CHAPTER 18 Controls
There are risks and costs to a program of action—but they are far less than the long-range cost of comfortable inaction.
—John F. Kennedy
In the basic primer on cybersecurity in Chapter 11, we defined the four broad types of controls: preventative, detective, corrective, and compensatory. Some analysts include a fifth type, called a targeted control or a countermeasure, which addresses a specific threat or a specific vulnerability. But for simplicity's sake, I am going to include targeted controls as part of the four categories, depending on how they function.
What about privacy controls? This is, after all, a privacy-centric cybersecurity program. That's true—it is! But remember this?
We are operating within these boundaries—in other words, there are many aspects of a privacy program that are beyond the scope of a cybersecurity program. Consequently, we are also operating under the assumption that our colleagues across the hall doing the privacy program have established the necessary privacy controls and rolled them out across the enterprise and implemented them appropriately in all data processing areas.
That's not to say that we don't have a lot of collaborative work to do. For one, we need to understand where the boundaries are between the two programs. It's one thing to say we're dealing only with “cybersecurity-related privacy events”; it's quite another to define these for your specific organization. The boundaries between the programs are there, ...