When Lisa Hawke joined a startup legal firm in Silicon Valley, it was the company's enthusiasm for cybersecurity that attracted her to the firm.
"Security was definitely a priority for the company, and they had already gone through the SOC 2 Audit on security and availability," she says.
"They brought me on to take that forward and build out the operational practices and procedures and company training. All of the things that you really need to have in place to demonstrate operational effectiveness when it comes to security."
Opportunity knocks: the chance to create the security culture
Hawke is Vice President of Security and Compliance at Everlaw, which offers cloud-based products for e-discovery and investigations.
She says the idea of creating the security culture she envisioned was too good to pass up. Especially because in one of her previous compliance roles she came into a culture that did not support compliance.
"If the leaders of the organization are only doing it to check a box, and to, you know, make this one customer happy—and not doing it because they feel it's critical to the organization—then you're just going to be set up to fail."
This is something we hear regularly from security leaders at SecureWorld cybersecurity conferences around North America. And that type of culture can leave security and compliance professionals without the support to mature a program.
Implementing privacy and security by design
Lisa Hawke says she is a big proponent of both privacy by design and security by design, which she has integrated into Everlaw's culture.
To some, those may only be buzzwords. So how, exactly, does this look within an organization?
We asked Hawke to share her views:
"It's important to make sure folks on the team understand that privacy involves everything relating to personal data, which is a very broad category of information. And privacy is about the actual person's control over that data. While security involves how we're protecting that data."
Got it. But how does this look when it comes to implementation?
"In terms of incorporating it into our business processes, we do several things here. It's not only how it relates to development of our product, it is also how we operate as a business. When you think about privacy by design, you might only be thinking about developing software and applying data minimization there.
For example, if you have a product that requires account sign-up, from a personal data perspective, maybe you only need the person's email address and you don't need their name, phone number, job title, home address, or other information. In the past, lots of businesses haven't thought twice about collecting all of the information.
As part of privacy by design, you can apply the principle of data minimization to how you're developing the information needed to set up an account on your platform."
As Hawke tells it, however, that is only part of a privacy by design strategy.
"What about how your marketing team is collecting leads, you know, what tools are they using? Where is that information going? And what about your other teams that use personal data of your customers or prospects to do their jobs?
So when we think of privacy by design, it's looking at each of the teams, how they use personal data, and then going through the process of identifying and documenting, what did they use that data for and do they need it?
Also, when and how are we deleting it? Then asking, where is it stored? That is where security comes in. It's a holistic process."
Even though these words are only typed, can you sense her passion for both privacy and security?
That might explain her side gig.
Bay Area non-profit: Women in Cybersecurity and Privacy
Hawke is a Vice Chair and Board Member of WISP, which stands for Women in Security and Privacy.
The non-profit began a few years ago in the Bay Area and is growing.
"One thing that we feel really strongly about is that the fields of security and privacy are merging. It doesn't matter if your organization has two separate teams or a combined team. We believe it is becoming increasingly important for privacy practitioners to understand security, and for security practitioners to understand aspects of privacy as well."
The primary mission of WISP is to advance women in privacy and security through things like networking, up-skilling, and offering scholarships for women to attend cybersecurity conferences. WISP provides a number of resources enabling more women to earn certifications.
"From my own point of view, I think we're in a position as an industry where the talent is there. I see and meet so many women in the privacy and security field that are out there. We need to acknowledge this talent and stop gate-keeping."
And we have little doubt that Lisa Hawke and organizations like WISP will help talented women find their roles in security and privacy.