How can cybersecurity professionals balance both the regulatory requirements and the fundamentals of data protection?
Today, Trevor Dolan, VP Senior Director of Cybersecurity Data Protection and Governance at Fidelity National Financial, shares insights on balancing regulatory compliance with the fundamentals of data protection, designing holistic data protection programs, and the importance of strategic planning. He delves into the five main areas of developing data protection organizations: governance and leadership, risk assessment, policies and procedures, training and awareness, and team and organizational structure. Trevor also offers practical advice for young professionals starting in the field and discusses the significance of building trustworthy relationships with stakeholders. For organizations facing budget and hiring challenges, he suggests prioritizing top-risk areas and leveraging existing resources effectively. The episode concludes with Trevor reflecting on his career journey and sharing his contact information for further connection.
Takeaways:
- Establish Strong Governance and Leadership: Build a solid foundation by defining the scope of your data protection program.
- Conduct a Comprehensive Risk Assessment: Use frameworks like NIST CSF or CIS Controls to assess your current state and maturity. Be honest about gaps and deficiencies; use data to drive consensus and prioritize improvements.
- Develop and Maintain Clear Policies and Procedures: Ensure policies map directly to regulatory, legal, and contractual requirements. Create a hierarchy: policies, procedures, standards, and control implementation patterns.
- Invest in Targeted Training and Awareness: Go beyond generic security training; provide specific modules for privacy, incident management, and data protection. Reinforce training with assessments that encourage critical thinking, not just box-checking.
- Be Flexible and Resourceful with Budget and Staffing: If faced with budget or hiring freezes, focus on top-priority risks and use available tools creatively (“gold, silver, bronze” approach).
- Use Data to Drive Decisions and Build Consensus: Bring objective data to stakeholder discussions to resolve disagreements and focus on solving real problems.
- Continuously Improve and Adapt: Treat your data protection program as a living, evolving effort. Regularly revisit your risk assessments, policies, and training to ensure they remain effective and aligned with business objectives.
Quote of the Show:
- “ Make sure that those expectations are well communicated, but do it in a way that helps them to really incorporate that in their day-to-day so that they feel empowered as far as protecting the organization's data, and they feel part of the mission.” - Trevor Dolan
Links:
Ways to Tune In:
