Smart Cookies with Shanna Crawford, Director of IT Privacy at Costco

Overview

This conversation feels like a coffee with a thoughtful builder who happens to run privacy. Shanna shares how she grew into technology by solving real problems, then kept saying yes to harder ones. She talks about what it means to lead with curiosity, how to create space for people to learn, and why privacy is really about control and trust. The discussion is practical and honest, with a focus on habits that any team can use.

• Finding your path: Start where you are, learn the business, and let curiosity pull you into new skills.
• Leading teams: Set clear goals, remove blockers, and give people room to grow.
• Privacy in practice: Use clear principles like Fair Information Practice Principles to guide decisions, then adapt to local needs.
• Culture and training: Teach people how to protect the org and themselves, and keep lessons short and timely.
• Early AI steps: Begin with strong intake and review, try simple use cases like policy Q and A or help with assessments, measure what works.
• Mindset: Curiosity, inclusion, and respectful challenge lead to better outcomes than rigid checklists.
• Takeaway: Privacy is not about hiding. It is about giving people clear choices and honoring them.

Transcript

Smart Cookies Podcast Transcript: Shanna Crawford, Director of IT Privacy at Costco

Bryon Scharenberg
Well, thank you. Thanks for being here. I’m excited for today. Welcome to our listeners to Smart Cookies. Smart Cookies is a space where we spark conversations at the intersection of leadership, security, and change. My name’s Bryon Scharenberg, and today I’m joined and excited to talk to somebody that, quite honestly, Shanna, I know we’ve been back and forth for months trying to make this happen. But Shanna Crawford is the Director of IT Privacy over at Costco. So welcome today. Thank you so much.

Shanna Crawford
Thank you so much. Yeah, I know you’ve been trying to connect, but now we’re here.

Bryon Scharenberg
We’re here. So I want to give a little bit of your background, Shanna, as I’ve been getting to know you over these past few months and just a little bit of context to some of your role. Feel free to correct me if needed. You lead global privacy programs for one of the most trusted retail brands in the world. We’re familiar with Costco, specifically for those here in the Pacific Northwest, we know Costco is headquartered here. Part of your role involves building strategy and structure across the international footprint for Costco. A lot of that within the privacy space is considering evolving regulations and helping shape what effective privacy looks like for your organization today. So I think we’re in for a good one. A little more on you, has it been over 20 years you’ve been with Costco?

Shanna Crawford
I hit my 25 this Friday.

Bryon Scharenberg
Oh my gosh. Well, congratulations. That’s a significant milestone. Very cool. I know your role has changed over those years, but now you’re leading the global IT privacy efforts. That involves building international teams, leading design and operations around privacy platforms. Now you’re dealing with data subject rights, cookie and tracker governance. I probably can’t list everything. But today, I’d like to learn more about how you’re navigating all of that. For those listening, all of us as professionals are navigating different leadership challenges. Specifically in your domain, I’m curious to hear more about what that looks like. Before we dig into the more functional areas of your career, I want to throw you a softball. Prior to 25 years ago when you started with Costco, what did you want to be when you grew up? Is this what you had in mind?

Shanna Crawford
This was definitely not on the list of careers I was vying for. I don’t think it even existed at that point in any significant way.

Bryon Scharenberg
Yeah, it wasn’t on the list in the high school guidance counselor’s office. So what did you think you’d end up doing?

Shanna Crawford
I was certain I was going to be an elementary school teacher. I was so interested in shaping the next generation. That was the path I was going to take. I wasn’t able to go directly to a four-year college. I needed to pay to live. So I worked at Costco during the day and put myself through night school. I fell in love with the culture of this company and never left. I’ve moved around to, I think, five positions here, leaning in to do my best, leave things better than I found them, and support the people around me.

Bryon Scharenberg
That’s awesome. I’ve got three kids, and high on my list of things I want them to consider as they grow is looking at Costco. Not only are the benefits great, but the leadership culture, which you just explained, is incredible. How does someone go from needing to pay to live to building a successful career? That’s cool. Give us a snapshot of how your path led from, I’m assuming, working on the floor at a Costco warehouse to now leading in the privacy domain. How did that happen?

Shanna Crawford
Yeah, long story. Just kidding. Twenty-five years’ worth. I first started in membership processing. You either came into Costco through a warehouse or through membership processing. I had worked for a company coding POS, and a bunch of people from my team moved over to Costco when that company filed Chapter 11 and went out of business. They kept telling me, you’ve got to come over. This company is amazing. I let them convince me. But I was so new, so young in the market, that I had to start at square one. I started processing membership renewals on day one, then put in my year there and moved over to supply chain and transportation. I spent 13 years there, responsible for everything coming into the US. That was my first exposure to management.

I had two kids while I worked on that team. I learned so much. I worked with the buyers, understanding their perspective and the struggles they face. For me, it was about how I could solve their problems. I fell in love with that and jumped over to IT to support them from a technical standpoint. I knew there was only so much I could do on the business side. Sure, I could get a shipment from here to there, but technically, how could I help them focus on the exceptions, not just what was going well? How could I help them generate a dashboard or something like that to focus on what mattered most? So I made that jump to IT.

Bryon Scharenberg
That’s really interesting. I talk with professionals in the technology or IT space, and you hear different career backgrounds. Often it’s someone who says, I’ve always had a passion or interest in this, or I went to school and got a degree in computer science. Then there are those of us who come from untraditional backgrounds. Was IT something you had on your radar, or was it more that an opportunity presented itself and you figured out how to solve problems there?

Shanna Crawford
Not something I ever thought I would be doing. I could turn on my computer, but I really couldn’t do much beyond that from an IT standpoint. It was extremely intimidating. But I had amazing friends in IT who convinced me that if I understood the business, I’d be just fine. They would teach me. I took a leap of faith, stepped back in my career, went from a manager to an analyst one on the IT side, and earned my way back.

Bryon Scharenberg
Wow. So now fast forward to where you are today. Your role involves a lot more complexity and responsibility than it did back in analyst one. Give us a brief overview of what your job looks like today. What’s within your wheelhouse?

Shanna Crawford
I have three teams today. First is the security governance side, responsible for NIST assessments and maturity, understanding where our security posture is, and helping build out remediation plans. We take a risk-based approach to identify the most critical things we need to focus on and how to get the funding to do it.

Then I have my privacy team. That team is now extending services to other countries. They’re calling us, asking for help, and that’s why we leaned in. I had nine years of international IT experience, so we can now leverage those relationships and that network to scale and support countries from a compliance and privacy standpoint.

The third team is the security culture, training, and awareness team. They ensure all mandatory training takes place, including warehouse training, security training, and privacy training, and that we have a way to manage and monitor it. We’re also responsible for phishing campaigns and programs, teaching everyone not just how to protect Costco but how to protect themselves at home. The industry is changing rapidly, and threat vectors are everywhere, so we need to stay aware. This team puts together training and teaching moments. It is National Cybersecurity Awareness Month, so we’re leaning into that with guest speakers coming in.

Those are the three teams under my remit today. My goal as a leader is to understand, provide opportunities, and then get out of the way.

Bryon Scharenberg
Wow. That’s a massive footprint. Thinking about the three teams you’re leading and the number of employees and end users you must impact, what’s the scope geographically? How many regions is Costco present in?

Shanna Crawford
Yeah, we’re across 14 countries.

Bryon Scharenberg
Okay, 14 countries. Maybe putting you on the spot, but do you have a rough idea of number of employees and warehouses?

Shanna Crawford
About 330,000 employees, and I think we’re around 910 warehouses.

Bryon Scharenberg
Okay, massive footprint. I’d like to shift to this idea of leading your teams and your organization often without a map. As leaders, rarely is there a playbook that says, here’s the map to do your job successfully. In the privacy governance domain, things are constantly changing. New regulations, cross-border complexity, geopolitical factors. Where are you feeling that most right now? Are there unknowns or tensions that are making this moment different or challenging for you?

Shanna Crawford
I think it’s more on the opportunity side. I always flip things into a positive. The opportunity we have right now is really to understand AI. I’m sure that would be a consistent answer across the board. Every board call, every community call I’m on in this industry is about how you’re using AI, what you use it for, what governance program you have in place. Honestly, we’re all just trying to figure it out. Costco tends to be really conservative in our approach to emerging technology. We’re not going to be the first to adopt something. We take our time to understand it, identify the value to us, to our members, and to our employees. We do our due diligence to make sure it’s a cultural fit before we implement any new technology. So for me right now, the question I’ve been posing to the team and to the industry is: what are you using it for? How are you leveraging it? How are you using it ethically? How do we create efficiencies? Because all of our remits are growing, but our teams are not. We’re not going to get additional resources. So how do we work smarter?

Bryon Scharenberg
I hear a lot of curiosity in what you’re saying, which I think is a crucial skill for a leader. Across this global footprint, you have teams in the US, probably in Europe or elsewhere. It doesn’t look the same in all those places. Regulations and governance vary. Data in the US versus the EU, for example. How do you keep consistency or unity across teams when things might look different globally? Does that make sense?

Shanna Crawford
Yeah, it does. I would lean into my international experience from my previous position. That’s something we’re exploring now within the privacy realm. We’ve done discovery with one country, and our plan is to do discovery with a new country each year. It’s going to take us a long time to get through all of them because we’re not just going to come in, understand your pain points, and walk away. We come in, understand what you have in place, identify the gaps, understand your local regulations, and what governs each country individually. Then we look at how we can help create consistency. What can we centralize? What services can we provide? What technology do we have? We’re not building technology for today. We’re building technology that’s scalable and can be used globally. So we consistently evaluate our tech stack and make sure the tools we use here can be leveraged anywhere.

Bryon Scharenberg
So you mentioned, this rollout, for example, of the country, the country specific, doing a country each year. In terms of navigating that whilst, while, my assumption is rules will not be the same, five years from now within those countries. And so with rules are evolving, every country is a little bit different. Are there certain principles you keep in mind to how we do it right? like where you replicate that each year, the outcome won’t be specifically the same across those countries. But are there principles or methods that you keep in mind for how do we do it right when everything’s a little bit different across the board?

Shanna Crawford
Yeah, I mean, I think it’s what you said earlier, coming in curious, right? So the framework we use is FIPS. across the board, but we do come in and just really try to understand what do you have in place, what processes, we don’t want to damage anything that’s already there. Our goal is to enhance, not detract. So we really, truly are trying to be business enablers. So a lot of it just comes down to understanding, hopefully I’m answering your question the way that you want me to, but a lot of it’s just understanding what they have in place and then in building based on what they need, our number one item of our code of ethics is obey the law. And so what we have to do is understand, well, what is the law state? What is our interpretation of the law? Everyone has a different interpretation of the law. So what is Costco’s stance? We have lawyers embedded in each country. specific to privacy. And so we really leverage their expertise. We collect a lot of the requirements from them. We also try to inform our ICs and our engineers and our SA and get them the necessary training so we can ask tough questions if we don’t necessarily agree. But ultimately, we do defer to our corporate counsel.

Bryon Scharenberg
Yes, and just for clarity, I feel like my brain is inundated with acronyms all the time. FIPS stands for Fair Information Practice Principles, ok.
So that’s what you use and stand by. It sounds like there’s a standard level of expectation. You talked about doing what’s legal, and I assume acting with integrity. So even if there are differences across regions, that is your baseline. It’s not just reacting to each environment, although you certainly have to do that as the law requires. But more so, you’re setting a uniform standard across the board with a high bar that you aim to meet, regardless of local regulation. Does that make sense?

Shanna Crawford
Absolutely, yes. It is foundational for us. That’s the framework we use to protect individual privacy and ensure fair handling of personal data across the board for all countries. Then we look at the local laws to make sure we’re adhering to them. And if there are conflicts, which there always are, we take a risk-based approach. What makes the most sense for us, based on our interpretation of the law? We do a lot of consulting with outside firms and companies to get their interpretations as well. We try to do our due diligence across the board for all countries.

Bryon Scharenberg
Shanna, you said something earlier where, you know, rather than seeing the challenges and the complexities of all that we’re dealing with, you know, what are the opportunities that we’re faced with? And You brought up AI earlier. How are those technologies changing? I’m curious to maybe go back to that a little bit with this idea of emerging tech, generative AI, different kinds of advancements in technology. How are those influencing the privacy space? I don’t know if you have any use cases that you’re seeing or anything that you might be able to detail a little further. Is there anything that you’re seeing influence specifically the security and legacy space, whether positively or negatively.

Shanna Crawford
Yeah, I mean, I was on a call earlier with senior leaders at several different companies, and we’re having open conversations. And one of the questions I asked, how are you using it? What are you leveraging it for? And so we’re having these very open, transparent conversations across the board, and no one has all the answers. No one is mature in this space. We are truly all just trying to figure it out. So as I said, we have not even begun our journey in AI, really. We do have an essential intake. We have a governance committee, an AI governance committee in place, and every use case is getting reviewed and approved. And so we’re in the very early stages of AI and how to really leverage and use it and find the full value from it.

Bryon Scharenberg
So it sounds like even taking, if this is accurate, my interpretation is that Costco takes more of a conservative approach around, and understandably so, with their impact, footprint, et cetera, but beginning to look at, and it sounds like you as a leader, learning from some of your peers across other companies and organizations and just learning how are they leveraging those things? Where can we find efficiencies across our teams? How can it improve some of our workflows? So it sounds like the world is still a bit of your oyster in terms of what, you know, what you might implement.

Shanna Crawford
I will say there’s a couple of things that are intriguing to me, and that’s utilizing an agent to answer questions around policy. So a quick and easy way for people to ask different questions about the policies and standards that we have in place as a company. And then PIAs, processing PIAs, it takes a lot of time to collect the necessary information to process a PIA appropriately. And it sounds like a lot of people are leveraging AI to fill the PIAs for them. So that will probably be a couple of the places that we begin utilizing this or at least evaluating what it can do for us.

Bryon Scharenberg
That’s interesting. Yes, significant in terms of taking what can be a complex process. I mean, you mentioned policy that, so even thinking about how that may impact, it’d be interesting to see some metrics around, you know, how does an agent, like a policy agent or something, improve compliance over time or improve some of those, kind of the governance metrics. I want to do just maybe as we begin to wrap up here, do a few maybe just broad, broad questions. You can give hot takes, quick takes, you know, whatever you want to this. But if you think about, now you’ve been embedded within the security privacy industry for a long time. What’s something that you wish more people understood about the space, about privacy today?

Shanna Crawford
I wish that people understood that privacy isn’t about hiding something, it’s about controlling something. So too often, privacy gets conflated with secrecy or compliance checkboxes. Modern privacy is really about data autonomy, ensuring individuals and organizations understand what data is collected, how it’s used, and whether that aligns with its values, ethics, and trust. So I think that is something that isn’t well understood at this point across the industry.

Bryon Scharenberg
When you said that, I hadn’t thought of this idea, but I think it’s true. The word “privacy” brings up a connotation of hiding. But instead, it’s about how we control data and use it. Do you have advice for anybody who’s younger in their career, maybe starting out in this field? What would you say to them?

Shanna Crawford
I think I would say the same thing whether you’re early or late in your career: stay curious. That is your greatest asset. Come in, ask questions, understand, and add value. For those newer to this space, don’t pigeonhole yourself too quickly into one area. Learn how privacy connects to security, product design, and business strategy. The people who truly excel aren’t just rule followers, they’re translators. You need to be able to bridge compliance, engineering, and business goals.

Bryon Scharenberg
I like what you said, even for those in the later stages of their careers. That was going to be a follow-up question, but I think for those of us who are farther along, and I include myself in that category, it’s encouraging to hear that. Stay curious. I haven’t had the opportunity to sit on your team, but I’ve worked with curious leaders who ask good questions, and it’s extremely impactful. Not just for how someone late in their career can stay open to new ways of doing things, but also for the human element. It shows empathy, a willingness to hear, to change, and to understand something differently. So I just want to commend you on that. My hope is that it continues to be impactful in your career and leadership. And thank you for that reminder to all of us, myself and our listeners, to stay curious as we navigate this space where, like we said earlier, there’s not always a map or a playbook.

Shanna Crawford
For me, the thing is, we’re all in the room together and no one is smarter than anyone else. We all have our areas of expertise. We all have different lenses and perspectives, and we need to celebrate that more. We challenge each other all the time, but there’s a right way to do that. True inclusion is about diversity of thought. We need to celebrate people who challenge us and bring a disruptive way of thinking, because that’s how we get better.

Bryon Scharenberg
Awesome. Well, Shanna, thank you for your input today. Thanks for sharing your story and your career. I also just want to say, as a Costco member, thank you for protecting my data and safeguarding information at a company I love doing business with. I’m glad to be a customer, and it’s been fun to learn about what you have in your scope. Thanks for joining us today, and we’ll talk with you soon.

Shanna Crawford
Thank you so much for having me.