We've been through quite a journey thus far! From improving our understanding of privacy and looking at privacy and data protection regulations around the world to tweaking our cybersecurity program into a privacy-centric one.

Along the way, you may have noticed that this last piece, the tweaking, was not evenly applied to every part of your program. Critically, the area of cybersecurity program development most affected by privacy concerns is asset discovery. There, we underwent a discovery-in-depth exercise to make sure that we captured the necessary privacy variables necessary to formulate our control and defense-in-depth strategy. This discovery-in-depth is truly at the core of a privacy-centric cybersecurity program. The rest of the program remains largely unchanged: you still need to get a handle on threats, vulnerabilities, environments, controls, and so on. But the critical piece is the asset discovery work. At the end of the day, what does a good cybersecurity program do? It protects your assets! And, what does a good privacy-centric cybersecurity program do? The same thing! It protects your assets, only in this case, the assets are “sensitized” with the privacy dimension.

Which brings us to incident response. How different is incident response for a program that's privacy-centric ...