Chapter 3. Step 3: Regulatory Compliance

Even if you've never worked in cybersecurity, you've probably noticed that every so often, a huge data breach incident makes mainstream news. Data breaches happen every day, whether we know about them or not. One of the most disturbing things I learned in my years of reporting cyber incidents in the media is that the breaches we're aware of are only the tip of the iceberg. Many breaches lie undiscovered, like the underwater portion of an iceberg.

There is no data to back this up, but I have heard anecdotes. My experience in the industry has taught me that for every big data breach story in the news, there are at least 20 that companies know about but are keeping to themselves and 100 that not even their targets know about. I will examine some actual data breach research later.

Step 3 focuses on regulatory compliance. The regulatory compliance your business should be concerned about here pertains to data privacy. No matter which industry you're in or where in the world you are, chances are at least some data privacy regulations apply to your company, and you could be heavily fined (often in the millions of dollars) if you're discovered to be in violation.

In this chapter, I will summarize some of the most relevant data privacy regulations. I will cover some scary but useful data breach research. Then I will introduce the concepts of governance, risk, and compliance. I'll explain why even though compliance is a must, it doesn't ensure security. ...
