FireEye Tackles Global Privacy
New Privacy Officer to Implement Data Protection Initiatives
FireEye has just appointed a privacy officer and handed him a big mission: Launch a new global privacy program. What is Shane McGee's strategy for this new role, and what will be his top challenges?
Formerly the general counsel and vice president of legal affairs at Mandiant, acquired earlier this year by security solutions vendor FireEye, McGee is charged to lead a new global privacy program to establish data protection standards and lead industry improvement initiatives.
McGee sees his role as three-fold: Ensuring privacy is built into FireEye's security products; educating FireEye employees about privacy; and then ensuring transparency when dealing with customers, partners and government regulators.
"You can have all the best policies in the world, but unless you communicate those policies effectively and tell your customers what you're doing with their data, then it's not going to engender the trust that you need," McGee says. "Creating that transparency and communicating our privacy practices, our data handling practices, to our customers is very important."
In an interview about his new mission as chief privacy officer, McGee discusses:
- The scope of his new global initiative;
- The challenge of navigating disparate privacy regulations;
- Career paths for privacy pros.
McGee has worked as a practicing attorney in the areas of data privacy and security law for 15 years. He headed SNR Denton's (now Dentons) U.S. Data Protection practice prior to joining Mandiant as general counsel in 2011. Over the course of his career, McGee has counseled some of the world's largest technology companies on privacy and security issues; represented companies in front of the FTC and other regulators charged with protecting consumer privacy; drafted hundreds of data protection policies; responded to security breaches; and advised clients on how and when to notify customers when a breach occurs. Before becoming a practicing attorney, McGee was a programmer, consultant and instructor. He is a Certified Information System Security Professional (CISSP).
TOM FIELD: Why don't you outline for us what the mission is with this new role please?
SHANE MCGEE: FireEye already had a very good privacy program, to the extent that there were good policies that covered FireEye's products and services. Probably one of my first goals in this position is to review those policies and revise where necessary, to make sure that they keep pace with our rapidly evolving security offerings. As you know, we've introduced a number of new products and services. Every time we introduce something new, be it a feature, product or a service, we need to revisit our privacy policies and ensure that everything is consistently promoting our message.
Another part is educating our employees to make sure that they comply with those policies. The culture of security at FireEye is fantastic in making people understand that privacy needs to be a large part of that, and we need to take those obligations seriously. [What I'm doing is implementing] an ongoing program to educate employees and make sure that awareness is a very important part of any privacy program. Also, creating transparency for our customers. You can have all the best policies in the world, but unless you communicate those policies effectively and tell your customers what you're doing with their data, then it's not going to engender the trust that you need. It's not going to give them any comfort. Creating that transparency and communicating our privacy practices, our data handling practices, to our customers is very important. I like to boil that down and say, "Do what you say, and say what you do." It really is that simple in that regard.
Lastly, engaging with regulators, boards, councils and other official bodies both in the U.S. and overseas is incredibly important. There is a lot of sensitivity on the privacy side in Europe, especially when it comes to U.S. companies. The best way to take the distrust that flows out of that and replace it with more trust is to engage regulators and government entities and talk about it. Tell them exactly what you're doing, and more importantly, what you're not doing.
Regulators vs. Employees
FIELD: Which is the tougher communication challenge, with regulators or employees?
MCGEE: I'd have to say the regulators. There really is so much distrust, especially in some areas of the world right now. It's not impossible. We've had very good, constructive discussions with European regulators; sitting down talking to them about things like information sharing, how sharing various intelligence can be very helpful to protect their citizens. But it's difficult. The Snowden disclosures and other incidents have made that hard.
FIELD: What's your most relevant experience that prepares you for this new role?
MCGEE: I've been practicing in privacy law since the late 1990s, when I was a young associate at a large law firm. I was pulled into a lot of very interesting privacy issues, mostly because I had a passion for technology. Privacy always involves some type of new technology that a lot of more traditional attorneys don't comprehend like they should. I was lucky enough to be pulled into those important cases early on. It was important to practice at a firm because I got a large variety of cases pulled from every industry, and dealt with all types of online and offline information privacy issues. Also, I got to deal with a lot of security issues that came along with that. Just being able to speak the language gave me a lot of opportunity to be assertive on a number of cases.
Global Privacy Program
FIELD: How do you intend to carry the global privacy program out in so many different regions?
MCGEE: It's a different strategy for each constituency. When it comes to employees, my current strategy is to be as accessible as possible and make sure to insert myself everywhere I can in the company. One of the things I'm doing is moving out from the Washington D.C. area to Milpitas, where FireEye's headquarters is, so I can be involved in more important meetings. I get to sit in on discussions about new products and new features before they're implemented. So, I can help them implement the concept called Privacy by Design.
Privacy by Design makes sure that privacy issues are considered early on in the design process, so you can make small changes if you need to accommodate privacy issues and make sure you're doing what you're communicating to customers, without having to go back later, which delays products and makes things very expensive. Being out there and involved in those discussions is probably the best way to conquer that. Also, trying to become engaged and involved in different industry events. Making sure to be involved on customer calls where there is anything approaching a hint of a privacy question; just being fully forthcoming and transparent there. Engaging customers at events and conferences, and trying to get speaking engagements. Just getting yourself out there and making sure that people understand that you are, A, accessible and, B, willing to tell people the unvarnished truth about your practices. Offering them that level of transparency is the best way to accomplish that.
Culture of Privacy
FIELD: How would you describe the culture of privacy at FireEye?
MCGEE: The culture of privacy at FireEye is really good, and a lot of that comes from the fact that so many of the professionals at FireEye have such a root in the security field. Now, privacy and security are two halves of the same coin. People that understand security generally have somewhat of an understanding about privacy. They are different though, and what you don't want to do is assume that all your security professionals who take security seriously automatically know how to comply with privacy policies, know what's important to customers from a data-handling perspective, things like that. So a lot of times [I insert] myself on the security side a little bit and then change the conversation over to privacy issues to educate people. It helps that I have a security certification as well, so that I can get myself invited to those conversations in the first place.
FIELD: What's your philosophy on where privacy belongs in the security discussion?
MCGEE: When people talk about the tension between privacy and security, that's a legitimate argument. For example, you're an employee of a large company. That company and its security officers and employees have to have full visibility into what you're doing so that they can maintain the security of the company. By having that visibility, some people would say you're sacrificing a level of privacy. I would say that visibility doesn't necessarily end your privacy. It is how the company handles that visibility, whether they abuse it or restrict themselves to use it only in certain ways and actually abide by those restrictions. That's what determines whether there's tension between privacy and security. How the party that has transparency into that visibility, into what you're doing, treats that authority. If they set certain guidelines, strong privacy policies, and comply with them, then I don't think there is necessarily a tension there. When you talk about privacy and security as part of the same discussion, it really is. When you break it down, privacy is how you try to handle or prevent misuse of information that you have by internal employees or contractors, by internal forces. Security is trying to protect the same exact information from external forces. It should always be part of the same discussion. I've talked to a lot of privacy lawyers over the years that really don't understand or acknowledge security as a very important part of it, and brush it off as something someone else needs to handle. But I truly don't believe you're doing your job as a chief privacy officer if you don't have a good working knowledge of security. In my case, [I have] a very close relationship with our chief security officer, Greg Rosin, and that helps me do my job better.
FIELD: What sort of challenges do different regional nuances when it comes to privacy regulations and legislation present to you?
MCGEE: In Europe and elsewhere, they do look at it from a very different angle. There are more layers of protection in making a promise and keeping with it. There are several different levels of regulation and bureaucracy you need to cut through to be able to do business in those areas if you are a part of that business collecting and processing consumer information. One is not necessarily better than the other. I just want to make sure that people understand that the U.S. does have an effective privacy regime. It's just very different than what is used and promulgated in Europe.
The challenges are great. The best way to address those challenges is engaging with regulators and the EU, and elsewhere. Making sure they understand what we are as a company, what we do with data, and what we don't do. Shining that light on it, making it very clear with the benefits of what we do. Once the current cloud of the Snowden disclosures and other things blow over, it's going to be a lot easier going.
Taking Privacy Seriously
FIELD: What do your European colleagues tell you when you tell them that the U.S. takes privacy seriously?
MCGEE: My colleagues that are privacy attorneys or professionals, they understand it. They know that is the truth. That it is a matter of perspective and different ways of handling it. There have been some big cases and big fines here on privacy issues. I will say that those that aren't as steeped in privacy do sneer at that comment. They are absolutely convinced that the U.S. is just a wild west when it comes to privacy rights and that we're not doing anything worthwhile. There is unfortunately that element with them, and it comes down to education and engagement. We have to prove to them that's not the case.
FIELD: For someone that wants to enter the profession and make a difference, what advice do you offer them?
MCGEE: When it comes to privacy, the best career path is still through law school. If you're lucky enough to get into a large firm that has a strong privacy practice and is willing to let you be a part of it from the beginning, that's a fantastic path to take. I was incredibly lucky to be able to do that. There are also a lot of smaller boutique firms. It would be a little bit easier in the long run to get involved with one of those firms. But if you want to practice privacy law and you're not steeped in technology, then you're going to be at a disadvantage. You need to understand the technology. You need to be a hobbyist on the technology side, at the very least. Follow both paths, and where they converge is the sweet spot for future privacy professionals.
FIELD: What do you recommend in terms of a security background for privacy professionals?
MCGEE: CISSP is a very good start. The reason I got that certification was so I wouldn't have to walk into a room and spend five minutes explaining to the security employees so that they would take me seriously from a technology and security perspective. This at least lets me walk in [like], "We know he has at least this level of knowledge when it comes to the technology and security." That is important for lawyers, because so many people assume that attorneys have no technical knowledge. The certification is both good because it forces you to sit down and learn some of it, but also it just cuts the conversation short and you don't have to prove to people what you're talking about when you walk into a room.