Data Privacy Day: Risk Assessment, Governance, and 2 Other Ways to Protect Your Data

Data Privacy Day is here once again. How will you be celebrating?

By now, every business (hopefully) understands that they need to make data protection a priority. There have certainly been enough breaches, ransomware attacks, and other incidents in the news since the last Data Privacy Day to drive the point home. Nobody wants to get on camera and say to consumers, “We weren’t careful enough with your information.” So, take the reminder presented to you by Data Privacy Day and prove to your users that you consider privacy and data protection to be important issues.

It’s not just about adopting the latest technology or embracing the latest innovative approaches. You need a framework that manages people, policies, and processes. You need to be resilient.

Here are four tools and initiatives your organization can leverage to protect its data, not just on Data Privacy Day but the other 364 days of the year as well:

Risk Assessment

Risk assessments come in different shapes and sizes, but the goal for every one is the same: to identify, prioritize, and measure your organization’’s cybersecurity risk. The type of risk assessment you need will depend on your industry, regulatory requirements, and business strategy.

Unfortunately, many organizations have reactive security controls that have only been put in place after data has been compromised and a security incident has occurred. Time-strapped information security professionals sometimes struggle to identify and prioritize the business’s cyber risks. The threat landscape evolves every day. Your cybersecurity program should do the same. But how can you meet that goal when you don’t know the amount of risk that’s acceptable to your business – or how close you are to reaching that state? By performing a risk assessment, you can identify the gaps in your security and learn how to close them.

A risk assessment will help you focus on the truly critical areas and keep you from getting distracted by low-hanging fruit. The action plan you develop based on your risk assessment findings will allow you to effectively manage risk and pursue cybersecurity initiatives in a thoughtful manner – and you’ll be in a better place to prove and argue your position to executives, auditors, regulators, and the public.


Your documentation should not just be words on a page. You need to develop and maintain a documented framework that matures your business model. A cybersecurity governance framework should be risk-based, business-friendly, and address all of your organization’s cybersecurity needs to meet the objectives of confidentiality, integrity, and availability of information assets.

An effective cybersecurity governance implementation allows your organization to make informed decisions. Do you have a defensible position to enforce each policy, procedure, process, and business objective? When leveraging communicable and actionable intelligence, you can make smarter decisions about what resources are needed, how to identify compliance and regulatory needs, change management, incident response, organizational risk, identifying meaningful metrics, and more.


People are your greatest cybersecurity risk. Poorly written source code, misconfigured firewalls, clicking on phishing links – these all start with the failure of employees. But the good news is: they don’t have to. People are motivated by convenience, not cybersecurity best practices. Once you understand this, you can begin to build a cybersecurity awareness program that changes user behaviors and reduces people risk. (And annual training is actually required by HIPAA, PCI, NERC-CIP, and other regulations and mandates.)

The action (or inaction) of your employees can have a big impact on your organization, whether it’s financially, reputationally, or legally. They need perspective on how risk can hurt both your business as well as their own jobs.

A more aware and better educated workforce means better data protection across an entire organization.

Cybersecurity Virtualization

Having a virtual cybersecurity team or a vCISO on your side both gives you access to deep technical expertise and can help you develop high-level strategies. The cybersecurity worker shortage is close to 3 million globally. This shortage has made it harder than ever to recruit and retain top cybersecurity talent and caused salaries for experienced professionals to skyrocket. Now think about how many experts you’ll need to hire to maintain high data privacy and protection standards.

Even if you’re lucky enough to hire the right professionals, they can only be an expert at just so many things. Cybersecurity is a big job that requires expertise in a variety of areas, and at some point even the most brilliant expert will run out of room in their brain to stuff more cybersecurity information into.

When you virtualize your cybersecurity team, you get all of the same expertise, services, and benefits of a highly-certified cybersecurity team – without the worry of them leaving for a better job somewhere else. Your cybersecurity risks will be addressed in the same manner as a full-time team, ensuring your business always follows data privacy and protection best practices, is secure, and maintains compliance.

In Conclusion

Data protection is an ongoing initiative, one that requires consistency and maintenance. While Data Privacy Day only comes around one a year, its message of data protection should be a year-round concern for every organization.