Data privacy, a growing strategic initiative

Jan 22, 2018 | 4 mins
Data and Information Security | Privacy | Technology Industry

The aggregation of new threats, laws and consumer activism makes data privacy a strategic initiative for today’s businesses to adopt as part of their core business operations.

January 28 is Data Privacy Day, an international event to create awareness about the importance of respecting privacy, safeguarding data and facilitating trust. In our current dynamic business environment where everything seems to be connected, millions of businesses are unaware of or uninformed about how their personal and business information is being used, collected or shared.

In a study conducted by the Ponemon Institute in September 2017, there were several alarming statistics around the state of today’s businesses being able to protect their sensitive information. These issues paint a picture of the escalating threats that businesses face as many of their security programs and initiatives lag or are static at best.

  • 52% of respondents reported they had experienced at least one ransomware attack, with over 79% stating that the ransomware was unleashed due to phishing or social engineering attacks.
  • 54% of respondents reported that their breach involved sensitive information about customers, employees or business plans, with the average breach now involving over 9,000 records.
  • Organizations continue to struggle to provide budget, technology and personnel to manage security – 36% of respondents reported they are now outsourcing their IT security operations to outside partners.
  • The toll of a cyberattack is becoming costlier, the impact to the business due to damage/theft is averaging $1.2 million and the disruption caused by a cyber-incident is also averaging $1.2 million. Examples of these costs include:
    • cost to forensically recover lost or damaged sensitive information;
    • liability costs to the business from lawsuits (customers, vendors, partners etc.);
    • cost of fines due to not meeting compliance/regulation requirements or contractual requirements; and
    • cost due to the loss of business opportunities from brand damage or loss of data, facilities, etc.

As businesses face the shock of these threats to their operations, they also must be aware that consumers are now more concerned than ever about the security of their private information. Every day, people are beginning to feel the effects of the hyper-connected society we live in where their private data is requested by companies to receive services. In these transactions, consumers assume their private information is being protected. Businesses must be cognizant that consumers are now willing to change their buying behavior and shift brands if they feel a business is at fault for a data breach to their sensitive data.

To help businesses understand this convergence of data privacy and cybersecurity, there are several recommendations they can incorporate to better manage the risk exposure to their organization and the sensitive data entrusted to them.

1. How your company manages data privacy shouldn’t be a secret

Your customers need to understand why you need their information, what you will use it for and how long you will keep it. Consumers are educating themselves about privacy, so your company’s policy on data privacy should be readily available and easy to read.

2. Data privacy is an “everyone initiative”

If your business has sensitive information on employees, consumers, partners, etc., then you should have your whole company involved in protecting this data. Incorporate a data governance program that uses training, processes, personnel and technology to manage this information when it is at rest, in transit, being processed and finally decommissioned when no longer needed. All staff, partners and vendors need to be involved and understand the importance of managing the data entrusted to the organization.

3. Data governance and the management of privacy is continuous

To effectively manage protected data, an organization’s security and risk management programs will need to leverage a blend of technologies, frameworks, processes and personnel. Even with all of these resources in place, it remains a continuous lifecycle of monitoring, remediating and improving. To avoid shortchanging themselves, businesses should assign resources to manage this risk and understand the value it provides to business operations by creating a risk-aware culture.

4. Don’t forget the small things

As you train your staff, build a security and risk management program and incorporate new policies, remember that data is like water and can easily slip out of an organization’s control. Bring in a trusted partner for a risk assessment to check how your data is being accessed and whether it is being transferred to employees’ smartphones, portable USB devices, copiers or legacy storage devices. Use a partner to review your security controls and verify that the data entrusted to your company is safe.

These recommendations are just some of the ideas businesses can implement to better manage their data privacy requirements. Data privacy is becoming more visible and is a driving international initiative with the European Union’s upcoming “General Data Protection Regulation” (GDPR). It is the aggregation of new threats, laws and consumer activism that makes data privacy a strategic initiative for today’s businesses to adopt as part of their core business operations.


As Chief Information Security Officer (CISO), Gary Hayslip guides Webroot’s information security program, providing enterprise risk management. He is responsible for the development and implementation of all information security strategies, including the company’s security standards, procedures, and internal controls. Gary also contributes to product strategy, helping to guide the efficacy of Webroot’s security solutions portfolio.

As CISO, his mission includes creating a “risk aware” culture that places high value on securing and protecting customer information entrusted to Webroot. Gary has a record of establishing enterprise information security programs and managing multiple cross-functional network and security teams. Gary is co-author of “CISO Desk Reference Guide: A Practical Guide for CISOs” focused on enabling CISOs to expand their expertise and scope of knowledge.

Gary’s previous information security roles include CISO, Deputy Director of IT and senior network architect roles for the City of San Diego, the U.S. Navy (Active Duty) and as a U.S. Federal Government employee. In these positions he built security programs from the ground up, audited large disparate networks and consolidated legacy network infrastructure into converged virtualized data centers.

Gary is involved in the cybersecurity and technology start-up communities in San Diego, where he is the co-chairman for Cybertech, the parent organization that houses the cyber incubator Cyberhive and the Internet of Things (IoT) incubator iHive. He also serves as a member of the EvoNexus Selection Committee, where he is instrumental in reviewing and mentoring cybersecurity and IoT startups. Gary is an active member of the professional organizations ISSA, ISACA and OWASP, and is on the Board of Directors for InfraGard. Gary holds numerous professional certifications, including CISSP, CISA and CRISC, and holds a Bachelor of Science in Information Systems Management and a Master’s degree in Business Administration. Gary has more than 28 years of experience in information security, enterprise risk management and data privacy.

The opinions expressed in this blog are those of Gary Hayslip and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.