign cloud or sovereign digital sovereignty requirements. And I know there's lots of these things, which then ultimately can impact ESG results, right? If you're not using much data center. So what are your thoughts on help? And I don't know if it's how much of this you cover in the book, maybe using the understanding of what privacy is and what risk to privacy is to really help companies achieve something better than just. 
 

I'm going to protect all the data that I've collected because I've already collected.  
 

[00:14:40] Valerie Lyons: So there is a slight difference between, I think we have to sort of recognize that between the US's approach to privacy and Europe's, but data minimization is a regulatory requirement in Europe. I'm not saying that that means Europe does it better than the US. 
 

I'm just saying that it is a regulatory requirement. Therefore, we would consider data minimization and the principles because those, those FIPS principles, the Fair Information Practices, they are enshrined in GDPR. So, instead of being sort of discretionary, Or with some leverage to kind of fiddle with them somewhat. 
 

They're mandatory, they're, they're enshrined and, and so they're, they're regulatory requirements. In terms of the book and how the program that we've, and the framework that we've developed around it, um, applying the 7S model. We look at different things to try to establish that robustness that, that really you're referring to and, and so privacy by design, for instance, would be one of those things. 
 

And again, privacy by design is a regulatory requirement in GDPR. So, you know, at the same time, we've written the book to be. Um, and it was intentional to be, um, area and, and location and, and jurisdiction agnostic. So, uh, we, we recommend and, and, and say that you should be doing privacy by design. This is what it is, and this is how you need to implement it. 
 

Um, and so privacy by design would be baking privacy in right from the get go. And, and it's, uh, it's a very simple process, really. Because it's not realistically practical when you're talking about lots of legacy systems and legacy data, you can't build privacy in and it has to be an add on at some point. 
 

And we accept that, but when you are looking at the risk now of a legacy system and legacy data that you collected already, you have to look at it with the mindset of Privacy by Design and those principles and see how you meet those principles and those principles of FIPS. But I think where we move, and that's an important part of the book, sort of what makes it different is we move from just compliance, FIPS, regulatory requirements, into what else? 
 

do you need to think about? And what are those things that you're never going to get, you're going to struggle to get funding for because they're not regulatory requirements and at the same time there is a return for doing them and they are things like consumer trust. So we talk about ethics and I've been studying ethics for years because my PhD is titled doing privacy right not doing privacy rights and and so incorporated there is ethics. 
 

Um, the ethics of privacy has become very important now because we see AI and the issues with AI. Um, but it shouldn't be kept to just AI. When we talk about ethics, we should be thinking, uh, I've simplified it into just because you can doesn't mean you should. Um, and, and I think that's the space. Where we see real value from privacy is making privacy something that engenders increased consumer trust and actually creates a sense of community and, and, and social concerns reducing about privacy as a result of what we do. 
 

And I can give you a good example, would be Cisco. Cisco do an awful lot of work in this space of, of advocating for stronger privacy, of advocating for a stronger internet, for, you know, and they, they've written amicus briefs, and there's a, there's a lot of evidence out there of work that they do in the background, um, to promote privacy. 
 

And, and I suppose in my PhD, what I try to do, um, is to put a value or a sense of value on what that increased consumer trust means to an organization and what privacy activities create greater. Consumer trust, what privacy activities that organizations can do create greater privacy concerns. What activities do they do in that space of non regulatory requirements? 
 

So things they do like writing amicus briefs, like developing open standards, like lobbying against privacy or lobbying for privacy. Those things. have a value in terms of how much consumer trust they generate, how much privacy concern they generate. So we've tried to bring that into the book in terms of advocating for what organizations can do that will engender increased consumer trust beyond the regulatory minimums. 
 

[00:19:46] Sean Martin: And I'm excited to get into some of the, some of the content in each of the, each of the chapters. Before I do that, I want to get your view on how, how this book comes to people, I'll rephrase that. It didn't sound right. I'm trying to figure out, is this when you use a framework, my initial thought is. It's a step by step helping somebody create a program that, that follows a bunch of best practices and leverages a bunch of knowledge. 
 

Um, but I, I can also see where a book can leverage stories and storytelling to, uh, to help people. I guess gain, gain insights that they, that they can't get just from looking at a framework or an existing project plan that they can tweak. And then there's, then there's a way to present things that makes it thought provoking. 
 

So it's not just a, not just a guide, but all, or a reference book, but can get people to think for themselves in the context of their own business in the region, the region regions that they're operating within. So. What combination of that and more or less? Does this book represent, how do you expect people to leverage it? 
 

I guess.  
 

[00:21:13] Valerie Lyons: And again, it's a great question, Sean. It's, it's, it's a reference book. I wanted it to be a book that would be on the desk of every privacy leader, um, that it would be their go to almanac. Um, but it is, um, also a guidebook. And also, most importantly, similar in structure to the CISO Compass, it has, um, contributions, cases, cases and, and vignettes and stories as, as you call them. 
 

Um, from more than 60 pioneers in, in privacy. Um, some. Really, really incredible people have written, uh, in the book, um, to support or, or provide a case or their examples of how they dealt with a particular challenge related to that particular chapter or that particular sector. Even, in fact, the, um, foreword is written by Anne Cavoukian, the mother, if we're allowed to use the, um, pronoun mother of, uh, Privacy by Design. 
 

Um, so, uh, there's incredible wealth of contribution in the book in terms of learning from the history and the mistakes and, and the experience of others. And I think both Todd and I would be. Staunch advocates of the collaboration of connecting with and learning from others who have tread that particular path in the past. 
 

Why tread it yourself when you can learn from them? So, um. I think it's also going to be stories, you know, war stories and learning stories from these, you know, pioneers in privacy and in the privacy industry. And also there's, you know, we didn't just stick, sorry, just didn't stick with privacy because there's people who've worked in trust and people who've worked in cybersecurity and people who've worked in ethics. 
 

There, there's lots of different elements that we've tried to find the right. Pioneers for those particular sections. Yeah,  
 

[00:23:33] Sean Martin: that's fantastic. And at some point here, I'll, I'll, I'll present the spot and then I'll put you on it wherever you're comfortable for one of those stories that, that stick out to you. 
 

Um, so you can either share that now, or I want to go through some of the, uh, some of the topics in the chapters as well. So maybe, maybe we do that. And as we're going through. Some of these, uh, maybe, maybe a story comes to mind that, that you feel like sharing because when the like roads there, that's the spot I'm going to put you on. 
 

You can, you can paraphrase, uh, but, uh, so let's talk about the beginning. There's roadmap landscape strategy. I kind of combined those three and to me, those are very Dynamic elements. So I'm curious how you present that in the book, uh, in a way that stays fresh as, as people start to build their program. 
 

Um, cause privacy pre GDPR is, is different than now. And of course in the U S there are a bunch of privacy data protection, uh, rules and laws coming around, uh, some, a lot of driven from California. So how. And of course, business is changing, internet, global business is changing, um, technology is changing. 
 

So how do you kind of, all those three together, strategy, landscape, and, and, uh, a roadmap for success. How do you present that in a way that, that allows for things to be dynamic?  
 

[00:25:17] Valerie Lyons: Um, well, as I said, one of the key parts is. Making it agnostic to any particular jurisdiction. So it's not about California. 
 

California is in there, obviously, uh, huge pieces of legislation. So you're going to find California in the, the, the legislative piece. Um, but you know, developing a strategy, it doesn't matter whether you're in the US or whether you're in Europe, when you're developing a strategy, you want to. Create a privacy vision. 
 

You want to ask yourself, why were you hired to do this job? Is it because the last person was, was rubbish or where they fired or, you know, what was the reason that you were hired to do this job? And that doesn't matter. in any jurisdiction. And, and so, um, we go through the different things that you need to explore in the book in terms of developing that strategy. 
 

Um, and so, I don't believe that there's any need for the frameworks to account, or our framework to account for different jurisdictions. Um, But in terms of how can we provide flexibility, if you want to call it that, I think by keeping it agnostic, you, you provide some flexibility. Um, but there's, with privacy, when it's in legislation, it's very hard to be flexible. 
 

And I've seen I've seen people try to simplify it and do various different things with legislation. It doesn't work. Legislation takes an awful long time to build. It takes an awful long time with an awful lot of really experienced people to create it. And so when it says X, I have the theory of don't fiddle with it, accept that that is what it is and you must do it that particular way. 
 

So there's no flexibility really in legislation, but there is in interpretation. And so in the interpretation space, you know, we have sort of incorporated how you can interpret different pieces of legislation. The appointment of a DPO versus a CPO. There's flexibility there because, um, in, in, in Europe, DPO is obviously a GDPR role. 
 

It's, it's very much specified. If you call somebody a DPO, they need to follow a set of rules. So we make it clear that there are other words you can use if you don't want to follow those rules. If you wanted someone to become a privacy champion, for instance, they're not a DPO and they therefore don't have to follow those DPO rules. 
 

Um, and, and, and we've seen that a lot. Our experience would, would, would say we've seen it a lot where people by forcing titles have forced roles to do things that actually the organization doesn't need to do. Um, they've, they've. They create... more record keeping, um, as a result that they don't need to do all because they misname a particular role and the CPO role and the conflicts between those two roles and other roles. 
 

So there's a lot of flexibility in how we deliver. And, and that flexibility is incorporated into, uh, the 7S model as we go through the 7, 7S model. We don't say in, in the book, you must implement a framework. We explain why frameworks are great. You know, the NIST cyber security framework and the privacy framework are, are to me, I'm, I'm a... 
 

Um, but we go through the different frameworks and we explain why you would use one versus the other and how you can use them and how you don't need to certify to them. Because a lot of people think that if you use 27001, you must certify to it, but you can use it as a framework. You can absolutely structure your program. 
 

You don't have to attest to it. So again, we've brought flexibility in there. So really, there's in business. There's no point in saying to people, other than legislation, you must do this. In privacy, it's the same. Legislation says you must do this, but you need to think about these other things as well, and how you might achieve them, if you so wish. 
 

And here's the benefits of doing them, if you so wish.  
 

[00:29:52] Sean Martin: I love it. And it's interesting that you brought in the role and the human element here, because I, I wanted to kind of bounce around a bit and and touch on staffing and skills and and some of the things you mentioned, uh, to me say understanding and scoping as well. 
 

Um, so having having a clear understanding throughout the organization of What's in, what's out, who's doing what, to whom, when, why, per regulation, per our values, per whatever. Can we achieve this? Where do we need help? It's a big, you know, which obviously goes back to the, the strategy and, and roadmap piece. 
 

Um, so talk to me a little bit about the, the, the staffing and the skills part of this and, and what you cover in the book for that.  
 

[00:30:43] Valerie Lyons: So staffing, um, bringing in my, my, my masters in leadership and my, my experience of leading privacy teams. My struggle was always, and many people I spoke with who work in the privacy community in Ireland and internationally, and cyber security people, because I was a CISO for 15 years, is these forging teams. 
 

You know, you've got to form them, you've got to reform them. We've all heard the phrase, storming, forming, norming, performing. But it happens so often, and especially now. Teams grow and reduce, grow and reduce, and they amalgamate because they move into different teams and teams amalgamate. So there's a lot of change in organizations and privacy and cybersecurity are no different with that change. 
 

And so it's forging those teams, making them work together, um, that we try to find a way to to offer to readers in the book a way to forge teams, um, in a way that reflects how that particular team is working right now and what their, what their strengths are, what their weaknesses are. Um, and so I use Belbin's. 
 

Belbin's team roles to do that, um, I've always used it. I've been using it for years for many teams that I've worked with. Um, I'm a resource investigator, um, under Belbin's team roles. It's not a surprise given I've done a PhD. So I'm, I'm demonstrating my role all the time, writing a book, same again, resource investigator, networking with people and. 
 

Um, trying to get them, you know, to, to contribute to the book and, um, to, to know these pioneers and be able to, to get them to contribute to the book. Um, that's very much the resource investigator, but do not ask me to do a project plan because it will not be a good thing, you know, um, and I've learned that over the years that, that, but that's my Belbin team role. 
 

And so I, you know, I'm very important in a team, but when I have a team, I also need to make sure that I have a planner and I have an implementer because they're not me. And so I use Belbin's Team Roles for many of the teams I use them for, for where I work now, I manage a team of about 30 people and I use it for those people as well. 
 

And then I use another one called Goals, Roles, Processes and Interpersonal Relationships, the GRPI model. Um, it's from a, a guy called Beckhard and both these, uh, Belbin, Meredith Belbin is an old, um, sort of team roles model and it dates into the 90s as does GRPI, but they're time tested, they work, um, they're very effective. 
 

GRPI is, it's a wonderful tool for when you're forging a team and you want the team to become a high performing team. And I don't mean that word high performing team to, you know, work them to death kind of thing. What I mean is, um, I often use the analogy that when I was having my first child, it was an emergency caesarean. 
 

And if you've ever been in a theatre, that's when you see a high performing team where everybody knows, because I, he was premature so it was about 20 people in the room and everybody knew what everybody was doing and everybody was ready to do their particular job and each person only had one tiny little job but they knew exactly what it was and the room was filled with people but there was no chaos. 

Um, so I, I think that GRPI is essentially taking away chaos from a team. Um, and when you take chaos out of the team, when you, when you bring calm, it's a really nice workspace for people. So it's not just about creating a team that's high performing, you know, their, their output is amazing. It's also about creating a team that work well together, that are nice together, that understand each other, you know, and, and, and, you know, kind and, and, and understanding and empathic and GRPI helps to, to reach that space, uh, where people actually know the roles, responsibilities of everybody else and themselves. They know how they're going to interact with each other. You know, what are we going to do when somebody's late for a meeting? Um, and, uh, one of the things I often suggest, um, is that everybody claps, um, when the person comes back in again or when the person arrives, because it's, it's, everybody laughs and it's quite light, but it's sort of a deterrent for arriving late at a meeting. 
 

And so, um, you know, there's lots of different interpersonal things that you, you can go through and agree right up at the get go for that team. Um, so that's the GRPI piece. And then on the skills, the skills piece is, is really interesting because the privacy leader, um, one would think up there at the very top should be the, the, the actual subject matter expertise. 

Um, that should be at the top, but when you're leading a team, those leadership skills, that empathy, um, they're also just as equally important. So, I'm not saying one pips the other, but I do say, that is, when I'm recruiting a consultant, because that's the role that I, I often am recruiting new consultants for our team, um, I look for somebody who's got the soft skills, the project management skills, and I can teach the subject matter skills. 
 

The subject matter isn't as important in my view as them being able to work in a team. Um, you know, there are very few people who are working in isolation. Most people are working in a team. And so, team skill, that being able to navigate teams and how they work and how they interact is so important. And so we go through those skills in terms of the privacy leader. 
 

What are those key skills that they need to have? They also need, um, another series of skills, which I believe takes an awful long time to learn. And that is how to communicate to the board or to a really senior executive level because they talk a different language and you must learn that language. 
 

They switch off in 30 seconds if you haven't started to speak in their language, which is going to be strategy. It's gonna be, you know, the shared values. It's gonna be, you know, this, the, the, the, the numbers that they need to hear about the revenue that, you know, they need to hear about the breach and the fines, the, the language that, and the things that they're interested in are different than your day-to-day stuff. 
 

And you need to learn that skill. Um, and I think that takes experience. Um. You know, the first time I spoke to a board, my mentor at the time was at the end of the table and I saw him put his head in his hands as I started to speak because I knew he was saying to me, you just got this wrong. But, you know, I learned from that experience. 
 

Um, I learned from that experience to dumb it down. That was my lesson. You know, dumb it down. Um, so, uh, they're the, the, the key skills. Project management to me is, is an enormous skill for a privacy leader because you are running multiple projects at the same time.  
 

[00:38:45] Sean Martin: So we're, we're getting close on time. I want to touch on this one thing. 
 

Um, cause I don't want to let it go. It's, it's around styles and values, because you talked about the common in the theater. Everybody has a role. Um, presumably everybody knows what's going on and that's real life. But in, but in also real life in business, we don't always know everything. And there is a ton of ambiguity and, perhaps, uh, not always a common understanding of who's doing what and when, which can, can lead to chaos and certainly drives an opportunity for decisions to be made. Do we go left? Do we go right? Do we touch it? Do we leave it? Do we do this? Do we not? Whatever, whatever the decision is. And to me, it's, it's a values driven leadership style that empowers the team to make the best decision with the information or lack thereof that they have knowing who, who's going to take the reins to, to drive that decision forward. 
 

So any thoughts on that? And obviously in relation to the book.  
 

[00:40:04] Valerie Lyons: Um, yeah, absolutely. Um, leadership style is, is going to influence hugely, um, how the team works and makes decisions. Are they going to be collaborative? Are they just going to have decisions pushed on them? Um, in, in the chaos, um, is somebody just going to become quite authoritative and, and, and guide them? 
 

Or is everyone going to be like a headless chicken and, and flap about? Um, so in the book, what I've done is I've taken, um, there was a famous article, um, in Harvard Business Review called Leadership that Gets Results. And it was by Daniel Goleman who wrote the book, um, Emotional Intelligence. And so he built these and it was based on a series of, of research. 
 

Based on a series of studies that they did over three years of various different leaders, um, and to establish based on the emotional intelligence, the criteria, and that he had already established when he wrote the book, different styles of leadership were there in terms of emotional intelligence. And he came up with six leadership styles. 
 

And he has said that they were like a set of golf clubs, and that you were on the golf course, um, you had to make a decision as to what club was needed for the next shot. And that one leadership style wasn't enough. That there were these six leadership styles and you had to be able to choose from these six leadership styles, um, at a particular moment in time. 
 

And that he said that a good leader would need to have at least four clubs in their bag. Um, and that there were two clubs, the coercive and manipulative ones, which, um, were not really good to have in the bag, but sometimes you might need them, but that you really needed to be careful with them. Um, my experience is I've never seen their need in my work life. 
 

Um, but I suspect in something like perhaps a mergers and acquisitions situation, they might be, um, but they, they have negative effects on the team. There's no two ways about it. Take a look at Twitter and, uh, or X as it's now called and, and Elon Musk a year ago. In fact, today, um, uh, the effect that had on teams when a different leader pulled out the club, the coercive club. 
 

Um, so, we go through those six leadership styles, when to use them from a privacy leader's perspective. So, we've analyzed each style and gone through how you can use those styles within your privacy team and what are the circumstances where maybe you might want to turn the volume up on certain styles or when you might want to turn the volume down on certain styles. 
 

But you can do, uh, what I think is interesting about the leadership styles is you can kind of go through them and if you honestly explore yourself, you can figure out if you've got four in you. Um, I'd say most people have two. Um, I think I probably have three. Um, so the fourth? Hmm. Um, I think you probably need a little bit of, of hardness to, to play with the fourth club and the fifth and sixth. 
 

I just don't play with. Um, but most people I've spoken to say they have definitely got two of the leadership styles and they, they fall into them naturally, but they're not always the same two. Um, so, I think it's worth exploring for people to see if there's a style in there that they need and where's their shortcoming. 
 

Um, if, if you know that you've got a shortcoming, maybe there's a style that you could learn. Um, but I do think that when you are in a privacy leader role, and you have a lot of people who are looking to you to make a decision and to make a decision quickly, or to make a decision that affects them, um, that you need to make sure that you choose the right club for that moment. 
 

Um, and it's, it's not necessarily natural. Some people say it's natural. I don't think it is. I think sometimes you just need to take time out to think what should my leadership style be in this particular circumstance.  
 

[00:44:42] Sean Martin: Always go for the driver. 
 

Ah, that's a fantastic analogy. So as we come to the end here, it's, I'd love to hear a story. So either one recalled from the book or one personal that you've experienced in your, in your years doing this. Something that, that demonstrates a change in how an organization approached their privacy program. 
 

[00:45:19] Valerie Lyons: How an organization approached their privacy program.  
 

[00:45:25] Sean Martin: Or any other story that  
 

[00:45:27] Valerie Lyons: has come to mind. I think, um, I think... What I think is more interesting, I'm not going to say, I'm not going to answer that because the privacy programs can, you only have insight into a privacy program of what the organization tells you. 
 

You have to work in the organization to know truly what the privacy program is, whether it's just compliance and whether they're reporting that they're wonderful and they call this looking good versus being good. So, um, there's a lot of whitewashing of privacy in CSO reports, for instance. So, if you read them, and they actually take time to read them, they're just window dressing. 
 

Compliance. So they're saying we trained everybody in the organization, we've done this, we've done that, but actually they had to do that because GDPR said that they needed to make sure that they had everybody trained. So, when you take that lens off and you start looking at organizations and what they're doing, who's really building privacy programs that are, um, truly exceeding regulation? You know that they've, they've done more, and so they've seen privacy as something worth pursuing beyond regulation. So they're, in that, I know they're getting more funding than just compliance funding. So if you look in the Fortune 100, you'll see that organizations like Coca Cola and, and Mondelez and food organizations, they're doing nothing. 
 

They just do compliance because they're not dependent on data and it doesn't influence their business in any great way. Personal data, I should say. But when you look at organizations like Apple, like Cisco, um, interestingly, General Motors, um, uh, HP, Dell, um, these all have, um, CSO reports where you can see that they're doing things far in excess of regulation. 
 

Microsoft does a huge amount in excess of regulation. But again, we're a different lens because, for instance, Microsoft would say, um, we train all our staff, irregardless, we, we have, um, trained all our staff, um, in privacy awareness training, irregardless of the requirement to do so. And, uh, we have achieved a level of GDPR compliance, regardless of whether it's required to do so, because we believe it's the strongest, uh, piece of legislation. 
 

But that may not be why they're doing it. They may be doing it because running a patchwork of compliance to legislation is an absolute nightmare to figure out who, what country needs to comply with what section. So if we just pick one and it's the most difficult, we only have to adhere to one and we just make life easy on ourselves. 
 

And so again, that could be whitewashed. So you do have to have a very cynical lens to see through some of the things that are said within CSO reports. At the same time, I have the view that I don't care. It actually doesn't matter because if, if you need to do something in privacy that exceeds regulation, because you want to put it into your CSO report, so you want to bring it to your stakeholders and your shareholders in a corporate report, then I'm the winner. 
 

I, you know, I, I actually don't care what your motivation is in that it's improved privacy a little bit more than just as far as regulations. So I believe it's a win win. I do believe that there's some organizations like Cisco, um, that do have privacy at heart. Um, but then it's what they sell. Their products actually are used to protect privacy. 
 

So, that they're used by some to compromise privacy, they try to disconnect from that and say, well, it's not us that's using it, it's that government over there that's doing it, not us. And we don't agree with that. And so, I think they do have to disconnect themselves from it. And so, that to me is more interesting than just looking in someone's privacy program. 
 

Um, because I think most organizations are just doing compliance and, and very little else. Um, but the Fortune, the Fortune 500 is where you need to look. If you want to see the organizations that are doing more, um, who I have the greatest regard for are the startups who come to my organization and say, can you do us a data protection impact assessment? Or can you do some work for us? And we know it's not compulsory for them, but they want to do it because they want to do the right thing by privacy. And they're the, they're the programs that amaze me. That I, I think, wow. We got to you. Yeah.  
 

[00:50:58] Sean Martin: Cause presumably it's a difficult decision to take funding that could potentially shorten the runway or take away from other market driving or in market enabling features or services or whatever. 
 

Yeah. So to make that decision, it's a, it's a pretty, pretty  
 

[00:51:17] Valerie Lyons: powerful. Yeah, I agree. But I think what they want to say is we're doing, we want to do the right thing here. And that's the value that they want to communicate to their potential clients.  
 

[00:51:32] Sean Martin: Valued. Multiple, uh, meanings of value there, right? There are values and the value. 
 

[00:51:38] Valerie Lyons: Absolutely,  
 

[00:51:38] Sean Martin: yeah. Love it. Well, Dr. Lyons, uh, fascinating conversation. I'm, I'm sure we've, uh, simplified 472 pages, I think you wrote.  
 

[00:51:51] Valerie Lyons: 476. But at the beginning, um, the, it was 52 pages was written on when they initially released it. And I was so annoyed because it looked like a child's book, you know, 476  
 

[00:52:08] Sean Martin: pages. 
 

I love it. Love it. Well, we've condensed that into a summarized 52 and change minute chat here, which I've thoroughly enjoyed and, uh, I'm super happy you, you, you joined me today. So  
 

[00:52:23] Valerie Lyons: thank you for having me, Sean. It was a pleasure. My privilege too.  
 

[00:52:27] Sean Martin: Fantastic chat. And of course, everybody listening, uh, I'll include a link to, uh, locations. 
 

You can get the book in a few different spots and, uh, ensure we'll, we'll include a link to, uh, Todd's CISO Compass as well, because I think it's probably a good companion for folks who straddle that line. And, uh, anything else that, uh, Dr. Lyons wants to share that she thinks would be helpful? Maybe mention a few frameworks, ISO 27001 and NIST CSF and privacy frameworks. Maybe those are good links. So I'll leave that for you, uh, Dr. Lyons to think if there's anything else that can help folks prepare for this and a good companion to your book. And, uh, thanks again for joining me. Thanks everybody for listening and watching. Uh, please do share with your friends and, uh, subscribe for even more as we continue, uh, operationalizing security and privacy, uh, in business. 
 

So thanks everybody. Thank you.