I'm delighted to welcome guest, Melanie Ensign, Founder and CEO of Discernible, where she helps organizations adopt effective communication strategies to improve risk-related outcomes. She's managed security & privacy communications for some of the world's most notable brands, including Facebook, Uber & AT&T.
Melanie counsels executives and technical teams to cut through internal politics, dysfunctional inertia & meaningless metrics. For the past 10 years, she's also led the press department & communication strategy for DEF CON. Also, Melanie is an accomplished scuba diver and brings lessons learned preventing, preparing for & navigating unexpected high-risk underwater incidents to her work in security & privacy. Today's discussion focuses on the importance of communication strategies and tactics for privacy engineering teams.
Copyright © 2022 - 2023 Principled LLC. All rights reserved.
Debra Farber 0:00
Hello, I am Debra J. Farber. Welcome to The Shifting Privacy Left Podcast, where we talk about embedding privacy by design and default into the engineering function to prevent privacy harms to humans, and to prevent dystopia. Each week we'll bring you unique discussions with global privacy technologists and innovators working at the bleeding-edge of privacy research and emerging technologies, standards, business models, and ecosystems.
Debra Farber 0:27
Welcome, everyone to Shifting Privacy Left. I'm your host and resident privacyguru, Debra J. Farber. Today I'm delighted to welcome my next guest, Melanie Ensign, Founder and CEO of Discernible. After managing security and privacy communications for some of the world's most notable brands, including Facebook, Uber and AT&T, Melanie founded Discernable to help even more organizations adopt effective communication strategies to improve risk-related outcomes. She counsels executives and technical teams alike to cut through internal politics, dysfunctional inertia, and meaningless metrics. I love that. For the past 10 years, Melanie has also led the Press Department and Communication Strategy for DEF CON, the world's largest hacker community. She's an accomplished scuba diver and brings many lessons learned preventing, preparing for, and navigating unexpected high-risk underwater incidents to her work in security and privacy. I'm also lucky to call Melanie a really close friend and collaborator. So, I'm super pumped for our discussion today to focus on the importance of communication strategies and tactics for privacy engineering and technical teams.
Debra Farber 1:45
Welcome, Melanie. So good to have you.
Melanie Ensign 1:47
Oh, Deb, thank you so much for having me. I'm thrilled to be here.
Debra Farber 1:51
Awesome. Awesome. So, just to kick things off, it makes sense I think to ask you to give us an overview as to how did you get into security and privacy communications? I know you didn't start out that way.
Melanie Ensign 2:03
No, actually a little bit by accident, in fact. I started my undergraduate education in marine biology. I grew up with the ambition of becoming a shark scientist. And truthfully...if I had to do it again, I wish somebody would have told me to pick a major based on what I wanted to do as a job versus the subject matter that I wanted to know the most about because I loved learning about sharks. But, I decided ultimately, it was not the right career path for me, and I ended up graduating with a degree in communications. And then, I went to graduate school and got my Master's of Science in Corporate Public Relations. And from there, I parlayed my previous scientific acumen and literacy into helping companies translate very technical and scientific concepts into things that other audiences and non-experts could understand.
Melanie Ensign 3:01
So, I worked on a number of tech companies in terms of some of their sustainability efforts and environmental impact projects. And ultimately, at this time, I was working at a large global public relations agency. And I sat down with my manager at the time and said, "Look, one of the reasons why I chose this firm was because we have 80 offices all over the world. And, I really wanted some international experience, and right now I'm only working with two of those offices." So I asked for an international global project. And I said, "If I need to learn something new, I'm willing to do that; but, I would like something that could help me grow and really stretch my global experience." And so, the opportunity that was presented to me pretty early on in my career was leading security communications for AT&T. And this included not just their MSSP business, which was their managed security B2B business, but also for their Internal Corporate Security team.
Melanie Ensign 4:04
At the time, both of those organizations were led by the Chief Security Officers. So, you know, the Chief Security Officer was responsible even for the business and consulting side of security at the company. And, I did not know anything about cybersecurity at the time. I had a little bit of kind of like a early entry into the world of programming when I was very young. My dad taught me how to code in DOS, which was a short-lived skill. But, you know, when I discovered this world of cybersecurity, it pushed some buttons and filled some gaps for me in terms of personal satisfaction that I didn't realize I was missing previously. And, it gave me an opportunity to...we weren't just selling something or just managing an organization's reputation, but there was a really net positive cause behind the whole thing in terms of helping keep people safe, respecting their data...so, it naturally fit with me.
Melanie Ensign 5:04
And, for the next six years, I just got so immersed in the world of cybersecurity, and eventually privacy when I moved on to some other organizations. But, I found that the people in this space were so wonderful because they were doing something to make things better for others. And so unlike some of, you know, my colleagues in communications or marketing or public relations, where they get really excited about the attention that they can get through that work. What really fuels me and what really got me to commit to this particular subject matter was that, at the end of the day, we were making a positive impact on the world. We weren't just developing new tech for the sake of new tech. Right? And, we were helping people to protect themselves and to get a better understanding and higher-level of literacy about what was happening with their data and their experiences online and with technology. So, it was almost by accident that I stumbled into this space. But, as soon as I found it, it was kind of love at first sight. I found it very fulfilling, and I found the technical elements of it to be interesting. And, those elements are changing so quickly that it keeps my interest on a pretty consistent basis.
Debra Farber 6:18
That makes sense to me. I mean, you're also talking to somebody who's an English major and went to law school - did lots of writing, so communicating...even though it's different type of communicating for legal right, a different audience and different way of communicating. I had the same kind of pull to the space of privacy and security - that it's constantly changing. It's constantly changing and I'm never gonna get bored. Right? So...
Melanie Ensign 6:42
Debra Farber 6:43
It kind of pulls you in; and if you like that kind of constant change, or a "change is the only constant" kind of mentality, then, you know, this area's for you, right?
Melanie Ensign 6:53
Yeah, I mean, honestly, I entered the space of time back when just the term hacker was considered so negative. Right? Like "white hats" and "pen testers" technically are hackers; but, it was such an unfamiliar term to most of the world, that for me, I just saw this immediate connection between what I had been doing in trying to educate the public and policymakers for better shark conservation policies and better environmental protections...immediately saw the connection between that and the need to educate people on what a "hacker" really is, and why it's important that we have both sharks and hackers in our world in order to maintain healthy environments. Right? Whether that's the marine world where we need these apex predators. One of the first signs that a reef is unhealthy is when the sharks disappear, right? And same thing with our digital lives where if we don't protect, you know, the hackers that are helping to make things better, we lose like a really important part of the kind of like our immune system, right in our digital lives. So, there was a really obvious application, from my perspective, in terms of things that I had been doing in shark science in helping people kind of get over their initial fear of the unknown, and being able to apply that in the security space as well.
Debra Farber 8:16
I love the comparison, and I know that you've spoken in the past, particularly with a keynote speech on shark science and applying how people think about the fear of sharks, even when they don't necessarily...doesn't make sense even have that fear, based on the reality, and how that psychological, you know, way of thinking or that your brain can get into that psychological state of fear with security breaches, or being afraid to do things and you make some connections there. And, I just love that overlap with these disparate, or seemingly disparate, areas of marine biology and shark science and privacy and security. It's just I love it.
Melanie Ensign 8:53
You know, there are so few new ideas in the world, to be honest. And like this is something that actually comes up a lot in my work, even with privacy engineers...is there are so few new ideas, that humans have been really good about documenting a lot of the things that we have learned, you know, over the past 1000s of years. And a lot of times when we think we have discovered a new idea, what we're actually doing is identifying knowledge and ideas that exist in a different discipline that have yet to be applied in our own. And so, you know, whether I'm working with CISOs, or Chief Privacy Officers or privacy engineers, and they're like, all of a sudden there's this movement and eagerness towards building trust, right, where...we know a lot of things about trust, actually. We have 1000s and 1000s of years of research and a body of knowledge about how trust is built, how it's maintained, how you nurture it, how you continue that and so it is thrilling to see you know, the privacy world really take this on as a value proposition for their profession.
Melanie Ensign 10:04
But, we don't need to be re-creating the wheel, right? Privacy does not need to define what 'trust' is, or how it's earned and how you maintain those relationships. There is tons and tons of scholarship from the field of communications that already exists in how this works. And so, you know, that's one of the things that I'm constantly working on with our clients...is where does this knowledge already exist, right? Let's not like spin cycles unnecessarily. Let's go find knowledge that already exists and let's apply it to the problem that we're facing so that we can take advantage of the fact that somebody else has already learned these lessons. And, we're going to apply it into a new context.
Debra Farber 10:43
That makes a lot of sense. In fact, I mean, we do that all the time with comparing privacy to the security space and how we're about, I don't know, 15 years behind security, and, you know, lessons learned from other risk-related areas. So actually, I think this is a good segue to ask, if you could give some insight into what a comms professional like yourself does on a day-to-day basis to support technical teams like privacy engineers, and maybe pepper that with some examples, you know, from your time at Uber and Facebook - not that you have to be specific on projects or anything but like...?
Melanie Ensign 11:17
Yeah, absolutely. So the work that I do, and for folks that are in similar positions, are kind of...I think of it in kind of two buckets, right? There's the work that we do for the privacy tech companies. Right? Kind of like on the vendor side, where we're advising on, go-to-market communications. Right? So, once they've decided what they're building, where they fit in the market, you know, it's like, how do you explain that to other people, right, which can help with investment, it can help with customers, it can help with partnerships and their internal teams, as well as helping them form kind of where they fit in that world, right? That can also include different types of coaching, public speaking, content development, helping them to be more effective communicators with the ultimate goal of helping them sell whatever the solution is that they've built.
Melanie Ensign 12:04
So, that's one category, but the other half of our business, which I think is really applicable to your listeners, is the work that we do with internal privacy teams. So, we do this for both security and privacy, but I'll focus on privacy engineering, given the scope of the podcast.
Debra Farber 12:21
Melanie Ensign 12:23
We are essentially like the one-stop-shop for these internal teams who need counsel, advice, and guidance on what are the effective ways to communicate about privacy to our various stakeholder. Right? So, it could be anything in terms of working with the Chief Privacy Officer on their upcoming presentation to the board to advising on product or feature proposals that are going through the company and helping them think how is this particular aspect of our product or service going to be perceived externally, especially when we work so close on a project or product that we care a lot about? It can be difficult to see around the corner and imagine that people would either misunderstand or interpret what we're doing in a different way than what our real intent is. Right? But, that happens all the time.
Melanie Ensign 13:17
I wrote a blog post a while ago actually about preventing privacy outrage. Right? So, there's a misconception, I think, within the world of privacy, that privacy events always involve some kind of security breach, right? That once there's been a security incident, well, now we have to think about the fact that their privacy implications for, you know, the exposure of that personal data. The reality is, is there are privacy incidents that happen all the time that are not getting the appropriate support from a communications perspective that they deserve. So things like, oh I don't know, if you collect user phone numbers for the purposes of 2FA and then you end up using it for targeted advertising, for some companies that may result in a very, very negative and public news cycle, complete with congressional probes, regulatory audits...I consider that to be an incident, even if it didn't include a security breach because of the resources and the time that is required to respond to that type of an event. And so, we advise on how can we actually avoid those things to begin with. Right? There is an unfortunate kind of norm within the world of corporate communications, where we tend to get promoted in our profession when there is a crisis that we are rewarded for how we have managed the crisis, rather than being rewarded for how did we use our skills and inputs to prevent that crisis.
Melanie Ensign 14:48
So, that's something that my team takes very seriously. You know, when we're advising clients on what they're building, or even something as simple as a blog post, I mean, there's a huge percentage of, you know, FTC consent orders that I have been involved in throughout my career that started with misleading statements on websites and blog posts, right, not a security breach. So, being able to work with companies on what are you saying publicly across all of these different channels, including, you know, I think many of us are amused by the story of Max Schrems's rise to influence actually originating with a big tech lawyer presentation to Max Schrems's class at Stanford when he was in law school. So, either been something as simple as 'where are your lawyers speaking outside of your company?' can have a huge impact later on for the company in terms of 'what are you seeing publicly?' You know, how are you going to be accountable for that? Is it accurate? Right?
Melanie Ensign 15:48
I don't believe that all of these companies are intentionally lying. I think some of them are, but I don't think that's most of them. It's just careless, and it is kind of a lack of visibility of what's around the corner, right? Because, for the most part, they are used to working with communication teams that aren't advising proactively on how to avoid an incident from occurring because those individuals get rewarded for walking through the fire once it happens. Right? And, we take a different approach where we dislike when our clients have fewer fires. So, whether it's advising on a blog post or a product idea or a conference talk or even how do we communicate to our employees? How do we communicate to our board? We do a lot of training with engineering teams about how to negotiate shared outcomes with other engineering organizations. Right? So, being a privacy engineer, most of the time, I mean, 'privacy engineering' is such a new concept in terms of specific domain knowledge that most people that are doing privacy engineering right now are software engineers, back-end engineers. Right? And, they're trying to talk to the Infrastructure team, or the Data Platform team, or the Product Development team. And, even though they're all engineers, they are not all speaking the same language. So, being able to help those teams communicate with each other can actually get kind of accelerates the process for privacy engineering within an organization, because it's like pass Go, collect $200 [[a reference to the game Monopoly]], rather than having to constantly swim upstream.
Debra Farber 17:27
That makes a lot of sense. To me, it's kind of also part of that, like, a shift left mentality, right? Instead of just dealing with the crisis, it's like, let's prevent the crisis. Let's move further. Let's move further into the product development process to think about comms, but not afterwards, after something's built-in. Like now, you're just gonna go to market with it, or now you're going to publicly disclose something. Right? So, I love that. In fact, I want to read a pretty glowing endorsement of you written by Nishant Bhajaria, the Senior Privacy Engineering Manager at Uber - actually, he just moved to Meta, but was your former colleague. And he says, "Her knowledge of the InfoSec domain, grasp of the details, read of the room, and command of how features play to the message, make her the rare breed: one that combines technical knowledge with organizational navigation. She never, ever, ever is obsessed with driving a story. Rather, she invested her political capital in building features that protected security and privacy. For her, trust was built on the bedrock of capability rather than the quicksand of spin. She held engineering and leadership at Uber to a high standard. She is like the training wheels on a bike. She will keep you from falling, but also equip you to go forth on your own." I mean, that's...honestly couldn't ask for a more glowing recommendation from anyone, and especially Nishant, who, you know, wrote the book on...the runbook, basically, for data privacy, and for technologists to follow. And so, I guess I want to ask you, what's the secret? How can companies use technical communication strategies and tactics to earn trust with the public? And with your, obviously, with your stakeholders, like Nishant here?
Melanie Ensign 19:15
Yeah, I mean, I think the big thing...I hate to use this word 'authenticity,' but like it's so core to be effective as a communicator. I remember when I was interviewing for my job at Uber. This particular interview that I was in happened to be with somebody who I knew from her previous job. So, this is somebody that I had some history with; and you know, I said, "You know, I know it's been, you know, a little bit since we've worked together, but I want to remind you of who I am. I am not coming to Uber to put lipstick on a pig. So, if you're hoping that I'm just going to magically make these external public perception problems go away, I am not the right person for this job. I am going to focus on making your organization what you aspire to be so that the PR job is just about creating the window so people can see it." And, I believe in that not just because I think it is the only way for an honest communications professional to sleep at nights, but, because it gives your reputation strength and longevity.
Melanie Ensign 20:29
You do not get benefit of the doubt when you make a mistake if you have a history of bottling everything up, being really obscure, and trying to spin every situation away from accountability. And again, this is, you know, I'll just loop back to what I was talking about earlier about there being this body of knowledge about trust, and, you know, and all this scholarship from the field of communication. We know how hard it is to build a positive reputation for something and how quickly you can lose it. So, those of us who profess to be communication experts should be the strongest champions for honesty and authenticity and helping our organizations become what they aspire to be makes the external communication part so much easier because it's honest. And, we're not burying bodies. I think that one of the biggest lessons that I learned through my time in Silicon Valley is that buried bodies are not just stressful, but they're very expensive. And, if you've got skeletons in your closet, the sooner you bring them out and teach them how to dance, the better off you're going to be as an organization.
Debra Farber 21:47
Oh my god, what a visual! I love the visual!
Melanie Ensign 21:52
I mean, if people are willing to give you a second chance when they feel that you deserve it, right, it gets a little bit tricky when we start talking about like 17th and 18th chances. But, people need to genuinely see an effort to change. And, I think that's something that big tech is struggling with now is we now have 20-30 years of history with these companies, and not a whole lot has changed, particularly for their users, for regulators, and I think people are kind of at the point where it's like, "Look, you've had every opportunity to prove that you could do it on your own. You either can't, or you really don't want to."
Debra Farber 22:30
Yeah. Which is why I'm generally skeptical of self-regulatory attempts, like what the advertising industry attempted to do. And then, you know, they fell asleep at the wheel.
Melanie Ensign 22:41
I think there have to be the right incentives for like...I think we're at the point now where I do see some new incentives from the market, where, you know, we're starting to see, you know, particularly advertising work, people scrambling to be like, "Oh, shoot, now there's a reason to self-regulate." But, there hasn't been that pressure, at least coming from the right areas and at the right magnitude and intensity for these companies to change. And, they're so focused on short-term results. And we can argue about whether or not they should be, right? I mean, even like, you know, The Business Roundtable, years ago, made the decision that shareholders should not be the number one priority for businesses. And yet, it's still often run that way. Right? And so, I think we have to be honest about are there the right incentives for self regulation in all of these circumstances? You know, by and large, when it comes to big tech, I don't think that has been there in the privacy space; but I also think at the same time, it has been there longer than companies wanted to admit. Right?
Debra Farber 23:50
Melanie Ensign 23:50
Advertisers and marketers inside companies were benefiting off of these bullshit metrics that they were getting from Facebook, you know, in terms of elevating their own influence and position within their organizations. Right? So, when did we expect any advertiser on Facebook to tell their boss like, "Hey, these metrics are mostly meaningless and it's violating people's privacy in the process." Right? There's a whole industry built around marketers needing numbers to sit at a C-suite table, right? And, you know, it just took way too long, I think, even for CEOs to look at their CMO and go, "What do these numbers actually mean? Like engagement is not a bottom line measurement, right?"
Debra Farber 24:40
Which is kind of funny makes me think of Twitter and how Elon Musk is continually like, "Oh, Twitter has never been so alive. Look at all the engagement!" and you're like, "Does that translate into advertising dollars?" Like, are people actually...you know, there's fewer advertisers out there now and that's the problem. So like, who cares how many people are active in that is not necessarily going to translate into revenue generation? So, tell me more about how that translation process and like conversion to maybe someone buying something. But, just engagement alone, it's a data point. It just tells you...maybe you can compare one, I don't know, social media item's engagement to another, and that might have some weight in an organization, but I could see how just, you know, there's challenges in organizations where people are just creating metrics for the sake of metrics as opposed to driving towards an outcome with those.
Melanie Ensign 25:30
When the tradeoff for those metrics are things like 'respect for your customers,' privacy, like compliance, you know...it's kind of like the things that we are sacrificing in the name of these metrics has always baffled me.
Debra Farber 25:50
Yeah, same, same. So what inspired you then to leave big tech and start Discernable? There's definitely a lot of issues, that I'm sure you had your hands on, at these companies. So yeah, why did you decide to go out on your own?
Melanie Ensign 26:05
Yeah. So, I mean, truthfully, I knew very soon after I joined Facebook, I knew I was gonna go out on my own eventually, I just needed to figure out what was my business model. You know, what were we actually going to sell as a company? Where was our focus going to be? What would be our methodology? And, truthfully, part of the reason I chose the job at Uber is because Uber had never had security or privacy communications before. And so, it was an opportunity to build that program from scratch using my methodology and essentially creating kind of like a proof-of-concept. Right? And, I'm really proud of the things that we accomplished at Uber while I was there, considering the reputation that company had previously.
Melanie Ensign 26:49
And all of those things were very genuine. In fact, I remember, one of the earliest projects that I worked on was the differential privacy efforts that the privacy engineering team did with the interns at Berkeley, I think there was actually something you talked about with Menotti during his episode.
Debra Farber 27:07
Yes, I was just gonna say we dove into that.
Melanie Ensign 27:09
Yeah. And when we're getting ready to open source the project, we wanted to make sure that people knew about it because, you know, open source projects get better when more people use them and contribute to them. So we set up an interview with a reporter to kind of give them the exclusive on the story and I nearly like peed my pants laughing, honestly, when this reporter asked, "Is this something that you built just for PR?" I nearly nearly fell out of my seat where I was like, "I wish I had a team of engineers just building things for me." When I was there, we weren't building things just for PR. Right? Like, there weren't resources to do that, and also, that doesn't make any sense, right? The amount of time and engineering effort that goes into building something like a differential privacy platform to do all of that for like one or two news articles, like makes zero cents. Right?
Debra Farber 28:01
Melanie Ensign 28:02
But I just I laughed at the question silently because I'm like, "If I had Menotti team building things for me, number one, this is not what I would have asked for; but, number two, I was baffled, like, "Are there companies that actually build stuff like this just for some press coverage?" Like, it floored me. But, having worked with so many people in big tech who then went off to become CISOs and Engineering Directors, they kind of, you know, the alumni network of these companies is pretty significant and very impressive. They were all asking me while I was that Uber, "When are you going to go start your own thing so that I can hire you to help me with what I'm doing now?" because they had...you know, we had worked together for years at other companies, and, you know, when you build that kind of network of folks who understand the value that you bring, who don't understand why their new company hasn't provided it to them yet, and they know that there's somebody who could help them if only she were available. That was a very compelling argument for me to go, "Okay, maybe now is the time that I should do this," and we launched the company on a Monday, and by the end of the week, we had our first client. So, you know, I have to credit, you know, the really amazing people that I've been very lucky to work with over the years as kind of being the catalyst that finally helped me get past all of my hesitation to go, "Okay, there's a pipeline of companies already lined up who need this help." And, you know, we've kind of been running full speed ever since.
Debra Farber 29:35
That's just...it's awesome. I've been watching, you know, the growth of Discernible and it delights me to see your successes. And, there's so many things that - obviously like, I'm in awe of a lot of what you've accomplished and a lot of who you are - but one of the things that really strikes me is how much you put a focus on ethics in your work. It's not just something you say; it's really rules to live by. And, in preparing for this interview and looking at your blog posts and website, I see that you really focus on the Arthur W Page Society Principles, kind of almost a 'code of ethics' in the comms world, and I had not previously been aware of it. So, do you mind just kind of running through the foundation of the Page Principles, and you know, how you navigate ethics in your work?
Melanie Ensign 30:27
Sure. I mean, truth be told, the reason these principles are on our website, number one is for accountability and transparency. I think people deserve to know who they are reaching out to before they reach out for help from my team. But, it's also been an incredible filter for us of being really clear that this is how we operate. So, if you want something outside of this, we're not going to be a good fit. We are very, I think, privileged to be in a position where we can say "No" to business; and, you know, more often than not, if it's not a bandwidth concern, it is often a misalignment in values. So, having these on the website makes it very clear not just how we work, but who we're willing to work with as well.
Melanie Ensign 31:14
Arthur W. Page Society - so they're very well-known in the world of corporate communicators. Like I mentioned, you know, I got my Masters of Science in this field, and so I've been aware of kind of these, like various groups and industry associations for a long time. And, there are a number of them, but Arthur W. Page always really stood out to me, because it was created by, like, Chief Communication Officers, if you can imagine that those actually exist. And they do at some of like the world's largest companies, and they're responsible for a lot more than just PR and media and content. Like, they are, you know, they're stewards of the corporate personality, persona, and kind of like all of the external affairs of the company. And so, this was the level of professionalism that I always aspire to as I was growing up in my career. So, these are the principles that we chose to use at Discernable.
Debra Farber 32:11
Do you want to read them out?
Melanie Ensign 32:12
Sure. So, they are: 1) Tell the truth; 2) Prove it with action; 3) Listen to stakeholders; 4) Manage for tomorrow; 5) Conduct public relations as if the whole enterprise depends on it; 6) Realize an enterprise's true character is expressed by its people; and 7) Remain calm, patient and good humored.
Debra Farber 32:34
I love the seventh one. I think that's great, especially the good humored part.
Melanie Ensign 32:38
I mean, we deal with a lot of sensitive topics, which you can imagine in security and privacy. But, at the end of the day, it's also really important that we focus on the humans that are affected by what we do, the humans who are involved in what we do (like our own team, and our clients). Like, one of the biggest benefits that I've gotten from starting my own company is just having a fucking life. I never really had a life before. I am a better person because I spend less time working, to be honest. I am a better partner. I'm a better friend. I'm even a better adviser to my clients because I have experience in the world outside of my job. And so, you know, I think it's really important that we take our work seriously, but we don't take ourselves too seriously.
Debra Farber 33:27
I think that's great advice. So earlier, we were talking about PR and some tensions between PR and... you know, maybe they don't understand necessarily the internal comms or driving stories that PR is going to pick up in the media or that the media is going to pick up. So, what makes for a good story that the media would want to cover? And I'm asking this question...I know your answer...I'm asking this for the audience because I think your answer is going to be pretty enlightening about what works and what doesn't work in trying to communicate for public relations purposes.
Melanie Ensign 34:05
Yeah, so the key thing - the number one thing is "Why does it matter?" Like being able to very clearly and concisely explain why something matters can be a difficult task, especially when it's something that you care so much about and something that you are so close to. Right?
Debra Farber 34:27
Does my new feature that I just shipped matter?
Melanie Ensign 34:30
Well, it depends on who you are and what your feature does. And, I think that's the thing, particularly...I mean, we work with a lot of startups, both in security and privacy, nd I think that one of the early conversations that we have with folks, especially those were, you know, if the founders are coming from big tech companies, they're used to getting press coverage for sneezing. If you are at a startup that nobody has ever heard of yet, you kind of have to earn your stripes. It is a longer road to get the kind of coverage that you were used to if you're working at say, Microsoft or Facebook or IBM. Like, these companies get lots of press coverage, not just because of how big they are and how influential they are, but because...or maybe I should say, as a result of those things.
Melanie Ensign 35:14
There are reporters at all the major news outlets who are responsible for writing stories just about that company. Right? So you know, there's somebody at The New York Times and somebody at The Wall Street Journal whose entire job is writing about Amazon. Right? So you're...they're going to write a lot of things about Amazon with varying degrees of importance because they need to find a story about Amazon that day. Right? If you are not that big brand, we have different expectations in terms of how we get attention from media, and whether or not we should get attention from media, and specifically, which media in that mix do we want to be engaging with. And a lot of times, I mean, I don't know many PR people would say this, and I guess maybe I consider myself a former PR person who has graduated into more strategic comms. But, you don't have to filter your message through the media. You know, media relations is a means to an end. It is not the goal in and of itself. Coverage for the sake of coverage is not a thing, at least not a worthwhile thing.
Melanie Ensign 36:17
Like I am the CEO of a communications company and I have spent $0 on media relations. So, I think it's important to note that there are ways to get your message out to the people who need to hear it without going through the lens of a reporter and hoping that they understand the essence of what you're talking about and the meaning of what you're doing. I have seen really successful tech startups in both security and privacy, you know, who have started by reaching out directly to the community. Right? I mean, you and I are both involved in in TROPT, which is The Rise of Privacy Tech, that is a great way for privacy tech companies to immediately get in front of their target buyers, you know, no media filter required. And so, thinking about what are your business goals? What objectives do you have in being savvy enough to understand that you may not actually have to engage with the media proactively in order to get to where you want to go.
Melanie Ensign 37:21
Now? You mentioned Elon previously. So, there's definitely some strategic differences in the way he and I would approach reactive media in terms of responding to questions from the press. But, you know, you don't have to be, you know, pitching your company to media every day to get the business objectives that you need, especially in this world of all of these different communication channels, where we can create our own content and go directly to the people that we're trying to talk to.
Debra Farber 37:50
Makes a lot of sense to me. So, we talked to kind of, you know, I brought up bringing, like a product service or feature to market and like, you know, I also know that you don't think press releases are that impactful these days. So what does work? And, maybe it should ask you for what works well, if not press releases and, I don't know, like, how do you get heard...
Melanie Ensign 38:14
Debra Farber 38:14
...right, if you're going to market with something? But, then I also wanted to ask you about how you can get maybe an internal project that was really cool. Like you were talking earlier about the differential privacy, you know, bringing it from the lab to the real world and one of the first real world deployments at Uber - how would you bring that story to light and become more public? Like, if you could kind of walk us through your thought process there...?
Melanie Ensign 38:38
Sure. So, you do need to know I have one exception to my 'press releases aren't worth it' rule...
Debra Farber 38:45
Melanie Ensign 38:45
...which is funding announcements. And the reason I say that is because even though nobody who's buying security or privacy is reading press releases, investors are; the investment community reads press releases. So, if you are announcing a Series A, having a press release about that is helpful in your...you know, when you start trying to raise for a Series B, for example. And I have done lots of press releases for startups who are announcing the close of a funding round. So, that is one exception that I do think is valuable, but it is certainly not valuable in security press coverage. A press release in and of itself is not going to get you, you know, tons of press attention. But again, going back to what I said previously, it doesn't have to. You might not need that right now. Right? And, there are other ways to get it.
Melanie Ensign 39:37
And, you know, so when we're thinking about launching a product or a new feature or even an internal project, like the differential privacy project at Uber, for me, you know, the big thing was, you know, again, going back to why does this matter? It was never about this matters because Uber is doing that. The brands behind the story is rarely the most important part of the story. This mattered because it was going to be an open source tool for something that a lot of companies were struggling to do. Right? So many companies had tried to build this internally, and here was a way for them to kind of leapfrog a couple of steps. Right? That this was going to be an accelerated way for them to be able to integrate this technology into what they were building. So, first and foremost, that was a really compelling story specifically for a technical audience. Right? It's not a story that, you know, consumers are going to care about, necessarily. So, we leaned into that aspect of the story, when we were talking to reporters who write for other engineers. Right? This is now a resource that's available to you. And, you know, what was the process and building it? And then for the mainstream reporters, it was an opportunity for us to actually educate people on what differential privacy actually is and what it does. Right?
Melanie Ensign 41:05
There's always confusion, you know, when there's a new technology coming out, and I know that you have seen this, particularly when you're working, you know, had been talking about privacy enhancing technologies, and nobody really understands what everything means and there's different definitions for things. So, we knew that if this was going to be something that was important to the company and to the community moving forward, we needed to be part of the education process. Right? So, in those conversations with mainstream media, we were talking about, "why does this matter to consumers? Right? And, it matters to consumers, because it kind of erases a lot of the excuses that big tech had been using for decades about, you know, why they couldn't do certain things in a more privacy preserving way. Right? Because here's proof that it can be done. Right? ...which is also a really important message for regulatory and policy stakeholders. Right? So, you know, we were never pitching a story for the sake of pitching a story. I think that's what you know, Nishant is talking about when he said...you know, to me, it was never really, you know, getting an article was never the goal for me. It was, "Who do I need to have this conversation with?" Right? And, if I don't already have a relationship with them, how can I get their attention, and how can I get that dialogue started because most people that I know are too busy to read a full length article, even from the best reporters.
Melanie Ensign 42:36
So, if I can build that relationship without having to do hours and hours of press interviews, I'm going to take that accelerated path. And, for some audiences, I know that being vulnerable in front of a reporter is the only way that that message is going to be credible if it's coming from particular brands, let's say. You know, the differential...you know, when the story told about this reporter who asked about the differential privacy project at Uber, I mean, even though I thought the question was funny, because I was like, "Oh, God, I wish I had engineers at my beck and call!" The reality was, it was a valid question. Right? To that point, the company did not have a great reputation for respecting user data or caring about privacy. I mean, the reality is Menotti and his team had existed for years, but it does take a long time to build these systems. And, there isn't a story to tell until the project is real. Right?
Debra Farber 43:35
Melanie Ensign 43:36
And so, like I said, I understood where the question came from, and I understood that Uber at that time, was not the most credible messenger for this message. And so, working with media was a way to earn some of that credibility. I mean, this reporter that asked us this question is very sharp, very technical, and knows their stuff. So, if this reporter was convinced that we were genuine, that meant something to the rest of the community. And so, it's about being strategic with who you're talking to about what? why? and when? And, it's not just blasting emails to reporters every time you write a new line of code.
Debra Farber 44:21
Right, right. Now, I know we have just a very little amount of time left, and I do want to get your perspective maybe on a few comms snafus that have been in the headlines recently. And so, the first would be around Twitter. And let's say, as Musk took over Twitter, he pretty much laid off all the comms team.
Melanie Ensign 44:45
Yeah, like he did at Tesla previously,
Debra Farber 44:48
Right? Right. So this is something that he's...you know, he doesn't seem to put a value as much on comms as others might. So, I'd like to just get...you know, what would you have done differently or what are some have the problems that have arisen from a lack of comms at Twitter during this time.
Melanie Ensign 45:06
I mean, I think the biggest problem for Twitter not having a comms team is that everybody can see you Elon for exactly who he is. I think a lot of corporate comms teams, one of the biggest values that they can provide to their company - and you know, this is for better or worse - is that they can shield executives from their worst qualities. Right? That they kind of save them from themselves in terms of how they represent the company. And, I think the fact that Elon does not value the guidance and advice of a professional communications adviser, I think speaks to the larger issue of people that have so much power that they truly don't have to care what other people think.
Debra Farber 45:50
Yeah. Yeah. And I wish we had more time to delve into that one, but I then want to go next to...
Debra Farber 45:57
Elon is my least favorite topic.
Debra Farber 46:00
That's fair. Well, I'm glad I made it brief then. The other would be, you know, OpenAI's ChatGPT and the fact that personal data across the web was used to train these models even though it's amazing technology. So, there's this kind of dichotomy of "Holy crap, this technology could be really helpful and look at all the things that can do!" or potential for it. And then, on the other side is what does that mean for personal data that's been siphoned from people without their consent or any sort of renumeration. So, when it came to mind...I mean, it's all anyone's talking about these days is large language models, chatbots, you know, AI, its potential. So, you know, I guess with OpenAI, what would you have advised them to do differently in terms of comms?
Melanie Ensign 46:49
It's a tough question, because truthfully, I have not spent a lot of time thinking about it.
Debra Farber 46:54
Well, that's fair.
Melanie Ensign 46:56
But, in terms of like, specifically, what that organization should have done differently...
Debra Farber 47:01
Yeah. So they kind of came to market and was like, here's our next iteration of ChatGPT. Everyone can use it.
Melanie Ensign 47:08
Yeah. I mean, it's like, I've saw what they did. But I haven't thought a lot about like, what were the alternatives? I just, I rolled my eyes and moved on to the next dumpster fire. Again, I think it speaks to your values. Right? I don't think that they did this not knowing that that was a possibility. I think they either miscalculated the likelihood that people would care or they very clearly calculated how little they cared.
Debra Farber 47:40
Yeah, I mean, there's...it's kind of a little unclear, right? They went from being called OpenAI, but now they're offering this closed, you know, not open product.
Melanie Ensign 47:49
And I think the closed is more about protecting IP, otherwise no enterprise is going to sign a license. I think it's more about that than protecting personal data, I mean, has yet to convince me that they've made that a priority.
Debra Farber 48:03
Well, either way, they were going to be a nonprofit and now they've got this for profit arm that, you know, Microsoft has invested billions into. So, that doesn't look very great to earn trust.
Melanie Ensign 48:14
I mean, truthfully, I think their launch was a publicity stunt, and I think they got exactly what they wanted from it.
Debra Farber 48:20
So, now everyone's talking about it.
Melanie Ensign 48:21
You know, what was an effective strategy? Yeah. Does it reflect who they are as people and what they value? Yeah.
Debra Farber 48:31
Yeah, that's, that's fair. I mean, so they've since come out with more information on ways that they're protecting privacy and ways that they're implementing data protection rights to satisfy different EU regulators. But basically, because they had a lack of calm strategy, you know, going to market, they've now got all this, you know, these regulatory headwinds, especially out of Europe, but, you know, that are probably thorns in their side right now. So, there probably were better ways to come to market where they wouldn't have those headwinds - if they had had more discussions, if they had more, I don't know, expertise on their team, a whole bunch of things.
Melanie Ensign 49:10
And honestly, I think this speaks to kind of one of the biggest challenges that we're having in general in the privacy industry, is that it is a challenge to convince many organizations that avoiding these headwinds is worth it because many of them got to where they were by authority and regulations and simply paying whatever it cost for their outside counsel to deal with all the lawsuits and investigations and audits and all of that. Right? So, it very quickly became the cost of doing business rather than a motivator to consider alternatives.
Debra Farber 49:54
Yeah, I do think that that I think we see that often in Silicon Valley
Melanie Ensign 49:59
And truthfully, a lot of it is like a forced error on our part as a community and privacy profession where the more we talk about what we do as compliance, the less interesting it is for anybody else to listen to us.
Debra Farber 50:15
100%! Even when I did pure compliance, as in a role, I never referred to it as compliance. You know, it's my own comms there.
Melanie Ensign 50:25
Yeah, I mean, even if I'm telling a solution that helps with compliance, nobody wants to spend money on something that just makes them look adequate at their job. I need your compliance solution to make it easier for me to weigh resources to create allies inside my company to make my business partners happy. And to elevate the position of my organization from Compliance to a Business Advisor. If all you're offering me is something that checks the box, then I have to do all of the heavy lifting of explaining and connecting the dots between compliance to business results. Like that should be built into your product.
Debra Farber 51:14
Melanie Ensign 51:14
Otherwise, why would I buy it? I don't want to look mediocre at my job, I want to be so awesome that nobody ever refers to my program as compliance.
Debra Farber 51:25
I agree. I mean, obviously, like I care a lot about, you know, shifting left. Right? So, I really do agree. I think compliance is important, but it is not sufficient for a privacy program.
Melanie Ensign 51:37
Well, I can recognize as an individual that compliance...it's like my personal values align with complying with legal requirements. For the most part, there are plenty of laws around the world that are incredibly unjust, and some civil disobedience can be warranted from time to time. But, I can recognize - like I said, as an individual professional - that actually being compliant with the laws is important. But, it's not how I sell what I do to the business because the business is going to...
Debra Farber 52:11
Because it's not important enough to them.
Melanie Ensign 52:13
Exactly. Because, I mean, you point out any company within the fortune 500 that hasn't broken a law in pursuit of business success. I pay more taxes than Amazon, okay. So, you know, it's like the law in and of itself is not a motivator for people who have not spent the last two decades of their life learning it.
Debra Farber 52:40
No, it's absolutely true. Right. So, it's our job.
Melanie Ensign 52:44
...especially, especially when laws can change. Right? Laws are not a moral code.
Debra Farber 52:50
That's true, it's more of a framework so that as they change, you want to be able to handle those changes and be able to communicate that into the business. So, you want to have those feedback loops within the business to be able to communicate about new changes in the regulatory environment.
Melanie Ensign 53:06
Here's the thing. When you sit down with it, you know, with any big tech CEO and they ask what the risks are of not complying with something. They're not asking because they're going to lose sleep over it. They're asking because they want to know how much it costs and whether or not they can afford the legal risk of not doing it. If they can, they're probably not going to do it.
Debra Farber 53:27
Oh, exactly. This is...I mean, it's also another reason why I think self regulatory doesn't work and you need actual external regulators.
Melanie Ensign 53:35
These people did not get to where they are through the generosity of their heart.
Debra Farber 53:41
Indeed. It's a really great point. So before we close, because I feel like we could talk for hours. Are there any resources that you would like to recommend where privacy technologists can learn more about effective communications? I mean, Please also tell them about your newsletter, and you know... but any anywhere else as well.
Melanie Ensign 54:04
Sure. So, I mean, our newsletter, of course. We include everything from, you know, contemporary communication research to theory, because again, like, the scholarship of communication is so valuable in, you know, forming strategy and execution. Right? There's no reason why any communication effort needs...like do we don't need to be guessing. Right? We have enough knowledge and research so that we can make informed decisions about this. So, that's certainly a resource.
Debra Farber 54:29
You include psychology in it, studies about the brain and neurology, comparisons to sharks and marine biology. I mean, it's just it's really great and unique.
Melanie Ensign 54:39
Yeah, it's a lot more than "How do you write the TLDR at the top of it email?
Debra Farber 54:43
Melanie Ensign 54:45
Yeah. But I also...you know, to share some resources that aren't about myself, GitHub has a newsletter called ReadMe, which is one of my favorite things to read these days because this content is curated. by a professional editorial team. They've got former editors from Wired and other publications, and 99% of the content is contributed by external engineers that are working on open source projects. But because they have the opportunity to work with amazing content experts,and editors, the articles are all really good. And, it's making engineers more effective in the way that they write and in the way that they communicate with their teams. So, if you're not already subscribed to the GitHub ReadMe newsletter, I highly recommend it. It's some of the best writing from technical experts without having to read a full length research paper.
Debra Farber 55:43
Oh, that's awesome. I was not aware of that resource. So I'm going to check that out and subscribe. Thank you. Awesome. Any other parting words or, you know, tips for our listeners about comms?
Melanie Ensign 55:57
You know, if you care, you're half of the way there. You know, thinking about effective communication starts with thinking about your audience and what your goals and objectives are. So, I mean, you may not have noticed as we've been going through this conversation, but I have been very deliberate in what I have said this entire time because I'm thinking about who could be listening, what is it that they need to know, where are they in their journey, and how can I be most helpful for them in terms of thinking differently about the way that they communicate both as individuals and as an organization. So, there really is no such thing as a non-strategic conversation, just conversations where you're not paying attention to the strategy that's happening.
Debra Farber 56:39
That is really fascinating, and a great place to end. Melanie, thank you so much for joining us today on The Shifting Privacy Left Podcast. I really enjoyed talking about comps with you. I'm sure we'll have you back on the show in the future. And thanks for coming today.
Melanie Ensign 56:55
Of course. Thank you so much for having me. And, for folks who are interested, you can find me on Mastodon. I'm @Wednesday@defcon.social. And you can find me on LinkedIn as well. I am not on Twitter.
Debra Farber 57:08
I'm not on Twitter anymore. Yeah, it's sad.
Debra Farber 57:13
Well, thanks for joining us today, everyone until next Tuesday, when we'll be back with engaging content and another great guest.
Debra Farber 57:22
Thanks for joining us this week on Shifting Privacy Left. Make sure to visit our website shiftingprivacyleft.com where you can subscribe to updates so you'll never miss a show. While you're at it, if you found this episode valuable, go ahead and share it with a friend. And, if you're an engineer who cares passionately about privacy, check out Privado: the developer-friendly privacy platform and sponsor of this show. To learn more, go to Privado.ai. Be sure to tune in next Tuesday for a new episode. Bye for now.