{"id":7511,"date":"2026-03-18T07:00:00","date_gmt":"2026-03-18T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7511"},"modified":"2026-03-18T07:00:00","modified_gmt":"2026-03-18T07:00:00","slug":"cisos-rethink-their-data-protection-strategies","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7511","title":{"rendered":"CISOs rethink their data protection strategies"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Scott Kopcha witnessed what CISOs everywhere are seeing: employees eager to use artificial intelligence, whether through public models or custom AI tools, accessing company data at a breathtaking rate and volume.<\/p>\n<p>Kopcha already had a mature data protection strategy in place; as a law firm, his organization had a long history of safeguarding sensitive data. Still, <a href=\"https:\/\/www.goodwinlaw.com\/en\/people\/k\/kopcha-scott\">Kopcha<\/a>, CISO at law firm Goodwin Procter, knew his firm\u2019s data protection strategy needed to evolve.<\/p>\n<p>\u201cWhenever you start breaking down these different types of AI models, you see there are seven or eight different ways they can interact with your data, and our tools weren\u2019t necessarily set up to provide the breadth of monitoring and protective capabilities required,\u201d he says.<\/p>\n<p>He added another protection layer that classified and tagged data based on whether it could be used with AI and in what circumstances. 
He invested in new tools to support that layer, and he\u2019s monitoring the vendor landscape for emerging capabilities that could further boost his data protection program.<\/p>\n<p>Kopcha\u2019s data protection strategy also calls for an evaluation of new technologies being deployed by the firm to determine whether new controls are needed for them, a move he says ensures protection keeps pace with technological innovations.<\/p>\n<p>\u201cThe idea is to be able to show anyone who comes to ask that you\u2019ve done your due diligence, and you\u2019ve done your due care,\u201d he says.<\/p>\n<p>Kopcha is not alone in that quest.<\/p>\n<p>Many CISOs are working to mature their data protection strategies, driven primarily by <a href=\"https:\/\/www.csoonline.com\/article\/3964282\/cisos-no-closer-to-containing-shadow-ais-skyrocketing-data-risks.html\">the explosion of AI use<\/a>. That has them rethinking policies, procedures, and their tools as well as how they make decisions and how often they need to revise their data protection plans.<\/p>\n<p>\u201cData has always been the lifeblood of the enterprise. What\u2019s changed is the convergence of pressures making data protection exponentially harder,\u201d says <a href=\"https:\/\/www.sans.org\/profiles\/chris-cochran\">Chris Cochran<\/a>, field CISO and vice president of AI security at the SANS Institute. \u201cAI has made the traditional perimeter largely irrelevant. Employees are using unsanctioned AI tools for work at a pretty alarming rate, pasting source code and customer data into consumer-grade models. One of the problems is that it doesn\u2019t look or feel like exfiltration. 
Layer on expanding data sovereignty requirements, regulators now issuing guidance specifically on AI data security, and the looming reality of <a href=\"https:\/\/www.csoonline.com\/article\/3552701\/the-cisos-guide-to-establishing-quantum-resilience.html\">what encryption looks like post-quantum<\/a>, and you understand why this has become a board-level conversation.\u201d<\/p>\n<h1 class=\"wp-block-heading\">Factors driving strategy evaluations<\/h1>\n<p>CISOs, security experts, and data practitioners cite the expanding use of AI in the enterprise as the main reason they\u2019re rethinking their data protection strategies.<\/p>\n<p>\u201cAI is exposing more sensitive information as [workers] are taking that information and typing it into LLMs,\u201d says <a href=\"https:\/\/app.intelligentrelations.com\/api\/clicks?uuid=214382e8-73fd-4555-9ce9-161f79d5aff0\" target=\"_blank\" rel=\"noopener\">Errol Weiss<\/a>, CSO at Health-ISAC.<\/p>\n<p>AI tools make it easy for employees to expose sensitive data, Weiss says. They can quickly input protected information into a public AI model to tackle everyday tasks, thinking they\u2019re working efficiently without realizing the data privacy risks they\u2019re taking. \u201cWe now have hundreds of thousands of people using the technology that way today,\u201d he adds.<\/p>\n<p>But other factors are prompting CISOs to reassess their data protection policies and practices, too. They include the ever-increasing speed and volume of data generation, expanding attack surfaces, increasing regulatory pressure, a growing focus on <a href=\"https:\/\/www.csoonline.com\/article\/2111061\/cyber-resilience-a-business-imperative-cisos-must-get-right.html\">operational resilience<\/a>, and <a href=\"https:\/\/www.csoonline.com\/article\/3819176\/top-5-ways-attackers-use-generative-ai-to-exploit-your-systems.html\">AI-enabled cyberattacks<\/a>.<\/p>\n<p>Research shows that the vast majority of organizations are taking action. 
According to the <a href=\"https:\/\/www.cisco.com\/c\/dam\/en_us\/about\/doing_business\/trust-center\/docs\/cisco-privacy-benchmark-study-2026.pdf\">Cisco 2026 Data and Privacy Benchmark Study<\/a>, 90% of organizations have expanded their privacy programs because of AI, 43% have increased privacy spending over the past year, and 93% plan to allocate more resources in the next two years to privacy and data governance due to the growing complexity of AI systems and expectations of customers, clients, and regulators.<\/p>\n<p><a href=\"https:\/\/www.ey.com\/en_us\/people\/dan-mellen\">Dan Mellen<\/a>, global and US cyber CTO at professional services firm EY, says improvements are needed in most organizations.<\/p>\n<p>For example, many organizations do a poor job at data classification and data tagging, two vital steps for ensuring adequate security controls are applied to sensitive data, he says. \u201cWe\u2019ve seen countless examples where the right guardrails aren\u2019t in place,\u201d he adds.<\/p>\n<p>Many IT leaders are also finding that some technologies they implement for data protection are not capable of addressing their needs as AI advances, particularly for agentic AI deployments, Mellen says. 
For instance, not all data loss prevention (DLP) tools monitor lateral data movement between servers or workloads and instead only deliver perimeter defense, he says.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/michaelebaker\/\">Mike Baker<\/a>, vice president and global CISO at DXC Technology, uses the term \u201cdata sprawl\u201d to describe the growing amount of data on the move, something that accelerated first with cloud computing and now with AI.<\/p>\n<p>Like other CISOs, Baker is re-examining his data protection program to ensure he and his team \u201creally understand where our data is, understand the sensitivity of the data across our estate, how it\u2019s being accessed, and what environment the data is in.\u201d<\/p>\n<p>To that end, he\u2019s deploying best-of-breed tools to identify, discover, and classify data as well as to manage access to it and continually monitor data flow. He has also implemented a zero-trust security framework.<\/p>\n<p>Furthermore, Baker is now holding more ad hoc meetings, in addition to quarterly sessions with business leaders, to ensure the data protection strategy remains aligned with the business strategy and that it can keep up with changes in the company\u2019s technology and business environments.<\/p>\n<p>Not all organizations are taking such actions, however.<\/p>\n<p>For example, 20% of execs said their organizations don\u2019t monitor their privacy programs, according to the <a href=\"https:\/\/www.isaca.org\/resources\/news-and-trends\/isaca-now-blog\/2026\/five-key-findings-from-isaca-state-of-privacy-2026-report\">2026 State of Privacy Report from ISACA<\/a>, a nonprofit association for governance, risk, security, and assurance professionals. 
Report authors called that \u201cconcerning, as these respondents do not have a way to evaluate their privacy program\u2019s progress or identify areas for improvement.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Key areas of action<\/h2>\n<p>Organizations with immature data protection strategies need to quickly catch up, experts say. Regardless of where they are on the maturity scale, everyone can do better, they add.<\/p>\n<p>\u201cThey have a lot of work to do,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/pnigro\/\">Pam Nigro<\/a>, vice president of security at Medecision and an ISACA board member.<\/p>\n<p>Nigro says companies in heavily regulated industries such as healthcare, as her company is, tend to have mature data protection programs. They\u2019re also more likely to regularly review their strategies and aim for continuous improvement, she adds.<\/p>\n<p>Nigro reviews her data protection strategy nearly monthly to ensure its practices and policies keep up with the company\u2019s evolving technology and business plans.<\/p>\n<p>As called for in her data protection strategy, Nigro\u2019s team reviews how new technologies will use company data to determine whether new controls are needed; monitors traffic flow; and evaluates emerging data protection and security technologies for potential use.<\/p>\n<p>In addition, security leaders offer other actions CISOs can take to mature their data protection strategies and programs.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/michaeleugeneaiello\/\">Mike Aiello<\/a>, a former CISO at Goldman Sachs and now a partner with AllegisCyber Capital, suggests working collaboratively with other executives to understand the likelihood and impact of data breaches, \u201cso you know what money to spend on what controls and what data to prioritize protecting as opposed to focusing on ambiguous risks.\u201d<\/p>\n<p>Make <a 
href=\"https:\/\/www.csoonline.com\/article\/518296\/what-is-iam-identity-and-access-management-explained.html\">identity and access management<\/a> a central part of your data protection strategy, Aiello advises. The ability to recognize and control who (whether human or <a href=\"https:\/\/www.csoonline.com\/article\/4109999\/agentic-ai-already-hinting-at-cybersecuritys-pending-identity-crisis.html\">machine<\/a>) is authorized to access what data is essential for preventing breaches and complying with regulations.<\/p>\n<p>Aiello also advises security leaders to have a strategy that addresses data provenance, as it ensures security teams can enforce integrity, trust, and compliance throughout the dataset\u2019s full lifecycle.<\/p>\n<p>And have a strategy for regularly evaluating emerging tools, especially those that use AI, to ensure the organization\u2019s data protection program can benefit from evolutions within the vendor space.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/jeremy-koppen-506ba733\/\">Jeremy Koppen<\/a>, CISO at Equifax, says the \u201cspotlight\u2019s getting brighter\u201d on data privacy, noting that the company had created its <a href=\"https:\/\/controlsframework.equifax.com\/home\">Security and Privacy Controls Framework<\/a> years ago to manage both. 
(Equifax made the framework <a href=\"https:\/\/investor.equifax.com\/news-events\/press-releases\/detail\/1292\/equifax-makes-security-and-privacy-controls-framework#:~:text=Equifax's%20security%20and%20privacy%20controls%20framework%20is,prevention%20*%20Crisis%20management%20*%20Physical%20security\">available to the public<\/a> in 2023.)<\/p>\n<p>The company\u2019s strategy has called for continuing evolution, which has included moving to a passwordless environment; continually tuning and refining tools to align them to the company\u2019s internal rules and control framework; focusing on automation and prioritization; and co-innovating with vendors on product and service enhancements.<\/p>\n<p>\u201cStaying ahead,\u201d Koppen says, \u201crequires a relentless focus on evolving our guardrails to protect every new way our data is being used and accessed.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Scott Kopcha witnessed what CISOs everywhere are seeing: employees eager to use artificial intelligence, whether through public models or custom AI tools, accessing company data at a breathtaking rate and volume. Kopcha already had a mature data protection strategy in place; as a law firm, his organization had a long history of safeguarding sensitive data. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7512,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7511","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7511"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7511"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7511\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7512"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7511"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}