FireEye Tackles Global Privacy

New Privacy Officer to Implement Data Protection Initiatives

By Megan Goldschmidt, August 19, 2014.
Shane McGee, FireEye

FireEye has just appointed a privacy officer and handed him a big mission: Launch a new global privacy program. What is Shane McGee's strategy for this new role, and what will be his top challenges?

Formerly the general counsel and vice president of legal affairs at Mandiant, which security solutions vendor FireEye acquired earlier this year, McGee is charged with leading a new global privacy program to establish data protection standards and lead industry improvement initiatives.

McGee sees his role as three-fold: Ensuring privacy is built into FireEye's security products; educating FireEye employees about privacy; and then ensuring transparency when dealing with customers, partners and government regulators.

"You can have all the best policies in the world, but unless you communicate those policies effectively and tell your customers what you're doing with their data, then it's not going to engender the trust that you need," McGee says. "Creating that transparency and communicating our privacy practices, our data handling practices, to our customers is very important."

In an interview about his new mission as chief privacy officer, McGee discusses:

The scope of his new global initiative; The challenge of navigating disparate privacy regulations; Career paths for privacy pros.

McGee has worked as a practicing attorney in the areas of data privacy and security law for 15 years. He headed SNR Denton's (now Dentons) U.S. Data Protection practice prior to joining Mandiant as general counsel in 2011. Over the course of his career, McGee has counseled some of the world's largest technology companies on privacy and security issues; represented companies in front of the FTC and other regulators charged with protecting consumer privacy; drafted hundreds of data protection policies; responded to security breaches; and advised clients on how and when to notify customers when a breach occurs. Before becoming a practicing attorney, McGee was a programmer, consultant and instructor. He is a Certified Information Systems Security Professional (CISSP).

TOM FIELD: Why don't you outline for us what the mission is with this new role please?

SHANE MCGEE: FireEye already had a very good privacy program, to the extent that there were good policies that covered FireEye's products and services. Probably one of my first goals in this position is to review those policies and revise where necessary, to make sure that they keep pace with our rapidly evolving security offerings. As you know, we've introduced a number of new products and services. Every time we introduce something new, be it a feature, product or a service, we need to revisit our privacy policies and ensure that everything is consistently promoting our message.

Another part is educating our employees to make sure that they comply with those policies. The culture of security at FireEye is fantastic in making people understand that privacy needs to be a large part of that, and we need to take those obligations seriously. [What I'm doing is implementing] an ongoing program to educate employees and make sure that awareness is a very important part of any privacy program. Also, creating transparency for our customers. You can have all the best policies in the world, but unless you communicate those policies effectively and tell your customers what you're doing with their data, then it's not going to engender the trust that you need. It's not going to give them any comfort. Creating that transparency and communicating our privacy practices, our data handling practices, to our customers is very important. I like to boil that down and say, "Do what you say, and say what you do." It really is that simple in that regard.

Lastly, engaging with regulators, boards, councils and other official bodies both in the U.S. and overseas is incredibly important. There is a lot of sensitivity on the privacy side in Europe, especially when it comes to U.S. companies. The best way to take the distrust that flows out of that and replace it with more trust is to engage regulators, government entities, and talk about it. Tell them exactly what you're doing, and more importantly, what you're not doing.

Regulators vs. Employees

FIELD: Which is the tougher communication challenge, with regulators or employees?