Grailcast

Ep. 13

Timothy McIntyre,

VP, AGC - Privacy & Product at Okta

Apr 13, 2021

Timothy McIntyre shares how privacy requirements have evolved in product organizations, the impact a dynamic workplace has on privacy, and how Okta customers use privacy as a competitive advantage.

Text Transcription

Daniel Barber  0:15  

Today, we’re delighted to welcome another industry leader in privacy, Tim McIntyre. Tim is the VP and Associate General Counsel for privacy and product at Okta, and also serves as Okta’s DPO. Welcome, Tim.

 

Tim McIntyre  0:26  

Thank you, Daniel, for having me. Indeed.

 

Daniel Barber  0:29  

So I’ve really been looking forward to this one. We did, you know, a session with the team over at Tech GC last month. And so, you know, after that successful event, I thought, you know, I’d love to have you on the show. Just give us a little introduction of how you got to here and why Okta?

 

Tim McIntyre  0:45  

Yeah, sure thing. And it’s good to talk with you again. I head up Okta’s global privacy and product legal team and work in San Francisco. And before joining Okta, I was at Salesforce, also on their privacy and product team. And I’ve been fascinated by law and technology, and really the internet, since the early 90s. I think I got my first email account back in 1993. In my first job

 

Daniel Barber  1:13  

in Yahoo, or an AOL What was I have to die?

 

Tim McIntyre  1:17  

I think my first email account was CSUA, which was computer science undergraduate associate, berkeley.edu, way back in the day, and then I got my first job in Silicon Valley in ’96 at Sun Microsystems. Wow. Yeah, I remember working on those old Sun boxes, you know, running Solaris and the SunOS Unix variants back in the day, and just being in the Valley at that time, there was so much boundless optimism about what was going to be accomplished and what developers were going to build. And obviously, in 2021, the world is quite different, in many ways for better, and in some ways for worse, but I still draw so much of my own optimism from advances in technology, especially these days. And I really think that the massive project of truly solving identity on the internet, you know, with everything that goes along with that, is one of the great challenges of our time. And working in that space at Okta is what makes it exciting to get up and go to work every morning.

 

Daniel Barber  2:27  

Yeah, that’s awesome. Well, I definitely share that optimism and share the excitement to solve the problem. You know, I found your background particularly interesting. We were kind of talking about this earlier, you know, given your time at Okta and Salesforce, and specifically in the product group, you know, working privacy first, product sort of second. Just curious, like, how have you seen product organizations evolve and sort of change, given the, you know, increasing requirements that we see from a regulation standpoint?

 

Tim McIntyre  2:57  

Yeah, I think many organizations, especially those in the enterprise software as a service space, view the privacy counsel and product counsel work as two sides of the same coin. We had that view at Salesforce, and we do at Okta as well. And by that, I mean, if you’re providing a cloud service to your customers, and you’re processing personal data on their behalf, then your product has to take privacy considerations into account as it’s being built and iterated on over time. So yeah, ideally, you want the product teams to take privacy into account at every stage of the development process, you know, from ideation to architecting, all the way to QA. And then, you know, beta release and on into production. I also think there’s a growing appreciation across product organizations for the important nuts and bolts work that stems from legal requirements set forth in the GDPR and other privacy regulations. So for example, data deletion can seem somewhat unglamorous. But it can be a pretty hard problem to solve, especially when you think about the need to delete data, not only in your own systems within defined timeframes, but to waterfall those deletion requirements down to your processors and subprocessors. And then to operationalize all of that so that it can scale. And, you know, to make that happen effectively, I think it helps to have privacy champions within stakeholder groups across the organization that the privacy team can partner with. But I think your point is well taken, the point that’s kind of implicit in the question, and the idea that there’s real collaboration that can lead to meaningful and helpful outcomes for a company when you have product and privacy working very closely together.

 

Daniel Barber  4:55  

Yeah, it’s interesting that you sort of describe a couple of points there of just, you know, privacy working within the product development lifecycle and really being a connected piece as, you know, product is delivered, right, ultimately to the customer. Yeah, we see that as sort of a successful path with the customers that we do work with in enterprise SaaS. And that extends even into, you know, other industries as well. Along those lines, right, I think Todd at Okta has been pretty pragmatic in his description of, you know, the changing workplace. And he describes it as kind of a dynamic workplace. This is seen, you know, over the last 12 months, we’ve seen this accelerated sort of impact of digital transformation. How do you see this impacting privacy?

 

Tim McIntyre  5:45  

to dynamic work in the wake of the COVID-19 pandemic especially, has really shone a spotlight on cloud service providers’ privacy practices. And during the pandemic, virtually everyone, families, schools, social groups, businesses, you know, us here today, is using either video conferencing, audio conferencing, or other new technologies to communicate. You have parents working from home on Zoom calls in one room with their kids in the next room doing school. And I think this really means that IT organizations, as well as privacy and security teams, need to put extra focus on which providers they use. And it’s also caused privacy regulators to take a close look at those business practices. And I think that kind of oversight and scrutiny is generally a good thing for consumers and helps ensure that privacy rights are respected. And one of the biggest changes we’ve seen is that, you know, just about eight weeks ago, the Federal Trade Commission, which has the authority to regulate in this area, reached a settlement agreement with Zoom after having conducted an investigation into how the company misled users by advertising that it offered end-to-end 256-bit encryption to secure users’ communications, when in fact, they were providing a lower level of security. And end-to-end encryption, of course, just being a method of securing communications so that only the sender and the recipient, and no other person, not even the platform provider, can read the content. Right. And yeah, and in reality, you know, it turned out that Zoom was maintaining the cryptographic keys that could allow them to access some of the content of their customers’ meetings. And there’s a final settlement order now that requires Zoom to put in place a robust security program, review any software updates for security flaws before each release, and ensure that the updates are not going to interfere with third-party security features. 
And, you know, ultimately, that kind of oversight, I think, is a win for consumers. And it really puts companies on notice that they need to make sure that their communications are accurate and transparent. And it really does underscore the need for organizations to think about which systems they use. And it’s a challenge. I think everyone understands that when you’re moving very quickly, in the midst of a crisis, it’s hard to make those decisions as thoroughly and as diligently as you might want to. So I think there is an understanding that, you know, if something goes awry, you need to be honest and transparent and fix it. And I think it’s also critical for employers to consider the privacy considerations of their own employees,

 

Daniel Barber  8:51  

right?

 

Tim McIntyre  8:52  

Yeah, not every employee has the luxury of extra square footage for a home office. And not every employee necessarily wants to invite coworkers or, you know, distant business contacts that they’re on calls with, who they might not know very well, you know, into a virtual, yeah, into like a virtual version of their own home. And I think the world is kind of finding its way through those topics. And after noting the FTC’s criticism of Zoom, I do have to give credit for Zoom introducing that blurred background filter, which is almost the digital equivalent of like frosted privacy glass, which is cool. Yeah, yeah. Nice barrier.

 

Daniel Barber  9:35  

You know, I imagine that you’re speaking with Okta customers every day, especially in your role as DPO. And I’m sure they ask for your guidance as well. Just kind of curious what you’ve seen from Okta customers in sort of ways or creative methods that they are using privacy as a competitive advantage, because they do think at this junction, you know, we’ve talked a lot about how privacy needs to be weaved into product. There is an opportunity to lead with privacy and really use it as a competitive advantage. How do you see that when we talk to customers today, and do you have any examples that you can share with listeners?

 

Tim McIntyre  10:12  

Yeah, sure thing. At Okta, we help our customers manage the identities of their users. And then we help them provision and deprovision resources for those users. So if you’re using Okta, and you have a workforce use case, for example, to use some of our kind of internal lingo, you know, where your end users are your employees, then by using Okta’s single sign-on product, you’re going to know, and your employees are going to know, precisely which applications have access to certain elements of their personal data, which I think is an advantage for an organization. And to your question, another example would be the consumer credit reporting bureau Equifax, which is now using the Okta Identity Cloud to secure access to internal assets for all of their employees. I think they have over 10,000 employees. And they’re also going to use the Okta customer identity platform to enable secure user experiences for their partners and customers as well. Excellent. Yeah. And they suffered a major data breach in 2017 that was widely reported and in the headlines, as I’m sure many listeners will remember that number. Yeah. And after that incident, their embrace of the Okta Identity Cloud was really a step forward for them in terms of internal security. And in the wake of what happened, they were transparent and open about wanting to reimagine their privacy positioning. And like Okta, they had worked with NIST on the development of the new NIST privacy framework. And also like Okta, they conducted internal reviews of their own privacy practices, so that they aligned with the new modern NIST framework. And we spoke about our respective companies’ work in that area together on stage at the 2020 RSA Conference in San Francisco. So you know, privacy can absolutely be a competitive advantage. And trust is, it’s foundational to everything that we do at Okta, and trust really has to be earned over time. You know, you can’t just say trust is important, and then not do the hard work. Yeah. 
And once you earn trust, there’s still never a finish line. Right? You have to earn and maintain that trust every day with your customers and partners and employees and other stakeholders. And I’ve always found that trust really only comes with transparency. And for us on the Okta privacy team, you know, that means being clear and open with our customers about how we process their data so that they, in turn, can be just as transparent with their end users about how their personal data is being processed.

 

Daniel Barber  13:03  

That’s great. Yeah, I mean, that Equifax story is a good one, especially because I think people will remember that incident. And I think, you know, taking a strong position there towards regaining that trust is definitely a step in the right direction. Yeah, as we sort of move gears a little bit, I always love to ask this question to folks, because I just, I personally found sources myself that I now read and enjoy on a regular basis. You know, if you were to sort of think about the three sources that you use for yourself as like a provider privacy pro, where do you typically go to keep up to date with, you know, the happenings in privacy?

 

Tim McIntyre  13:42  

Yeah, that’s a great question. And there are so many resources online today. And it’s fun to poke around and find new ones. And you go back to the ones that are tried and true. And I always kind of start with the IAPP website, the International Association of Privacy Professionals, and they’re online at IAPP.org. If you’re a paid member there, you get access to premium content, but even their free main website is a treasure trove of useful info. Yeah, in addition to that one, the Future of Privacy Forum, fps.org, is really a great organization. They do a lot of terrific work over there. And also just web browsing on my own. You know, Twitter, I think, is a platform that, you know, sometimes has a bad rap. It can be sort of like a fast-moving river of content. But if you really hone in on following folks in the privacy space, and then also clicking around and seeing who they follow, and following threads and links, you just end up following folks and getting tidbits of information in real time. I always find their platform to be really helpful in that way. And then also I really like looking at other companies’ privacy policies and public messaging. Yeah, yeah. So content from peer companies and other organizations that we work with, you can almost kind of reverse engineer what they’re doing, you know, at the operational level by taking a look at their public-facing messaging, which can be really helpful in terms of benchmarking and seeing how others are treating some of these cutting-edge topics. And I know companies like Salesforce, Twilio, AWS, Workday leap to mind there.

 

Daniel Barber  15:35  

Yeah, that’s great. I always ask every person who joins the podcast to share this piece, you know, as you’re sort of thinking about the early stages of your career, and we do have folks listening that are aspiring to break into privacy and potentially take the path that you’ve taken, right, to an executive role in a company. You know, if there’s one piece of advice you would offer to your early self, or perhaps a listener who’s just starting out or trying to break into privacy, what would it be?

 

Tim McIntyre  16:05  

I think I’d encourage them to think about where they want to be within the privacy ecosystem, you know, do they want to be a privacy lawyer or an analyst or program manager or privacy engineer. And then there are so many privacy operations roles that do such critical work across an organization. And those roles can sit in so many departments: human resources, marketing, product management, and engineering. And then if you can kind of home in on where you want to be a little later in your career, you can then point themselves, yourself, I guess, in that direction. And this might be somewhat limited to Silicon Valley. But, you know, in tech, in particular, you have small companies, big companies, medium companies, really a whole range of sizes, and they often grow and evolve, contract, they get acquired, go public quite quickly. And why am I telling you this? I think it’s because every company is on a different privacy journey. And if you’re at a 10-person startup, you’re simply not going to have, nor should you have, probably, a privacy compliance program that’s going to be anywhere near as sophisticated as a publicly traded company would have. Right, right. Yeah. And so the advice, I think, would be maybe to try to get experience both at a smaller company and a larger company, in due time. And then by being at a small company, you’ll really get an appreciation for what the essential requirements are. And it’ll give you a chance to really learn things and implement them from the ground up. And being at a large company should hopefully let you learn how a privacy program should work properly at scale. And then, yeah, as you move through your career, you’ll see organizations at different phases in their growth cycles. And you’ll be more familiar with the choices and decisions that are going to present themselves at those various inflection points.

 

Daniel Barber  18:07  

I think that’s great advice. I think, interestingly, you’re the first person, I think, to share that sort of the difference between, you know, smaller companies and larger companies and how privacy’s involved and guided through those different stages. So I think that’s great advice, Tim. Well, yeah, definitely enjoyed the session with you today. Always enjoy your conversations. And yeah, I want to thank you for coming on the show.

 

Tim McIntyre  18:31  

Likewise, thank you for having me.

 

Daniel Barber  18:33  

Yeah. So you can find Tim’s session and all the other sessions on all our major channels. So Spotify, SoundCloud, Google Podcasts, and of course, Apple iTunes. Keep an eye out for our next show in a few weeks.
