S2E23: "Navigating the Privacy Engineering Job Market" with George Ratcliffe (Stott & May)

Show Notes

This week, my guest is George Ratcliffe, Head of the Privacy GRC & Cryptography Executive Search Practice at recruitment firm, Stott & May.

In this conversation, we discuss the current market climate & hiring trends for technical privacy roles; the need for higher technical capabilities across the industry;  pay ranges within different technical privacy roles; and George’s tips and tools for applicants interested in, entering, and/or transitioning into the privacy industry. 

Topics Covered:

• Whether the hiring trends are picking back up for technical privacy roles
• The three 'Privacy Engineering' roles that companies seek to hire for and core competencies: Privacy Engineer, Privacy Software Engineer, & Privacy Research Engineer
• The demand for 'Privacy Architects'
• IAPP's new Privacy Engineering infographic & if it maps with how companies approach hiring 
• Overall hiring trends for privacy engineers & technical privacy roles
• Advice technologists who want to grow into Privacy Engineer, Researcher, or Architect roles
• Capabilities that companies need or want in candidates that they can't seem to find; & whether there are roles that are harder to fill because of a lack of candidates & skill sets
• Whether a PhD is necessary to become a 'Privacy Research Engineer'
• Typical pay ranges across technical privacy roles: Privacy Engineer, Privacy Software Engineer, Privacy Researcher, Privacy Architect
• Differences in pay for a Privacy Engineering Manager vs an Independent Contributor (IC) and the web apps for crowd-sourced info about roles & salary ranges
• Whether companies seek to fill entry level positions for technical privacy roles
• How privacy technologists can stay up-to-date on hiring trends

Resources Mentioned:

• Check out episode S2E11: Lessons Learned as a Privacy Engineering Manager with Menotti Minutillo (ex-Twitter & Uber)
• IAPP Defining Privacy Engineering Infographic 
• Check out Blind and Levels for compensation benchmarking

Guest Info:

• Connect with George on LinkedIn
• Reach out to Stott & May for your privacy recruiting needs

Privado.ai
Privacy assurance at the speed of product development. Get instant visibility w/ privacy code scans.

Shifting Privacy Left Media
Where privacy engineers gather, share, & learn

Buzzsprout - Launch your podcast


Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Copyright © 2022 - 2024 Principled LLC. All rights reserved.

Chapters

• 1:30: Introducing George Ratcliffe from Stott & May
• 2:33: Whether the hiring trend are picking back up for technical privacy roles
• 5:45: The skill sets & competencies companies seek when they say they're looking to hire for a 'Privacy Engineering' role
• 10:28: What the current demand is like for a 'Privacy Architect'
• 13:41: George's thoughts on whether the IAPP's new Privacy Engineering infographic maps well with how companies approach hiring for privacy engineers today
• 16:45: Overall trends George sees as companies hire for privacy engineers & technical privacy roles
• 18:54: The capabilities that companies desperately need or want in candidates that they can't seem to find; whether there are roles that are harder to fill than others because of a lack of candidates and skill sets
• 23:21: The trends George sees when it comes to filling roles for 'Privacy Researchers'
• 27:15: Advice for those who are already technical and want to grow into the privacy space & become a Privacy Engineer, Researcher, or Architect
• 31:32: Debra's advice on the importance of networking
• 33:43: Typical pay ranges across technical privacy roles: Privacy Engineer, Privacy Software Engineer, Privacy Researcher, Privacy Architect
• 37:23: Difference in pay for a Privacy Engineering Manager vs an Independent Contributor (IC)
• 39:45: Whether George sees companies seeking to fill entry level positions for technical privacy roles
• 42:13: The best way for privacy technologists to stay up-to-date on hiring trends

Transcript

George Ratcliffe: 0:50

Any candidate that goes into interview for any job should have, in my opinion, a really clear "why they want that job and why they would be good at it. If you can answer that question or give a hiring manager, interviewer, whomever it is a really clear and confident answer, to me that's always going to have them leave the interview with a really good feeling. Even if it's not the right fit, they're still going to leave with a really positive impression of you. For me, really specifically, if you're looking to make a jump into a slightly different industry, having a really clear 'why' that you can articulate appropriately and share with that person, it's always going to put you in a really great spot.

Debra J Farber: 1:31

Welcome everyone to Shifting Privacy Left. I'm your host and resident privacy guru, Debra J Farber. Today, I'm delighted to welcome my next guest, George Ratcliffe, Head of the Privacy, GRC and Cryptography Executive Search practice at recruitment firm, Stott and May. As you might imagine, we're going to talk about the field for privacy technologists. I'm really excited to dig deep.

George Ratcliffe: 1:56

Welcome, George. Thanks, Debra! Great to be on and really looking forward to what should be a great, and hopefully a really useful, conversation for a lot of people.

Debra J Farber: 2:05

Yeah, I think so. I think there's a lot of appetite from my audience to better understand trends in the job market. I'm so excited you're here. I know you have so much first-hand knowledge about the job market for privacy roles in particular. This discussion is going to be pretty enlightening for those who are seeking new positions with titles like "privacy engineer, privacy architect, privacy researcher and even GRC engineer, in addition to non-technical privacy roles.

Debra J Farber: 2:34

I can't wait to dive deeper on some of the trends you're seeing. Let's start with some of the technical privacy roles in the context of the current market climate. About four months ago, in a previous Shifting Privacy Left podcast episode, I had Menotti Minutillo, a Privacy Engineering Manager who had just left Twitter at the time and is now at, I believe Netflix. We talked about his observation that privacy engineers were being laid off at a much higher rate than companies were hiring for them, and his concern about how that will affect the hiring pipeline for the profession. I guess my first question to you is are you seeing the hiring trends pick back up for technical privacy roles?

George Ratcliffe: 3:19

I actually love this episode. There's a lot of stuff that I took from Minotti that's been really helpful for my understanding of the space. Firstly, I completely agreed with Minotti's observations. It was really concerning to see it happening. I think we've all seen plenty of tech layoffs before, but it's the first time I've really seen people being laid off in privacy. And, coming onto a decade that I've recruited in the space or certainly on mass, it was definitely really concerning at the time. The one thing I would have added to that is that the gap we saw between the number of jobs available, the number of people being hired and the people being laid off, I'd have said was pretty uniform across tech. It wasn't like we were much of an outlier compared to everybody else. We just hadn't really seen it before. In short, we're seeing a massive rebound here. At the moment. A lot of tech companies more in that pre and post IPO stage of development, as opposed to the really big tech companies just yet, are coming back to the table with technical hiring across all of the skill sets that you mentioned. We're not back to that volume and that bump that we saw at the back end of '21 and early '22.

George Ratcliffe: 4:32

For me at the moment, obviously, a huge part of my job is keeping an eye on what's going on. It definitely feels like each week we're seeing a little bit more. There's a couple of new positions coming out. There's a few new companies coming back to the table. I think what's probably most encouraging for me is we're also starting to see companies that I haven't traditionally associated with having a privacy tech function coming out and looking to hire. They're fairly broad and not entry- level, but fairly broad in the first one or two hires they're making. Coming to the table with positions like that, which for me, is really, really encouraging to see that world of privacy tech growing not just in terms of people in certain organizations but growing in terms of the number of organizations who are operating within the field.

Debra J Farber: 5:18

Oh yeah, that gives me a lot of enthusiasm as well. I just obviously love the privacy tech market. I'm a huge advocate for that. I do agree. I'm seeing that too. I'm seeing not so much in the hiring, but a lot more privacy tech companies. It's good to hear that they're expanding and as they're expanding, they're looking for technologists that have privacy expertise. Everyone seems to have their own, slightly different, definition of a 'Privacy Engineer.' I thought you'd be the perfect person to ask, based on what you're seeing across different organizations: what skill sets and competencies are companies seeking when they come to you saying they're looking to hire for a 'Privacy Engineering' role?

George Ratcliffe: 6:00

Yeah, I'm actually going to revisit another point Menotti made here. We're still at such an early stage, but I think when it comes to privacy technology and specifically on the engineering side and I've even heard certain people make a fairly rudimentary comparison, but one that rings fairly true is that privacy tech is where security engineering was maybe eight or even 10 years ago. In a sense, we've got all these different skill sets and so many different roles that are actually grouped under this same job title of 'Privacy Engineer.' Rather than go through everything that somebody could do within a privacy engineering or privacy tech role, I do like to break it down. For me, there's three different roles, the key roles here, that are different in their own way but do sit under that same banner with the majority of companies out there. I'll run through some of the really key competencies that I see sit in each one most regularly. The first one is the 'Privacy Engineer' - the job title that everybody sticks on it, but this one is the one I guess we most commonly see in BigT ech. It's the most common role we see at Google, at Meta and a lot of the other kind of FAANG businesses. Also, a lot of larger organizations who are still at an early-ish stage in having privacy tech functionality as a whole. People who sit within this job typically do have a pretty strong technical or engineering background, but their focus is predominantly for me on reviewing codes, reviewing products that's brought to them by development and production teams, looking to see if it sits within the organization's privacy policies, looking to see if it matches up with the privacy- by- design or privacy- first parameters they've had set out for them. Another key thing that goes in there is they're often working in quite a large advisory capacity as well. They'll plug in and work really closely with engineering and design teams to work through any problems, any gaps they've found, to make sure that everything's redesigned appropriately before it then gets signed off, if you like, put into production and out in front of customers or consumers, depending on which side you're on.

George Ratcliffe: 8:14

The next one is I like to term it 'Privacy Software Engineer.' I've been one that's really happy to see this job title getting out there a little bit more regularly. Probably not something we'd have seen 18 months ago too often at all, but it's certainly becoming more common now. Privacy Software Engineer often performs some of that design, review and advisory work that a privacy engineer would, but the differentiating factor for me is spending a lot of their time focusing on physically designing and building their own privacy- preserving code or products. Obviously, without diving too deep can be anything from looking at writing an anonymization code or script, or something on the deletion side right on through to getting in some of the really technical and advanced pieces, like differential privacy programs and so on and so forth.

George Ratcliffe: 9:04

The third kind, and I apologize to anybody that feels like they're being put into a bucket here - I'm just trying to keep this as broad and general for everybody - this is more on the research side, 'Privacy Research Engineer.' Again, something we're starting to see become more common, particularly within advanced consumer tech companies and also within AI companies or pure privacy tech vendors as well. Like I said, more recent addition. So people in these roles typically sit at that intersection of academic research and production, researching new applications that can be, in some instances, completely brand new for one of the privacy enhancing technologies that are specific to the needs of their employer or the specific product, before then going and obviously applying that research.

George Ratcliffe: 9:51

In fairness, I think Amazon have had Applied Privacy Research Engineers for quite some time, but still, in a lot of other companies, their going through and actually physically putting their research into production. Some organizations, that's just looking at putting together a prototype or a proof of concept. Other organizations, they're doing the whole piece. Right? They're going right the way through to building that specific piece and putting it into production for their company.

Debra J Farber: 10:16

That's super helpful. I really like that breakdown, hearing privacy software engineer, privacy research engineer. That is definitely a slight change into how we're seeing people structure the titles of the job role. I am curious though, for privacy architects I'm getting asked more and more if I know of a privacy architect for a role, are you seeing that in your placements as well, or is it to a lesser degree than some of the privacy engineering roles?

George Ratcliffe: 10:44

Yeah, that's a great question, Debra. I think privacy architect is definitely a role I've recruited for a good period of time. The number of requests we get on that side is definitely increasing. I would say what's probably changing more for me is the number of - again, I'm probably going to split this into two sections

George Ratcliffe: 11:03

I just said two years ago, maybe even three, pretty much every requirement or search we were working on for a client that was a privacy architect was, to be honest, pretty much more somebody that was like a differentiate between a TPM and what I'm about to say, a 'Technically-minded Program Manager.' So not a TPM, very different to that, but essentially a program manager who could speak enough tech to work with architects, work with people who are sitting really deep into that back end to help them plug things together. Definitely still get plenty of those coming through. It's still a really hard job to fill because there aren't many people who can do that.

George Ratcliffe: 11:41

What I'm seeing more of at the moment, and this really fits in well with a lot of, I think a lot of the things we'll probably discuss as we move through, is more technical-minded people coming into this space. So we're looking at genuine architects who can completely pull apart data pipelines, the flows of an organization, everything to do with that and rebuild it themselves, so more in line with what we would consider a traditional enterprise architect within any other area of tech. So, that's what we're seeing more of and I'm definitely seeing more of a shift towards that. And, again, frankly, like every other area, it's a really hard space to find people in, particularly people who can - obviously, we can find all of those skills we've just talked about, but then also match up with the tech stack and the requirements or the customer base of that particular organization.

Debra J Farber: 12:31

Right, that makes a lot of sense, especially as we start seeing the advent of an explosion of privacy tech. It's like well, which tech stacks, which new technologies is the company using within their work? So, I could understand why that makes it even harder for you and your clients.

George Ratcliffe: 12:49

That's where things are a little bit different to the engineering side, because I think, particularly with companies that are a bit further down the line, they can justify on the engineering side using which languages they want or which frameworks or packages to design what they need. But when we're getting into the really nitty-gritty like architectural side, it's like you kind of have to align with what the company's already using, because you look at, let's say, like 500, even 1,000 company like that architecture's been in place for such a long period of time. It's just not gonna be feasible to like pull in different programs or anything like that to stuff that's like so integral to a company. So yeah, that's where the challenge is a little different to things on the engineering side. But, we can make a case of bringing in a new toolkit or something like that. So, definitely keeps us on our toes over here, I bet.

Debra J Farber: 13:42

So, the IAPP's Privacy Engineering Section Advisory Board, they recently published an infographic that defines privacy engineering, and it lists job functions that work toward privacy engineering goals. Those job functions are software development, system design, data science, physical architecture, process design, IT infrastructure and then human computer interaction (HCI) / UX design. Do you think this maps well with how you're seeing companies approach hiring for privacy engineers today? I'm just trying to get a sense of if this is aligned with what you're seeing in the market or if this is more of a North Star that the IAPP folks who put this together want to get to.

George Ratcliffe: 14:29

Yeah. So I think a North Star analogy is perfect. I think that to me that is kind of like the gold standard of what the majority of companies should be sort of aiming to get towards, and I think the majority of companies that we work with, and obviously place candidates with, are working towards getting certainly close to having each of those kind of defined areas. I think the challenge is that's a journey, right, and everybody is at their own specific point on that and some people are further on than others is how I would kind of say. I would say outside of maybe a couple of organizations I'm aware of are probably at a point where there are too many that have their privacy tech program at such an advanced level, or privacy engineering specifically, where they've broken down into each of these areas. The average, I think, out of companies that we would look at that have a privacy tech function, we're probably looking at an average of maybe three people. So, naturally obviously, there's got to be a good amount of kind of consolidation here, and then there obviously are plenty of companies that just have like one or maybe two people. So, obviously these different skill sets have to be like kind of split out between a smaller number of people. I'd say the majority of companies are at, that we kind of work with who are kind of halfway through

George Ratcliffe: 15:45

this, is that most companies are starting to kind of split into two areas. So we're starting to see a lot of the earlier kind of ones that you mentioned there: so software development, system design and the UX kind of side being grouped into one kind of role; and then a lot of the other pieces kind of coming into another, so data science, architecture, process design and infrastructure kind of going into another skill set. And there are plenty of good examples of San Francisco companies at the moment who have kind of moved towards having - yeah, they don't call it like a front end - but obviously having what I would say more front end focused, and then having a privacy infrastructure team that are focusing on, like we say, a lot more of that kind of heavy lifting and those back end pieces. So, that's what I'd say we're probably at. I definitely agree with the IAPP, though I would love to see in three, four years, the majority of companies out there having really like defined functions across each of these areas which are also important for a privacy engineering function.

Debra J Farber: 16:46

Absolutely, I agree with that. I'm going to add the infographic that I'm referencing into the show notes, so if anybody wants to check it out, you can find it there. And then, what are just some basic other overall trends you're seeing as companies hire for privacy engineers and technical privacy roles?

George Ratcliffe: 17:05

Yeah, there's a couple. I'd say that the one that stands out the most is probably the move towards higher technical capabilities. So I think, similar to what we touched on with the architecture piece a minute ago, almost every time we have a client coming back to us we worked with, let's say, six or 12 months ago, we're looking for a similar person that sits within the same team. The jobs are just getting a little bit more technical. So, let's say like 12, 18 months ago, we're looking at like basic automation and scripting skills within Python and a good background working with a cloud environment. Now, we're looking at people who can come in and write production- level code in Python or potentially Go. We're even seeing, in some instances we're seeing like Star kind of coming in a little bit as well, but that's definitely really hard to find. But, I'd say that's the same across the board.

George Ratcliffe: 17:58

So, if we just go back to the piece we were talking about earlier, where we split those privacy engineering roles into three sections, people in that initial privacy engineering spot we're looking at being able to advise at a higher- level of technical capability to the engineering teams they're working with. We look at the research side and where it might have been just looking at some anonymization and deletion things, now we're looking at really detailed applications, so differential privacy and, obviously, areas that are still really kind of new. So, I think the technical upward curve is definitely the biggest thing, I'd say; and I think, again, that's pretty natural in terms of the evolution of what's still a fairly immature space. And, I'm not a security recruiter by trade, but I'm sure if you speak to most people, my colleagues, I guess you could say on that side of the fence I'm sure they'd say that's probably similar to what direction security started going in six, seven, eight years ago.

Debra J Farber: 18:54

Yeah, thanks for that. That's really helpful. So, this is a two-parter question. I have them separate, but I think they're kind of almost the same question. So, what capabilities do companies desperately need or want in candidates that they can't seem to find? Put another way, is there a role that is harder to fill right now than others because of a lack of candidates and skill sets?

George Ratcliffe: 19:19

Yeah, that's another good one. I think the biggest difficulty we probably have, and the most common thing we hear regardless of the skill set within privacy tech, is the blend of technical and communication skills. So, I think certainly my philosophy on it is privacy technologists - whether it's an engineer, an architect, or a researcher - will sit in a really unique position. So, obviously we have to produce really high-end technical work that's fit for purpose in some of the best and biggest tech companies or in other industries out there on the face of the earth. But at the same time, obviously we're producing this work, producing the products and the code that go out to customers and consumers around the world, you still have to be able to talk to so many different people, which is such a big challenge.

George Ratcliffe: 20:08

I can't at the moment really think of any other areas (again other than, possibly, security), where you can have some of the brightest and highest- paid technical minds within an industry.

George Ratcliffe: 20:19

They still then have to be able to go out and speak to, let's say, regular software engineers. They need to speak to lawyers. They need to speak to salespeople and even, obviously, business owners are completely different areas; and, I think in much bigger organizations, you can potentially have a spot where you can have somebody who doesn't need to do a huge amount of that, but particularly in companies that have teams of 3 to 15 folks in privacy tech, you can produce the best work possible; but if, ultimately, you can't go out and then educate people across your organization as to why it's important, it's always going to be a real challenge to get your work out there and actually see it have the end result on the customer. And so, I think for me, honestly, that's probably the hardest thing. There's always more digging we can do. There are always more stones we can turn to find a specific skill set, and that's a challenge. But, the biggest one is finding that balance of technical and softer communication skills as well.

Debra J Farber: 21:15

Yeah, that makes sense because, you know, it's one of those unicorn roles, right? I guess one of the questions that I have is why does it have to be one person? Why can't you just hire someone who likes to do the implementation, the work, be in the weeds, who works with someone on the team, that is, the communicator? I see myself as that communicator kind of role, but it doesn't exist independently from being the engineer when I look at job roles. So, any thoughts on that, like why are companies determined that it is the exact same role that has both those skill sets of technical and communications capabilities?

George Ratcliffe: 21:53

Yeah, I think it's more a matter of like circumstance at the moment, Debra. I think if we got together every kind of CPO of a company that has a privacy tech function in some shape or another, I'd like to think the majority of them would probably see that role that we're talking about here being on the roadmap. It's more a case at the moment, I think one of the biggest cases probably budget. To be perfectly honest, I think, particularly off the back of the last 12 months in the tech industry, everybody is trying to do more with less, and that's always been the case. But, that's really pertinent right now. I think, as companies continue to shift from the mindset of seeing privacy as a compliance or a legal kind of function into it being a business enabler and a differentiator that will continue to see teams and budgets grow.

George Ratcliffe: 22:43

And for me, I think that has to be a role that has a really big future within the privacy tech industry. It's just a case, and I guess if we go back to the IAPP infographic that you're going to pop in there, I think most people would like to have at least one person doing each of those things; but, the reality is most companies need to at the moment have to have one person doing three or four of those. So, it's just a case of, I think, maturing privacy, continuing to become more of an important topic for companies, and, as we see that natural kind of evolution, I'd absolutely see that as being a really important skill set for companies to have.

Debra J Farber: 24:05

Excellent. Thank you for that. So, you mentioned before - we talked a little bit about privacy researchers - and, I'm seeing some companies with large research centers hiring for privacy researchers and they typically have PhDs. So, a lot of them are doing their postdocs and coming out of school and going straight into, as you said, becoming applied engineers, basically in the privacy space. So, can you speak to what trends you're seeing when it comes to these positions? Are they mostly for data scientists who research privacy enhancing technologies on their deployment, or are there other areas as well? And, is it necessary to have a PhD according to your clients? Because from what I'm seeing, all of them require a PhD.

George Ratcliffe: 24:53

Yeah, it's definitely a pretty high technical bar to get into that space. I would say at the moment, I can think of a couple of people off the top of my head that don't have a PhD and are in this space. I think the stumbling block for anybody that doesn't have a PhD is that traditionally, you know, bachelor's and master's programs just don't have anywhere near the same level of research within them. So you're fighting a little bit of kind of an upward battle there, in the sense that you've got people with a PhD who have the best part of four or five or sometimes six years worth of research experience that they can apply straight into what it is they're doing. I think we'll probably continue to see that being a dominance. I can't imagine that we'll see much of a shift, certainly in the short term, where we'll see folks without that really proven research background making a jump. There are definitely alternatives to it. I think MITRE, obviously affiliated with the government, is a great example. I have seen people go and work with a master - a technical master, obviously - with MITRE, who've done a lot of research there and have then got to a point of going into an applied research role with a tech company. So, it's absolutely possible but it's definitely the less trodden path at the moment. In terms of I think your other point was around people coming from that sort of data science background, kind of the same thing. W e predominantly see people coming from a data science or a more kind of pure computer science background into that space, largely because, obviously, those are the programs that have the most crossover with privacy enhancing technologies.

George Ratcliffe: 26:28

So again, probably about 60%, 65% of the people that I've worked with in that space have had a part of their thesis or part of their research has been focused on some form of either privacy enhancing technology or an adjacent space. But there are plenty of people out there who obviously have focused on the fundamentals and are then able to make the jump across and apply their research background, their technical knowledge and skill set to the privacy space. I'd say most often it's people who've always had some kind of interest in privacy, whether they've been impacted by a breach at a company, or a family member or a friend has had something like that or could be something completely different. But yeah, that's, I'd say, typically what we see at the moment.

Debra J Farber: 27:15

Interesting. Thank you so much. That's really insightful. There might be people out there who are already technical and want to grow into the privacy space and maybe become a privacy engineer or researcher or architect. What advice would you give them?

George Ratcliffe: 27:31

So firstly, great news. I'm like very confident we're going to see this transition become easier and easier to make. I guess on one hand, you can say fairly simple economics and supply versus demands; we're certainly - other than that couple of big layers we talked about earlier - we're not seeing any companies decreasing the number of people they have in their privacy function. The vast majority are obviously increasing it and there is a limited supply of people coming in who've rolled off one of the master's programs. I'm also happy to kind of add to that; I've had a number of conversations with clients in the last two, three months where they're already aware of that and they're already quite keen to start exploring hiring people with really really strong technical backgrounds who have some skills that are adjacent to privacy, some kind of reason or some understanding of that space, so just a baseline knowledge rather than coming as sort of the ready-made candidate who's done exactly the same role elsewhere. So, to appropriately answer your question, Debra, in terms of being able to, I guess, upskill in your own time and get yourself ready for that jump, there're a few different avenues that I've seen work really well and have helped kind of candidates within the past. So, the first one and I think I would suggest this for everybody who's looking to make this jump is the kind of formal qualifications. So the CIPT course that the IAPP rolled out, I think probably about three years ago now, is a really great starting point. Obviously it's going to teach you the fundamentals of the privacy world, how to apply some of your technical background to it, and it's just from what I said. If nothing else, it's also going to put something on paper that shows you're really interested in the space and committed to kind of making that jump.

George Ratcliffe: 29:13

Second piece, like less formal but more achievable to anybody in their day- to- day role, is getting more privacy exposure. So, that can be like seeking out privacy- related projects or changes in your current role. I'll happily, tell you, I can't think of anybody I know, certainly high up in the privacy tech world, that wouldn't be happy to have an extra pair of technical hands on a specific project. So, trying to find out where those are, get them at the top of your resume and make sure they're really clear when you're speaking to people, you know, when you're applying for that next role, what it is that you've done. The other piece, I guess I'd say on that and more for the kind of engineers, but specifically, is again just being involved in the privacy space. So, if you've got a GitHub, start playing around with writing privacy code or potentially even like privacy preserving products of some degree. Now that can sound quite daunting to somebody that's never done it before, but I don't think it needs to be. You don't need to go in and build the finished product right away. Just being able to display to somebody and pop your GitHub link on your resume that shows you're playing around, you're interested in that space and you're already putting your own time into developing a skill set there is going to set you above so many people out there. Certainly, from my perspective and again I firsthand have seen that work really effectively over the last couple of years.

George Ratcliffe: 30:34

And the last thing is, for a little bit further down the line, but having a really clear 'why.' So we can even take like a step back from this. I mean, any candidate that goes into interview for any job should have, in my opinion, a really clear 'why' they want that job and 'why' they would be good at it. If you can answer that question or give a hiring manager, interviewer, whoever it is a really clear and confident answer, to me, that's always going to have them leave in the interview with a really good feeling. Even if it's not the right fit, they're still going to leave with a really positive impression of you.

George Ratcliffe: 31:07

For me, really specifically, if you're looking to make a jump into a slightly different industry, having a really clear 'why' that you can articulate appropriately and share with that person, it's always going to put you in a really great spot. To me, it doesn't matter too much what that why is. As long as it's clearly like something that's important to you, then for me that's always going to put you in a really good spot and hopefully give you a really good chance of making that jump.

Debra J Farber: 31:32

Yeah, that's a really good point. It also makes me think of networking. Right? Going to events where there's privacy engineering folks there and building those relationships so that, even if there's not a position for you right now, if you make a good connection, like you were saying in an interview, but here in a networking capacity, they might think of you for another role in the future, whether on their team or if they move to another company and have a new hiring mandate. So, you leverage your network - you don't go build a network because you want a job right now. You build a network so that you have a network to go to when you are seeking that job in the future. That forethought, I think, has really done well for me in my career, just generally. So, I would extend that suggestion to anyone who's listening and seeking any job role. Go to where the people are who are hiring managers and so you could learn from them and build relationships.

George Ratcliffe: 32:27

100%. Yeah, I completely agree, Debra. I think, obviously the two biggest ones are the two that the IAPP run within the U. S. Right? If you're based in the Northeast, get yourself across to the conference in DC at the start of April next year. If you can get down to San Diego for the PSR Conference. Is that in October? I want to say it's the start of October.

Debra J Farber: 32:49

I think so.

George Ratcliffe: 32:50

Yeah, October. If you can get yourself down to those events, then that's brilliant. You don't often even need a pass, like just being able to be around there. Send a few messages to people on LinkedIn who've posted about going, and try and grab a coffee or a drink with them is a great thing to do. I've definitely seen people leverage those conferences into helping them get jobs in the future. So, yeah, that's a great bit of advice.

Debra J Farber: 33:12

Yeah, yeah. Then there's all of these privacy engineering conferences popping up around the globe as well - some of them connected to research universities, others that are a little more show and tell and cross-functional, like the PEPR conference, the Privacy Engineering Practice and Respect conference. It's a USENIX conference in September in the Bay Area. That's a really good one, too. There's so much out there. Just don't sit behind your computer and just apply for jobs all day. Instead, get out there and go where practitioners are that you can meet. So, here is a question that I'm definitely excited to hear you talk about. It's about salary ranges, because anyone who's paying attention can see that there's a very wide range of salary ranges for these different privacy roles. Right? Privacy Engineer, code review, Privacy Software Engineer, Privacy Research, like you mentioned before, and Privacy Architect. What are the typical pay ranges across these different technical privacy roles? What companies are looking at the lower range? What are the higher range? What are the pros and cons that applicants should be thinking about?

George Ratcliffe: 34:23

Yeah, I'm definitely going to get a few messages about this down the line, aren't I? Somebody who's got way more than I said they could get? I'm always happy to have people challenge me on that. So, yeah, no worries. Yeah, as you put it, it's such a wide range. It's a really tough one to nail down, but I'll definitely do my best.

George Ratcliffe: 34:43

I think the first thing I'd say, particularly anybody at an earlier stage in their career is really sit down and think about what the non-negotiables are for you. And, for me, whenever somebody says 'total package' in inverted commas, for me, I think obviously this is like cash is always important, particularly in a high- cost area; but, start to think more about things like scope for growth. Like, where have people gone when they've joined this team at the same stage that I'm at? Where have they moved to after? Is this really taking me in the right direction? So, yeah, I'd always say get a really good list of those things there. Make sure you're really clear on what's important to you before you start to jump into this, because, as you put it there, Debra, there is a range for all of these roles, but it typically will be different types of companies and a different level of requirement they're asking from you at the different ends of it. What I would typically say, and again this is a bit of a generalization, is that if you're looking at more enterprise- type firms (so, companies that have been around for a little bit longer - they're a bit bigger, not necessarily an Amazon or a Facebook or a Google or a Reddit, something like that), you're probably going to be looking towards the first half of the ranges I'm going to give you here. If you're looking at more advanced companies, or, let's say, like an Open AI, somebody who's really on the cutting edge, then typically you're going to be looking at the higher ends. But, just make sure you balance up what they're asking from you in terms of input to get what you're getting out.

George Ratcliffe: 36:07

So, as a real broad- brush though, I'd say it's like that first Privacy Engineer we discussed - probably, you're looking at like $130,000 to $210,000 on the base side, at the top end, and around $170,000 to $300,000 total comp. Privacy Software Engineer, probably $175,000 to around $300,000 base and around $250,000 to $450,000 total comp. Privacy Research - this is where it gets really broad. So, anything from $175,000 through to mid-$300,000s on the base, and then $300,000 to potentially $650,000 in terms of total comp. I'd say, the top end of that is going to be tough if you're just rolling off a PhD. That's probably somebody that has been through a couple of roles there.

George Ratcliffe: 36:54

On the Privacy Architecture side, slightly different; probably looking at $170,000 to $270,000 / $275,000 base, and around $250,000 to $400,000, maybe $450,000 at the top end in terms of total comp. So, yeah, really broad ranges, and if anybody wants a bit more detail on that, the IAPP guides are pretty good. But, I'm also happy if people want to reach out. I'm always happy to have a chat and see if I can steer them in the right direction on those.

Debra J Farber: 37:24

Yeah, that's really insightful. I am curious, though, because we are talking about, like just broadly, a Privacy Engineer. But, what about like a a Manager Let's say, a Privacy Engineering Manager versus a Independent Contributor (IC) kind of role?

George Ratcliffe: 37:40

Yeah, that's a great question, Debra. So, in terms of that, I would say your best bet on that one, because this is where it does, similar to the research, when it gets really broad. The best bet for anybody who wants to understand that for a company they're looking at is, I would probably go and use Blind or Levels or FYI. Have a look at the Software Engineering Manager banding, so the companies that you're looking at, that will give you a really accurate readout; because again, those bandings become so broad and so wild, I don't know if it's necessarily gonna be great for me to put a number on that right now.

Debra J Farber: 38:14

Okay, yeah, it could be high. Like, it could be really high, which is good. I just want the listeners to know the career path ing if they they choose to go a Privacy Engineering route and want to go up the chain that right now it could be pretty lucrative; but, it also could be a lot more work and a different kind of environment than they necessarily want to work in. So, there's always pros and cons. Could you describe what the Blind app is for those who aren't aware?

George Ratcliffe: 38:40

Sure, yeah, so Blind and Levels are the two that I use kind of like most regularly.

George Ratcliffe: 38:45

They're just web apps you can go on, pick out a particular organization, and then it will give you a readout of basically the Crowdsourced information and data, so data on what people get paid at those specific levels, particularly in tech; you know, it's not as relevant for a banking community, for example, because those bandings are so well established and have been there for so long. But, you think, like a Microsoft, for example, have like 50 different levels within the organization. So, it's really good just breaking down what band you can expect for a base salary; a bonus, if there is one; and from an equity perspective. So, yeah, super helpful. It's also, every company structures their packages slightly differently. Some companies, way more slanted towards the stock element, some companies more towards like base and bonus. So, it's, for me, a really helpful way just to try and understand how a package is structured, what you can expect, and what sort of banding you should be within if you're applying at that particular organization.

Debra J Farber: 39:45

Excellent. I really appreciate that. I think that's gonna be really helpful, and I'll put a link to the Blind app In the show notes as well. So, are your clients seeking any true entry level positions for technical privacy roles, or are they kind of saying it's an entry level role but it really requires a ton of prerequisite experience?

George Ratcliffe: 40:06

So, we yeah, we don't typically get engaged too often on entry level positions. A lot of companies will try and do that themselves wherever they can because they're obviously outlay on employing a search firm like us. It's not cheap, and so they'll try and find graduates where they can themselves. We do occasionally, maybe like a couple a year, I would say, certainly from what I see - and again I'm very happy to be kind of challenged on this by people - we don't have the same problem that you have in security, where companies look for entry level candidates or that you know they say they're looking for entry level and then looking for like three or four years of experience or X, Y or Z qualifications that people normally get down the line. So, a lot of the time when I see, again, entry level roles out there, I think they're banded around the right type of level. The trouble is always going to be - most companies will try and do that directly.

George Ratcliffe: 41:03

If you go and click on 'Apply' on LinkedIn, yeah, you could get lucky. You can get in front of the right person at the right time, but so often there are so many people, it's a really high chance you'll just get lost amongst people who are just unqualified. So, I think, yeah, maybe one bit of advice, if you don't mind, Debra: I'd say, for anybody who is rolling off, you know, one of the masters programs or looking for that entry level role within privacy tech, go and have a look on LinkedIn. See if you can find the talent acquisition people who focus on privacy. Try to build a relationship with them.

George Ratcliffe: 41:37

Even if those companies aren't hiring right now, those people are always going to be invaluable in your career and helping you get through the door, and also make sure you're not one of three or four hundred resumes for a position. You're somebody that's actually getting pushed forward. I'd say, do the same with agency recruiters, as well. You know, there aren't loads of us in the privacy world, and we're less likely to be able to help you right now; but, any decent kind of agency recruiter in the privacy space, we'll try and build that relationship with you for three, four, five years and should be in a good spot to help you at some point during that period of time, if not a couple of times.

Debra J Farber: 42:13

That's great advice. Thanks for that. What's the best way for privacy technologists to stay up- to- date on hiring trends? What resources do you use or do you suggest they tune into?

George Ratcliffe: 42:25

I'm actually going to defer back to your bit of advice from a few minutes ago, Debra. I think the best, like the best way is always going to be face time with people in the industry. So, if you can get yourself to the conferences - I know you mentioned a couple that are slightly newer there and focused on privacy tech - all the larger ones getting to those conferences, getting along to their, whether it's the happy hours or the dinners and just trying to get as much face time with people as you can. For me, it's always going to be the best, like the best way to kind of stay up to date on that. I'd also say, especially if you haven't done much of that before, go in with like two or three questions that you've jotted down on a piece of paper or on your phone that you can just drop into conversation to try and understand a bit more.

George Ratcliffe: 43:08

Obviously, try not sound too robotic with the delivery, which I've definitely done a few times, but just try to ask people, you know, what kind of initiatives they're working on; what are the big kind of focuses from a privacy engineering perspective is always a great way to just sort of absorb and learn as much about what other people are doing. The other thing I'd say is newsletters. Most of the conferences we've mentioned, the companies that run them have newsletters and they're always one of my biggest resources. So, yeah, getting signed up to those, reading them when you're having your coffee in the morning, is a great way to do it and a great way just to stay up to date with general things that are happening. So yeah, to be the honest, those are probably the two biggest ones that I use, and just yeah, just kind of chatting to people as much as I can, which I'm sure you can tell by now and I love to do.

Debra J Farber: 43:56

Same. Awesome. Well, you know we're nearing the close. I just want to make sure that people can reach out to you if they have questions or if they are seeking, you know, either to hire you to help place people in their companies for privacy technology roles, or if they are looking for jobs. What's the best way to contact you?

George Ratcliffe: 44:17

Yeah, sure, so always happy for anybody to reach out. Yeah, always happy to have a conversation, and help wherever I can. Best way is always through LinkedIn. So, yeah, just just pop me a note on LinkedIn and we'll be able to find some time to catch up.

Debra J Farber: 44:33

Awesome. Any last pearls of wisdom you want to leave the audience with today before we close.

George Ratcliffe: 44:38

I don't think so, Debra, but, thank you so much for having me. It's been been great to talk a little bit about these things and, yeah, I really hope it's helpful for people out there.

Debra J Farber: 44:47

Yeah, likewise. I definitely want feedback from the audience if you're finding this helpful, so feel free to reach out and, you know, let us know, because we we'd like to bring more content like this in the future as well. George, thank you so much for joining us today on Shifting Privacy Left to discuss hiring trends for privacy engineers and other technical privacy roles. I definitely hope to have you back in the future to update us on trends.

George Ratcliffe: 45:12

Thanks, Debra. Yeah, anytime has been an absolute pleasure. Would love to come back.

Debra J Farber: 45:16

Excellent. Until next Tuesday, everyone, when we'll be back with engaging content and another great guest. Thanks for joining us this week on Shifting Privacy Left. Make sure to visit our website, shiftingprivacyleft. com, where you can subscribe to updates so you'll never miss a show. While you're at it, if you found this episode valuable, go ahead and share it with a friend. And, if you're an engineer who cares passionately about privacy, check out Privado, the developer- friendly privacy platform and sponsor of the show. To learn more, go to privado. ai. Be sure to tune in next Tuesday for a new episode. Bye for now.