Everywhere I’ve worked for the last 20+ years had formal NDAs and training on business confidentiality. Working at smaller companies before that was less formal.
I think I mostly formed my sense of “haven’t seen companies actually taking this seriously” at smaller new orgs; good to know it’s more common. I figured it’d be common for, like, lawyers and therapists, but hadn’t heard of it in other contexts. I’m curious what the training entails?
(There was one 3000-person company I worked at that didn’t seem to have any training re: privacy, although I was also only hired there as a contractor, so not too surprising if I just missed it.)
“training” may imply more than I intended. We have an annual stupid video to watch and a bunch of wiki pages about basic infosec behaviors and mechanisms to keep some info off of shared build systems, and some “loose lips sink ships” posters. It does include guidance on baseline “company confidential” behavior and not talking with outsiders except on the narrow topics related to their work. We do have formal classes (with tests and mock presentations) before we’re allowed to give talks or speak to groups on behalf of the company.
There remain a _LOT_ of cultural and ad-hoc expectations on the topic, far more than official policy or training. And there are ongoing debates about the very large value of open sharing of information compared with the cost of leaks. This leads to a fair bit of nuance regarding which topics are “just don’t talk about”, which are “have a good reason before discussing with someone”, and which are “don’t advertise widely, but feel free to discuss if it’s relevant”.
At a very basic level, for both private and commercial secrets, you have a LOT of evidence about how seriously it’s taken, just by the fact and manner that the secret is given to you. “If you want it kept secret, why are you telling ME?” Asking this question is a great opener for understanding what the specific expectations are.