Victoria: 00:00

The thoughts and opinions expressed by guests on this podcast are solely their own and do not necessarily reflect the views of their employers or any other individual or organization.

If organizations are not promoting minorities and women, if they're not having them visible and supporting them and making their voices heard, it's just really hard. You can’t become what you can’t imagine. We do need more women and more minorities. There is room for everybody in this field.

Intro: 00:22

Are you ready to know what you don't know about privacy pros? Then you're in the right place.

Intro: 00:27

Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. The podcast to launch progress and excel your career as a privacy pro.

Intro: 00:38

Hear about the latest news and developments in the world of privacy. Discover fascinating insights from leading global privacy professionals, and hear real stories and top tips from the people who've been where you want to get to. We've trained people in over 137 countries and counting.

Intro: 00:58

So whether you're thinking about starting a career in data privacy or you're an experienced professional, this is the podcast for you.

Jamal: 01:14

My name is Jamal. I'm your host. I am the founder and the lead trainer at the Privacy Pros Academy. And I'm now also the number one international best-selling author of the Easy Peasy Guide to the GDPR. Today I have an amazing guest, and we'll be getting into cybersecurity. We'll be talking about emerging legislation and also women in cybersecurity. And to do that is our amazing guest today, Victoria. Victoria is responsible for providing strategic legal advice to multiple teams across Shopify about information, risk management, regulatory compliance, incident prevention and response, and cybersecurity awareness and training initiatives. Victoria is a certified Privacy manager, a certified Information Privacy professional for the US by the International Association of Privacy Professionals. And prior to joining Shopify, Victoria managed Microsoft's Digital Crimes unit for the Americas. A native of Colombia, Victoria spent years as a public defender in Arizona, first assigned to capital habeas appeals and later trying major felony cases. Prior to practicing law, Victoria was an industrial engineer in the technology and automotive sectors and a competitive figure skater. Wow.

Victoria: 02:25

I've been all over the place with my career.

Jamal: 02:28

How have you managed to fit all of that into such a short time already?

Victoria: 02:33

I'm pretty old. I'm pretty old. I don't know. I can multitask, I guess.

Jamal: 02:38

That's amazing. That's amazing. We've never had a figure skater here before.

Victoria: 02:42

It's not a very popular sport, especially in Colombia. There were very few of us. But I loved it. I did it for, I don't know, 16 years of my life.

Jamal: 02:55

Wow. Amazing. Now, I have a question for you. If you could instantly become an expert in any hobby or activity other than figure skating, what would you choose and why?

Victoria: 03:05

And it has to be something realistic. It's not like I'm going to have superpowers. Right?

Jamal: 03:09

Up to you. Be as creative as you want.

Victoria: 03:12

Well, if it was something kind of like a superpower, there was a show, I think it was called out of this World, where the girl could touch the tip of her fingers and stop time.

Jamal: 03:23

Wow.

Victoria: 03:24

That's what I would want to do. Because even back then, when I was watching it and I was in school, I always thought, oh, I don't have to study for test. I don't have to do homework. I could just stop time and pretend that I did it. So I think that's what I will do.

Jamal: 03:41

That will be an awesome superpower. Imagine how many other things we could achieve if we had more than 24 hours in our day.

Victoria: 03:48

I could watch a lot of TV. I could sleep.

Jamal: 03:52

So you have a background in industrial engineering. Then you was doing all of this law related stuff, and then you went to Microsoft, you did all of the digital crimes, and then you decided to pivot your career in privacy and cybersecurity. What inspired you to pivot?

Victoria: 04:08

Well, most of the pivots in my career have actually been circumstantial. It's either because I had to move states or because a better opportunity came about, or something like that with this. When I started my career, I wanted to be a public defender, and that's all I wanted to do. I never dreamed of being at a law firm, being a partner, being really anything like that. And as I started my career in cybersecurity and working at law firms, I realized the importance of those titles and kind of going high in the corporate ladder, mainly, or at least from my point of view, for representation. There are not many Latinas in cybersecurity. There are not many women in general. There's not many that have the combination of being attorneys, working cybersecurity, being women, being Latinas, you name it. So at that point, I realized that that was important for me and that it was important to show that we could get to those leadership positions. And so I have strived to kind of improve my career and go and get more challenges and higher levels in organizations just because of that. To be honest, I want to make sure that other people, younger attorneys, younger women, see that it's possible and see that I also have a daughter so obviously all of that is important to me.

Jamal: 05:36

So it's all about really pursuing excellence and showing that Latinas can emerge and really rise up that corporate ladder. It's really interesting you say that. We have a number of Latina women in our privacy pros network, and they came up with this name, and literally translated, it translates to flip flop crew. And I can't remember the word off the top of my head. I'll have to go back to the crew and ask them, sorry.

Victoria: 05:58

Yeah, I know why chancla came about.

Jamal: 06:04

Tell me. Tell me. They call themselves the chancla.

Victoria: 06:09

There are very different meanings, but I think what they're referring to is that there is a joke that Latinos have been raised by chancla, meaning your mom will take the flip flop and just kind of discipline and they're very good at aiming the chancla. And the chancla is basically the tool of choice for a lot of things, for discipline, for killing insects in the house, you name it. It's a versatile tool. A lot of us were raised by chanclas.

Jamal: 06:45

All right, got it. That makes sense now. That makes sense. Okay. And when they actually heard that you're going to come on this podcast, they're super excited, and they've given us a bunch of questions. Some of these questions are from the Chanclas crew that we have at The awesome. So one of the things they want to know is how do you approach the intersection of privacy and cybersecurity, and what advice do you have for privacy professionals to better understand this relationship?

Victoria: 07:09

Well, it is common for people to think that privacy and cybersecurity are the same thing. And it's understandable because they meet at various points. The way that, I guess, on the books, the way that is explained makes a lot of sense and it’s privacy has to do with authorized access to information. So the information is already captured. You have it in your organization. And who can have access to that, who can be disclosed internally and externally. And cybersecurity has to deal with unauthorized access to information. So when you have a bad actor coming into your system, when there's been, for whatever reason, a leakage of information that is disclosed because of malware or something like that. So that's kind of the basics. In terms of my work and my day to day practice, it's just I take a more practical approach, and I have colleagues that work closely on privacy compliance. So the GDPR says X, and we have to do this, and we have to have let's say we have to do ROPAs, and we have to make sure that this is documented. From the cybersecurity standpoint, it's more okay, since we have to comply with this, what kind of safeguards can we have in place to make sure that that's the case? So do we have different profiles, so different roles within the organization can have access to certain information that cannot be accessed by others? Are they aware of what we have to do and so that the technical team can put in place, I don't know, firewalls whatever it is that is going to maintain and make that compliance possible? I have the tendency to like more the technical aspect of things. So to me, I kind of always by default, go to the cybersecurity side of things and then kind of make my way back to why it’s needed for privacy.

Jamal: 09:14

Got it. That's actually a really interesting approach, and I think it's something that we can all take away already from this podcast is you focus on the technical side first, and then you come back and see how that fits in with the management, the overarching policies, and what do we need to do from that privacy side. One of the ways I like to explain privacy and cybersecurity and how they overlap is I say think about it. Imagine you're coming home for you to get inside your house, you probably have a key so that's the security. The key is there to protect you so that only you can come in or anyone else that you've given the key to come in. So that keeps it secure. That stops someone else, the strangers, from coming in and taking things out or coming and vandalizing and destroying your property. But at the same time, when you get in, the first thing you usually do is you draw your blinds, depending on what time of day it is. Why do you do that? It's because you don't want people to see inside. So privacy is you drawing the blinds, stopping people from seeing what you're doing, what you're up to, how you're spending your time, how you're enjoying your space at home. And security is making sure that people can't come in and harm you or interfere with your property. And that's how privacy and security come together.

Victoria: 10:19

It's kind of funny because on the privacy portion of that example, my mind went to how I hide all the junk food and the sweets so my kids don't eat it. So I guess it's a different style of privacy.

Jamal: 10:34

Thank you. Thank you for sharing that. That's made me chuckle. Okay, so, Victoria, in your experience, what are the most common cybersecurity vulnerabilities or weak points that organizations tend to overlook?

Victoria: 10:45

I think an easy one is training, training of people and awareness. I mean, there will be a lot of vulnerabilities, technical vulnerabilities, depending on the sophistication and the complexity of your systems, but the majority of the issues come from training, whether people don't know how to report an incident. An easy one is, for example, somebody sending the typical email with the subject, we have been breached or data breach. And I start sweating when I see the B word because people just don't know or in their intent to be useful and provide as much information. Oh, well, information about, I don't know, 20 Social Security numbers were exposed, and here's the list, and here are the people and here and it's kind of like you're creating another issue within the organization. And we have heard over and over with people, the social engineering. So I think that's a key vulnerability that is, in a way, easier to control and solve than other things that you may not know and that can be exploited. And then the short term mentality in that it is expensive to create a program. And I'm not necessarily saying in terms of buying the most expensive technology or software, it is expensive to have the resources, the time to document an information security program to make sure that it works, to train people about it. And sometimes companies see that investment as something that is not necessary. And then you always hear, once they've been breached or once they went through an awful experience, why didn't I do this? Why didn't I do that? Or why am I paying this much now? And then you have to say, well, I told you so back then when I told you, you needed to invest. So those kind of things that are a little bit of common sense, I think, are the riskiest ones because companies don't really see it, and sometimes they actually tend to look for and expend all the money and all the resources in looking for these crazy vulnerabilities or issues with software when they have something right there in their own home.

Jamal: 13:12

Got it. Great. That's really insightful. Thank you for sharing that. So what I've understood from what you said is the two most common pitfalls that you come across time and time again, number one is lack of training or lack of appropriate training. And one of the challenges you found is when you don't have staff who are appropriately trained, who are adequately equipped, they don't have clarity. So they don't know what a breach is or isn't. They don't know the difference between an incident and a breach, and if it is an incident, what they need to do, if it's a breach, what they need to do, when to report it, how to report it, what are the appropriate actions to take. And when they don't have that clarity, they have no confidence. They don't know what to do. So oftentimes they'll do what they think is the right thing to do, which might necessarily not be, and it actually might be more detrimental and cause more problems, as you've shared in your example. And that means there is no credibility in the actual business when it comes to protecting against those harms. And that's one of the things that we really focus on, and I call it my C five methodology is the first thing I think is very important is making sure that we educate with clarity. When people are clear on what they need to do, what they don't need to do, what is what, then they're confident. And when they're confident, they always go and do the right thing. And that gives full credibility.

Jamal: 14:21

And that is exactly what we see, a lack of the other challenge. I see. And this ties down to the second point that you're saying about the budget, is they often have this short-sighted approach, and they see that, oh, this expensive is training, or this program is going to be expensive, or these consultants are going to be expensive. But what they fail to ask themselves is actually, how much is it going to cost us if we don't do this and something does go wrong? And that's where you've come and said, look, I did explain it to you. I told you so. I hate to say it, but I told you so. And so this is the cost. So if you think putting in a program, putting in the measures is expensive, then wait till you find out the real cost of not doing so. And the thing that's often overlooked is keep it simple. Just do the basics. One of the things that really frustrates me is companies will do the training, but they don't follow the up with awareness. Like, people have so much stuff going on at work, so much stuff going on in life, and then all of these other things happen. Just because you spent 20 minutes on a training and clicked a few boxes at the beginning of the year, along with all of the other compliance you must have done, that was mandatory. That doesn't necessarily mean they have the clarity, the confidence they need to credibly, be able to identify these situations and behave appropriately when those things happen. And it's not their fault. It's because they're so overwhelmed. And that's where we have to come in as leaders in the organization and say, okay, we've given them this education, but how do we make sure they remember it? How do we make sure that they still remember what they need to do and that they're acting on it and they know where they need to go and they feel supported. And so I think those two challenges that you've shared there are super valuable. And we don't have to spare spend hundreds of thousands on the most shiniest tool that's coming out. We just need to focus on the basics. And if we get the basics right, then we can stop ourselves from damage to the reputation, from those fines, from losing customers, and from becoming an organization that can't be trusted with people's data.

Victoria: 16:07

And you're completely right, Jamal, because one of the things about clarity and about people being overwhelmed is that sometimes these programs tend to be complicated and hard for people to identify with. So, for example, I remember in the past there was a client of mine that I was advising and their system for reporting asked the person who was reporting, is this a privacy incident? And I said, this puts the burden on the person, notifying whether or not is this a privacy incident? I don't know. I'm not an expert in privacy. And so just by changing the name and defining what an incident or a potential incident could be, people will report more incidents because they didn't have to be stopped and think, well, is this privacy? Is this personal information? Is this identifying the individual? How will they know? So organizations need to think about this. And I also think it's very important in terms of that clarity to have people relate to things. So when you explain in training that an incident is if you have a bad actor from another country coming and asking for ransom, if I send an email with personal information to the wrong person, I may not think of it as a data incident because it's not this movie that I have in my mind that an incident it means that. So it's kind of making these trainings and this information relatable and match the day to day activities of different roles within your organization.

Jamal: 17:51

So valuable, thank you for sharing. So cybersecurity incidents, they're becoming more sophisticated and they're becoming a lot more frequent. I think every time I read a new article, the stats just get higher and higher. What are some proactive measures that privacy professionals can take to stay ahead of potential threats and really enhance our cybersecurity posture for our organizations?

Victoria: 18:09

Well, I think it's been said over and over and again, I believe in the importance of training and preparation. The famous phrase of is not if, but when you're going to be attacked. And I think it's kind of cheesy, but it is true, unfortunately. So assuming that everybody is going to be attacked or be the victim of some sort of attack, it depends on preparation and how you handle it. If you're going to be attacked anyway but you have a good system and you know how the organization needs to work because you have had tabletop exercises where you have planned ahead. You know that you have to have in your incident response team different representations from the C suites, from PR, from the technical side, from legal, if you know that how to engage third party forensic personnel, for example, how to get outside counsel and how to handle all of that. I think that's the best way to really not necessarily prevent it but be prepared in how to manage it. As we have seen the difference in different attacks that have become kind of famous over the last few years, the difference has been made at how these organizations have reacted to it, how they have communicated with their clients, what they have done to avoid something similar from happening in the future. So preparation to me is key. And again, I am also aware that it's not easy sometimes to have the best technology, the most expensive technology. So I wouldn't necessarily say, well, just go get this, or with the resources that you have, considering the nature of the information that you handle in your organization and precedent as well, you should learn from other people's mistakes, then be prepared.

Jamal: 20:00

Absolutely. I love two things that really stood out for me from what you've just said there. Number one is learning from other people's mistakes. And that's basically something that I think is so important. Why should we have to learn from our own mistakes when we can see there's enforcement actions, when we can see there's incidents and we can really find out about it? We have networks of individuals in our communities of privacy professionals, cybersecurity professionals who are sharing this information with us instead of just saying, okay, that happened and moving on with, let's say, okay, what happened? Why did it happen? What did you learn from it? What can we learn from it? And that's really the real reason I love diving into enforcement actions, just to see what I can learn from those incidents. So the organizations that I'm looking after and supporting can benefit from that without having to make those mistakes. And oftentimes what I see is there will be aggravating factors, which means that if there is an enforcement action, they've got higher fines. And I can say, okay, why was the fine higher than it could have been? And let's make sure that my clients don't actually suffer the same result if that was to happen. And also there's other times where there's mitigating factors, things they did that meant that the fine could have been higher, but it was actually lower because supervisory authority said, you know what, that's good practice, or we like you did that, so then we can adopt those best practices and really be in a good place. And the second thing you mentioned there is about being prepared, and I absolutely agree with you. And I think even when you look at some of the reports on the cost of breach, if you have a good Incident Response plan with an appropriate Incident Response Team, then that can significantly reduce the time it takes for you to deal with it and the cost associated to that. The challenge is too many organizations think, oh, it's not going to happen to us, but like you said, it's not if, it's when. So when it does happen, the best thing privacy professionals can do is make sure that they know exactly what to do. They've done the routine. It's a little bit like the fire drill at school. And we teach this on the CIPM, the Certified Information Privacy Program Manager for anyone who's interested how to put that Incident Response Team together, who should be in there, who plays what role in it. You mentioned PR. Some privacy professionals listening might think, what do you mean by PR, Victoria? Why should they be there? But yes, look, if there is a major incident, then you need to manage the communications that are going out to the press. Because if you're not giving those communications, the press is going to make up whatever they want. And if you don't have a dedicated PR person and everyone's not aware of who to refer them to, the journalists will call up the call centre, the lower skilled person, try and get information from them. And if you haven't trained your staff how to respond to those queries and where to direct them, guess what? You're going to be on the papers for the wrong reasons. And if you're a listed company, that could impact your share price, it's going to lose a lot of trust with your clients, and it could become a nightmare. I mean, look at British Airways example. They had the Enforcement Action, one of the highest enforcement actions that was issued here in the UK. But then they had huge expenses when it came to litigation and it was an undisclosed amount they settled for in the end. But associated to that was all of the costs of the reputational damage, the share prices, the number of people that would have bought tickets and flown with them, who no longer trust them, the number of customers that were loyal customers who was impacted in the breach that will now go and fly with a different airline. So there's so much cost to it and if you have a strong incidence response team and an incidents response plan then you can mitigate all of that. And when it does happen a little bit like when you used to do your figure skating, you can have a very gracious approach on how you actually do this and make you look good.

Victoria: 23:22

Yeah. And actually two things about that. I definitely think the message is one of the key components in incident response, both internally and externally. You have to make sure that the message is controlled. That is only people who really need to know within the organization and that they know what to say. Because when there is an incident, sometimes, let's say it is in a production environment and clients are experiencing interruptions and are going to start calling and there is going to be support. It is very important to make sure that you train those people that are going to be in the front lines to say, we're aware and we're investigating or this is what happened. When I was at a law firm, I always told my clients, remember in the movies that they say everything you say could be used against you in a court of law. I said that always remember that because in a rush to try to be open or transparent, sometimes companies want to do good by communicating early on. And then let's say they said oh no, it wasn't a big deal, this happened. And then later they had to come up with a statement saying well actually all financial information was disclosed or something like that. So that affects, as you mentioned, their credibility, their reputation and all that could be also used against them in litigation. If you are in litigation claiming we didn't think that this was severe enough, for example, we didn't react on time because we just but then there is internal communications that have been disclosed where your employees are freaking out saying there is a data breach and this and then how are you going to deny it? Or someone says to the press yes, we've been breached, we've been attacked and then that's already out there. So that's very important. That's critical in terms of the reputation. I also think that you have to kind of consider what business you're in because well, and this is my personal experience in the US for example, Target had a breach that was very known and my credit card was in that pile. But guess what? I'm going to go to Target every day and I'm going to continue going to Target because it's Target and it's convenient and they have earned my trust in a way. But if I get the same notice from my doctor, my bank, then I'm going to think about that. I'm going to an airline where information when I'm flying and I'm in the middle of the air could be hacked. I'm going to think about that. So the message is key in terms of incident response.

Jamal: 26:00

Absolutely. Now, cybersecurity is a constantly evolving field. How do you stay updated with the latest trends and advancements in the industry and what resources do you personally recommend for privacy professionals who want to stay informed and relevant in their careers?

Victoria: 26:15

I get asked that question often, and I think it's funny because I wish there was some source where I could say, oh, I go with this or I go. And that's part of the beauty of why I like cybersecurity and this field and privacy in general. That is always changing. There is always new legislation, there's always something new. It's just kind of curiosity. I'm very active on LinkedIn. I don't have any other social media, so LinkedIn is a good source. I have a network of professionals and experts that are great and I get information from that, sometimes Google. If there is something that I see in the news that is interesting, then I will go and look for and do some more research about it. But unfortunately, I don't have an answer of I get my information this way. There's also well, as far as I'm aware, there are books, your book, about GDPR in other areas of practice of law. I feel like here is the book in labou unemployment or in divorces. Here is every day there is something that comes up and I don't know, just the news.

Jamal: 27:31

Your answer was actually a lot more valuable than if you've just given me this place and that place because this is exactly the nature of the industry that we're dealing with. And this is, like you said, why me and you love this so much. It's constantly evolving, constantly shaping. But what you've identified there, Victoria, is we have to be open and we have to be adaptable and we have to be versatile in where we seek that information from. There isn't one single source of knowledge. Yes, there's great podcasts like our Privacy Pros podcast, Debbie Reynolds podcast, and other great podcasts we can listen to. There's Webinars, there's all of the stuff from the IAPP. If you're a member, there's lots of great sources, but they don't have everything. So when we see something that's relevant to us, our particular organization, maybe a project that we're working on, then it's up to us to be proactive about how we go about and seek that knowledge. And yes, it helps having a strong network, following the relevant people on places like LinkedIn, like yourself, Victoria, I learned a lot from your post, so thank you for those as well. And it's really being adaptable, and that's exactly what you said there. But we have to make sure that we're actively seeking that. And the other thing I love about your answer is so many people stress about, oh, how do I stay up to date? I don't know what's going on? Is this happened? Is that happened? They hear a bit of news, they're like, I panic because I haven't heard about it. But that's know you're not alone. Victoria goes through that, I go through that. Everyone in my community, we all go through that. Everybody doesn't know everything. And that's why it really pays to have a global community of people from different backgrounds, different organizations, different industries, and together, you can come together and really knowledge, keep each other informed and updated. And when you have questions, instead of spending hours and hours on Google trying to find the answer, someone there will be able to direct you towards the answer. And that can save a lot of time, save a lot of stress, and that's where community and your network really pays off.

Victoria: 29:13

And I think something very important to take from what you just said is to know what you don't know. I realize it's such a huge field, and that's part of the beauty of it. There is so much, I mean, privacy and within privacy, all kinds of different aspects within cybersecurity that I know kind of the topics that I am interested in, that I like and that are mainly in cybersecurity. I know that I'm not up to date to every single development of GDPR, for example. So when people are like, I don't know if it's a flex or what, but they're like, oh, well, do you hear that the European Commission said this and that it's like, no, I did not, because I'm not following that. And then there are experts that can tell you all about that because I'm concentrated on this and I have no problem saying I just don't know it. I don't know everything around there. And I also think it's up to us to share that information. The way that I started posting stuff on LinkedIn and everybody asked me and I said, I don't have any intention of making any profit from it. I do it mainly because I like it. And because when I find sometimes resources that I think are useful for me, then I think, well, I think this is going to be useful for someone else. And I put it out there. If someone finds it useful, great. If someone doesn't care about it, move on with your life, and then you will find it. But if we all do these kind of things, then we're going to have this community where we share information. If I find out about something and then I'll share it, I'm a visual learner and I like charts and I like graphics. So normally when I find good charts and good graphics, I share them. But we're not going to know it all. And I think more important than knowing it all is having the ability to say, I don't know it. I have found that a lot of people have made mistakes and I also have had my confidence in someone who is considered a leader be shaken when it's kind of, why don't they just admit they don't know it?

Jamal: 31:20

Thank you for sharing that. It's so important because a lot of people suffer from impostor syndrome. A lot of people feel like they have to know everything. And what you said there is, look, I'm at the top of my game and I'm very confident about what I know and I'm also very confident about what I don't know. And it's okay for me to say, hey, I don't know anything about that because here's what I do know. And when I do come across something that's really great, I give value to my community, to the people who I'm connected with and I share because I think if something's useful for me, then it's going to be useful for other people. And one of the things I love that you do, Victoria, is not only do you share, but you also add your own take and your reflections on it. And that really helps us to sometimes have a different perception of stuff or understand it and digest it a little bit better. And that's one of the things that we really try to foster at the Privacy Pros Academy and the people who join the Accelerator program and say, look, it's not about asking what can I get, but rather what can I give? And even if you are at the beginning of your journey, trust me, you are ahead of someone else. You're just one step in front of someone else. And if just one person can benefit from that, then you know what? You've done a great job there. And that's what I encourage. And that's what I love to see from you, is why I was waiting for how long to get you on the podcast is because you're there, you're sharing knowledge. I mean, you've given up your time to be here today. You had to make time in your busy schedule. But you're here because you want to add value and everything you're saying is super valuable and super useful to every single person that is listening right now. And the other thing that you'll see, hopefully after this, is what we encourage our listeners to do is to then share their takeaways of what they've learned and share that with you by tagging you in a LinkedIn post. So you can also see the value you've added and you can really feel good about the fact that you took the time out to do this because you is creating value for lots of people all around the world. Now, one of the things you mentioned there was about legislation, are there any upcoming legislative changes or proposals that we should be paying close attention to?

Victoria: 33:07

There are way too many. Now, the obvious answer is all the proposals that are coming with artificial intelligence. There are a lot of proposals in terms of privacy, and then I will leave the privacy professionals deal with those. As far as children online privacy from the cybersecurity in the US. They just revealed how they're going to implement the national cybersecurity strategy that has some really good points for us. The SEC is about to implement the new rule in the time that you have to report cyber incidents and how you have to add that to your quarterly filings with the SEC, you name it. There's also the new agreement with the adequacy of transferring data that we know that's not going to be the end of it. We're probably going to have Schrems three, four, five, who knows? So there's always a lot, and I think that's why it's great. There's always so much happening and so much that you can pay attention to and track. And in that sense, there are great resources. Like the IAPP has a chart tracking the state privacy laws. There are different law firms that publish this kind of comparison charts. It's way too much for me to say, let's pay attention to this one or the other.

Jamal: 34:32

Thank you. Thank you. That was super useful. And I guess it's also important to go back to context and think what is important for my organization, and not just what's important for my organization, but what's important for the stage we are in right now, like, what is the priority for us? And it's not always important to make sure that you're on top of every single law and every single variation and update, but what you do have to know is what is happening so then you can understand and be aware of it, so you know if it's relevant to you or not. But if you kind of just close yourself off and say, hey, Jamal and Victoria said, we don't need to know everything, I'm going into hermit mode for the next six months, then that's also not what we're saying. What we're saying is just have this open approach. Have a network of people around you that you can rely on, that you can trust, and just be aware of what's relevant for your clients or for the organization that you're working on. Now, Victoria, as someone who is super inspirational, as a thought leader in the industry, what are three or your top three skills that you believe that every single one of us should develop to really excel and thrive in our careers like you've done?

Victoria: 35:35

I think that's difficult because I think that depends a lot on the person. We each have our own style, and we can develop different skills that will be beneficial in different ways. I think from my personal perspective at least, the things that I appreciate that I do. One, is to not take myself too seriously. I have kind of a goofy personality as it is. Not taking myself too seriously allows me to, as I said, be able to say, I don't know, or be able to be open minded to criticism, to feedback, to someone saying, hey, have you considered this or have you considered that? And that also has helped me have a good leadership style in that I handle or deal with my teams just like that. We're all team members, we all can provide great ideas, we can all contribute the same way, no matter what your position in the team is. I think that has been beneficial for me. I'm also very curious, and that has helped with the fact that if I want to learn about something, then I just go and try to find the answer. Talk to people. Because in an environment where there is not a specific guidance or sources or only one source of truth, you kind of have to be curious and creative in how to find the information. And I'm pretty organized, I'm not going to lie that that helps to kind of keep track of everything that is going on at work and keeping track of legislation and those kinds of things. So those are three things that work for me. But I think you can have any skills you want and be successful. There are things that other people do very well that I don't and are still important skills to have.

Jamal: 37:29

Wow, okay. So what I'm taking away from what you've just shared there is the first thing is we need to really get in touch with ourselves and figure out what we're good at, what our style is, what we're naturally more inclined towards. And what you've discovered has really worked for you is number one, having that growth mindset, not taking yourself too seriously, being open to saying, I don't know, I want to learn, and being open just to listening to the people around you in your team. Just because you've come up with an answer doesn't mean that it has to be that way and you have the absolute answer. But actually being open to listen, being open to learn, being open to say, I don't know has really helped you with your leadership, has really helped you to thrive in your career. Second thing that you said that really stood out for me was about curiosity. And I hear this from every single inspirational person that I've actually spoken to is they ask themselves great questions. And I say to my mentees, the quality of your life, the quality of your career, the quality of anything you do is going to be determined by the quality of the questions you ask yourself. So get curious and ask yourself powerful questions. And so hearing that thing about curiosity also being a common theme I'm hearing from you, is also very refreshing. And the final thing that you said is about being organized. And I think that is super important because the more you organize yourself, the more time you have, the less overwhelmed you feel, the less stressed you'll be. Because you know, there is a time and a place for when you're going to get around to doing something.

Jamal: 38:49

You've blocked time out to manage your time. And I think as people progress in their careers and they become leaders, that time blocking, that organization, that setting those boundaries, becomes more and more important and becomes more and more powerful in helping you to propel your career. The challenge I find a lot of people find with staying organized is they get motivated, and they might go and do something to stay organized, but what lacks is the discipline to then see that through and then it becomes a big pile of mess again. And so one of the things that we teach on the accelerator program is stacking your habits and just asking yourself why you're doing this to begin with and really changing your identity. So if you feel that you're like you're disorganized right now, you're a little bit messy, or you could do things better, then take on the identity of a super organized person and then you'll see how your life changes and then just stack those habits up. Have time, have a routine. Make sure you start the day with your routine. Make sure you have a shutting down work routine. Make sure you have an end of day routine. And when you routine and have discipline, you'll find that you actually have more time to do the things that you love to do and you're actually able to get more out of that 24 hours. Because the thing is, look, a lot of people complain about time. Two things I hear most complaints about is I don't have the time and I don't have the money. Well, the money is just a mindset issue. You can have a scarcity mindset that you don't it or you can have an abundance mindset and go and find it. The other thing is time. Everyone has the same amount of time. Like I don't have any more time than one of my neighbours. You don't have any more time than me, Victoria. We all have the same 24 hours of the day. So how is it that some people are able to go on and do so many things, have a very rich and cultural life, do really well in their work, spend time with their families and also have time for hobbies and stuff, whereas other people just struggle to get by and they're scrapping it from one time to another? And that all comes down to what you said there is being organized. So if you have any tips for being organized, I'd love to read some LinkedIn advice from you on any of those. It's been super helpful.

Victoria: 40:40

o the US. I came to the US in: 2001

Jamal: 43:18

I think it's so important what you said there about having real friends, friends who actually want for you rather than want from you, and that they want best for you. So they're really happy to tell you, hey, that's not how you pronounce that or that's not quite right, or that's not quite wrong. I'm very fortunate. I have a few friends in my close circle that are like that and if they see something that I'm doing wrong, something that could be better, something that I've not done right, they will tell me not to embarrass me, but they want better for me. They want me to know what's right and what's wrong. And I think it's very important that whenever we come across those opportunities to help someone to be better, we take them, but it's the execution. So if you have a really good relationship with someone, you'll actually understand how they like that feedback. It doesn't necessarily have to be. You have to publicly do that because some people might get embarrassed and it might impact their confidence. But you can also correct them later or remind them later, or drop them a message. But find a way of delivering that feedback and understand what feedback style is actually preferred by the person you're trying to give that feedback to. And the other thing you said is you don't take things personally. Like, this is so important. And I think that is the quality and the distinction of what makes a great leader and what doesn't is the ability to take on feedback and not take it personally because you're committed to the goal. You're committed to making sure this task I'm about to do, the organization I'm serving, how can I do the best for them? And therefore it becomes about something greater than you, and it's not about you or I have the best idea. You couldn't care less if you came up with the idea or someone else came up with it, as long as it's going to help fulfil the purpose, see the vision, and achieve the mission. And that's what makes a great leader. So, Victoria, I am super inspired and honoured to be able to have the conversation with you. I do have one more question for you, though, before I let you go. So one of the things that we're really passionate about is helping women, helping people from black and minority ethnic backgrounds to pursue careers in privacy and also cybersecurity and foster that inclusive, supportive environment and enrich the organizations. What tips or what words of inspiration would you like to share with someone who's listening, who might fit that category?

Victoria: 45:13

Well, one that we do need. We do need more women and more minorities. There is room for everybody in this field. I think, in my experience, one of the things that I try to do and that I feel organizations may be able to improve, is to make this profession and this environment more welcoming. Because it is often that I find myself being the only woman, the only minority, the only both woman and minority in a room. Especially before, when I was a practicing as an engineer. I mean, it's a heavily male dominated field. Same with law. And then if you combine law and cybersecurity, you won't find no women. But the environment is not welcoming. You have to be able to have thick skin and not get offended and things like that, which necessarily shouldn't be that way. It should be welcoming of all personalities. All different people have different strengths and they should be celebrated and validated. And unfortunately, as sad as it is to say it, I have encountered a lot of obstacles from other women or other minority, maybe, because sometimes they feel I have worked really hard to make it here. So I'm not going to hand it easy to someone else. I don't know. But at least in my case, I try to make that environment welcoming. We're all here. We're part of the team. That's very important. Two. As I said, representation. If organizations are not promoting minorities and women, if they're not having them visible and supporting them and making their voices heard, it's just really hard. You can’t become what you can’t imagine. And if I don't see anyone and the organizations that I have been normally I'm always the only Latina or the only female that has been partnered at the law firm or the only Latina in a whole legal department. It's really hard for me to aspire to be that or to be in that field when I don't see anyone else that can think like me, that can, in a way, mentor me. And that's a little unfortunate too, because it puts a lot of the burden on us, on minorities, on women, to make sure that so that's why I think that, again, awareness, education and organizations in general making more of an effort to have that representation and to really mean it. I mean, there are a lot of companies that recruit and actually attract minorities and women, but then once they start working at the organization, they're not supported and they end up leaving. So it's not just about ticking the box and counting the numbers. It's about making sure that they are set to be successful once they are in the field.

Jamal: 48:22

Thank you very much for sharing that. And I can resonate with a lot of the stuff you're saying, and I often talk about it in some of my LinkedIn posts, so I really understand what you're saying in terms of we need to see people in those leadership positions at the pinnacle of the industry so we can aspire to be like them. Because your mind can't conceive something it can't imagine. So if you can't imagine it because you haven't seen it, then what hope is there to aspire? So that's why I'm super grateful for the work that you're doing, for you actually showing up as a leader on LinkedIn. Look, you could have just kept everything to yourself and just said, hey, I'm doing well and I'm quite happy. That's it. But you're not. You're actually saying, hey, look, this is possible. Hey, Latinos, look what's possible. Come on, let's thrive. I'm here to show you that it can be done. I'm going to support you. I'm going to mentor you. I'm going to show you the way because I believe in me and I believe in you. And I know together we can drive this change. And on the flip side of it, you're saying that organizations, leaders in the organization have to take responsibility to go beyond ticking the box of how many applicants did we get and how many people did we hire? But actually create that environment where they are supported, where they are nourished, where they are nurtured, to be able to thrive and grow, be excellent and have that representation and have those opportunities and help them to overcome some of those challenges. And I'm not saying that there are challenges, but it's not that people are intentionally always creating those challenges. Oftentimes they're not. That's just the way it is. So we have to recognize that, like you said, it's all about awareness and having clarity. So let's get clear. These challenges do exist. Let's accept that first of all, because once we accept that, we're halfway there to solving the problem. And now we get curious. And now we ask the questions that you've been talking about and say, how can we make things better? How can we make things easier? How can we pioneer change? And how can we really disrupt the status quo and enrich everyone?

Victoria: 50:05

Yeah, as you said, sometimes it's not necessarily ill intention. It's just that you are not aware of the things that may be obstacles for certain individuals. So for example, if I'm designing a product, I'm likely not going to think about how a person that doesn't have vision is going to use that product because I don't have to think about that on a daily basis. Someone who has a relative who is blind, for example, may say, well, what about this? And so the same, I feel, is in this we have different cultures, different backgrounds. So when I'm a leader in an organization without any intention, I may be setting things up for what I'm accustomed to deal with or to work with based on my culture and my background and not think, well, somebody who is a minority or somebody who is a woman may not face the same environment may have this obstacle, may have this difficulty. And we even saw that with the pandemic and how it affected women, disproportionately women having to work from home and then when we were returning back to the offices, how it was an issue with childcare. So it's just if you don't have to live it on a daily basis, it's likely that you're not going to think about it. Not because you're mean or anything, but if we have more individuals representing and thinking about the issues of those communities, then that's going to come to the surface and someone is going to say, well, what about women? Or what about this or that's why it's important to have those numbers and to be able to think about how to include everybody.

Jamal: 51:50

Thank you so much. Very inspiring and great words there. And I hope we can all learn from Victoria and we can actually go and apply those. And at the same time, if you are listening and you are a woman, you're a Latina, you're someone from a minority background, you also have responsibility to speak up. If something's not working or something could be better, don't just accept it and think, oh, I don't want to disrupt it, or someone's going to look at me the wrong way because guess what? There has to be a first person. There always has to be a first person. And if you can make things easier for yourself, that means other people that follow and come into the organization, you're making things easier for them. And change will happen gradually, but we all need to take a step towards it so we can't just say, oh, you know, the organization is like this, I'm going to leave. Take action, commit to doing something, take accountability, and let's together collectively work towards creating those environments where every single person can thrive, every single person is nurtured, and every single person can make a significant impact that's going to leave this world a better place. And that's exactly what we're trying to do here at the Privacy Pros Academy. We're trying to create legacies for every individual to be able to protect and have control over their personal information. And we want to make sure that every single person has an opportunity to be able to show up as their best selves and really drive that mission forward. Victoria, it's been an absolute pleasure speaking with you. We spoke about your career pivoting to cybersecurity. We spoke about privacy and cybersecurity, where they come together. We spoke about some of the most common pitfalls that you see and how training is so important. We spoke about the benefits of actually having an Incidents Response Plan and Incident Response Team in place. And then we got a little bit philosophical and we started talking about self development and what drives you and what's really helped you to excel. And we finished on some hopes for the future on how we can really drive about positive change in privacy and cybersecurity sectors. It's been an absolute pleasure speaking to you from myself, from all of my chanclas what's the word?

Victoria: 53:44

Chanclas.

Jamal: 53:46

From all my Chanclas at the Privacy Pros and from our whole community. Thank you very much for coming here and sharing those valuable gems with us. And thank you for all of the great work that you're doing, especially the knowledge share on LinkedIn. We truly appreciate it.

Victoria: 53:59

Thank you. Thanks for the invitation. Thanks for an entertaining discussion. I'm dying to meet the Chanclas I want to become an honorary member of Chanclas. Awesome. And thank you so much. Thank you for the work you do. I think I agree. As we said, there's going to be this group that. Are promoting people to get into this field to do their best to shine. Thanks, this was fun.

Outro: 54:28

If you enjoyed this episode, be sure to subscribe, like and share so you're notified when a new episode is released.

Outro: 54:36

Remember to join the previously pros Academy Facebook group where we answer your questions.

Outro: 54:41

Thank you so much for listening. I hope you're leaving with some great things that will add value on your journey as a world class privacy pro.

Outro: 54:48

Please leave us a four or five star review and if you'd like to appear on a future episode of our podcast, or have a suggestion for a topic you'd like to hear more about, please send an email to team@kazient.co.uk

Outro: 55:02

Until next time, peace be with.