The Shifting Privacy Left Podcast

S2E4: Training the Next Wave of Privacy Engineers with Nishant Bhajaria (Uber)

January 31, 2023 Debra J. Farber / Nishant Bhajaria Season 2 Episode 4
The Shifting Privacy Left Podcast
S2E4: Training the Next Wave of Privacy Engineers with Nishant Bhajaria (Uber)
Show Notes Transcript Chapter Markers

Nishant Bhajaria is the Director of Privacy Engineering, Architecture, & Analytics at Uber and Author of "Data Privacy: A Runbook for Engineers.” He’s also an Advisor to Data Protocol, Privado & Piiano. In our conversation, we discuss privacy engineering trends, educational materials that Nishant has developed, and his advice to privacy technologists, engineers, and hiring managers. 

Thank you to our sponsor, Privado, the developer-friendly privacy platform

Nishant is a great example of a cross-functional, influential agent who has adapted to the ever-growing privacy discipline. He describes himself as an engineer for the attorneys and an attorney for the engineers, which has helped him secure positions at WebMD, Nike, Netflix, and now Uber

Nishant shares his advice for career development, both through the lens of how to break into the privacy space and also how to grow within your role. He explains how he’s been able to get board-level understanding about the importance of privacy as a product, not an afterthought. He also highlights takeaways from his book and online courses.

Topics Covered:

  • How privacy engineers can secure their jobs during this widespread tech industry layoff 
  • Privacy tech as the glue between different teams and in-house services
  • How to make privacy more visible to the business as something that benefits the bottom line 
  • Common mistakes that Nishant sees engineers make when it comes to privacy 
  • What’s covered in Nishant’s ‘Privacy by Design’ courses 

Resources Mentioned:

Guest Info:

Follow the SPL Show:
Privacy assurance at the speed of product development. Get instant visibility w/ privacy code scans.

Shifting Privacy Left Media
Where privacy engineers gather, share, & learn

Buzzsprout - Launch your podcast

Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Copyright © 2022 - 2023 Principled LLC. All rights reserved.

Debra Farber  0:00 
Hello, I am Debra J. Farber. Welcome to The Shifting Privacy Left Podcast, where we talk about embedding privacy by design and default into the engineering function to prevent privacy harms to humans, and to prevent dystopia. Each week, we'll bring you unique discussions with global privacy technologists and innovators working at the bleeding edge of privacy research and emerging technologies, standards, business models and ecosystems. Today, I'm delighted to welcome my next guest Nishant Bhajaria, Director of Privacy Engineering, Architecture, and Analytics at Uber, Author of Data Privacy: a runbook for engineers, Advisor to Data Protocol, Piiano, and Privado (the sponsors of this show), a TROPT Evangelist, and Instructor of multiple privacy engineering courses, even one that comes with a certification. Welcome, Nishant.

Nishant Bhajaria  0:58 
Thank you for having me here. Super excited to be here.

Debra Farber  1:00 
Me too. To our audience, we're actually filming this during Data Privacy Week. So there's a lot going on. But today, I'm really excited to kind of dig into really the topic of privacy engineering. And, Nishant, I've been following your privacy engineering career since your days at Netflix, and you've been quite an evangelist in this nascent space, and your passion for educating technologists about privacy engineering approaches and methodologies and best practices and how do you balance the trade-offs is really palpable. So, tell us first, where did your passion for privacy come from, and how has it evolved over the years?

Nishant Bhajaria  1:40 
It was interesting, my passion for privacy was something that began very gradually. So, I don't count myself as a privacy warrior. I'm not one of those people who likes to get into arguments with folks necessarily about whether privacy is a human right, or whether it's guaranteed in some document someplace. I mean, I believe both of those things to be true, but I have always learned how to build privacy into companies for whom, initially, privacy was not a natural instinct. How do you build a program? How do you build tools? How do you treat privacy, not necessarily as just a first principle, but something that can be quantified, something that could be visually verified, conceived, identified, you know, productized, and scaled. I think privacy...when you look at it, implementing privacy in the context of a high-engagement product is a product that customers will love. It's like, you know, when you buy a car, you may not buy a car for seatbelts and airbags, but you will not buy a car without a seatbelt or without an airbag, right? So I think of how do I make privacy something that becomes more of an instinct, more of a product, more of an expectation, more of something that can continually be improved while adding equity to the actual enterprise as well. So, I think of privacy as some sort of a product.

Nishant Bhajaria  2:50 
So having worked in multiple companies, so I joined WebMD during the beginning of the Great Recession. I joined a startup after that when we were almost out of money, and then I joined Nike during a time of high scrutiny by the Dutch DPA; and I joined Netflix when it was undergoing the VPPA consent decree under the FTC. So, I've always had to solve for privacy and satisfy multiple people at the same time. So, for me, I've always come to privacy to the sense of how do I make it work for as many people as possible. So, whether you call it passion for privacy or just this intense desire to make it happen, I'll let you pick, but that's kind of how my career trajectory and privacy have gone at the same time.

Debra Farber  3:26 
Yeah, you know, I think that's a really great point. With your engineering background, you know, you're you're definitely approaching it from, you know, there's a problem, how do I solve it, and how do I build something to solve it? Like, how do we architect it? That kind of thing. And, I guess it's your experience is having to bridge the gap between like a legal requirement that doesn't necessarily have very specific guidelines on how to move forward technologically. Like, how do you map for that, and then your engineering brain just kind of was solving for that problem. So that that makes sense. That makes sense to me, and I love how people are coming to the space from really all different disciplines.

Nishant Bhajaria  3:58 
Yeah. And I just had to say that, I don't know if it's necessarily my engineering discipline. People, often, when they listen to me talk in events like this one, say "You don't sound like a typical engineer," because I spend my evenings not doing engineering stuff. I do other stuff. Spending time writing code was not something that always felt like a good use of my time, even when I was a programmer. I think of myself as somebody that can make things work at the organizational level. So I often market myself within within the company, myself within the company, as "an engineer for the attorneys and an attorney for the engineers." I think of myself as sort of the cross-functional agent that can do things and make things happen, influence other people to make things happen. And, the reason that's important is because there are too many attorneys and too many engineers who are so siloed that they don't necessarily have the instinct to get privacy right. And, privacy by definition is everybody's problem and it's by definition no one person's problem, right. So, in a very OKR, enterprise-silo-driven world, privacy and security and compliance and misinformation and trust & safety are not things that companies easily do very well. So, you have this dichotomy where engineers can build amazing stuff, get services out the door pretty quickly, but some are struggling when it comes to getting privacy right. So, I think of myself as an antidote to that dichotomy, but I can have empathy with engineers and attorneys, and not be pigeonholed into either enterprise.

Debra Farber  5:26 
I mean, I think that that's what makes you so successful. I think that's what's required in organizations. I mean, having been in privacy over 17 years, you know, I've seen a lot of...and having a law degree, too...I think I absolutely agree that the lawyers had dominated this industry early on and, you know, that technical controls and, you know, the engineering part of the privacy-by-design had not happened for so long. It's kind of why I have this podcast, really to encourage people to shift left in their organizations with privacy, and you really need to understand both worlds, right? I am not an engineer by trade, but I have learned a lot about software development and the process. I even went and I got a Scrum Product Owner certification, about 10 years ago. You know, these things weren't really appreciated for so long within organizations. So, it really does take engineers who are getting into privacy to move the needle in engineering. I mean, obviously, they they're the ones that understand how system design works, and I can only learn so much without being somebody who codes. Right? So, it takes a whole variety of perspectives to understand the regulatory space to understand the, you know, the market drivers, to understand the product features you want to, you know, make sure are part of whatever you're shipping. So, that brings up a great question, which is, how would you define a "privacy engineer" and what does one do today; and, you know, how do you see the position might be changing over time as privacy matures in organizations, if it changes at all.

Nishant Bhajaria  7:01 
I think when it comes to "privacy engineering," that discipline itself is so nascent that I don't know if that has been an accepted understanding of that yet. And, to that end, my friends at Google who are privacy engineers often do reviews of, you know, PRDs, CRDs - they run queries to make sure the product is working correctly and privacy-by-design is being done as was conceived off during the design phase. So, that's what they do. Privacy engineers are also often people who, you know, do consulting and cross functional work across the company, which is kind of the pedigree I came from. They influence architectures here, coding there, design commitments here, privacy policies there. So, they do a bit of everything in their touchpoints for multiple folks across the company. These are the people that have done the hard yards by working at startups and scrappy companies where stuff always had to be on fire, and you had to clean it up right away. Right?

Nishant Bhajaria  7:52 
And then, the third kind of privacy engineering is done by people who write code, and some of the engineers who report in to me these days at Uber are privacy engineers in the sense that they write code to build services for deletion, for encryption, for data obfuscation, export, things like that. So, you know, I think what's going to happen is you're going to have the conceptual definition of privacy engineering that is followed by people who like work for Brookings or the AI, or people who work on Capitol Hill. These are folks who influence standards and regulations, which will be by its very nature, not very prescriptive. There'll be fairly high-level. So, somewhere in between a detailed tech spec and first principles. So, that's one kind of privacy engineering, but I kind of feel like every company is going to make decisions for their liking. Every individual will make decisions for their needs. And I feel like we're gonna have the situation where there's going to be these multiple tracks of privacy engineering. You know, it's kind of like when you hire people for engineer...for coding, just regular coding, when you hire somebody who's a full-stack engineer, you assume that they can do front and back end, but typically, they have some more pedigree for one versus the other. Right? So, we're going to have multiple definitions, and it's going to be like one of those terms where it's going to take a bit of conversation to figure out what the need is and what the skill is.

Debra Farber  9:10 
That makes a lot of sense. You know, do you think it's going to kind of follow a little bit like how security ended up having security engineers that, you know, some are liaisons with product as Product Security Engineers. Do you think it'll depart from how security - you know, because security & privacy are a little different - will it depart from security in any way that's obvious right now; or, do you think kind of follow a similar trajectory because of how products get made and companies it's kind of similar? You've got to fit into some of those processes, and.... \

Nishant Bhajaria  9:40 
Well, I'm not sure what to say to that, Debra because it's such a good question. I think even on the security side, I've, in my role as Head of Privacy Engineering at 4 different companies, and now I've reported to different folks. The common pattern has been, like a Netflix and now here at Uber, I report to the CISO directly and what has been my observation is that security also is a pretty embryonic field when you think about it. The difference is, on the security side, how do you separate AppSec from ProdSec, how do you build a good SRI program? How do you build security assurance?

Debra Farber  10:13 

Nishant Bhajaria  10:13 
There's a lot of raucous debates there. And on the privacy side, how do you separate responsibilities between the legal side and the engineering side? So, you have very different kinds of debates and different kinds of stakeholders; but, I have noticed that there's a lot of talent flowing into privacy and security right now. So, that is good, because we need more people to fix these problems; but, as more talent walks in, their discipline expands and the debate increases. So, I'm not sure honestly. I feel like the upside is that there's a lot of attention, a lot of money, a lot of funding, a lot of technology being built, like the Privado (like you and I are part of right now); but, on the other side of the injuries, the more you discuss something, the longer it takes to finalize something. Right? So, and all the while, the regulations keep on coming, the inquiries keep on coming, the scrutiny keeps on coming (the DPAs), the consent decrees keep on coming, and the bad actors keep on acting. Right? So, I'm not sure we're at a point of stasis, which you have to be at. Like when we've switched Intel, when we switched from memory to devote processor speeds, when we switch from waterfall to agile, there was a definitive shift, like the industry said, "We're going to move this way." I think because of how existential the privacy and security threats are, I'm not sure we're at a point where the definitions will have ever been allowed to settle. Maybe that's an odd answer, but that's kind of how I look at it.

Debra Farber  11:38 
That's a really interesting perspective. Yeah, I mean, I do think I...over the years, I've been finding's obvious to me as somebody who looks at this industry and it's like obsessively following everything going on, like where I think things should go, or where I believe they will go; and you know, instead of it happening in like two years, you know, it takes over a decade. So, things definitely take a lot longer when you're talking about  changing the ways of business, and culture change, and federal policy. I mean, we still don't even have a federal privacy law, and I don't think we're going to ever have one, quite honestly - at least not anytime soon. So, you kind of have to think about what are the other ways to make change, and I think I do agree with you (to circle back to what you said) that, you know, some people work in standards. I think working in the standards and making sure there are privacy-knowledgeable people working on different standards across all...there's so much innovation going on across industries - across web and XR and, you know, cloud that they need to be thinking about privacy there.

Debra Farber  12:40 
And once you standardize it, you know, if that becomes the norm that's adopted, then a lot of the problems go away versus waiting for, you know, high-level laws, which of course, I believe in. I have a JD. You know, I'm a non-practicing lawyer. Laws are important, but innovation, the pace of innovation is so fast right now; and, you're right, the more heads you put together from more disciplines, the more you're compounding the issues that need to be looked at, and the controls that need to be thought out and put in place. So, we can't wait for the laws to be negotiated and put in place. So, what trends are you currently seeing in the market regarding the hiring of privacy engineers?

Nishant Bhajaria  13:20 
You know, it's kind of been a sad week to be asking those questions and answering them. This is going to be sort of the first test of the discipline. Like it's obviously a very important discipline for companies to have, but we have seen a fair number of privacy engineers and people in privacy lose their jobs. So, if you exclude and I think, in the long-run, the turmoil we're going through right now will prove to be just a bump in the road and an episode rather than the entire epitaph, if you will. But, I do think one trend that I'm seeing is that the people who are succeeding as privacy engineers, or people who are succeeding as privacy professionals, are the folks who are extremely agile and very flexible and who can make the case that privacy is a business problem solver rather than something of a perpetual urgency cause. Because, you know, we've gone to the well multiple times; we've said GDPR or bust, CCPA or bust, you know, and I feel like there's a bit of fatigue in the industry right now about just how much work it entails to get privacy right. So, the people who are doing well and will continue to do well are the ones who can make the case for privacy and prioritize things as if privacy were a feature.

Nishant Bhajaria  14:28 
The second thing I'm seeing is that people who can identify stakeholders across the company who will benefit from the outcomes of privacy engineering. So for example, the security teams who don't have to worry about encrypting as much data because you ended up deleting data that you shouldn't have collected to begin with. Right? Another example would be building bridges with the machine learning team whose models are gonna be more accurate because the data size is now more reflective of the company's needs. Or, the finance teams who don't have to cut a big check to these cloud providers because, again, some of that data was destroyed. Right? So, having that cross-functional, influential capability is pretty critical. The privacy engineers who are essentially relegating themselves to becoming the messengers between the legal team on the one side and the engineering organization on the other side, those folks are going to struggle because we're gonna be living through (for the next few quarters, at least) an age of limited means and high expectations; and, people who can figure out how to make privacy more visible to the business as something that benefits the business will do very well. So, I'm increasingly hiring for that right now. Like, I need somebody with the ability to work with people. I need somebody with the ability to have empathy. I need somebody who can essentially have relationships I don't, for example. That is essentially...and I'm talking to a lot of my colleagues across industry, they're looking for more or less the same thing.

Debra Farber  15:53 
That's really helpful. And I was just going to ask you that, too, like, what factors do you look for in a privacy engineering candidates? But I think you just answered the question. What advice would you give to hiring managers who are having a difficult time hiring for this role? You know, there just aren't enough privacy engineers in the marketplace with the requisite skills to just, you know, hit the ground running without some, you know, cultivating of here's what privacy is or here's what the particular problem is. So yeah, what advice would you give to hiring managers?

Nishant Bhajaria  16:26 
The first advice I would give to hiring managers is know exactly what you're solving for. You know, it's like when people buy third-party solutions, not just for privacy or security, but for just about anything in particular, or whether they look for something different, the recency bias is pretty extreme. So, the expectation often know, I compare privacy engineers to folks who stand by elephants at a circus. They have one job, which is nobody's idea of fun. Right? So, don't optimize for the crisis of the day. Don't expect somebody with privacy on the resume to come and fix things for you right away, because what you're going to do is throw this person at the rest of the company, they will burn themselves out, and the company will feel that privacy just keeps blocking us left and right. So, hire for somebody who can get you some short term wins. Use that to build some relationships or learn about the company in the stack, build a long term vision. So, know what you're hiring for.

Nishant Bhajaria  17:21 
If you're hiring a mercenary to deal with the crisis of the day, then maybe hire an EXT with a lot of experience or build or have a solution that sort of cut some corners, but gets you to a point of maturity. But then you know, that's what you're hiring for. But, if you're looking for long-term gains in business maturity and trying to optimize for the next five years, hire for that. Hire people that have domain expertise, have written code, have deployed services-led teams. So, understand what you're looking for. And by the way, I would give the same feedback to people who are looking for work right now, or kind of get into the domain right now. What do you want to be? Do you want to be somebody who can deliver quick wins and go from company to company every six or seven months? That's one model. Or, do you want to build a big program and make the case for that budget and gradual growth? So, know what you want. That is my first bit of advice and mostly prominent bit of advice whether you are the hiring manager or the person with the resume.

Debra Farber  18:15 
That's great advice. I know you really enjoy unpacking privacy engineering and giving advice on how to approach building privacy by design into systems and such. So, I know you've developed multiple courses for LinkedIn Learning on privacy engineering. Do you want to tell us a little bit about what some of the topics are or the course itself?

Nishant Bhajaria  18:36 
Yeah, so let me kind of step back from the question a little bit and make it more about career development are also getting privacy, security, and trust right.

Debra Farber  18:43 

Nishant Bhajaria  18:44 
I tell people that privacy engineering is a great domain whether you are the manager or the employee because it enables you to do a whole bunch of other things. Okay. Getting privacy right requires you to work across the company, across the platform, things like that; and, it enables you to transition from privacy down the road to security, for example, to misinformation, public safety, trust, you know, things like that. So, it's a great career; it's a great investment for anyone to make.

Nishant Bhajaria  19:11 
So, my career in this domain really took my waning days at Google, I was literally sitting at my desk on the last couple of days; and I saw a post on LinkedIn on LinkedIn about...I think it was by the then-CISO of Lyft, interestingly, and somebody from LinkedIn Learning had a comment on that post saying, "Hey, Mike, we'd like for you to teach some courses on privacy and security on our domain. If you're interested, let me know." And I responded to this person saying, "Hey, if you don't get a response from Mike, I'd love to talk to you about it." And I'm not sure where the Mike responded or not, but the person at LinkedIn and I talked, and that led to my first LinkedIn learning course that was filmed in, I think, July or August 2019. This was the Introductory Privacy Program course. That course got a ton of visibility. I think we're at like 17,000 learners real-time right now, and that got me the book contract from Manning Publications and Simon & Schuster for Data Privacy: a Runbook for Engineers - the book that I released last year. It's a one year anniversary and all proceeds go to animal rescue from my royalties. So, I would love for people to buy the book.

Nishant Bhajaria  20:18 
So I went from my first privacy engineering course to the book contract and to additional privacy courses, and now there has been additional courses on career development, getting promotions, hiring good engineers, building diverse & inclusive teams, professional work culture, scaling a security program, etc. So, what you have is a separate, parallel career where I'm educating people. We are 13 live courses on LinkedIn Learning, which in turn led me to Data Protocol, which is the company that has produced my Data Privacy Engineering Certification, which is a lot more hands-on, for people who are really trying to walk away with actual skills that they can apply. So, you have the certification, which is a lot more hands-on. It's an 8 hour certification. It's a terrific one, even though I say it myself. I've gotten really good feedback from companies like Zoom & Virgin Atlantic that have purchased it.

Nishant Bhajaria  21:05 
So, you have these three things - the book, the courses, and the certification - that began purely because I took a chance. And that's how privacy careers work. That's how privacy improvements work. Making those relationships happen, making small improvements happen, building small tactical wins, and then having that long-term vision and working backwards from it. Right? So, that's kind of the general bit of trivia that I would say. And I will reinforce, anytime somebody takes your LinkedIn Learning course, and I get a royalty; anytime somebody purchases the certification from Data Protocol; anytime you buy my book, there's a portion of it that goes towards me for royalties and I have donated every penny from that to Animal Rescue, which is a cause pretty close to my heart. So, if you want to support the environment and these precious elephants and animals that are so critical for our life, and if you want to learn more about privacy and security engineering, I would say buy my book, buy my certification, and take my courses. I would really appreciate it.

Debra Farber  22:04 
That's awesome. And I've actually own the book, and glad to know I'm supporting elephants, and I love the book. I think it's a it's a great desk reference for...again, I'm not an engineer myself; I definitely consider myself a privacy technologist, but I'm not an applied engineer. But, I do talk about this stuff all the time, I am part of the awareness process and I really care about these issues. So, I know, I soak in everything I can about really deep tech topics and I can honestly say that, you know, you've got a great runbook there. Like it's got examples; it brings together a lot of concepts; and it is definitely meant for the engineer to use. So it's, you know, your audience really well and, you know, I think it's great book. So people should definitely take a look at it, support the elephants, and then with the Data Protocol Certification, which I have to admit, I have not taken yet, but I'd like to actually take the courses. I do want to point out, it looks like that anyone can take this course for free, and that the the only cost is if you want to get the official certification. Is that correct? And do you want to talk a little bit about that?

Nishant Bhajaria  23:13 
That is correct. Yeah. So the certification and...the owners of the company probably have all the latest details because I've been fairly hands-off since the certification went live; but, my understanding is the course itself is free. The certification cost varies on a case-by-case basis. So if it's a company, there's a pretty significant discount, if you take it individually, it's still I think, a couple of 100 bucks. But yeah, the certification & to display that badge on your profile, so there's a small cost to it. But, the course itself & the learning materials are free.

Debra Farber  23:44 
That's great. Yeah. So this is like a great free resource. But really, like Data Protocol itself looks's a company that different trainings to developers across organizations. So I know you're getting a lot of eyeballs on that; and, you know, other people here should know that it's a free resource they can use if they want to really, you know, get a good handle on what is privacy engineering and how you can succeed today in that field.

Nishant Bhajaria  24:11 
I think the other thing is, if you whether you look at the book or the certification, in both cases, there's a progression to it. Right? Like the benefit of the certification is you have me talking to you if you think of that as a benefit; but, I'm teaching you real time and you can apply those examples with the core console in the certification process itself. Right? That's the real win here, which is how do you know you actually learned?

Debra Farber  24:34 
Oh, okay, that's not clear on the website. Cool.

Nishant Bhajaria  24:37 
Exactly. And you can actually learn real-time with help coming view live with it with our menus and whatnot. So just as an example, you want to share this dataset. How much data can you share? What is the identification risk? What is the obfuscation technique that, you know, like you can you can do all that real-time on the console and then you can apply those learnings to your datasets offline. So that's the real benefit when we're seeing companies not just use a certification to train privacy engineers, but to train non-privacy engineers because not every company can afford someone like me.  Right? So what you could do is train your existing engineers, your attorneys in the certification, and you can have them build privacy by design into their code, into their data stores, things like that. Right? So...

Debra Farber  25:22 
Yeah. Which also brings me to what privacy tech tools out there are you finding to be super helpful or are you most excited about?

Nishant Bhajaria  25:31 
There are several that I'm excited about? I mean, obviously, I love the work Privado is doing. I love the work Ethyca is doing. I love the work that is being done by the folks down in SkyFlow as well.

Debra Farber  25:41 
Can you describe a little bit about what that work is just in case the audience doesn't know?

Nishant Bhajaria  25:46 
Yeah. There's a...I'm gonna keep a broad swath here. Like some of them are working on code scanning. Some of them are working on tokenization of data. Some of them are working on building a developer platform that enables developers to do work that is privacy-friendly. Kind of where I talked about with my Data Protocol Certification. The goal across the board remains the same. How do you either do the privacy work on the side, you know, for the engineers and they can benefit from the API is in place? Or, how do you build a console and SDK that embed privacy into the developer experience right at the outset so they don't make as many mistakes? So. the goal is how do you make it easy for privacy to be part of your design process? It's not so much at the first principal level; it's about getting API's in place. You know, it's like when you type an email or a Google Doc; it auto recommends language for you based on what it thinks you want to say. It's kind of like that, if you will. How do you make privacy something that is auto-available, but context-sensitive? That's so...I mean, these companies are very different.

Nishant Bhajaria  26:48 
But my real challenge and positive concern about the industry is there is so much good work happening on the privacy tech space, that I don't think companies always understand what they want or what they're buying. So, if you're buying OneTrust versus buying Privado, for example, are two different things. If you need OneTrust, there's a very specific use case for that. If you need Privado, there's a very specific use case for that. So, companies...I'm still seeing that companies that need one are buying the other because the people inside the company who should be making the purchasing decisions don't quite know what's broken; and they are operating from a place of crisis and concern rather than, you know, a place of genuine awareness about exactly what's to happen.

Debra Farber  27:30 
Yeah, it's my concern as well. And it's been that's been that way about privacy for a long time, but now we have more and more tools shifting left.

Nishant Bhajaria  27:37 
Exactly, exactly. And the fact that that keeps that keeps happening further solidifies the image and calcifies the image of privacy being a blocker, or worse, a problem that cannot be solved. So, you haven't understood the problem correctly; you bought the wrong solution; you put too much money into it (the sunk cost fallacy), and then you have now decided that privacy cannot be fixed. So, you will never in the short to fix it to begin with. Right? So that's my concern.

Debra Farber  28:03 
Yeah, and it's a fair one. Um, so do you have any advice to how we could better get the message out to companies? You know, I'm doing the best I can,with my podcast for awareness. Really try to do some education, but it's not at the executive level, per se. Right? It's engineers, technologists, researchers; and then there's efforts like The Rise of Privacy Tech to really define the space. I know you're plugged into that as well. But like, what else could we do to really move to get like a board-level understanding that privacy is strategic; it can increase ROI; it's something that you want to be able to say you have better than others. It's like seatbelts, right? Like you wouldn't buy a car without a seatbelt. It was hard to get seatbelts into vehicles originally because the car manufacturers didn't want that necessarily, but now they're competing on the safety. Right? So, how do we got just generally your technology companies to want to compete on safe use of data? I mean, obviously, we've got different levers right with that finds with that, which hasn't really moved the needle over the years, it just comes a line item that companies are, you know, "Oh, we're going to get fined for that, well, let's make you know, $500 million now and we'll just pay $10 million later, you know, it's still worth it: shareholder value. Right? So, how do we actually protect humans better and get that message out to be heard to make impact and really shift left?

Nishant Bhajaria  29:26 
I think the real challenge is, you know, there are many internal customers for privacy. So, you know, you would think if more than one core team wants something purchasing it will be easier, but what happens is when you buy a solution when you buy something for an engineering team, right, when you buy an SDK, or when you buy a license for an enterprise tool, and that team uses it, and that's the only tool that will fix our problem, it's a bit of a risk and reward situation like you would be the first in line as the vendor for that product to, you know, get the contract, but you have the risk of that team goes away and the demand goes away. And that is why you see enterprise tools laying people off now, because a lot of their customers are shifting spending; and, if you have one core use case, and the use case is no longer operative, you're done.

Nishant Bhajaria  30:11 
So, what happens is privacy is the opposite. Privacy Legal needs a tool for a certain purpose. Privacy engineering needs it needs a certain other purposes. The people who are compliance assurance needed for some other purposes. And the challenge is no one to meets all of those needs at the same time end-to-end. It's just very hard and the discipline is too new for that. Right? And the other challenge is, these people who need the tool, at the same time, don't always talk to each other. So, the problem here is that the people who need the tool don't have a story, and the people who sell the tool don't have a story. So, what we need are examples of what actually works and the people who compete on in this space need to realize that they will have to coexist. Like I don't think there's going to be one tool that's going to put everybody else out of business. We're going to have this oligopoly type situation going on here. Like, it's not really a monopoly, it's not going to be a duopoly, it's going to be many different people solving many different problems going in many different markets. But I think being very clear about what you're solving for, don't give me high level words like governance or compliance or categorization. Tell me, what metrics did you have the business achieve? What did you solve for? And, I feel like when you explain how you solve a specific problem or specific sets of problems with examples and metrics, you will then attract that kind of clientele, which will give you specialization and then you can expand from there. So, I feel like you have several instances where people are solving for multiple things at the same time and ending up not solving for any one thing in particular, and I think selling a bit more intelligently and then building with that insight would be helpful.

Debra Farber  31:51 
I absolutely agree. In fact, these days, I really specialize on the go-to-market messaging so that companies' marketing doesn't sound exactly the same as the person in the vendor booth right next to them that has a vastly different product, but it's using the same words. Right? And I also 100% agree with the fact that you're not just going to have one tool. It's why I'm kind of dedicating time to talk about privacy tech, and I'm so excited about privacy tech is I expect there to be explosive innovation like we saw in security. You know, you go to an RSA Security Conference and there's just 1000s of vendors; and I anticipate we're going to see something similar in the privacy space as the technical solutions evolve more, maybe not as large, maybe, you know, different different use cases, maybe they'll blend together as organizations, but I do think it's going to take multiple tools depending on what your use case is - maybe even depending on your industry. So, I think it's the VC funding tech that doesn't necessarily understand how necessary multiple tool sets are. So if you have any advice on how to get the VCs, to better understand this, that would be great because you're really trying to help the privacy tech companies out there flourish so that we can, you know, help companies so that we can help preserve the privacy of humans, you know.

Nishant Bhajaria  33:14 
I think what VCs need to realize is something fundamental, which is, rather than asking people to get a V1 out the door, maybe be a little more patient in the beginning and demonstrate that, "Hey, let's come up with 3 or 4 examples. Like, for example, if a VC is funding Company A, Company A can identify alliances with engineering teams in specific large companies. Right? So, you don't you don't get to say that we sell to Google or we sell to Amazon or something. What you can say is "We have worked with PMAX at Google to solve a specific problem." And then you realize that you now have a niche within the company and niche within, you know, the industry to solve a specific thing and have engineers advocate for you and essentially create, not an open source situation, but sort of a cooperatively & collectively-built solution going. Right? That's the use case. So I would basically...

Debra Farber  34:06 
So community. Building community.

Nishant Bhajaria  34:08 
Exactly. Build a community. Build a product, and not necessarily a product, but build a feature and build a community and build a feature and build a community. So keep building one on top of the other. And I feel like injecting yourself into specific companies would be the good way to go. So I think like VCs, rather than forcing founders to build something and ship something, build for someone and ship for someone wouldn't be a good place to start here. And that means you have fewer customers in the beginning, but more dedicated customers, people actually using your food, and then using your stuff; and then, when you demonstrate that as an example of things working correctly, you can now essentially sell to more people. So, as it as an example, learning your lessons the hard way by selling to specific teams in Google and Amazon could then equip you to sell to Cedars Sinai you know, JPMorgan Chase, and Walmart at the same time. So, there may be a slower ramp-up in the beginning, but then things really spike after that. But the hockey stick model will have a bit of a plateau before it. That's what I'm going for.

Debra Farber  35:10 
That's fascinating advice. I really enjoy hearing your perspective on that. Are there any, like, big mistakes that you see engineers make, whether it's privacy tech engineers,or it's just internal, you know, engineers, making like consistently? Any trends of mistakes they're making when it comes to privacy? And if so, do you have any approaches to advise them to take instead, like, whether it's architectural or...

Nishant Bhajaria  35:37 
So, I think the way to think about this would be there is a ton of stress right now on companies, not...I'm not talking about privacy tech companies, but companies in general, where all these smart engineers who are wondering, there's all these job cuts happening, so how do you build stuff in a way that's going to keep your career germane? Right? So, I would say the privacy tech space has a unique opportunity here to say, "We will sell our solution to you as a developer-enablement platform." Right? So, how do you make sure that the in-house developers don't see you as a threat? And how do you make sure in house developers understand that they can't simply do everything? So how do you frame these relationships as sort of a...think of this as hiring contractors, right? So, people hire contractors to allow for focus, for a time commitment, and for specialization. Right? So how do you think of privacy tech as a way to identify things that engineers just cannot do or because they have to ship stuff right now? And, how do you think of privacy tech as the glue between different teams and different services that were built in-house. And, I think that would be a great approach to go. If I were selling privacy tech stuff right now, that's what I would do. As this conversation has gone on, I've gotten 4 messages from different vendors (not necessarily privacy tech) and they are focusing on high-level first principles. They're talking about who was funding them. They're talking about who their alum...their VPs come from XYZ company. All of that may be great, but none of that is the reason for me to buy your tool; and there is so much fatigue, like I have started like marking as spam messages that I get on LinkedIn for people who want to sell me...who want to give me a free Amazon gift card people are selling this in the worst possible way; and I think the sales teams are doing such a disservice to the founders and the VC funders that I couldn't tell you how bad that is right now. And, I understand where the pressure is coming from. It's a tough economy, but I feel like selling as an enablement platform that we do something very specific for you, and here's an example would be a much better approach than offering to buy me coffee or giving me, you know, free tickets to the game or something. Right? The sales channel is broken pretty badly.

Debra Farber  37:49 
Yes. And that that's just, that's a great, great response and I'm taking it all in. I think it's really excellent advice. I hadn't been thinking in those terms, and I agree with your perspective, now that I'm listening to it. So, I think we're at the end of our conversation and I wanted to know if you have any other events coming up, or research about to be published, or anything else you'd like to plug?

Nishant Bhajaria  38:15 
I have recorded recently at LinkedIn Learning upgrades to my 2 courses around data governance. That is how do you classify and inventory data? That's the first course? And how do you share data with privacy secure tools built around it. So, those two courses will be going live in the next month or so. So, keep an eye out on my LinkedIn feed. So please add me on LinkedIn. You'll see those courses getting updated. They represent a significant update over the previous version of those courses that came out at the very beginning of the COVID pandemic in March 2020. So, we tend to update these courses in 3 year increments. So, that's what's going to happen going forward. Otherwise, there is...I think I've mentioned this before, but I'll mention again, my book was released February 15th last year. People remember the iconic photograph of my mom holding the book and when I went to Mumbai to visit her last spring, and that sent sales through the roof. So, the book 1 year anniversary comes out, which is going to be its 2nd print. The book is also going to be released in Chinese and Russian in the coming quarters as well. So, there's a lot happening, and I'm trying to mix it up with updates of stuff I've already done and new stuff as well.

Debra Farber  39:23 
That's great. I'm glad I asked that question because that was, you know, really nice to hear what's coming up. I also want a picture this time maybe of you and an elephant.

Nishant Bhajaria  39:34 
Well, I went to the elephant sanctuary when I was in India the last time, but I didn't quite take the book. So, maybe the next time, yes.

Debra Farber  39:43 
Okay, awesome. Well Nishant thank you so much for joining us today on Shifting Privacy Left to discuss privacy engineering, the educational materials that you've developed that helps engineers shift left in their organizations, and your advice to privacy technologists, engineers, researchers, etc. I'm definitely going to invite you back in the future to talk more about this topic, and I hope you'll join then. In the meantime, thanks for joining us today, everyone. Until next Tuesday, when we'll be back with engaging content and another great guest.

Debra Farber  40:18 
Thanks for joining us this week on Shifting Privacy Left. Make sure to visit our website where you can subscribe to updates so you'll never miss a show. While you're at it, if you've found this episode valuable, go ahead and share it with a friend; and, if you're an engineer who cares passionately about privacy, check out Privado, the developer-friendly privacy platform and sponsor of this show. To learn more, go to Be sure to tune in next Tuesday for a new episode. Bye for now.

Why Nishant became interested in privacy engineering
Nishant's definition of a "privacy engineer" & how he thinks the role will evolve
The trends Nishant sees in the market regarding the hiring of privacy engineers
Advice to hiring managers who are having a difficult time hiring for privacy engineering roles
Career development advice for privacy engineers, including Nishant's LinkedIn Learning courses, Privacy Engineering Certification with Data Protocol & his book, Data Privacy: a runbook for engineers
Nishant describes the privacy tech tools on the market that he finds useful
Nishant's advice on how to shift privacy left
Venture capital's role in understanding privacy tech and why it's essential to build community amongst privacy engineers
How to appeal to privacy engineers when selling privacy tech solutions
Nishant discusses the updates to his courses and book

Podcasts we love