 
                Hi, my name is Jamal Ahmed and I'd like to invite you to listen to this special episode of the #1 ranked Data Privacy podcast.
Discover:
And so much more....
Ready to become a World Class Privacy Expert? Book your call to join the World's Leading Privacy Program
He spent 9 years on Google’s information security team and led security for social products. From there, Jad became Snap Inc.’s first Chief Security Officer, creating programs for security, privacy engineering, and spam and abuse from the ground up. Early in his career, Jad recognized that developing meaningful defenses takes time and resources, and decided in 2018 to create a tool that would address those challenges. He and Chris partnered to launch TerraTrue. Jad holds a bachelor’s degree in computer engineering from McGill University and a master’s in computer science from Stanford.
Follow Jamal on LinkedIn: https://www.linkedin.com/in/kmjahmed/
Connect with Jad on LinkedIn: https://www.linkedin.com/in/secplusplus/
Find out more about TerraTrue: https://terratruehq.com/
►https://newsletter.privacypros.academy/sign-up
► https://www.youtube.com/c/PrivacyPros
Apply to join here whilst it's still free: https://www.facebook.com/groups/privacypro
Are you ready to know what you don't know about Privacy Pros? Then you're in the right place.
Intro:Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. The podcast to launch progress and excel your career as a privacy pro.
Intro:Hear about the latest news and developments in the world of privacy.
Intro:Discover fascinating insights from leading global privacy.
Intro:Professionals, and hear real stories and top tips from the people who have been where you want to get to.
Intro:We're an official IAPP training partner.
Intro:We've trained people in over 137 countries and counting.
Intro:So whether you're thinking about starting a career in data privacy or you are an experienced professional, this is the podcast for you.
Jamilla:Hi everyone and welcome to the Privacy Pros Academy podcast. My name is Jamilla, and I'm a data privacy analyst at Kazient Privacy Experts. I'm primarily responsible for conducting research on current and upcoming legislation as well as any key developments and decisions by supervisory authorities. With me today as my co-host is Jamal Ahmed, Fellow of Information Privacy and CEO, Kazient Privacy Experts. Jamal is an astute and influential privacy consultant, strategist, board adviser and Fellow of Information Privacy. He is a charismatic leader, progressive thinker and innovator in the privacy sector who directs complex global privacy programs. Considered by his peers and clients to be one of the UK's pre-eminent privacy experts, he has the credibility and gravitas to engender confidence. He is a sought-after commentator, contributing to the BBC, ITV News, Euro News Talk Radio, the Independent and The Guardian, amongst others. The Privacy Pros podcast reaches audience in 72 countries and is ranked the number one privacy podcast in the world and one of the top three GDPR podcasts. Jamal strives to be a great leader, listener, and coach. He has grown a talented, high performing team who protect the privacy of a billion plus data subjects and our international experts in data privacy, GDPR and cybersecurity. Jamal and his team are driven by the principles of simplifying and demystifying privacy, removing complexities and educating clients to forge a privacy by design culture that enables clients to build their internal privacy capability and capacity. He works with global clients across multiple sectors and jurisdictions, partnering with boards and C suite, debates constructively, challenges, rigorously questions intelligently and advises pragmatically alongside exceptional experience and qualifications. He has value by providing pertinent insights, bringing alternative perspectives, and triggering healthy debates. Hi Jamal.
Jamal:Hey, Jamilla. How's it going?
Jamilla:I'm good, how are you?
Jamal:I'm fantastic. I'm so excited to speak to today's guest with over ten years’ experience at Google. So tell us more about Jad.
Jamilla: and resources, and decided in: Jad:Jamilla and Jamal, it's so great to be on your podcast. Thanks for having me.
Jamilla:Thank you so much. And as we always do on the podcast, we always start off with an ice breaker question, something not related to privacy at all. Jad, what's the best compliment you've ever received?
Jad:One of the most interesting ones I've gotten, actually, from colleagues is around being a charismatic leadership, particularly in security and privacy. It's important to have that influence, that connection, that ability to listen to the needs of those around you and to meet them. And really that meant a lot to me, and I appreciated it.
Jamilla:That's great. Jamal, what's the best compliment you've ever received?
Jamal:I was worried this is going to come to me next. I don't actually know off the top of my head what the best compliment I received is, but I do tell you what makes me really happy and warm inside is when people I look up to and people I aspire to, they come back and said I've inspired them in some way or they found something I did really great. That really makes me feel really humble, and it just makes me feel grateful to be able to do what I do.
Jamilla:Nice. I think the best compliment I get is I have three younger siblings who are teenagers, and teenagers are so mean and they think I'm the least coolest person in the world. So whenever they say that something I did was cool, or they'll let me meet them after school in front of their friends, that's the best compliment.
Jamal:Oh dear, no.
Jamilla:No offence to any teenagers listening.
Jamal:So Jad one thing I’m actually interested to learn a little bit more about your actual career journey? How did you first get into privacy engineering and what was life like going to university and getting into your first role? And how did you end up at Google and do what you did there for nine whole years?
Jad: ed at a start-up in the early: Jamilla:
Wow, great.
Jamal:Yeah. Thank you for walking us through that, Jad. It sounds like you have such depth and breadth of experiences and stories. I'm sure that has really helped you to get to where you are now, but that’s also help you to understand your clients or your customers problems before they even know they might have this problem and be able to eliminate that. And we spoke to Chris on a recent podcast, and he was talking about this shift left principle of mindset that you guys have and you're bringing how useful it is, and we'll jump on to that in a second. Could you explain a little bit more Jad about why for us to have success over security, for us to have data protection as security and privacy, both teams need to work together?
Jad:Oh, that's a great question. The way I sort of look at it, and again, different organizations draw the line differently between security and privacy. It isn't black or white for some organizations. Certain efforts they do fall under privacy, in others, they fall under security. There is a bit of that grey area overlap. But as you said, you're absolutely right, it is two sides of the same coin. And the way I think about it is, security tends to be about protecting a company applications, products and infrastructure from risk, from people being able to access it, doing things that they're not supposed to do, extract information, inject information, delete data, steal data. Security is about protecting that foundation and preventing cases where someone does something that they're not supposed to do on your environment. And if you look at it from that definition, you cannot have privacy if there isn't security. So if your company doesn't have a good enough security program, there is no way they can be good at privacy, because someone will find a way to get into the data, into your systems, extract it, and basically compromise everything about that user's data. And so it's a bit more foundational in the sense that you need to have it. There's just no question about it. Privacy comes on top and is about a number of things there around respecting the laws, making sure that you are complying with all the different regulations. You're also respecting the users expectations about what data you're using, how you're using it. And that makes it more fungible, much more in a way, much less black and white. Because privacy changes over time. What users expect of how you build the product and what you can do on that product is evolving over time. So privacy has to be thinking about, what does the user think I'm doing? Am I crossing any line for them? Am I respecting the way I'm using that data? And then of course, how am I sharing the data? Is it sharing with consent from the user? Am I collecting data under the right legal basis? And am I handling it in the way that I say I am handling it? So privacy goes on top of security and opens up a slew of other considerations, thinking it's again, very, very multidisciplinary. And so I just think about them along those lines myself.
Jamal:That's super insightful. And the other challenge I want to ask you about is what happened or what could go wrong when you have privacy teams and security teams working in isolation by themselves.
Jad:Honestly, a bit of a recipe for disaster because, and I believe this, this is not hypothetical, security teams care about giving advice to developers and product teams that helps build software that is safe. Privacy teams care about giving advice to those same constituents, the developers and the PM, to build products that take privacy into consideration and are adhering to user expectations and different regulations. Those two things are both meaningful and important. But it's also very, very possible that developers get conflicting advice from those teams. just because security is looking at security and privacy is looking at privacy. So security tells you, you should build your product this way, and then you'll be safe. Privacy tells you, you should build it this way, and that way privacy is preserved. But really, when you're having those conversations in isolation of one another as a developer or as someone who's building a product, you're sort of stuck in the middle because often you get advice that is correct for each area but isn't the most efficient on a larger scale. And so what we are seeing, what we've seen before, what we continue to see today, is that often when you're doing anything new at your company, the privacy team asks you, please do these reviews using this tool, work with us. Security team tells you, please do these reviews using this tool, this process, work with us. And often you get stuck in the middle. You're like, I can't continue, I'm literally getting conflicting advice. And then you have to bring those teams together to think with you about a third solution, one that satisfies both security and privacy. And it's not bad. It just results in unnecessary friction, in unnecessary delays, because what you want at the end of the day you want as a developer or product person, you want to ship your software, you want to release this feature, you want to move on to the next thing. And when you're sitting there and arbitrating between those different teams, you are deadlocked. It takes a lot of toll on you, you have to bring in and re-evaluating. So this is one of the things we cared about with TerraTrue, and we're seeing it put to good use, which is one tool where you conduct all of your reviews and collaborate with all those teams at the same time. So they're all part of the same conversations, the same discussion, and coming together with you on a common solution. And it removes just a lot of friction. And we can talk more about that as well in that context.
Jamal:Yeah, you can tell us a little bit more. We spoke to Chris, and he did a really good job in explaining how you can really employ TerraTrue in your enterprise to really help to get rid of those inefficiencies and stop duplicating all of that work. And you have one single source of truth that really helps the business understand what's going on and take care of those privacy and security considerations. Jad, what have you seen has been the biggest benefit to your clients that are using TerraTrue that they might not be achieving, that they might not be enjoying without TerraTrue?
Jad: ted since GDPR took effect in: Jamal:One thing I really love about TerraTrue is it's really in line with the kind of ethos we have, is we need to move beyond compliance to inspire trust, cultivate that confidence so we can make a bigger impact. And by bringing all of those teams together to collaborate, you're actually cultivating that trust within the team, within the organization. Yes, we're all on the same page. You're inspiring that confidence. We know it's all been taken care of, and we don't actually have to go and disrupt the business by asking them the same question two times, three times, four times, and then getting sick of giving the same responses, or we just had this conversation. So you're able to really bring everyone together and get a lot more effectiveness and that helps you with that competitive advantage, because not only have you made sure you've captured whatever you need to do from a legal point of view, but forward thinking businesses, they've actually signed up to the fact that privacy is something that we can actually use as a competitive advantage moving forward. And that's why you see the biggest companies in the world that spend millions of dollars on research promoting privacy as the selling point. So it's great to see you actually being able to support those forward thinking companies who actually have realized, hang on a minute, there's lots of great things to happen. Not only can we protect our users, manage their expectations and hold that trust with their personal information, we can also make sure internally we've got our teams collaborating. So we're moving forward in the same direction rather than these two teams going off on their own things and then having blockage later down the line and realize that they won't work and somebody needs to compromise. And no one's willing to compromise. And these don't want to hate them. And they don't want to have a war with them. And you can't walk down the corridor without getting a missile thrown at you. So yeah, this is really great stuff. Jad what I want to ask you about when you're hiring privacy technologies, when you're hiring privacy engineers, what are the kind of skills, what are the kind of qualities that you're looking for? And when you hired people in your roles at Snap, at Google and you grew such massive teams, what is it that stood out about candidates that attracted you to say, yes, I want you on my team?
Jad:When we're interviewing for colleagues to come in and do privacy reviews, it's really around a few things. One, empathy is incredibly important, right? You're working with the whole company. Anyone in the company can ask for a privacy review. It could be HR, sales, engineering, finance, marketing, any team. And so your ability to understand their timelines, to understand their needs, to be creative around solutions, because the last thing you want to basically, there are two horror cases for a privacy team. One is to be rubber stamping because you're not doing the company any favour. If you just look at anything and say, yes, that's fine, no problem, go ahead. You're doing a disservice in the long run. The other one is, if you're constantly delaying work or obstruction in work, that's really horrible. So having that empathy to say, I want to see from the business perspective what the issues are, and I want to help you come up with solutions that allow you to move quickly but also do the right things at every step of the way. And I think that's important, your ability to communicate, to understand, to sympathize, and to grasp what folks are building so you can give them solutions that help them do what they want to do and prevent the cases where it's abusive, where it's unexpected and all of that. The other aspect is really learning on the job, because again, as much as you've been exposed to it previously, when you join an organization, it has its own assumptions about what is high risk, what things you should do what things you shouldn't be able to do, and coming in with the passion not just to find the problem, but to be part of the solution. I'll give you a simple example about why that's important. When I joined Snapchat, it literally took me I was the first security person they hired. So I spent the first three days reviewing all of their code base, the whole back end systems, mobile apps, Android, iOS. I reviewed all the code, I looked at it. It took me three days. From that three days, I found enough issues that I knew would consume the next several years. Finding the problems was easy. I'm not going to say it's trivial, but it's easy. Solving that problem is much harder because that's where you have to collaborate with others. You have to advise them on better ways to do things and be there with them at every step of the way. Developers have limited time. If you're not building yourself defences and hardening frameworks that they can use easily, conveniently into the way they develop, you're not doing anyone a service. So that takes a toll on you as well. You have to be, if you're giving advice to teams and say, please do this or please do that, if you're not willing to help them at every step of the way with how to do it and how to do it right, it's just pointless advice. So really, it's important to feel that not only can you identify problems, but yes, you can sit down, design, develop, build frameworks, build hardening solutions, and offer it to them that they can use in the way they're used to developing. So it doesn't feel like I'm going to go way out of my way to do something for you. And that's really important. The confidence of being part of the solution, not just the problem, I think those are some of the really the key things, because you're constantly learning and growing, and that potential to drive and own is really important.
Jamal:Thank you, Jad. That's been super insightful. So what you're saying, the three things I took away from that, more than anything else was number one is the empathy, making sure you have that empathy for the people that you're working with. Secondly, having the passion to be part of the solution. And thirdly, to really understand your colleagues, understand the rest of the business and not tell them what to do, but show them how we can achieve what we need to achieve together and be fully invested in the end outcome.
Jad:I think that's the way it works. And that's with the shift left, that's the power of shift left movement. If you think of privacy purely as a compliance play, there's nothing wrong with compliance, but you're missing a big part of the picture. To improve an organization's privacy posture, you have to build defenses, you have to build solutions. And if you're not set up as a company to do that, then you're ultimately set up for failure. You get into an organization that is very mature, and suddenly you realize you have very lax controls and it's very hard to pull them on top afterwards. You have to do this thoughtfully from the get-go. And that's really privacy, that's really security. That's really the importance of collaborating together, identifying risks together, solving for them. Not everything is an emergency. Not everything has to be solved right away. But recognizing those patterns, that's why it's important to do privacy by design, to do these assessments, but also to learn from them and to build stronger foundations so you don't constantly encounter the same problem over and over again.
Jamal:That's amazing. That's amazing. So, Jad, we've spoken about so many things. We've spoken about your background, we've spoken about history, we've spoken about what you look for when it comes to hiring. I have one final question for you before Jamilla is going to ask you a question. And my final question to you is, what three pieces of advice would you have given to your younger self 20 years ago if you could meet them now?
Jad:That's an amazing question. Three pieces of advice?
Jamal:Yeah. Three top tips that you would give to your younger self to really excel in this industry.
Jad:Look, there is one right on top of mind, and I think people have to be cognizant of it. There is burnout that you hear often in privacy and security teams. Right. It's sometimes very frustrating to work with the entire organization to adapt to people's styles and the way they do things. It takes a lot of cognitive load on you, and sometimes you're not being acknowledged, you're not seeing the results of your work. One of the things I would say is, if you're in a leadership role, understand more quickly what's your tipping point, and start to think about how you would hire ahead of time. It takes a long time to hire one. One person cannot do everything. Set expectations that are sane because there is this tendency to overburn yourself, overwork yourself, and really you're not doing anyone any favours. It doesn't help your career, it doesn't help others around you. It's always better to do less, but structure it in a way that leaves you buffer. Yes, it might feel that the company is more exposed to certain risks, but at the end of the day, having that quiet peace of mind, that creativity, to think and to want to cooperate and collaborate with others, trumps the extra value you can get from doing more work. So if I were to go back in time, I've certainly worked very hard all of my life. And this is a pattern that is not unique to me. Recognizing more quickly where I reached my limits and building structure to prevent getting into that territory where you're very, very frustrated and just annoyed, and you take it on, on people you work with always, always wins on the long run. So that's sort of one that I think about a lot. The other one is around celebrating successes. Again, it's not specific to privacy or security, but it's really an important one. And I've heard some talks from others about this too. When they go forward in their career more and more, and they look back and they realize how much they've done collaboratively with their teams, there are always moments that you could have stopped more and really enjoyed and celebrated because they were worth it. You did things that were incredible, innovative, never been done before. You take the time to enjoy them, take the time to write about them, speak about them, even if you're moving fast as an organization, those are really important. My only regret is sometimes I didn't help my team and myself celebrate wins as much as I could. That stays with you. You remember that more than you remember the things you've actually done. And in terms of a third one, I think just I'm very passionate about privacy and security. These fields you can get into in many, many different ways. I've had my own path. There are many others. Don't ever let someone tell you your background is not sufficient or is not the right one, because these fields are multidisciplinary. You learn a lot from collaboration with folks who have different backgrounds than you, solutions are multileveled and can benefit from that view, that wider angle view. And so never, like, you know, never be discouraged. These fields are scary, they're large, they're complex, they move a lot. Find your niche, explore it. Learn and grow. Basically stay hungry. What Steve Jobs used to say, okay, got it.
Jamal: is done. There's always like: Jad:You're absolutely right. A mentor is also incredibly important. I'll tell you this small anecdote when I wanted to start TerraTrue, I reached out to the head of security and privacy at Google, Eric Grosse, and I said, Look, Eric, I am thinking of doing this. I'm passionate about privacy and security. I want to bring solutions that are win-win for developers and privacy lawyers, privacy reviewers. And I just bounced that idea off of him and he said, Jad, why are you even talking about it? Just go do it and see where it goes. It didn't take much of his time, but to have that support to know that there is someone who's just looking out for you, but also giving you blunt advice, I think it's just extremely powerful and just to know you're not alone. So I hope you're right. People should have mentors that guide them along the way. We all need them. They're always valuable. And one of the things we did with TerraTrue was really based on how much hard work Chris, my cofounder, and myself and others did at Snap. It was a very fastly growing environment. We were working around the clock. I don't know if Chris told you this joke, but his first day at Snap was 24 hours long. Literally. He stayed at work on his first day for 24 hours. We were launching something big and he was like, oh my God, this is my first day. That's why when we started TerraTrue we both of us said, look, we're in this for the long run. This is not a sprint. We're going to be smart about it. We're going to ruthlessly prioritize. We're going to work in a way that is effective, creative, smart, not try to burn the midnight oil to achieve a short term gain. And I think that set the tone for the whole company.
Jamal:I love that. I want to adopt that ruthless priority.
Jamilla:Jad to end, we like to ask our guests to ask Jamal a question. So anything that springs to mind, feel free.
Jad:Look, with pleasure. I think. Jamal, you brought up the iPhone advertisement from Apple. I mean, I'm in San Francisco. I see these billboards all the time. It's about privacy. And I give them so much credit because truly, this is not just a tagline. They've really done a lot of work on privacy. My question to you is this how long do you think that's going to be the message? Is it another year? Is it a short-term fad from now, which I don't think is the case? Or is it ten years later, we're going to still see privacy on the billboard for the iPhones?
Jamal:Well, I can't predict the future, but what I can predict is the direction that the Data privacy industry is moving in and the direction of public. And I'll give you an anecdote actually, I think it was last year. I forgot which year we are in now. Towards the beginning of the last year or the year before WhatsApp announced that they're going to be updating their privacy notices, and they now want to combine the metadata with the stuff that you do on Facebook. And people went ballistic. People that don't even know what privacy means, people that don't even know what privacy is all about, people who have never cared about privacy, they were up in arms about this new update and what they thought that meant for their privacy. And I had my mom's friends asking to speak to me to understand should they delete their WhatsApp because they use it to communicate with their relatives and other people in other countries and stuff. And I was like, wow, this is amazing. Like, people actually care about their privacy, and people are actually caring more and more about it. And we see lots of studies coming out that say people will actually buy a laptop for the same price or a higher price if they believe that their privacy and the security is going to be protected better than another company offering the same product at a lower price, but they don't trust them with their personal information. And that kind of just makes it ring true for me of just how important this is. And if you look, privacy was something that people used to do as 20% of their job, in addition to compliance or security or whatever it is that we're doing. But now you have fulltime roles in privacy not just full-time roles, you have teams. And you just said your Jad, how you had when you first entered Google and Snap, there was just one or two people in the team. And you've grown that to literally thousands. And we can see that with the advances in technology, with the advances in artificial intelligence, with all this stuff about facial recognition and things getting more and more invasive in the way they can do things, but also solve problems, privacy concerns are becoming more and more of a concern for people who have never even thought about privacy before. And a few years ago, we used to hear people say, well, I don't really care too much because I've got nothing to hide. But we don't hear the argument anymore. People are more like, yes, what is it that you can do? Should you be doing it? And do I want to expose myself to that? And people are starting to ask questions. And what I talk about to my mentees is this privacy paradigm that we're shifting into and moving away from wherever we're now, where everything is privacy centric moving forward. So that's where I see things moving. And it's not just me. It's also governments as well. We see governments all over the world introducing privacy legislation because they've now seen that the citizens in their country are speaking up and value their privacy. And they look to Europe and they look to other parts of the world where they see how those individuals have been given privacy or afforded privacy as a basic human right. And they're like, we want that too. And that's why you see governments all over the world introducing privacy legislation to say, yes, we also respect and value your privacy because it is going to be a big deal. And for those forward-thinking companies who are getting onto that and who are actually going beyond ticking the box to be compliant and using it to inspire trust, cultivate that confidence, and then move on to have a bigger impact, they will actually be the ones that really benefit and profit and maximize the rewards from taking that privacy first approach.
Jad:No, thank you for that. The privacy space has grown so much, and as you said, it's based on needs. It's not just fiction. People care about it more. There are more ways in which it can fail. And having that apparatus from legal to technical defenses to make sure that things continue as smoothly in a way that isn't the most privacy preserving, is absolutely key. I love the space, and I have no doubt, too, that it will continue to grow.
Jamal:Thank you, Jad. It's been an absolute pleasure speaking with you. I could speak to you for days on the end, but both of us have to go and look after people and make things happen. Thank you so much for giving us the time today, and I look forward to bringing you back to one of our sessions at the Privacy Pros Academy, where you can speak to some of our mentees.
Jad:Thank you so much. I had a great conversation. I'm very thankful to you and to Jamilla for having me on your part.
Outro:If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.
Outro:Remember to join the Privacy Pros Academy Facebook group, where we answer your questions.
Outro:Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world-class privacy pro.
Outro:Please leave us a four or five.
Outro:Star review, and if you'd like to appear on a future episode of our
Outro:Podcast, or have a suggestion for a topic you'd like to hear more about.
Outro:Please send an email to team@kazient.co.uk
Outro:Until next time, peace be with you.