There’s been lots of chatter about difficulties qualified candidates face in getting their first privacy gigs. Simultaneously, industry often bemoans the difficulty of finding and hiring the right person for privacy roles.
While there’s no hard-and-fast data on the problem, it’s an issue raised at coffee meetings and via LinkedIn DMs enough that it seems worth discussing as a community. If there’s any truth to it, what’s going on? Why are seemingly qualified – and certainly passionate – newbies struggling to find jobs if there are more than enough to go around?
In a recent episode of The Privacy Beat Podcast, host Angelique Carson spoke with two privacy pros, and one who’s aspiring to be just that, about why it’s hard to break into privacy at a time when the industry’s seemingly thriving.
Our three guests:
Ryan Torrey: Has a gig in privacy
Sherry Truong: Has a gig in privacy
Cleo Li: Looking for her first gig in privacy
Cleo Li graduated from Georgetown Law and got a job as a trade lawyer at a boutique law firm. The problem? “I’ve always felt that privacy’s calling for me, so here I am.” Though she got her CIPP certification in March 2022, her active search for a job in privacy isn’t going well.
“It hasn’t been working out,” she said, “Because every employer always wants 2-3 years of privacy experience,” and she doesn’t have that on her resume.
Ryan Torrey, counsel at VF Corporation, fell hard for privacy in law school after studying cyber law. He even started a recreational club.
Sherry Truong is privacy counsel at Asana. She describes herself as a “big Constitutional Law nerd … like really big.” She got a taste for privacy as a career when she landed at GitHub under Hanna Poteat’s mentorship. She remembers thinking, “This is really exciting. I know it’s gonna be a thing. Low and behold, year’s later, it’s a thing.”
She loves the privacy industry’s passion.
“We all just really love what we do, and I think it’s really rare, especially in the legal profession, to find a practice area that resonates like that.”
But she didn’t fall into success, she had to strategically take opportunities that would give her the right skills and experience to get her to the privacy role she wanted.
“It takes a lot of grit to find the right place,” she said. “Pre-GDPR, people didn’t see the value” in privacy, so she had to advocate for herself back when she was trying to get a foot in the door. She feels for people trying to do the same.
“The issue we’re running into now is that there are these abundant jobs, but I see a lot of people running into the same roadblocks I did, which is [hiring managers] want a certain number of years of experience. But privacy is still a young industry.” She said people don’t see or know what they’re looking for because they’re looking for a person who can come to the job “out of the box and say ‘Here’s how you do all these things.’” But they’re not understanding that privacy isn’t a one-size-fits-all role.
Ryan agrees that “years served” seems to be a barrier to getting hired. But that doesn’t make sense to him because of privacy’s relative infancy as an industry.
“We’re all solving these problems at the same time, and there’s new law happening all the time.”
He thinks interviewers and recruiters advance candidates who demonstrate they can think on their feet versus simply the number of years served. After all, the goalposts are always moving in privacy.
“If you can show you can think on your feet at an interview, recruiters should be cognizant of that, that’s very important in roles like ours.” He said he even thinks organizations should consider customer service skills as solid “experience” in a privacy role. He worked in a movie theater and as a golf caddy. He had golfers screaming at him that they made a bad shot. Imagine smoothing that one over.
“I’m always dealing with our internal clients and trying to smooth over a situation that we have to react to in a quick way, and [the clients are] asking me why, and I have to smooth it over and explain.” It requires a tone and candor someone without customer service experience might lack.
But it’s not that experience is irrelevant, Truong said. “It matters in the sense that you gain more confidence, you get an instinct, you get more skills. I don’t want to discount that years of experience has a positive effect. But I also think if you’re trying to hire someone, [experience] should be secondary to, ‘What do you think about privacy? Do you want to read about this all day everyday? Does it light a fire in you when someone does something that breaks the trust of their users? These are important things people leave out.” Hiring can be kind of robotic, and so you miss those things.
Sherry’s advice for privacy newbies: If, for example, you want to be privacy counsel, think about what steps it would take to get you there. See each role as a path toward what you want. “It might not quite align in the beginning, but if you see [those roles] as building blocks, as long as you’re moving in the same direction toward where you want to be, and you’re really passionate about privacy, I find people that have those two things together usually end up in the role they want – whether that’s a legal position or non-legal.”
She also advises newbies to take the opportunities that continually present themselves. “Those that feel like, ‘well this is interesting, this keeps coming up, and I wouldn’t have expected it.’ Run with that. And don’t give up. Usually those experiences will throw you into the fire, which is how you learn in privacy.’”
Ryan’s advice for newbies: Don’t be closed off to things that come your way, and highlight soft skills on your resume to indicate your multi-dimensional talents.
To hear the full conversation, listen to this episode of The Privacy Beat Podcast.