The Shifting Privacy Left Podcast

S2E36: "Privacy Engineering Contracting: State of the Market & 2024 Predictions" with Jared Coseglia (TRU Staffing)

Debra J. Farber (Shifting Privacy Left) / Jared Coseglia Season 2 Episode 36

This week, I welcome Jared Coseglia, co-founder and CEO at TRU Staffing Partners, a contract staffing & executive placement search firm that represents talent across 3 core industry verticals: data privacy, eDiscovery, & cybersecurity. We discuss the current and future state of the contracting market for privacy engineering roles and the market drivers that affect hiring. You'll learn about the hiring trends and the allure of 'part-time impact,' 'part-time perpetual,' and 'secondee' contract work. Jared illustrates the challenges that hiring managers face with a 'Do-it-Yourself' staffing process; and he shares his predictions about the job market for privacy engineers over the next 2 years. Jared comes to the conversation with a lot of data that supports his predictions and sage advice for privacy engineering hiring managers and job seekers.


Topics Covered:

  • How the privacy contracting market compares and contrasts to the full-time hiring market; and, why we currently see a steep rise in privacy contracting
  • Why full-time hiring for privacy engineers won't likely rebound until Q4 2024; and, how hiring for privacy typically follows a 2-year cycle
  • Why companies & employees benefit from fractional contracts; and, the differences between contracting types: 'Part-Time - Impact,' 'Part-Time - Perpetual,' and 'Secondee'
  • How hiring managers typically find privacy engineering candidates
  • Why it's far more difficult to hire privacy engineers for contracts; and, how a staffing partner like TRU can supercharge your hiring efforts and avoid the pitfalls of a "do-it-yourself" approach
  • How contract work benefits privacy engineers financially, while also providing them with project diversity
  • How salaries are calculated for privacy engineers; and, the driving forces behind pay discrepancies across privacy roles
  • Jared's advice to 2024 job seekers, based on his market predictions; and, why privacy contracting increases 'speed to hire' compared to hiring FTEs
  • Why privacy engineers can earn more money by changing jobs in 2024 than they could by seeking raises in their current companies; and discussion of 2024 salary ranges across industry segments
  • Jared's advice on how privacy engineers can best position themselves to contract hiring managers in 2024
  • Recommended resources for privacy engineering employers and job seekers


Disclaimer: This post contains affiliate links. If you make a purchase, I may receive a commission at no extra cost to you.

Copyright © 2022 - 2024 Principled LLC. All rights reserved.

Jared Coseglia:

AI is going to have a very dramatic impact on how engineers of any style or fashion, much less privacy, are valued. So, understanding the complexities of AI is going to be a differentiator that both commands a higher salary and, over time, will broaden the amount of opportunity that you will be competitive for. So, understanding - whether it's regulatory frameworks or best practices or competitive intelligence or creative ingenuity - baking AI into your knowledge base is going to be advantageous. It remains to be seen how or when, but I think that inevitability is nigh.

Debra J Farber:

Hello, I am Debra J Farber. Welcome to The Shifting Privacy Left Podcast, where we talk about embedding privacy by design and default into the engineering function to prevent privacy harms to humans and to prevent dystopia. Each week, we'll bring you unique discussions with global privacy technologists and innovators working at the bleeding edge of privacy research and emerging technologies, standards, business models, and ecosystems. Welcome everyone to Shifting Privacy Left. I'm your Host and resident Privacy Guru, Debra J Farber. Today, I'm delighted to welcome my next guest, Jared Coseglia, the Founder and CEO at TRU Staffing Partners, a 14-year-old, globally-recognized, award-winning contract staffing and executive placement search firm that represents talent and opportunities in 3 core industry verticals: data privacy, e-discovery, and cybersecurity. Today, we're going to be discussing what's new on the horizon in the market for privacy engineering, specifically around contract work.

Jared Coseglia:

Thanks for having me. Great to be here on the coolest podcast in privacy.

Debra J Farber:

Oh, you know how to flatter! I appreciate it, though. You know, I know my audience really has an appetite for more information about the state of the privacy engineering and privacy tech job market. Obviously, I'm eager to have you on the show, Jared. It was perfect timing meeting you at the IAPP Privacy Security Risk Conference in San Diego last month; and so far, we've been building a relationship and I feel like I've known you for a long time. I think it has to do with us both being from the New York area, but that's neither here nor there. So, meeting you was wonderful, and I know from having talked to you before recording this episode that you really do have a finger on the pulse of the contracting market for privacy roles, including privacy engineering jobs. So, what I'd like to do, if you're up for it, is to focus on the current state of the contracting market generally for privacy jobs and then focus on what you're seeing, and what you're forecasting for, the privacy engineering market specifically. Does that sound good to you?

Jared Coseglia:

Sounds like an amazing plan. I have lots of information to share. Absolutely.

Debra J Farber:

Awesome, okay, great. I guess the first up is: can you compare and contrast for us what the contracting market is like from the market for full-time placements generally, but also, you know, if you want to contextualize, with privacy jobs.

Jared Coseglia:

Yeah, I may kind of give you a little bit more than just an answer to that, because it's a complex ecosystem. Right? What happened in Q4 of 2022 was a bit of a shock to the system for privacy engineering, meaning we saw the stock market - after nearly 24 months of meteoric rise on the NASDAQ - crash pretty hardcore. That crash led to a significant amount of layoffs in Big Tech, but generally across the Fortune 500 and beyond. Those layoffs, for the first time maybe in a decade, dramatically affected the engineering community, particularly the privacy engineering community; and that hasn't necessarily come to a full stop yet. As we just saw, I think two weeks ago, LinkedIn / Microsoft laid off 700 employees. About half of those were engineers and many of them involved in privacy and security engineering. So why? Why did they all get laid off? Mostly because these Big Tech companies needed to improve their profitability, and in order to improve profitability and get their stock prices to go back up, they needed to fire people. Headcount is the most expensive line item in any business and certainly with very expensive, very skilled privacy and security engineers, they became an easy target. Now, what happened at the same time in Q4 of 2022 is the rise and birth of what we now see as AI in a new and enriched way.

Jared Coseglia:

So, a couple of things happened after those events. Right? Zuckerberg lays off 10,000 people, the rest of Big Tech slowly follows over the next 3 to 5 months, and then the rest of corporate America follows over the next 6 months. A lot of those people were paid very well. A lot of them are doing advanced privacy engineering in a way that a lot of companies hadn't even begun to institutionalize in their programs. So, what we started to see happen at the beginning of this year, in 2023, were a lot of organizations trying to take advantage of all these RIFed privacy engineers becoming available - some for the first time ever in their careers - on the market. Here's the problem. Most companies couldn't afford to pay the full-time salaries that privacy engineers were commanding in Big Tech at their organizations that were not part of Big Tech, and that dissonance between what a privacy engineer was commanding from their former employer, in terms of a full-time base and total compensation, and what other employers were willing to pay was a pretty wide gap. So the rise of privacy engineering contractors was given birth for the first time in the privacy industry's entire history. For the last decade or more, what we've seen is an extreme drought of supply, despite whatever the high demand may be for privacy engineers; and, in Q4 of 2022, there was now a supply available. But, they couldn't afford to hire them at the same rates that they were being hired by Big Tech, or they weren't willing to.

Jared Coseglia:

What they have been willing to do is bring them on in either a fractional or a part-time capacity as contractors, to come on board and impact the organization. That has become really appealing to a lot of job seekers that are privacy engineers.

Jared Coseglia:

A lot of times, there is a greater sense of satisfaction by making an impact rather than looking for something that's going to be stable.

Jared Coseglia:

Stability has never really been the cornerstone of why people joined Big Tech companies, nor has it been the historical trajectory of their career.

Jared Coseglia:

I'm going to go to work at Twitter and spend the rest of my life there. I mean, some people may have thought that. But they were also very surprised when that company had a change of control, and that also led to a lot of layoffs, as we know, and that was not just economically-based, but just because of a massive change of control in a company that had really been an apex of a lot of privacy engineers either getting their start or thriving. So, now we're seeing companies bring them on in fractional capacities, and that supply equilibrium to demand has now enabled a vast amount of corporate America and beyond to utilize these very seasoned, skilled privacy engineers in their programs, but not necessarily in a full-time capacity. And, this is a trend that we believe we're going to continue to see for probably the next 6 to 12 months, with an expectation that the full-time hiring market for privacy engineers is likely to rebound towards the end of next year.

Debra J Farber:

Wow! So, I've got definitely a few questions there; one being at the end of next year, why do you see that as a boon in hiring for privacy engineering?

Jared Coseglia:

Well, if history tells us anything, it will be - because privacy full-time hiring versus contract hiring tends to go in waves every 2 years. So, let's flash back to 2015-16, when hiring was pretty quiet. Not everyone really knew what privacy engineering was. It was still very undefined. I mean, to some it still is very undefined, though it's much more defined than it was nearly a decade ago.

Jared Coseglia:

Then GDPR got announced, and 2017 and 2018 were a massive ramp in full-time hiring of people trying to get ready to be compliant or take new products to market with the proper compliance and privacy-by-design baked in. So, there was a massive increase in full-time hiring. Then 2019 came, things got stabilized, and then 2020 happened, where things crashed and burned. Unemployment went up to 14%. People were getting laid off left and right. We saw contracting go through the roof. Nearly 60% of the jobs filled in 2020 were contracting; and that's across the entire privacy vertical, but certainly that included engineers. Then, 2021 and 2022 happened and things went through the roof again. Full-time hiring went sky high. Competition was extreme, salaries increased by anywhere from 10% to 40% at the point of hire. So if you were a privacy engineer making $100,000 (which is low, but just as an example), chances are, if you moved jobs in '21 or '22, you went up to $130K to $140K. If you were making $200K, you probably went up to $280K. And so, we then hit Q4 of 2022, and that all crashed again.

Jared Coseglia:

Well, if every 2 years we have this kind of cyclical contract versus full-time modality occurring in the marketplace, it's likely to say that in 2025 and late 2024, the lights are going to come back on in a meaningful way; and that also makes sense when we look at stock prices. Right? Most of the companies that are hiring privacy engineers are publicly-traded companies, at least in the volumes that would drive market trends. Even today, LinkedIn Insights indicates that 38% of open privacy jobs that are posted on the internet are coming out of Big Tech, despite them laying off all these people. We'll talk a little bit about - as you and I kind of prepared for before this call - the difference between firing people and then rehiring them, just rehiring them as contractors instead of full-time people and how that changes the P&L reports and the ledger and the line items and thus the stock price of an organization, because that's happening a lot right now, too. But, yeah, I think time has indicated to us that every two years we go through this cycle.

Jared Coseglia:

A quick stat just to give you a sense of what happened this year - and we're almost at the end of it: north of 50% (so about 53%) of all the jobs that we've seen filled, including ones that we work on, were contracts this year across the entire privacy ecosystem. That's the first time that contracting on an annualized level has actually exceeded, with the exception of 2020 (pandemic year), full-time hiring.

Jared Coseglia:

So, this is now no longer just using contractors, particularly privacy engineers, when market conditions dictate it; this is now slowly becoming a perpetual way in which programs have to think about talent, and that acquiring talent in full-time capacities is no longer the way all employees will get onboarded into a program, nor is it the most fiscally responsible way for an organization to augment talent. They may not need a privacy engineer to come on board forever. They may need them for a succinct 3 to 6 month project and then phase them out. Now they're able to go to market and find somebody with really specific skill sets that can have the kind of impact they need in that 3 to 6 month window.

Debra J Farber:

So, that actually raises a question for me. In terms of fractional work here, are we talking about full-time work for a small amount of time, like 3 weeks to 3 months, something like that; or does it also include maybe part-time work, 10 hours a week for a year? What are ways that you're seeing the contracting being deployed, whether as like full-on staff augmentation, or are we bringing people on to lead projects and lead the business, even though they're from the outside?

Jared Coseglia:

So the answer is: all of the above. We see examples of what we call "part-time impact," and part-time impact may mean I need someone for three months, 40+ hours a week, have a big impact, and then I phase them out. We also have seen a lot of, what we call, "part-time perpetual," which is "Okay. I don't really know how long I'm going to need them, so I'm not going to set an end date to the assignment. But I also don't know if I'm going to need them 40 hours a week. I may need 10 hours this week, 40 hours the next, zero the next month, then five hours, then 10 hours the next week."

Jared Coseglia:

And we call that Part-time Perpetual, where somebody can come in at a fractional capacity and have a real impact with no necessary end in sight. So, it's not a high-impact project, but rather using an engineer with a specific skill set to have perpetual impact in a variety of projects, just not in a full-time capacity. That allows some of these privacy engineers to then work for multiple organizations at the same time, and that can be really rewarding for the job seeker. A lot of the motivations that we see from privacy engineers who come to us for representation is "I'm bored, I'm kind of working for the same company doing the same thing over and over, and I'd like to work with different people or be exposed to different kinds of opportunities," and this approach really does allow them to do that quite literally.

Jared Coseglia:

But then, there's also what we see as what we call Secondees, which is more to the point I was bringing up earlier of: you lay off a bunch of full-time people, then you hire them back on contract. You're not necessarily hiring the same people back. Quite often they're hiring a less expensive person or people back to replace the expensive people that they let go. But, when they hire somebody back, they may hire them back and have them have the same responsibilities that they would have had as a full-time employee. But, they're not a full-time employee; they're not a direct hire; they're a contractor. Even though they're working direct hire, full-time employee hours, they don't hit the books and therefore affect the stock price and the profitability of the company in the same way that a full-time hire or a host of full-time hires would. So, there is a lot of - particularly in Big Tech - the utilization of contract as a way to keep talent on board perpetually and not part-time, but without being a full-time employee.

Debra J Farber:

I love it. I mean, that appeals to me, for sure. So, I think that that allows someone to have a lot of varied experience at multiple organizations and be able to kind of have a say on what projects that they take on and then not get bored. I think that's huge because in just. . . I think about some operational stuff, like if you're in a large company and you're leading something like the onboarding of data stores to data deletion capabilities, I can tell you from personal experience you might really burn out from how boring that can get. So something like this. You know, obviously I'm thinking operational privacy here, but I can understand and think of examples in the engineering space as well. So, I think that this is a great solution for a lot of people who are just feeling stuck, maybe, in their privacy operations or privacy engineering job. Currently, it doesn't really feel there's enough jobs open for them to move around.

Jared Coseglia:

Well, and not only that, Debra, but it also allows them to maintain their financial status in life, because a big piece of this is that there's a misconception with a lot of, let's just call it, 'older executives' who've got the expectation that when people get fired and the economy is in a slump, that people are going to compromise what they're willing to take in terms of compensation in order to get back to work.

Jared Coseglia:

But what we've witnessed happen, since the Big Tech layoffs of Q4 2022, is that privacy engineers are not willing to take $100,000 pay cuts in base compensation just to get back to work, because they know, like we do, that this will rebound, and likely much faster than things have historically pre-pandemic. So, they can wait it out 18 to 24 months and, in the meantime, do contract. The reality is most of our contractors, who are what we call 'perpetual' or 'lifestyle contractors' that aren't even necessarily looking to go back to full-time work, wind up working 7 to 9 months out of the year and making the same or more money than they would working 12 in a full-time capacity. Now, they may get slightly different benefits. They may not get the equity that they would get at some of the large tech companies. But, they wind up getting a lot more time off. They might wind up making a lot more cash in pocket Day 1 that they don't have to wait to vest at a Big Tech company, and they get the diversity that you just described, as well.

Debra J Farber:

Yeah, I think that's great. I mean, you know, I've worked for consulting firms in the past and the diversity is always there at any consulting firm, most consulting firms, unless they're like a specialized vertical. But, I have felt in the past like I was a 'resource to be deployed' and not an autonomous human. Right? Like, "We've got someone got us this project, our sales team got us this project. We need to match a human to it. You're a human and available, we're matching you to it."

Debra J Farber:

Right? That's sometimes how, at least in the past, I've kind of felt - like I didn't have enough autonomy and flexibility to pick what I want to work on or say, "This is a project we shouldn't have even picked up in the first place because of X, Y or Z." So I do love this flexibility of what you call "part-time, perpetual" work in a contracting setting; it still gives you that sense of "I'm not going to take a job or I'm not going to take a project through TRU Staffing, for instance, if I think the project is going to be boring or if I don't think there's enough buy-in from the executives, or whatever my own personal valuation is of the project." I still feel like I can make self-determination as to whether or not it's a good fit, as opposed to like a consulting firm; you don't always get that choice.

Jared Coseglia:

Well, one of the big differences, particularly with working with my organization versus working at a consulting firm, is that consulting firms go out looking for business and then push people they have on staff into those roles. When working with us, we're going out and looking for contracts that would be appealing to the people that we're representing, who are looking for lifestyle contracts. And you're right - I mean, we used to have a marketing campaign a few years ago that was "take control of your career by being a contractor," because in a lot of ways, moving from full-time job to full-time job lacks some of the control that a lot of very seasoned privacy engineers, or privacy professionals in general, are looking for to stay both satiated and engaged in the work that they're doing day-to-day.

Debra J Farber:

That makes a ton of sense. So, what trends have you been seeing generally when it comes to privacy job seekers, how they're trying to find privacy engineering roles? Also, I guess in the same answer, you can also answer, how do hiring managers typically find candidates for privacy engineering roles?

Jared Coseglia:

Yeah, so this is a big can of worms, but let's go ahead and open it up, Debra. [Debra: Let's do it!] So, let's start with the latter part of your question and then I'll probably ask you to come back and ask me the first part again, because the latter part, I've got some really compelling statistics for you.

Debra J Farber:

Oh, great! Everyone get your pen and paper or get your notes ready.

Jared Coseglia:

The way that most people in corporate America are looking to staff privacy engineering jobs is DIY. And what do I mean when I say DIY, 'DIY staffing?' DIY staffing usually consists of a couple of different avenues with which to pursue. . .

Debra J Farber:

Let me just spell that out for any of the non-native English speakers that. . . well, you actually did spell it out, DIY is 'Do-It-Yourself.'

Jared Coseglia:

Do-It-Yourself, which means you're not engaging a company like me, who's sitting on a bench of talent all the time and constantly increasing that bench. We like to brag that when someone gives us a job order - privacy engineer or any privacy professional - you're getting at least 3 to 5 resumes in 48 hours. Here's what most people are doing with the DIY. They're either posting the job on the internet, on their company website; posting it on a LinkedIn job board, using their own LinkedIn channel to solicit talent; using their internal human resources or talent acquisition teams, many of whom, just like a lot of engineers in Q4 of 2022, got fired because, guess what? If you're not going to hire people and you're firing thousands and thousands of people at your organization, who are you going to fire? Well, you're going to fire the people whose job it is to hire people, and that's your internal recruiters. So, in addition to a lot of privacy engineers getting laid off at the end of last year and throughout the course of this year, so too did a lot of internal recruiters who: A) had a lot of institutional knowledge about the companies that they worked for; but, B) also had a lot of niche subject matter expertise about the specific divisions in those businesses that they were staffing for, a la privacy. Those people all got fired - not all of them, but lots of them got fired - because companies were not planning to rehire for the next 12 months. Then what happens? They hire somebody that hasn't worked at the company before that is going to post the job online and essentially be the lynchpin for sifting through, or parsing through, all inbound resumes.

Jared Coseglia:

Here's the statistic that blows my mind and will probably blow all our listeners' minds. We did an analysis and we went through the last 5 years - and that's thousands and thousands and thousands of applicants. Tens, if not 100,000+, applicants that have applied to jobs that we've posted online. Of all the applicants - and we get 100+ a day conglomerate between all the jobs that we post in privacy - of all the applicants who sent us their inbound resume for a job we posted, only 8% of those candidates actually get those jobs. Only 8%. That means 92% of the time when we're filling a job requisition from a client, it is not coming from someone that has applied to a job posting and thus, we have then reverted their resume and candidacy to our customer. It is coming from a million other sources, like networking at conferences, like hardcore recruiting, like peer referrals.

Jared Coseglia:

Most corporate America is relying on inbound resume submission to fill their jobs, which is why 1 of 3 things is happening: either A) the jobs aren't getting filled because the quality and caliber of the candidate is not matching the desired hire; or B) the right candidate is slipping through the cracks somewhere in the process of parsing resumes, because the human resource professional isn't necessarily an expert on privacy or the company and doesn't know a good resume when they see one; or C) they're hiring somebody who's less expensive, isn't at the caliber that they want, and then 3 to 9 months later, they're having to replace that person because it's not the best hire for the job that they needed, because they're looking at the people that are only winning 8% of the time, not the 92% that are passive job seekers who are relying on experts in the space to broker the next move for their career.

Jared Coseglia:

Privacy Engineers are very calculated about the moves that they make and the kinds of companies that they want to go to work for.

Jared Coseglia:

So, this DIY approach has not only net people being unsatisfied with the talent they're getting, or people missing out on talent because it's not being parsed correctly, or people mis-hiring. It's also led to a lot of people saying, "I'm just going to go contract, I'm not going to look for these full-time jobs because they're trying to get me at a discount, or this person doesn't really understand the nuance of what I do, or my resume got lost in the shuffle." We see that happening day and day again. The net of this is also that jobs stay open for a really long time. We fill an average privacy engineering job in about 35 to 45 days and I see a lot of customers that are trying to do it themselves; and those jobs have been open for 120, 200, 220 days because they're essentially waiting for the right candidate to apply for the job. For the most part - 92% of the time - the right candidate isn't applying for the job. They're waiting for somebody to approach them about it.

Debra J Farber:

When you say approach them about it, are they looking for somebody to see their LinkedIn and reach out and say we need someone who's doing exactly what you're doing but at our company? Are the job seekers actually going to networking events for purposes of job seeking? Or, is it something a little more on the down-low, where it's like "I'm looking but I'm not actively applying"?

Jared Coseglia:

It's a little bit of all of them, but let's take networking at conferences as an example. Most of the people who are hiring managers for privacy engineers are going to conferences and generally socializing with other hiring managers for privacy engineers. They're not necessarily, unless it's a few very choice events, getting surrounded by a pool of potential people that will be subordinates. You go to a lot of these executive leadership conferences and it's peers. It's not necessarily subordinates. So, I don't know how effective that going to conferences has been for leaders in privacy engineering unless it's a very few targeted events.

Jared Coseglia:

Also, because of the pandemic, so many events have moved virtual. One thing that does not translate from an in-person conference to a virtual conference, though I think knowledge sharing and knowledge transfer does, but networking does not. It is not the same getting on a Zoom or getting on a Teams call where you're presenting information that you would at a panel at a conference and then being able to have one-on-one interactions during cocktails afterwards or on the vendor floor the way that you and I did at PSR. It's just not the same virtually, when you have virtual events. Because so many people have moved to that, it's very difficult to recruit without the help of a recruiter on a virtual event. And, add to that - when everybody thought we were going to go into a recession this year and everybody started getting laid off in Q4 of 2022, guess what else got pulled?

Jared Coseglia:

Not just headcount, but budget to go to conferences. Most of the people that you're looking to hire are mid-market, which means 3 to 8 years of experience; and those are the people who lost the budget to go to conferences. You and I are both at PSR. It was filled with a lot of high-end people. It was not filled with what I would consider the masses of the middle market for privacy engineering. It was filled with a lot of sales, executive, leadership professionals with some middle market professionals in there; but those people didn't get the budget to go to these conferences. That's not really been an effective recruitment tool for a DIY approach.

Debra J Farber:

Right. That actually tracks with what I've seen, too. Although, I know there's a Privacy Engineering Section, but I don't feel like IAPP is the champion of engineers or anything. So, it's not exactly like privacy engineers are flocking to a conference predominantly about privacy law, consulting, privacy ops. Right? That's mostly what IAPP is for. While they're trying to capture some of the privacy engineering market and build community around it, I wouldn't say that they've fully succeeded in bringing in those engineers into the fray, where they're spending their precious budgets on going to an IAPP conference rather than engineering-focused conference.

Jared Coseglia:

I also think the engineering managers are smart enough to know not to send their highly desirable employees to go get poached at a conference. I've had a lot of my customers say it outright. "No, I'm not going to send my people to that. Why? So that they can go get poached by one of my competitors?"

Debra J Farber:

That's a fair point I hadn't considered. It makes sense that you would think about that. So, I've seen salaries and job requirements for privacy engineers that are all over the place, right, depending on company size, the type of company, Big Tech versus anything else, based on location, industry vertical. . . . Can you unpack for us why you see these discrepancies all over the place and maybe give us some insight into how salaries are calculated for privacy engineers?

Jared Coseglia:

The first 2 buckets that I think are the easiest to help define the discrepancies in compensation are regulatory scrutiny and business opportunity. Sometimes those go hand-in-hand. If there's an organization that has tremendous regulatory scrutiny - but also tremendous business opportunity by bringing in skilled engineers that can help take products to market or improve the enterprise in a way that drives client acquisition, client retention, or just overall revenue growth - that's where you're going to see inflated salaries compared to peers in the marketplace. For example, if you're a retail company, but you do not use any customer data, you do not repurpose that data, you don't market that data, you're a family company and you are a subscription-based organization, you're not selling ad tech, you may not pay a lot for a privacy engineer because the impact on the business may not be dramatic enough to warrant paying the same amount that a Big Tech company who is making lots of money on ad tech would. Now, by the same token, if you're a bank or a healthcare company who is under tremendous regulatory scrutiny, but may not have the same business opportunity that a Big Tech company has, you may wind up paying a premium for a privacy engineer because the risk associated with a failure to have good privacy-by-design baked into your products or your process could be disastrous from a financial perspective, much less a reputational damage perspective. Therefore, salaries would be increased in those verticals. Now, I'll also say this: this is part of the reason why the birth of privacy engineering in contracting has been such a boon - and will continue to be as we see it for the next 6 to 12 months - is because so many of these companies want to use some of that great expertise that comes out of these highly-regulated companies in their organizations. They just don't need that expertise forever. 
They need it for this moment in time when a new product, or a new service, or an annualized or bi-annual revision to a piece of technology needs updating. That's where the impact opportunity comes in for a contractor. Those are the main driving forces. Look, the other is geographic, and this is something we haven't dived deep into yet, but it's worth mentioning.

Jared Coseglia:

Part of what has changed forever in the workforce is we will not all be required to work in an office 5 days a week ever again. Most companies are pushing for hybrid, and the ones that are pushing for fully in-office are struggling to retain their people with those changes in policy. So, certain people choose lifestyle over financial success, or over the desire to be at a big company and in their office and have the ping-pong tables and the catered lunches and all the other perks that come with going into a campus-like environment - which Big Tech has built a reputation of attracting and retaining talent with - and that may no longer be the cultural appetite for job seekers, particularly in the privacy engineering vertical. Being able to work remotely from home may supersede some of those previous incentives that drove people to go work for organizations. That's a real change in our overall global culture, but definitely in our domestic U.S. culture. I think a lot of organizations are struggling to mandate an in-office policy. Some of them may be doing it, in fact, in hopes that people will quit, because sometimes it's easier when people quit than it is to fire them and pay severances and buy out employment contracts or whatever the case may be, and instead get people to quit and then you don't have to pay unemployment either. But, a lot of people will say, "Listen, I'll take $10,000 or $20,000 less a year or on this contract in order to be able to work remotely from home and have the flexibility I'm looking for, and that's a bigger priority than even base compensation."

Jared Coseglia:

The number one motivator for job seekers for the last 3 years in a row has been remote work-from-home flexibility. So, when candidates come to us for representation - and we probably talk to 50 to 60 different candidates a day across my organization - we always ask them, "What's motivating you to consider seeking opportunities?" The #1 motivator for the last 3 years has been remote flexibility, because of either companies changing their policies or people wanting more flexibility; and, the #1 way to get people to quit is to change your work-from-home policy. That can go in a lot of different ways. Right? It doesn't just mean 5 days or no days. You could be working no days in the office and your company says you've got to come in 2 to 3, and now you have a whole segment of your employee population that is going to go looking for work because they do not want to come in 2 to 3. You could be 2 to 3 days a week and say now you've got to come in 4 to 5, and you will have a segment of your population that is going to go look for employment elsewhere because they do not want to adhere to those in-office policies.

Jared Coseglia:

Keep in mind, a lot of these engineers, who are making solid salaries, often well north of $200,000 a year in total compensation, if not base compensation, moved further away from the epicenters of the pandemic during 2020 and 2021. And, they're not moving back because the cost of living is too high, especially when they're not getting paid, if they were laid off, the same guaranteed base compensation that they were prior to the pandemic. So, this has also created a tremendous amount of dissonance in the marketplace; and, yes, people will have to pay a premium to get people who are not currently working in an office to decide they're going to change their lifestyle and start coming into an office.

Jared Coseglia:

"Before 2020, we were paying you this, and now I have to pay you 20 to 30% more to get you to come back into an office that you were comfortable coming into prior to the pandemic." Well, I hate to break it to you, but yeah; yeah, you are, and that's about the percentage of increase in base compensation or hourly rate that a contractor or a full-time employee - whether it's privacy engineering or any other kind of privacy - asks for when they say, "Okay, I'd be willing to go into an office, but I need to see my compensation go to this level." To even consider it, it's about 25 to 30% more than whatever they were making before.

Debra J Farber:

I can understand that, too. I mean, I don't want to just say that priorities have changed, but I think people have realized during the pandemic, and being remote, that there's a certain power that they have there. Like, "Hey, I could do my job remote. You as my manager now know that because you've seen it happen, and I'm efficient and it's good, and you want things to change and me to come back in,

Jared Coseglia:

Well, and not only that, but companies have always been able to bank on, when things go into recession or seemingly into a recession, job seekers who are out of work or willing to take less than what they were making in order to get back on employment. That's not the case anymore. It's just not. They'd rather go contract and they'd rather wait out the market. And you know, we're not talking about people who are making $50,000 a year and need to put food on the table making money somehow. We're talking about people who are making hundreds of thousands of dollars a year, generally speaking, and these people can wait it out 6, 12, 24 months to see if the market rebounds and take that gamble.

Jared Coseglia:

There are plenty of contracts available in the interim, and there are going to be even more next year, because the reality is people have not won the battle of getting sufficient headcount to grow their programs, specifically in privacy engineering, even in 2022. The E&Y IAPP report says they only grew by 12% in 2022, and this was the busiest year in my company's history for data privacy staffing. We placed more people in 2022 than we have any other year; and even that indicates that there wasn't enough growth in privacy programs to really meet the demand of what the business needs from privacy professionals. And, that's gone down, not up, in 2023.

Debra J Farber:

So, I was going to ask you what your predictions are regarding the privacy engineering and privacy operations job market for 2024 and beyond. You started to answer some of that before I even asked the question, and started to talk about what you kind of see for the future a little bit. But, I want maybe a fuller answer, because you were waxing philosophical, and now I would love for you to make some predictions. What do you foresee, and what kind of advice would you give to folks looking for privacy engineering roles based on your predictions for 2024?

Jared Coseglia:

Yeah, so I'll start with some stats that kind of drive the predictions that we've been making, one of which is nearly 82% of all open job requisitions in 2023 have been in corporate - meaning not in law firms, not in third-party consulting firms, and not in software companies. I think software companies were probably hit the hardest during the down economy and laid off the most amount of people. OneTrust laid off, I think, a fourth of their staff, something like that, or an eighth of their staff. What we've seen is, you know, they haven't hired them all back. They're running much leaner, and so a lot of these opportunities are in corporate and they're in programs. As that increases, the amount of opportunity to go in-house in privacy increases, and it is putting increased pressure on the people who work at law firms and consulting firms and software companies to do more with less, and that includes fewer people. So, the quality of life for a lot of people working at law firms and consulting firms and software companies over the last 12 months has really deteriorated; and a lot of people coming out of those verticals are coming to us saying, "I am burnt out and I want to go in-house because I do not have the resources (in terms of human capital) to sufficiently service my customers, and so I'm really working the job of 2 to 3 people." What we're going to see is continued attrition from those employer verticals into corporate America, in addition to the increase in corporate America getting buy-in to attract and retain that talent, whether it's in a contract or a full-time capacity. 
So, in terms of a prediction, I think what we're going to see is more people bringing privacy engineering in-house, leaning a little less aggressively on outside third parties to help them with those agendas because, quite frankly, they can't get the service; or they're not getting the quality of the service they want; or it's taking too long for them to get the service, which is also why people are coming to us aggressively to hire contractors.

Jared Coseglia:

Hey, we didn't talk about this earlier, Debra, but one of the differences between contract and full-time hiring is speed to hire. The average timeline for placement for a contractor in privacy is about 14 days right now, and in Q2 of 2022, in the peak and height of the hiring frenzy, it was 7 days, so less than a week. So, if you're looking for someone to come and impact your program as a privacy engineer, it'll take you 14 days or so with my organization to get somebody hired from the time we send a resume to the time somebody gives a verbal acceptance. That's what we call 'speed of hire.' But, if you're trying to DIY staff it yourself and you're trying to hire it in a full-time capacity, and you're 30% to 40% below market of what people want in terms of compensation, and you don't know how to parse resumes that come inbound to your organization and that's the primary means with which you're trying to recruit, your search could stay open for 200 - 300 days. I mean, I know a couple of big household name companies that have had the same job open the entire year, and at a certain point they're either going to lose that headcount or they're going to have to engage a third-party agency and stop being penny-wise, pound-foolish about paying an agency fee to get that person hired; or they're going to have to turn to hiring a contractor because eventually the work has got to get done. As I like to say, over the next 6 to 12 months, "the levee is going to break, and it will break right around Q4 of 2024." And that's when we're going to see competition increase dramatically, and when competition increases dramatically, so do salaries. That's what we saw in '17 and '18. That's what we saw in '21 and '22. That's what we're going to see in '25 and '26: lots of people needing to hire because they waited 2 years to do so; lots of people coming to market; lots of competition. You're not going to always get your first candidate. You may not get your second candidate. 
Job seekers being able to entertain 3 to 5 full-time offers, as opposed to 1 or 2, which is what it's been more like this year.

Jared Coseglia:

A quick sidebar: the 'offer acceptance rate' is one of the things we track here at TRU, meaning if a job seeker gets multiple offers, which one do they take? What we found in Q1 and Q2 and Q3 of this year is that nearly 80% to 75% of people were taking the first offer that they received. So, if you were fast, if you were quick, you were more likely to get a yes than if you took your time. Now, part of that is because job seekers weren't getting a second, third and fourth offer. But, if you go back to Q2 2022, when we were at the peak of post-pandemic hiring, only 45% of the job seekers we were working with were taking the 1st offer they received. They were waiting to get that second. They were waiting to get that third, sometimes a fourth and a fifth, either to use as leverage against the one that they really wanted or because they thought they could get a better offer later on. People haven't been thinking that way. People right now generally - 3 out of every 4 - are taking the first offer they receive, if they're an active job seeker.

Jared Coseglia:

So, going to market now and being fast is going to give you a competitive advantage. You may not have that same advantage in '25 and '26, when competition increases, when salaries then also increase and inflate as they did in 2021 and 2022. I mean, look, according to the IAPP Salary Survey, people got raises to the tune of 7%, which is the highest year-over-year percentage of raises. This is not moving jobs; this is just staying in the job you're at. A 7% increase is almost unheard of. The average is somewhere between 2% and 3%, but the point-of-hire salary increase in 2022 for mid-market (between 3 and 8 years) was between 20% and 40%. So, that's probably what's going to happen in 2025 and 2026. If you're looking to get great talent accepting quickly at a reasonable price, my advice is go to market now and get the budget and buy-in that you need now to hire in 2024 before things get crazy again.

Debra J Farber:

That's actually perfect timing. We're at the end of this year. I know it's usually October for a lot of companies, maybe November, where they're looking to get their budgets approved for next year towards the end of one year and the beginning of the next. So, that's really great advice. I had intended on asking you later what words of wisdom you might want to leave the audience with, but I think that's actually a really good one: plan for next year now. I'm not sure if we actually covered this, but what are some of these annualized compensation ranges that you've been seeing this year? Obviously they're all over the place. But then next year, given what you're seeing and like what you said - you saw 7% raises to stay in the same job for instance - what do you think 2024's compensation ranges would be? To stay the same?

Jared Coseglia:

Well, I can categorically tell you we're not going to see a 7% bump in raises for people between 2023 and 2024.

Jared Coseglia:

[Debra: I think that makes sense.] They're not going to get big raises, if they get raises at all. So, if you want to make more money - as always, but certainly this will be exacerbated in this annualized cycle - you're going to get more money by changing jobs than you are by asking for a raise. Having said that, I still think we'll probably see low single digit raises across the board in privacy, because privacy people are valued and they are unique and they are special in the ecosystem of corporate America. But I think, in terms of salary increases, what we saw in 2023 as a counterpoint to 2022 was about a 12% to 24% increase at the point of hire. So, despite it even being a down economy, job seekers are still commanding 12% to 24% increases in base compensation compared to what they were making in their current positions, which is still a very sizable increase. That's mainly for people in the 3 to 8 year window. What I would say in terms of salary ranges is it really depends on industry, and you have to look at both base comp and total compensation. With the Fortune 500 - and there are outliers that are exceptions to the numbers I'm about to give you - and Big Tech, if they're not in the Fortune 500, though most of them are,

Jared Coseglia:

we're seeing anything for privacy engineers between $175K and $300K on base compensation.

Jared Coseglia:

But, those total compensations, depending on the size, scale, and complexity of the role - whether they're managing people, processes, technology, or all of the above - can range anywhere from $250K total comp to $600K a year total compensation. When we move into banking, or financial banking and brokerage, or healthcare or healthcare tech, it's less by about 25% to 30%. So, we've seen engineers anywhere from $130K, $150K base all the way up to $200K, $225K. Total compensation at a bank: sometimes you can double your base at a bank, but usually it's somewhere between a 25% and 75% bonus on top of your base. So, somebody making $150K might make $300K, might make $225K, $250K; it really just depends. Then, I think we go into this next tier, which we'll call telecom, food services, retail. Those engineers often can make similar to big banking and healthcare on the base, but often do not see nearly as lucrative of a bonus. So, base salaries can range anywhere from $130K to $200K in those areas, but often the total comp hovers around $160K to $250K on those low and high ends.

Debra J Farber:

That's fascinating. I was sitting there just taking in those numbers and thinking about my own experience working in different verticals. I guess I could see why some of the highly-regulated verticals would pay a little more, given how, if you're a payment processor or a bank, you need to have high fidelity of your data. There are just a lot more regulators that are breathing down your neck. I could see why there'd be a willingness to pay more versus retail, which has a lot of privacy issues but might be a little more immature when it comes to compliance and engineers that are integrated into the compliance life cycle, so to speak.

Jared Coseglia:

I think that's very accurate. I would also add that when you start hybridizing those industries, for example FinTech or healthcare tech, that's where you start to hybridize those salaries, too; and certainly a healthcare tech company is going to pay more than a healthcare company. A FinTech company is probably going to pay more than a bank. I would also add this: the volume of jobs is going to be bigger in Big Tech - despite the salaries maybe seeming aligned - than it is in the banking, brokerage, and healthcare space. You just won't see the same number of human beings doing privacy engineering in the healthcare community as you will in the technology community. So, the amount of jobs available is very different, even if the salaries are somewhat aligned.

Debra J Farber:

Yeah, it's also making me think about the privacy regulations that kind of drive these things. HIPAA doesn't have as much uncertainty in it. There are processes and ways of addressing risk in privacy and security that are very specific in HIPAA; and where you see something like GDPR, there are a lot of requirements there but some of it is principle-based, and then it needs a lot of legal interpretation. Because it's still such a new global framework that businesses are trying to deal with, there's a lot more uncertainty about whether or not approaches are correct or will stand up to legal scrutiny.

Debra J Farber:

So, I could see that it'd be easier to maybe scale something in the healthcare space without as much risk. You can quantify it better without as much unknown risk, I guess. I could wax philosophical. You just have me thinking about my own background in different industries and so I'm just thinking about them as we're talking today. As we near the end of this year, what's your advice for privacy engineers who will seek contracting roles in the new year to best position themselves to hiring managers?

Jared Coseglia:

I'll give a twofold piece of advice, the first of which is AI is going to have a very dramatic impact on how engineers - any style or fashion, much less privacy - are valued; and so, understanding the complexities of AI is going to be a differentiator that both commands a higher salary and, over time, will broaden the amount of opportunity that you will be competitive for.

Jared Coseglia:

So, understanding whether it's regulatory frameworks or best practices or competitive intelligence or creative ingenuity, baking AI into your knowledge base is going to be advantageous. It remains to be seen how or when, but I think that inevitability is nigh. The second piece of advice and guidance I would give privacy engineers when seeking jobs is you've got to focus, both on your resume and in interviews, on talking about what you've done, not about what you know. Where we often find our privacy engineering candidates faltering or not getting the jobs is because too much time is spent during the process, either on paper or in person, speaking about the hypothetical instead of talking about the actual and the practical. People really want to hear what you've done, how you've done it, and what your process is or was on those projects; and I think engineers - particularly privacy engineers who like to wax poetic - often talk about the things they know and not the things they've done, and that's where things tend to get off track in the interview process. So, really focus on good storytelling that is historical and not hypothetical.

Debra J Farber:

That's really good advice. Thank you. What resources do you recommend for privacy engineering job seekers? I know you have some resources through TRU Staffing. Are there ones you'd like to direct people to?

Jared Coseglia:

We have a ton of resources. We have our Annual Data Privacy Jobs Report, and that gives you insight into Speed of Hire. That gives you insight into Volumes of Jobs and what industries they're in. It gives you insight into Point of Hire Compensation, which is very different from the IAPP Salary Survey - which we sponsored and co-developed this year with the IAPP - because all of that is what people tell you they're making. Our data really comes from what we're actually placing people in, or what we know people are accepting in terms of offers, and those numbers are very different.

Jared Coseglia:

So, I would check that out. Our Annual Data Privacy Jobs Report comes with lots of valuable information and market intelligence about what's happening in our community. If you've never been a privacy contractor or you've never hired privacy contractors, we have tons of resources available about what you can hire, what's available out there, how you can silo your experience to become a privacy contractor, and how to maneuver in the ecosystem as a contractor or as a hiring manager looking to hire contractors. You can find all of that at trustaffingpartners.com. It's all available there and free for all to consume.

Debra J Farber:

Awesome. Thank you so much. I'm going to put those resources, links to that, in the Show Notes so that everyone has access to them. Do you have any closing words of wisdom you'd like to leave everyone with today?

Jared Coseglia:

Privacy is an amazing industry. It's an amazing community. If you've found your way into it, either by accident or deliberately, you're blessed. Don't leave. We need you. There's high demand for your skill sets. Thanks for having me, Debra. I really appreciate it.

Debra J Farber:

Oh, it was my pleasure. Thank you so much for joining us on Shifting Privacy Left to talk about contracting for privacy engineering roles. Until next Tuesday, everyone, when we'll be back with engaging content and another great guest or guests. Thanks for joining us this week on Shifting Privacy Left. Make sure to visit our website: shiftingprivacyleft.com, where you can subscribe to updates so you'll never miss a show. While you're at it, if you found this episode valuable, go ahead and share it with a friend; and, if you're an engineer who cares passionately about privacy, check out Privado: the developer-friendly privacy platform and sponsor of the show. To learn more, go to: privado.ai. Be sure to tune in next Tuesday for a new episode. Bye for now.
