Ahead of this week’s Data Protection World Forum webinar, Building Security’s Influence in the C Suite, PrivSec catches up with Oxfam’s James Eaton-Lee.
Eaton-Lee worked in various IT and consultancy roles, before moving into security consultancy, across security testing and assurance. After a spell as Information Security Manager at Travelodge, he came to Oxfam, where he now manages the cyber security and privacy team.
PrivSec: What are the challenges and the benefits of combining the data protection side and the cybersecurity side, coming from a technical background rather than a regulatory background?
James Eaton-Lee (JEL): There are ways that they complement each other and ways that they don’t. Even in very technical roles, you often can’t get away without really good engagement and communication skills.
As a security professional, a lot of your ability to do your job well hinges on being able to explain risk and complex technical problems to people who are accountable for making decisions, which is not a million miles away from activities that involve other forms of risk and compliance. And particularly when you come from a consultancy background, you have to get quite good at working with customers with different needs and different sets of requirements.
So that mindset – particularly if you come from an organisation or a background that has more of a business enablement mindset in its cybersecurity approach – adapts fairly well to data protection, particularly thinking about doing privacy by design in the context of change processes, and finding the balance that you often have to find in data protection between the needs of individuals and the needs of organisations and thinking about the risk space in between.
But it’s also a different technical set of skills. If you come from the very IT, technical end of cybersecurity, you don’t necessarily think about statutory frameworks or use a legal lens to unpick problems.
There’s sometimes also a difference in that cybersecurity is often more about thinking about risk to organisations and groups of people than risk to individuals.
Data protection is a very person-centric discipline. It’s about understanding the impact of tech and processes on individuals. How well that combines with the cybersecurity team or mindset depends, to some extent, on what kind of cyber security practitioner you are and what kind of organisation you are. There can be strengths and weaknesses.
Having them together in one place is quite useful in some respects because it lets you, especially if you work with a diverse range of stakeholders, give better blended advice.
If you have a team working on a new app, process or piece of organisational change that involves systems and data, you can consider the whole problem and give them a balanced piece of advice that considers how to keep the organisation safe, how to treat individuals respectfully, and it doesn’t have quite as many edges where you have to go: beyond this threshold, you need somebody else.
So it’s often quite useful because of the synergy there – you don’t have two teams having to work out which colleagues are working with data and building systems. You can do it through one framework.
PrivSec: Do you think that having that combined role helps with building influence across the organisation?
JEL: I think so. There’s sometimes a view of risk and compliance-oriented disciplines that their purpose is to gatekeep and sign things off and approve. And it’s sometimes the case and it’s sometimes necessary, but those are often not very good approaches for helping people do things well and safely. They’re often not cost effective and just not very good controls.
Thinking about a way of doing privacy by design, of doing security by design, of carrying out complex activities in a way that’s safe, as a team who position themselves primarily as specialists whose role is to give you the right advice to make decisions about risk, combining them, I think, does let you have more influence.
You give a fuller picture if you’ve got both strands together, and that mindset of “my role is not to sign your project off or tell you that you can’t go live, my role is to help you do it safely and respectfully.”
If you can do that well and give people strong advice, which is a slightly more consultative mindset or a more progressive way of empowering people to make good decisions, I think you become a more trusted partner that people can work with better.
PrivSec: Your role is also external facing, so you’re supporting colleagues in programmes overseas and working with other partners and external agencies. Is that correct?
JEL: It is. We are quite a complex organisation. Oxfam is a confederation of 20 organisations of different sizes with different kinds of programmatic and fundraising activity.
In the UK, we have about 600 retail shops, which are part of the public engagement and fundraising that we do. We have other sources of income, which include individual giving and grants, which provide restricted funding for activity overseas. We work in about 90 countries.
My team directly supports a little over 20, across which we have a range of activities including very short-term humanitarian programming in response to floods, natural disasters, crises and so on; longer term development programming, which can involve digging wells, economic empowerment programmes about gender justice, or Protection (and other kinds of work that essentially enable individual safety), or public health – in a variety of contexts including refugee camps.
Some of it is very data centric. A lot of development and humanitarian work involves things like “Cash and Voucher Assistance”, which uses prepaid top-up cards or vouchers, or sometimes links with financial networks, so they can be effectively like a debit card to allow people to access food marketplaces, for instance.
The way that we do that as an organisation is quite porous: we work with a lot of NGO partners, a lot of local implementing partners. Our operating model involves moving as much of the decision making, power and control as possible, as close as possible to the communities that are benefiting from assistance, which in practice means a lot of local implementing partners in the countries that we operate in.
So the model that we operate in terms of tech, data protection and cyber security has to adapt to that quite porous, quite open network. So although we work with a lot of internal teams – IT teams, finance teams and programme colleagues – we also work with a lot of colleagues in our country offices to enable them to make the right decisions with their partners.
PrivSec: Does that create additional data protection, cybersecurity challenges for you? Is there a greater need to safeguard when you’re thinking about the supply chain and working with third-party providers outside the “four walls” of Oxfam itself?
JEL: It’s a different kind of model. A model which is built around restriction and control doesn’t work very well. We by design try to empower all of our staff to solve problems themselves.
As a security or a data protection team, if your approach to keeping people in the organisation safe is to lock everything down and stop people from doing stuff, that’s a pretty natural conflict.
The approach that the most progressive teams in any organisation will take, which revolves around education and tools as well as restrictive controls, becomes really important.
Our standard technology tools are built to be safe, and to be reusable as general purpose tools in a variety of situations: cloud data storage tools or data collection tools, supplemented with really strong guidance on how to use them well. That essentially allows you to spend the finite resources you have on building things safely, or on awareness and education as widely as possible, so that the advice and knowledge are spread as widely as possible.
We also cultivate in our UK and country office teams a network of focal points that we work through. We try to make sure that everybody is within reasonable distance of somebody, part of whose role it is to be able to answer questions and to signpost them to the right advice, and to be present on the ground and understand the local context. Because it’s much more empowering and effective to have as much of that capacity and capability locally, with an understanding of what advice will work contextually, than it is to dial in from 4000 miles away, make a pronouncement that won’t necessarily work and then disappear again.