
HELP WANTED: Growing a Workforce for Managing Privacy Risk

It’s a very different world that we’re living in from the one in which we published the NIST Privacy Framework this past January. These changes have shown that effective privacy programs that can adapt to new risks are more necessary than ever.

A skilled workforce is a key pillar of an effective privacy program. As the framework roadmap stated, “Further development of a knowledgeable and skilled privacy workforce (to include privacy practitioners and other personnel whose duties require an understanding of privacy risks) is necessary to support organizations in better protecting individuals’ privacy while optimizing beneficial uses of data.” Unfortunately, we’ve heard consistently that recruitment and development are a challenge. Now is the time to make headway on this challenge by creating a workforce taxonomy aligned with the Privacy Framework.

What is a Privacy Workforce Taxonomy?

Maybe we should first ask: what is a privacy workforce? Personnel in all parts of the organization such as IT, cybersecurity, legal, product development, human resources, and marketing may not consider themselves to be “privacy professionals,” but can still have a role to play in managing privacy risk. Perhaps then we should not talk about a privacy workforce so much as a workforce capable of managing privacy risk. If that’s the case, we believe that developing a taxonomy that is aligned with the Privacy Framework will enable us to categorize and describe a workforce capable of managing privacy risk, and in turn, help organizations to better achieve their desired privacy objectives. In addition, it could support recruitment with more consistent position descriptions and inform the education and training of professionals to produce a more skilled and knowledgeable workforce.

We’re coordinating with our National Initiative for Cybersecurity Education colleagues so that this effort will align with the new, streamlined structure of the Workforce Framework for Cybersecurity, introduced in July 2020 as Draft NIST Special Publication 800-181, Revision 1. Since NIST’s approach to privacy and cybersecurity is to recognize their independence as disciplines as well as their overlap, the end result of both initiatives is intended to be listings of tasks, knowledge, and skills and examples of organizing them into work roles and competencies that organizations can use in a modular fashion to address their workforce needs for privacy and cybersecurity.

Help Us

Building these modular resources will be as “easy” as it is for a privacy professional to answer the proverbial question, “So what is it that you do?” We need your help to understand the many nuanced aspects of your work, operational insights, and workforce challenges. To start, please attend the virtual workshop Help Wanted: Growing a Workforce for Managing Privacy Risk that the International Association of Privacy Professionals (IAPP) will host on September 22-24, 2020. This workshop is free, open to the public, and designed to fit into your busy schedules and maximize the opportunity for participation from around the world. We’ll be facilitating working sessions where you can share your feedback and ideas about what you think is needed to achieve the Privacy Framework’s outcomes and activities. The working sessions will have limited capacity, so don’t wait to register.

The Road Ahead

Following the workshop, we will take your feedback and use it to inform the development of a draft taxonomy that can include sets of roles, tasks, knowledge, and skills that we will share with you for your input. We see this process unfolding over the next several months, with the goal of releasing these resources in 2021.

With that, we’re hanging up a virtual “help wanted” sign: we need input from a wide range of roles (e.g., technical, business, policy, legal). If you want the job, here are your first tasks:

  • Register now for the workshop
  • Share your perspective about:
    • Challenges, needs, and opportunities for developing a skilled and knowledgeable workforce
    • The work roles, tasks, knowledge, and skills necessary to align with the Privacy Framework
    • Your organizational priorities for workforce resources (e.g., listings of tasks, knowledge, and skills and where those fit in work roles and competencies)
    • Other issues that we should consider as we develop these resources
  • If you haven’t already, join the Privacy Framework mailing list to periodically receive updates about this effort.

We hope to “see” you on September 22, but if not, there will be more opportunities to collaborate with us in the coming months to support the growth of a workforce better able to produce systems, products, and services that provide equitable benefits while minimizing the risks to our privacy.

About the author

Naomi Lefkovitz

Naomi Lefkovitz is the Senior Privacy Policy Advisor in the Information Technology Lab at the National Institute of Standards and Technology, U.S. Department of Commerce. Her portfolio includes work on the National Strategy for Trusted Identities in Cyberspace (NSTIC), privacy engineering, privacy-enhancing technologies, cybersecurity and standards development.

FierceGovernmentIT named Ms. Lefkovitz on their 2013 “Fierce15” list of the most forward-thinking people working within government information technology, and she is a 2014 Federal 100 Awards winner.

Before joining NIST, she was the Director for Privacy and Civil Liberties in the Cybersecurity Directorate of the National Security Staff in the Executive Office of the President. Her portfolio included the NSTIC as well as addressing the privacy and civil liberties impact of the Obama Administration’s cybersecurity initiatives and programs.

Prior to her tenure at the White House, Ms. Lefkovitz was a senior attorney with the Division of Privacy and Identity Protection at the Federal Trade Commission. Her responsibilities focused primarily on policy matters, including legislation, rulemakings, and business and consumer education in the areas of identity theft, data security and privacy.

At the outset of her career, she was Assistant General Counsel at CDnow, Inc., an early online music retailer.

Ms. Lefkovitz holds a B.A. with honors in French Literature from Bryn Mawr College and a J.D. with honors from Temple University School of Law.

Dylan Gilbert

Dylan Gilbert is a Privacy Policy Advisor with the Privacy Engineering Program at the National Institute of Standards and Technology, U.S. Department of Commerce. In this role, he advances the development of privacy engineering and risk management processes with a focus on the Privacy Framework and emerging technologies.

Prior to joining NIST, he was Policy Counsel at Public Knowledge where he led and developed all aspects of the organization’s privacy advocacy. This included engagement with civil society coalitions, federal and state lawmakers, and a broad cross-section of external stakeholders on issues ranging from consumer IoT security to the development of comprehensive federal privacy legislation. He spent the early part of his career as a working musician and freelance writer in his native southern California.

Dylan holds a B.A. in English from the College of William and Mary and a J.D. from the George Washington University Law School.

Comments

No comment, but I would be happy to be aboard.

Admirable Position
I shall apply🙋‍♀️

Looking forward to learning

Hi NIST
I have recently seen the request from NIST to support the “Growing a Workforce for Managing Privacy Risk”. This is a great initiative bringing together the backing of your two organisations to address part of the risk puzzle. So many organisations I work with are confused over the boundaries, functions and responsibilities that link these two business-critical risk domains, Security and Privacy, even before addressing the link to ERM.
Many organisations I work with feel they have been protected having taken legal advice on privacy and DP, yet when we (as Security SMEs) review threat and vulnerability scenarios we find core failures to address some of the most basic CIA risk controls needed to keep critical client data secure! The Security and Privacy domains need to work together hand in hand, and a functional RACI needs to be crystal clear to support both clients and practitioners.
Given my role in client advisory on the Cyber and IS side of this conversation (I don’t mean technical) I would be very interested in participating in this activity as the confusion between these two critical domains has needed ironing out and aligning for some time. It is a little unclear if this exercise is focused on just DP professionals or both DP and IS&C professionals, and if it’s going to be a US-focused discussion, or a more macro ERM to global Privacy discussion.

Please could you let me know your thoughts.

Many thanks,
Warren

Warren,

Thank you for your comment. The workforce workshop is open to both data protection and information security/cybersecurity professionals, and we hope that you’ll participate and share your insights on the importance of collaboration between privacy and cybersecurity teams.

Regarding your question about geographic scope, the taxonomy will be developed to align with the NIST Privacy Framework, which is designed to be an enterprise risk management tool usable by any organization around the world. With that goal in mind, we encourage broad participation. We look forward to virtually meeting you next week.

Best,

The NIST Privacy Engineering Team
