Privacy Please Podcast with Lourdes Turrecha, Founder and CEO of PIX LLC

Lourdes Turrecha, Founder and CEO of PIX LLC, joins Cameron Ivey and Gabe Gumbs at Spirion on this edition of Privacy Please to talk all things privacy.

Highlights include:

  • Lourdes’ path to becoming a lawyer and focusing on privacy law
  • The evolution of the infosec profession in just the last 10 years
  • The rise of privacy technology and what that means for startups and established companies
  • The data privacy and data security hurdles when working from home
  • Why we ought to look at privacy beyond mere compliance

Listen to the show here and leave us a review on iTunes

Transcript:

Cameron Ivey:
Ladies and gentlemen, welcome to Privacy Please. I’m your host, Cameron Ivey, and with me is Gabe Gumbs, of course, and today we have an awesome, awesome guest. Her name is Lourdes Turrecha, and she is going to introduce herself and tell the listeners what she’s all about. Tell us how you began in privacy and how you became a lawyer.

Lourdes Turrecha:
Absolutely. I am one of those people who’ve always known they wanted to be a lawyer. It was that weirdo when I was a child… you know when you were a kid, you wanted to be a doctor one day and an astronaut another day?

Cameron Ivey:
Right.

Lourdes Turrecha:
Not for me. It’s weird. I guess I’ve always liked rules and learning them as much as I can, and then finding the loopholes and finding which one are strict rules and which one are flexible rules, and that’s really how it started.

Lourdes Turrecha:
On the public interest side, I like the fact that you could impact a lot of people and do a lot of good, and so, it’s been almost an entire lifelong journey, ever since I was very young, to really work towards becoming a lawyer, which is why it’s so hard for me today to conceptualize or identify as an entrepreneur and a founder. I still have my license, but I don’t use it currently. I am working with startups on privacy and cybersecurity, mainly. I do have my own privacy consulting firm, PIX.

Lourdes Turrecha:
I started in privacy just about 10 years ago. I think it was when we still had Safe Harbor, before Privacy Shield, and we were looking into that and I thought, “This is so interesting. Why do we need a treaty to transfer data from one place to another, from Europe to the U.S.?”

Cameron Ivey:
Yeah.

Lourdes Turrecha:
Yeah, I mean, it just blew my mind, and so, I was so lucky to then stumble into Daniel Solove’s information privacy law class, which was way ahead of its time then. I think there were less than 10 law schools that offered an information privacy law. I mean, you have Fourth Amendment privacy; we’ve had that forever, but information privacy law was still relatively new then and not offered widely. I’m not sure if either of you are familiar with him; he’s one of the leading thought leaders in information privacy. The Supreme Court cites his work. He probably wrote one of the earliest privacy law casebooks, and he’s a philosopher in privacy and has published a lot of very interesting and thought-provoking works in this space.

Lourdes Turrecha:
I got very lucky to have benefited from his mentorship and advice throughout the years, and ultimately, got my first job in privacy at a Fortune 300 company through his referral, which just started this amazing career, so thank you, Dan.

Cameron Ivey:
Yeah, I mean, it’s… oh, go ahead, Gabe.

Gabe Gumbs:
No, I was just saying that is quite the interesting journey, and for someone who recognized early that they appreciate the nuances of structured boundaries… namely, the law… and wanting to examine it in such a way that you could find ways in and out of it, to find yourself working closely with privacy and security does seem somewhat natural. Why didn’t you ever go further down, say, the security side of this, though? Just purely curious, why the privacy side more than the security side? Not that you can separate the two, but there certainly are nuances between the two.

Lourdes Turrecha:
Yeah, it’s interesting that you point that out, because my first job in privacy was building the privacy program at a Fortune 300 company, and it happened to be within the CISO’s organization, so I was literally sitting across the hall from the architects and the analysts, and my meetings from 8:00 to 6:00 are with them, and our security projects, and that’s where we came from.

Lourdes Turrecha:
I wasn’t “an info-sec” professional purely because it made sense for me to label myself as a privacy professional given my legal training and background, but I have worked quite a bit in the information security realm on privacy, and same with one of my more recent companies, Palo Alto Networks; they’re huge in the cybersecurity space, one of the leading under-priced cybersecurity companies. I worked with our R&D folks, who built cybersecurity products, and then our internal information security teams on security and GRC projects, as well. It was a very close relationship.

Lourdes Turrecha:
I guess, I suppose, to answer your question, it made for sense for me to kind of keep the privacy labeling. I mean, they’re distinct, and we could go into that, as well, because I see that quite a bit about how folks interchange the two and don’t know the scopes, and I don’t know if that’s something that your audience might be interested in listening or hearing about.

Gabe Gumbs:
I think they would be. One of the questions that we ask our listeners when we talk to them offline, and other folks that we interview, oftentimes is can they describe for us the difference between security and privacy? We get a range of answers. I mean, I’d love for you to answer that question for our listeners, also, if you would.

Lourdes Turrecha:
I mean, I’d be happy to share my take.

Gabe Gumbs:
Yeah.

Lourdes Turrecha:
From the data level itself, the types of data that both domains are involved in very different. There’s an overlap. Privacy is only concerned with personal data, so data relating to people; whereas security is concerned with anything that is of value to an organization and that needs protecting. Of course, that would include personal data, but we could also talk about IP and trade secrets and financial information.

Lourdes Turrecha:
The types of data involved are very different. The scope of inquiries are also different. In security, we talk about the CIA: confidentiality, integrity, availability. When it comes to privacy, one aspect of privacy is securing personal data, but that’s not the only inquiry. We also need to ask whether we collected it with an appropriate purpose and where there’s purpose limitation and data minimization; whether we’re keeping it for only as long as we have a reason to; whether we’re honoring individual rights when it comes to accessing and deleting their data.

Lourdes Turrecha:
There is the overlap, but there’s also that really interesting aspects to privacy and security on the security side as well ah, it is fascinating.

Lourdes Turrecha:
What about you guys? How do you think about it? I mean, I love having this conversation, and I’ve literally had to ask this question to both types of professionals, to privacy professionals, to security professionals, and those who overlap both side. I’m always interested in what…

Gabe Gumbs:
The very clinical answer that I will sometimes give, maybe sometimes often, is kind of the niche definition of it, which is faith that… security issues are a byproduct of unauthorized access to data, while privacy issues arise as a byproduct of authorized access to data. It’s a very clinical answer to it.

Gabe Gumbs:
My less non-clinical answer usually boils down more to, one of those things, security, is about protecting the data; one of those things, privacy, is about protecting the individuals that that data talks about, the very digital identities of those individuals. Now with the regulations we have out there, I think I might even change my talk track more to the data that those individuals own, because I think that is a much better way to look at it. You protect the data that your company owns very differently than you protect the data that I own.

Gabe Gumbs:
Thankfully, now, we are starting to, as Americans, get more ownership of our data, and hopefully that distinction helps make the difference between security and privacy quite a bit more clear for all of the defenders out there. I tend to think about things in terms of breakers, defenders, builders kind of thing. I’m a very technical person in that respect, just by nature as well as by trade; and so, when I look at it through the lens of the protectors of the world versus, say, the breakers, or even the builders, that’s how I think about it.

Gabe Gumbs:
Having read some of the IAPP materials on similar topics, they don’t talk about it in terms of builders, but they do talk about privacy for engineers and privacy for architects, which are the builders, and I think it’s still a good lens by which we should look through those things, especially as we give way to the rise of privacy technology, right?

Lourdes Turrecha:
Right, and I want to hone in on one of the terms that you mentioned, and it’s the ownership of data. It’s one of the topics that I’ve loved following throughout the years, and it’s very timely, too. I mean, it’s interesting, because the privacy profession is quite… how do I say… disunited when it comes to whether people should have ownership over their data.

Lourdes Turrecha:
I don’t know if you heard the Senate hearing on this in November, where the Senators wanted to hear from consumer advocates and tech folks about ownership of data, and the consumer advocates are actually against it because they think that giving people property rights to their data would have terrible privacy consequences. I don’t necessarily share that view, but it’s a fascinating topic, for sure.

Gabe Gumbs:
Yes, it is. Cameron, you want to kind of dive into a bit about privacy tech, and kind of where-

Cameron Ivey:
Yeah.

Gabe Gumbs:
Yeah.

Cameron Ivey:
Yeah, I actually had a question, because we were talking about the topic of RSA; obviously, all three of us were there. I think you, Lourdes, you spoke there; I’m not sure how many conferences you had. I’m wondering, what was the trend? I think we had a conversation about this. You mentioned something about a lot of tech companies being interested in this privacy realm, but not really knowing much about it. Let’s dive into that. Let’s double-click into that and kind of discuss that further, and what you feel about that.

Lourdes Turrecha:
Sure. I mean, if I remember correctly, I wrote out my notes on RSA. I mean, I’ve been going for years, and so this year… and each year, privacy has been on the rise, but this year was no exception. From the keynote stage to the sessions, there was a robust privacy track that was put together by our colleagues, Susan Hinson and Angelique Carson; so, thanks to those two women, but also to the expo booths. If you look… I mean, you guys were there… looked at the messaging, privacy was everywhere, so it wasn’t all about security anymore.

Lourdes Turrecha:
There were quite a few startups; some of them we know in the privacy tech space, but many new ones that I hadn’t heard of.

Gabe Gumbs:
I can give you exact numbers. 106 of the 658 exhibitors self-identified as a privacy organization.

Lourdes Turrecha:
That’s amazing. Wow, 106. Wow.

Cameron Ivey:
What was the difference from the last year, Gabe? I think we had those numbers, too.

Gabe Gumbs:
The year before, it was something around 60-odd or so.

Cameron Ivey:
Yeah, it jumped up amazing.

Gabe Gumbs:
Oh, yeah, if you could misspell the word privacy, it was probably on your booth.

Lourdes Turrecha:
It’s interesting, a lot of them have put in the work to really look at the problems… the three of us were talking about this earlier, about starting with the privacy problems or building the solutions. Some of them have put in the effort to do that; well, some of the other ones, it was a little disappointing as a privacy professional, because when they start going into how they are solving problems, it became clear to me that they were talking more about security problems, and that they weren’t really clear on the privacy problems that they could solve, or that they were trying to solve for.

Lourdes Turrecha:
There is that opportunity there, and the good thing is that we have domain experts in privacy who could help those folks out. We talked about the rise of privacy tech, and it’s a movement that folks in privacy, and also founders and investors interested in privacy tech that were looking into, to kind of bring together technologists and entrepreneurs interested in privacy, and investors interested in privacy, and domain experts who understand privacy, so that we’re not talking above each other and so that we could help each other out solve for these problems. We start with the problems, and we solve some of these problems through technology, because as we’ve talked about, the law is always lagging behind, so let’s try to see if we could start solving for these through new innovations.

Gabe Gumbs:
Let’s talk about some of those innovations a little bit, or at least more importantly, how we will integrate them into our professional lives. You and I also talked a little bit about what I might start calling the rise of privacy operations, which is really nothing more than… if I think about network operations, I think about kind of three types of data that we collect to monitor how things are going in a network. I kind of collect time series data; time to respond to things, time to resolve things. I collect a lot of log data, availability data, performance data. I collect event data, transaction data, backup data, era data.

Gabe Gumbs:
On a security side of things, by and large, and I’m boiling this down into big categories, but there’s monitoring data, there’s analysis, there’s automation stuff; so I’ve got my threat detection on my monitoring stuff; I’ve got my axis monitoring. On the analysis side of things, we’re looking for a lot of indicators of compromise and prioritizing alerts and user and entity behavior analysis. On the automation side of things, system isolation, remediation incident containment; you name it.

Gabe Gumbs:
What are we really going to end up with when we’re thinking about privacy operations? If I have this area where I’m doing real time system intelligence in a knock and real time security intelligence in a sock, for us to get to a place where we are operationalizing privacy… and I know I don’t have this expectation that a privacy operations will be a thing everyone has… but it certainly is what I have an expectation that privacy tech will help us enable. I need to be able to collect data collection intelligence, so how did I get that data, and where does that data move within the environment? That’s just one type of operationalizing of privacy.

Gabe Gumbs:
What else do you see being important in that space?

Lourdes Turrecha:
I think the most important one is just knowing what personal data you have in a manner that is up-to-date. Traditionally, we’ve… because everything else follows from that. You can’t really have a good privacy program without knowing what types of personal data you have and where they are, and traditionally, we’ve done inventories and mapping through spreadsheets and all of these Microsoft Suite tools, but that’s no longer… and maybe 10 years ago that was acceptable, but today, that’s no longer… I don’t believe it’s acceptable anymore. That’s no longer viable because of the rate of how much we collect and move data and transmit data; the moment we finish a manual inventory, it’s stale. It becomes more important to have good tools that will allow us to then build that program, the operations, on top of it.

Lourdes Turrecha:
We talked about privacy tech tools out there that have the ability to automate the detection and inventory and mapping of personal data, and your network and your endpoints, and in your cloud applications, so that the privacy operations team, which I don’t believe should be just lawyers or should just be security folks; I think privacy is very much cross-functional. You need auditors. You need privacy engineers.

Lourdes Turrecha:
I think we need to start with really good privacy tech that would enable operations in a way that gives us good data about the where and the what so that we can start our compliance on top of that.

Gabe Gumbs:
And why shouldn’t it be cross-functional, as well as across different individuals inside the organizations? Again, back to my examples of security operations and network operations, those things are. Those things, although there may be some siloing of ownership of the technology itself in terms of who operates it, but everyone participates in that activity. We’ve been talking about that in data security for a long time.

Lourdes Turrecha:
Yeah, it should be. It should be cross-functional. I think teams today, privacy teams, especially in mature organizations with mature privacy programs, are cross-functional. We just need to then layer on top of that an operations center like you suggest, that would give them then the up-to-date, accurate overview of where their personal data is in their organization.

Gabe Gumbs:
Indeed. Well, this has been a great conversation so far.

Lourdes Turrecha:
Sometimes I worry that I’m so passionate about privacy that I have to apologize about being a geek.

Cameron Ivey:
No, don’t apologize. This is the world of Privacy Please.

Gabe Gumbs:
Yeah, I learned a long time ago to stop apologizing for being a geek and being passionate about security and privacy. Forget about it. It is the thing that I legitimately… it excites me so very much.

Gabe Gumbs:
Let’s talk about some other things going on in the world right now. We have this pandemic, and it’s been rather unfortunate in its impact across the world and how it’s affecting all of us.

Gabe Gumbs:
Let’s talk about the impact on privacy that it’s having, and we can start with just the fact that I’ve heard that some of the enforcement of some of the privacy regulations might be suspended for some period of time, which is unfortunate in and of itself. I think that’s a bad idea. We’re going to be having this conversation again in probably just a few months, and so for anyone thinking, “Oh, it’s going to be suspended. I can go on about not caring about it,” that’s not going to end well for them.

Cameron Ivey:
No.

Gabe Gumbs:
Yeah. But let’s-

Gabe Gumbs:
Go ahead.

Lourdes Turrecha:
Yeah, we’ve seen it globally. We’ve seen increased surveillance, and different levels of increased surveillance, too, depending on jurisdiction, and I think that highlights the cultural nature of privacy. Privacy in Europe is very different from privacy in the U.S. or privacy in Japan. In Japan, it’s more tied to their sense of honor. In Europe, it’s more tied to individual rights. In the U.S., it’s tied to consumer protection.

Lourdes Turrecha:
We see that here, as well. We’ve also seen how law enforcement have asked for increased ability to track folks, and I think also highlights the need for a framework that would allow for that. GDPR in the EU, and you guys have probably seen all the different data protection authorities’ guidance on this; the GDPR is not black and white. There are gray areas that allow for things like this. If there’s a legitimate interest like societal health, then we would allow for the processing of personal data for that purpose.

Lourdes Turrecha:
It just highlights why we need that in the U.S., because what happens then is that, in the absence of such a framework, we end up giving up some of those rights. Peter Swire wrote a really good piece on this that is a comparative piece to what happened during 9/11. We think this is unprecedented. We think the coronavirus is unprecedented, and to a certain extent, it is, but from a privacy perspective, we’ve seen this encroachment upon our privacy happen. We saw this happen 19 years ago, and we can learn from what happened then and how we can tackle some of those requests from law enforcement to detain folks indefinitely, or to track us.

Lourdes Turrecha:
I mean, yes, there’s a good reason to track folks so that we can contain this, but we can do it in a way that’s privacy-protective, and that’s probably one of the areas where good privacy technologies can help.

Gabe Gumbs:
I hope so. I do believe we have an opportunity there, for sure.

Cameron Ivey:
So, I’m interested. I don’t know if I’m switching gears too quickly here, but I’m just curious. Being a founder and a CEO, Lourdes, what’s been the biggest challenge for you and your employees and your company during this time? What’s been the biggest challenge around privacy and just transitioning to work-from-home? I’m not sure, maybe you’ve always worked from home, but can we dive into that? What have you been dealing with?

Lourdes Turrecha:
Being a privacy professional and having worked in cybersecurity, I am one of those privacy and security Nazis; I’m sorry for using that word, but I really am.

Cameron Ivey:
It’s all good.

Lourdes Turrecha:
I’ve done the things that folks… if you’ve seen the materials out there NIST and SANDS have released, using a VPN and covering your webcam and turning off your home devices and making sure your WiFi is secure, and making sure you use secure browsers and all of this stuff, using encrypted messaging like Signal and closing windows before joining a video call, all of those things; those are things that we practice.

Lourdes Turrecha:
I think the biggest issue that I have is less about privacy and security and more about just making sure that we are getting through this together and in a way that… we don’t know when it’s going to end, and so it’s just really taking care of ourselves and being good to the people that we have around us. The work-from-home one, there are a few productivity things that have come up, as well. I still get up at the same time and… the first week I didn’t, okay? Let’s be clear. The first week [inaudible 00:26:49] third week… someone shared in one of those webinars that it’s a good idea to get up at the same time, to kind of act as if you’re going into the office; and so, I dress up like I’m going into a meeting. Not really, it’s sort of in the middle, but I’m not in pajamas or anything like that.

Cameron Ivey:
Right. You’re wearing pants, yes. I don’t know about Gabe, though.

Lourdes Turrecha:
Not that I’m judging, it just works for me. I think the first week, not having structure, it was difficult. I don’t know about you guys. I mean, different people have different preferences, of course, but I like having the structure because it lets me kind of… it gives you a sense of security, too. Not everything is falling apart. You have a schedule. You get up in the morning. You take your lunch. You take care of yourself at the end of the day and log off.

Lourdes Turrecha:
What about you guys? What’s worked for you?

Gabe Gumbs:
Well, I’ll let Cam speak to this, because actually, I’m a crusty old work from home veteran. I shared this experience before, but my original work from home experience began via yet another tragedy many moons ago when, post 9/11, we lost a lot of office space in New York. As someone who was in the technology space, we were one of the lucky ones that were able to work from home and to alleviate that pressure on the city.

Gabe Gumbs:
I’m with everything you said, and I’ve always been that person. I follow that routine. All of those things have been ingrained in me for a while, but Cameron, this is kind of new territory for you, and you’ve got a family at home and those things, so why don’t you share with us how this has impacted your life, and from a privacy perspective, as well?

Cameron Ivey:
Yeah, it’s impacted majorly, because I’m the kind of person that I like people. I like being around the office, I like the energy that I can bring to the office with people and my co-workers.

Cameron Ivey:
It’s been hard because that energy is not there. It’s not the same energy. Obviously, we have the benefit to use video chat, which we’re using more and more now, which is great. I’ve mentioned this before, but you see across the board on LinkedIn and social media that companies are using social media and videos, and never did before. I’ve seen people talk about how this is actually going to help save some businesses rather than hurt them, and I truly believe that, because it’s making them open up even more because they have to, or they have to adapt or they’re going to die. It’s just incredible.

Cameron Ivey:
My experience at home, we’ve been fortunate that we came to my in-laws to stay over here to help with our 11-month-old, and it’s been a challenge to stay on the same schedule, but making the best of it, and again, using technology in all our practices to stay private and safe. I don’t know, it’s been odd to say the least, but always a optimistic person, and just trying to stay above water like everyone else. I think it’s good because our companies, we’re staying positive, as well, as a group, and we’re all staying connected, so it’s been good, but it’s still odd. It’s very odd.

Lourdes Turrecha:
The virtual happy hours and game nights and lunch with are on, right? I mean, I’ve had a few the past couple of weeks.

Cameron Ivey:
Oh, so how are those going for you guys?

Lourdes Turrecha:
I like that we’re being creative on how we stay connected with each other. I do like that a lot.

Cameron Ivey:
Yeah, it just makes it easier. I think some people are just uncomfortable with it all, but I think once you see more and more people do it, you open up a little more. It’s definitely interesting, but just how many companies are opening up on social media, which is nice.

Cameron Ivey:
I don’t know if you guys saw that funny video; so, there’s that old video that has the guy with the kid that walks in behind him and he kind of like shoves him off. I saw a parody made of that with a woman doing it. Have you seen this?

Lourdes Turrecha:
I haven’t seen the parody, but I know it’s…

Gabe Gumbs:
I have not.

Cameron Ivey:
It’s hysterical, because it’s basically saying, well, the woman… the woman in the entire conference, she’s on like a news show, and the news show is interviewing her on the webcam, and all this stuff is happening behind her, but she’s continuing the conversation and she’s doing the stuff at the same time; so, she’s ironing clothes, she’s just doing everything at the same time. It’s hysterical because… I don’t know, it just-

Lourdes Turrecha:
It’s reality today.

Gabe Gumbs:
I feel like women would just call that days that end in Y.

Cameron Ivey:
Yes. Yes.

Lourdes Turrecha:
Right?

Cameron Ivey:
It was just funny, though.

Lourdes Turrecha:
Yeah, can you send me that?

Cameron Ivey:
Of course, absolutely.

Lourdes Turrecha:
I mean, this pandemic is probably going to end up being the best… there’s a silver lining, I guess. I’m not as a positive. It’s going to end up being the best argument for the remote work movement, because after this, employees can no longer argue that we can’t… “We can’t let you work from home.”

Cameron Ivey:
Yeah, “You can’t do it. You’re not productive enough.” That’s not true, but that’s a good point.

Lourdes Turrecha:
It’s a win for the remote work movement.

Cameron Ivey:
It is. It’s a challenge, for sure. Before this pandemic even happened, talking about 2020 and beyond in privacy… I know we’re talking about making the business case for privacy, the rise of privacy tech and data ownership… what are your biggest goals around privacy when it comes to trying to build this community and being a part of that. What do you see ahead?

Lourdes Turrecha:
I’m really happy to see that there are more companies trying to solve for privacy problems, and yes, not all of them are starting with their problems, but we can help with that, right?

Cameron Ivey:
Right.

Lourdes Turrecha:
It’s interesting and it’s encouraging that more entrepreneurs and technologists are recognizing that. I think it’s because the timing has been right… I mean, before this pandemic. The timing’s been right because of several reasons: the regulators are paying attention in Europe, and yeah, in California; even at the federal level here in the U.S.; we have several bills that are pending.

Lourdes Turrecha:
The consumers are also, interestingly, changing their sentiment towards privacy. I’ve been tracking consumer sentiment for years, and while they’re not where I want them to be, it’s still encouraging to see them care and be more informed about their privacy, and I think there’s several reasons for that… the Snowden revelations and the Cambridge Analytica and the slew of data breaches that’s happened… but the most interesting and encouraging thing to me was that founders are starting to get it, companies are starting to get it, and even investors are writing checks. This is not something that’s been the case in privacy, and I think it’s an amazing time to look into that, especially during this pandemic.

Lourdes Turrecha:
There are startups solving for coronavirus, and one of the biggest and interesting problems that they’re facing is privacy, especially for the monitoring and the data types of startups.

Cameron Ivey:
Why do you think that is?

Lourdes Turrecha:
I think it’s because, historically, we here at Silicon Valley have not looked up privacy beyond compliance, and that’s a mistake because there is a real value to privacy beyond checking the boxes, and there’s a clear business case. The research in the past few years have demonstrated this. There’s a clear trend companies have recognized, that it can be a competitive advantage. You’ve seen all the Apple ads about how they care about your privacy. We’ve seen big brands like Microsoft do the same for years.

Lourdes Turrecha:
In the cybersecurity industry, which I’ve been, the biggest players have done the same, as well, and there’s a good reason for that. I’ve seen more than a hundred deals, B2B deals, derailed because of privacy and security problems, and companies that want to get ahead, who want to close the deal, who want to demonstrate to their customers that they can be trusted with their customers’ data really need to take privacy seriously. It can’t just be a contract thing anymore, because they will audit you. They will look up whether you designed your products with privacy features and with privacy in mind. It’s exciting, and I liken… I would hope that this trend continues so that it’s not even a trend anymore. It just becomes the status quo that we build with privacy in mind.

Lourdes Turrecha:
I think you guys are familiar with Michelle Dennedy. It would be nice… I mean, we were talking about this a couple of months ago… it would be nice for engineers to just know privacy so that we don’t have a separate role for privacy engineers anymore, and I think security went through that with dev-sec ops and all of that earlier than we did. It would be great if we just did things with privacy in mind from the product perspective, from an organizational, cultural perspective, and it makes a lot of difference, too, when we start from the top.

Lourdes Turrecha:
I’ve worked with organizations where privacy was a board level goal and value, and it makes a ton of difference for the customers and for their brand, and whether or not the team is accomplishing anything, whether they’re funded.

Cameron Ivey:
Yeah, because there’s a lot of organizations that can never see that ROI when it comes to privacy.

Lourdes Turrecha:
Yeah. You guys saw the Cisco research on this, the two point four… I think it was two point four ROI. For each dollar, you get like two point four return on investment privacy.

Gabe Gumbs:
That’s significant, and it is important to recognize that the number one reason why we should do these thing is because it is the right thing to do. However, we can’t lose sight of the fact that ultimately, businesses do exist primarily to conduct business, to make money, et cetera, and we should be able to do the right thing while still doing the right thing by the business, and when those two things can happen together, I think privacy will hopefully become one of those conversations that we look back on and think, “Man, I can’t believe we were actually debating whether or not CCPA should be a thing.”

Lourdes Turrecha:
It really derails us from more important arguments and discussions, too. I mean, we shouldn’t really… I feel like we’re talking minutia and things that are so irrelevant when it comes to this and that about the CCPA, when we should be focusing our collective brain power to solving things like, how do we make sure that tomorrow’s technologies in machine learning, our connected devices, are built in a privacy-protected way? We’re not doing that, because we’re focused on this or that about CCPA or any other regulation, and in the grand scheme of things, does it really change consumer privacy? I don’t know. That’s the argument, right?

Gabe Gumbs:
It’s a good point.

Cameron Ivey:
All right, I guess we’ll… kind of coming up to the top of the hour. I just wanted to wrap things up. Was there anything that we, Gabe and I, that we didn’t ask you that you wanted to touch on? Anything specific?

Lourdes Turrecha:
I think we had a pretty cool conservation. Thank you, you guys.

Gabe Gumbs:
I enjoyed our conversation very much. I appreciate it. I hope all our listeners enjoyed it, also. Where might they find you and some more of your really awesome content? I personally think of you as a bit of a thought leader in this space, and I know that label sometimes get thrown around a bit, and some folks like it, don’t like it. I don’t know how you feel about it, but I’d love for our listeners to be able to hear some more from you. Where can they find you online?

Lourdes Turrecha:
You’re very kind, so thank you. I am in all of the socials. I am on Twitter, @lourdesturrecha. I’m on LinkedIn, as well. I do have a Medium blog where I talk and write about privacy. I also have my privacy consulting firm’s website, PIX.llc, and I look forward to talking more about privacy with you guys in the future.

Cameron Ivey:
Yes, absolutely. Thank you for taking the time to be on the show with us. We really appreciate it, and we really thank you for what you do, and for advocating for privacy.

Lourdes Turrecha:
The pleasure is all mine. Thank you.

Gabe Gumbs:
Thank you. Have a great day. Enjoy the weekend. Stay safe.

Lourdes Turrecha:
You too. Take care.

Cameron Ivey:
Stay safe.

Related Blog Posts

Blog Post
Podcast Episode 25: Privacy for Remote Students and Europe’s View of Privacy
Blog Post
Podcast Episode 24: James McQuiggan: Security Awareness Advocate at KnowBe4 Educator
Blog Post
Cal State CISO discusses protecting sensitive data for half a million people
Blog Post
Privacy Please Podcast with Chris Leach–CISO advisor at CISCO
Blog Post
Podcast Episode: Coronavirus and Work-from-home Privacy concerns with K Royal – Associate General Counsel
Blog Post
Privacy Please Podcast with Michael Santarcangelo of Security Catalyst