Matthew Goodbun | Senior Privacy Consultant, BSI
Tell us about your journey into the industry.
Initially I had career aspirations to become a museum curator and have undergraduate and postgraduate degrees in History of Art and Anthropology. When I concluded that I was not in a financial position to pursue this, due to the prevalence of unpaid and low-paid work concentrated in larger cities, I made the decision to build my way up in a new direction, working in a local government contact centre. I became interested in welfare reform and information governance, progressing into different roles, completing tasks and supporting projects related to compliance with Freedom of Information and Data Protection laws.
I then completed a Project Management apprenticeship and have continued to study and gain professional qualifications related to Privacy, Data Protection, and Information Security as my career has progressed. I moved from local government to a technology company providing software to the public sector, progressing into a leadership role responsible for managing a global privacy program. This involved developing training courses, raising awareness, implementing privacy standards, and managing the practical and operational application of requirements around governance, risk, and compliance.
Tell us about your current role.
In my current role as a Senior Privacy Consultant, I work at BSI, the British Standards Institution. BSI is the National Standards Body, which also provides consultancy, including Digital Trust Consulting. Digital trust is the confidence individuals have in the ability of people, technology, and processes to create a secure digital world. It is given to companies that have shown that they can provide safety, privacy, security, reliability, and data ethics with their online programs or devices. To address this new era of digital trust, BSI has expanded its consulting practice beyond cybersecurity to take on broader questions around digital trust, helping organisations address everything from digital supply chain risk to the ethics of artificial intelligence.
As part of the Digital Trust team I provide privacy advisory services to a wide range of organisations, big and small, public and private, that operate across multiple countries, requiring compliance with different data protection laws. Depending on the maturity of an organisation’s data protection framework, they may need support implementing additional standards and best practice, moving beyond the regulatory requirements to meet the needs of the organisation and the expectations of their customers, where they have decided to take proactive steps to embed privacy in their culture and strategy.
I advise and guide organisations to ensure that they have the right processes, procedures, and mentality to consider the protection of employee, customer, and citizen personal data as part of business as usual. This involves translating regulatory requirements into practical and actionable tasks that can be implemented to make sure that the right organisational and technical controls are in place to protect individuals from harm, and to protect an organisation’s reputation by minimising the likelihood and impact of an incident involving personal data that could cause an individual harm due to their personal data being unavailable, inaccurate, or accessed by those that shouldn’t be able to see it.
To varying extents, depending on our lifestyles, preferences, and attitudes, we all value our privacy; it is a human right, and our constant interactions and transactions with organisations through apps, websites, and services to manage our daily lives generate a continuous stream of data. Much of that data, depending on the context, will be personal data if it can directly or indirectly identify us, so it is vital that every organisation that holds it is doing what is required by law to protect it, and to protect us from harm. My role is ultimately about risk management, specifically related to how an organisation manages the way they handle personal data and having the right governance and culture in place to ensure that it is appropriately protected, preventing reputational damage to organisations by minimising harm to individuals.
Salaries vary according to the size and complexity of an organisation, whether the role is in-house or consultant, as well as the seniority of the role. As with all Cyber Security specialisms, there is the opportunity to progress into well-paid roles in Data Protection and Privacy.
What does a typical day look like?
I work remotely with a range of organisations in industries including healthcare, government, charity, and technology across different countries. A typical day will involve a combination of virtual meetings and the delivery of specific tasks and actions related to an organisation’s requirements. This can vary considerably but will generally involve answering queries in the role of an external Data Protection Officer (DPO), as required under GDPR, undertaking gap assessments, maturity assessments, and impact assessments, or providing breach response support. My core hours are 9 to 5, but there is flexibility to meet earlier or later depending on the locations and time zones of meeting attendees, and also to support any personal commitments. There is some travel involved to the offices of organisations, team events, and industry conferences in the UK and Europe, as well as the potential for international travel.
What are your career goals/plans for the future?
Where would you like to take your career next? What’s your ultimate aim?
My intention is to establish myself as a consultant, gaining greater experience and insights by working with more organisations, in more countries, on complex privacy programs. Further in the future I would like to progress into more senior consultancy roles, and perhaps at some point, move into a senior leadership role. I hope there will be plenty of options available to take my career in different directions depending on my professional and personal circumstances and preferences.
What is the best thing about working in the cyber security industry?
I enjoy interacting with a variety of people from different departments, organisations, and industries across the world, each with their own specific requirements and opportunities to build and maintain their compliance with regulations and standards, and continuously improve their level of maturity. This makes an organisation more effective, efficient, and resilient, and helps them to provide a greater level of protection so that if the worst does happen, then there are controls in place to minimise the harm that can be caused to individuals. The variety of different tasks and the ever-changing regulatory landscape and technological advancements means that you are always kept busy, gaining more experience and new knowledge.
It is particularly rewarding to see the positive impact that the appropriate guidance and frameworks can have on an organisation’s culture and on the improved protection of personal data by considering and mitigating risks at the right time. The best thing about working in Data Protection and Privacy is ultimately that the work we do as part of the Cyber Security industry has a specific focus not only on protecting an organisation’s data, but on protecting individuals from the harm that can be caused by a breach involving their personal data, and on the added value that prioritising the preservation and protection of privacy can have for an organisation.
What advice would you give to others thinking about pursuing a career in cyber security?
Don’t assume that you won’t fit, and that there isn’t an appropriate pathway for you and the interests and skills that you already possess. ‘Cyber’ and ‘Security’ can seem like overly technical and intimidating words, but look beyond those words and think about who you are, what matters to you, and the type of work that is best suited to that. Read other case studies, reach out to people working in the roles you are interested in, and take a look at the UK Cyber Security Council Career Mapping Quiz to get you started and make you realise just how varied the specialisms are, and how you can pursue your career in the cyber security industry.
I certainly never imagined that I could successfully and naturally pivot my communication and project management skills into a Cyber Security career. There is something for everyone and there is no ‘right’ way to get into cyber security, or mandatory set of skills that you need to possess. You can think differently about your current experience, leverage your existing abilities, and grow your knowledge and understanding through practical experience, which can then be complemented by courses and qualifications where personal and professional circumstances allow.
What would you say are the 3 most important skills you use in your role, and why?
Curiosity – never assume, actively listen, ask questions, and continuously learn
Communication – know your audience, use the right methods, and ensure understanding
Consideration – of organisational culture, stakeholder needs, and potential impacts
What do you think we could do to encourage more people into a career in cyber security?
More outreach, awareness, and communication that a Cyber Security career is open to all, no matter where you are in your professional journey. With the right application of existing knowledge and skills, anyone can gain the experience and develop the understanding to find a path to suit them. Make sure that entry-level positions have appropriate requirements and job specifications that focus on the transferable soft skills that can be moulded and built with the right support and development pathways, rather than an arbitrary insistence on an unrealistic number of years of relevant experience, or on specific professional qualifications.