May 12, 2023

Last Updated on January 14, 2024

I’ve been predicting for a while that emerging data privacy requirements from legislation like GDPR and California’s CCPA/CPRA will lead forward-looking businesses to improve data governance capabilities for more/all of their sensitive data. From what I gathered at the most recent RSA Conference (RSAC) 2023 in San Francisco, this trend is advancing rapidly in terms of wider data governance solutions and use cases beyond privacy.

View our free ISO 27001 downloadable resources »

And why not? Once you get to a point where you know exactly what data you have, where it’s stored, how to retrieve it, how do delete it, how to manage it—which are all prerequisites for processing a data subject access request (DSAR)—why wouldn’t you want the ability to do that with all your sensitive data?

How data privacy and data governance relate

Data privacy is a subcomponent of data governance. To “govern” data, you need to know what data you have, where it’s stored, how it flows through your IT environment, and how you and others use or transmit it. When you have this level of control over your sensitive data, you can respond with much greater agility to new business demands to leverage it—without compromising its confidentiality, integrity, and/or availability.

Overall, you can safeguard well-governed data much more efficiently and effectively, knowing for sure that your controls are operating as intended to reduce data privacy risk and overall data security risk. Most data privacy and data governance programs are supported by technology, as well as mature policies, processes, and best practices. An overarching goal of data governance that is so critical with data privacy specifically is to make sure that data is not used improperly, and that no data errors are introduced.

Data security posture management

There’s even a new buzzword for privacy-driven data governance capabilities that I heard quite a bit at RSAC 2023: data security posture management.

This capability and emerging market space will become increasingly important over the next few years, especially among businesses that are subject to privacy laws or whose customers are pushing them to privacy compliance.

Zero trust is a model, not a product

In line with managing an org’s data security posture, I saw growing recognition and refinement of messaging at RSAC that Zero Trust is a model, not a product. Too often vendors have painted their security products as being “zero trust products.” But there’s really no such thing.

It’s a positive development that at this influential conference there was less misleading hype around Zero Trust. Instead, vendors need to concretely illustrate how a given tool or product set can support an org looking to move towards Zero Trust architecture.

What’s next?

For more insights on this topic, tune in to Episode 117 of The Virtual CISO Podcast, featuring Pivot Point Security CISO and Managing Partner, John Verry.