July 10, 2025

Cybersecurity and Leadership: Interview with Glen Day, Former Chief Privacy Officer of Los Angeles County

My conversation with Glen Day, founder and CEO of NVISIONx and former Chief Privacy Officer for Los Angeles County

Adam Mendler

I recently went one-on-one with Glen Day, founder and CEO of the data risk intelligence platform NVISIONx. Glen was the first-ever Chief Privacy Officer for Los Angeles County and has served in senior leadership roles for the cybersecurity practices for Booz Allen Hamilton and EY.

Adam: What should leaders know about cybersecurity?

Glen: They need to understand that cybersecurity is not just a compliance requirement. It is a strategic function designed to protect their most valuable data assets. While risk management and regulatory obligations are important, the real focus should be on securing the information that fuels their competitive advantage. For many organizations, that means intellectual property. These are the assets that can drive billions in revenue and define the company’s future. If they’re not properly protected, the business may not survive. Data is often compared to oil or gold because it powers innovation, builds brand identity, and creates market differentiation. If a company fails to protect the information that makes it unique, it shouldn’t be surprised if it ends up competing against its own stolen ideas or losing its place in the market entirely.

Adam: What are the best cybersecurity practices that leaders should follow?

Glen: It’s interesting that even the top cybersecurity frameworks, whether NIST or ISO, all come down to one thing: the value of the asset. These are federal standards that define the minimum controls and the level of effectiveness expected. At the core, it’s a business decision. Should you protect your most valuable data the same way you protect the least valuable data? It wouldn’t make sense. It creates inefficiencies, adds unnecessary cost, and becomes nearly impossible to manage.

First: treat your data like an asset. Not just a file or an obscure dataset. That file is a business record created for a specific purpose. That purpose tells you how long to keep it, who should have access, how it should be protected, and when it should be deleted. Most data, whether people want to admit it or not, needs to die at some point.

The real issue is keeping everything forever. That is how data hoarding starts. Then, when you need something important, you can’t find it because it’s buried under everything else. It becomes harder to identify what really matters and even harder to act on it.

However, if you treat data like another business asset, the picture gets clearer. If you do not, no one takes ownership.

Adam: How do you determine the value of the data that you possess?

Glen: It usually comes down to who owns the data and who owns the record. Who is going to make the most noise if something goes wrong? Who will not care at all? It’s typically the people who collect or process the data who can tell you what kind of record it is, not what file it is. That is one of the biggest fallacies, Adam. Too much of this has been dumped on cybersecurity teams.

How are cybersecurity teams supposed to know how to value someone else’s data? They do not have the background. They do not have the experience. They can say they found a Social Security number, a credit card, or a bank account. What they’re saying is more like, “Look at my shiny little nickel.”

The real question is, whose credit card is it? Is it tied to an employee, a customer, a third party, or a board member? Each one of those scenarios carries a completely different level of value. Everyone agrees it is sensitive. Everyone agrees it is confidential. But the next set of questions is, what should we do with it? Who should have access? Who should never have access? How long should we keep it?

These are the kinds of questions that, until recently, were almost always ignored. Especially before modern privacy laws came into play. Take one of the most basic laws: the right to be forgotten. That alone has changed the landscape. Why? For years, the easy answer was to just buy more storage, keep everything forever, and deal with it later.

Now regulators are taking a different stance. If you hold personal data even one day beyond its retention period, and there is no legal reason to keep it, you have lost the authority to retain it. You have also lost the consent that gave you permission to hold it in the first place.

What they are seeing now are breaches where customers are asking, “Why was my data even there?” It’s like someone saying, “I stopped using that phone company 15 years ago. Why is my data showing up in this breach notice?”

That is the issue: Over-retention. It’s failing to treat data like an asset and avoiding the involvement of the business. Cybersecurity teams are overwhelmed. They do not have the tools or the methodology, and they were never meant to solve this on behalf of the business. Until the business steps in, this problem is going to continue.

Adam: That last point is a particularly interesting point, as leaders may not have the subject matter expertise in cybersecurity, but understand that security is important, and might be wondering, “How can I foster a culture of security?” And it sounds like the first point is treating security as a global issue: not just siloing security to your cybersecurity team, but taking ownership as a leader and really integrating and incorporating cyber into what you are doing as a leader.

Glen: I appreciate that, Adam, and here is how I look at it. First, this needs to be treated as a data governance issue. Cybersecurity and data governance are a team sport. Every player has a role. If someone does not play their role, the whole team is at risk, and we are not going to win.

But the game is not about avoiding headlines. That kind of fear has lost its power. Most people are numb to breach news. The real game is whether we can protect what matters most so we can stand out in the market and generate the most value for the company, the shareholders, and the engineers who built the product.

Do we get rewarded for what we created, or does someone else steal it two weeks later, slap their name on it, and walk away with all the value we worked so hard to build?

From my view, there are three or four primary groups that make up this team. The first starts with the business. It’s their data. Only they can reliably distinguish one business record from another, especially when the data does not include obvious privacy attributes like a credit card or a Social Security number.

I doubt they would be okay with an employment agreement, board minutes, or intellectual property leaking out into the public domain. None of those are tightly regulated, but all of them could cause real damage.

If you empower the business to govern their own data in a complete and accurate way, and you do it in a way that does not feel like a burden, you have a real shot at success. They need tools that are powerful and scalable across a large enterprise, yet simple enough to let every data owner be their own business analyst.

If they can tell you what something is and account for it, cybersecurity teams only need to focus on what matters. They do not care about low-value or non-sensitive data. Just tell them what is sensitive, tell them why, and then tell them who should or should not have access.

That kind of business input lets cyber teams apply their intelligence in minutes. They can take the right actions with confidence and speed.

Then there is the group that includes legal and records management. Their job is to help stop data hoarding. This is important because when someone hoards data, it’s harder to find what they need when they need it. A compliance burden becomes much heavier than it should be because they’ve kept everything.

And let us not forget the cost. Storage costs double just about every two years. That is the cost of hoarding digital data. It has to live somewhere. If you never let data die, it is going to haunt you.

Eventually, that data will come back and say, “You ignored me for too long, and now this is going to be expensive until you finally take accountability and let me go.”

Adam: What framework would you provide to leaders to determine what data to let die and when?

Glen: That is a really good question, and I think that is part of the problem. There really are not well-defined data governance frameworks. I’m not talking about cybersecurity frameworks. The last thing a cybersecurity team wants is to be held accountable for managing business data. That is not their responsibility, and it is outside of their scope. However, they benefit from proper governance because it reduces the attack surface.

From my experience, this gap has existed throughout my entire career. I served as a Naval officer focused on information warfare, held executive consulting roles at Booz Allen, Accenture, and Ernst and Young, and also served as the Chief Privacy Officer for Los Angeles County – one of the largest healthcare jurisdictions in the world. L.A. County alone is bigger than most states. In that role, I had to understand the full complexity of data governance.

There are some frameworks out there—the eDiscovery framework, like EDRM, the Records Management model from ARMA, and a handful of others. None of them are complete. They each focus on a specific part of the problem. None provide full-spectrum governance from cradle to grave. That is what we built in my company. We call it the Data Risk Playbook.

There are seven phases in the playbook. The first three are owned by the business. It starts with inventorying the data, not discovering it. When you discover, you miss a lot. The concept of dark data proves it. This is the data people know exists but do not understand. If I do not know what I am looking for, I will never be able to find it. If I inventory every file in every folder, across every device, I can get it accounted for.

Phase two is contextual classification. That word matters. Cyber teams are still relying on legacy methods. They scan for a Social Security number or a credit card. That’s not enough. A Social Security number might show up in fifteen different record types. Without context, I cannot make informed decisions. The business owns the context. They can quickly tell you what the record is, what it is used for, and why it matters.

Phase three begins the crossover between business and IT. This is where we start looking at access rights, directory services, and control lists. Who has access to legal records? It should be everyone in legal, and maybe a few others. That is how you start mapping security to real-world roles.

Once that foundation is set, cybersecurity teams are now able to act. They can apply protection controls, monitor the right data, and enforce policies without disrupting the business. If something leaks or if there is ransomware, they know exactly what was impacted, what it means to the business, and how to respond.

The final phases are retention and purge. Retain what you are required to, based on regulations. Tax records must be kept for seven years. Now, for personal data, you must delete it once that period ends. Not at least seven years. No more than seven. The last step is to purge or archive. Let the data go. Take it out of business view. Reduce your footprint. Eliminate clutter.

That is how we look at it. Full spectrum. Everything is accounted for. Everything is treated appropriately, and there is a true lifecycle.

Adam: What cyber threats should leaders especially be aware of, and what steps should they take to protect against them?

Glen: Honestly, the biggest cyber threat is complacency. Digital threats, insider threats, all of it is constantly evolving. It always comes back to the same core question: “Is this tied to sensitive data?” If it’s not, I should not care if someone walks out with an outdated HR policy. No harm. No foul. No impact.

The real focus needs to be on what matters most. If you can do that, you have a much better chance at defending against insider threats, ransomware, and everything in between. Ransomware is still very active. With AI, the threat landscape is getting more complex. These tools are producing threat profiles we have never seen before. That means attacks are going to become harder to detect.

Here’s the good news: If you apply the right controls around your most critical data, you give yourself a real shot at staying safe and staying compliant. It starts with access controls. That is always the first line of defense. You confirm who someone is and whether the access they have is both appropriate and authorized.

Adam, what we often see, especially when working with banks or healthcare systems to classify their data, is that they quickly realize they are not compliant. A common example is an employee saying, “I did not know that was a patient’s health record. I just gave someone access because they asked for help. I thought I was doing the right thing.”

That is how unintentional breaches happen. It is not malicious. It is just someone trying to be helpful. Bad actors are not making these innocent mistakes. They are intentional. That is why access controls alone will not cut it.

You need data loss prevention (DLP). DLP ensures that sensitive information only flows between approved endpoints. It monitors, permits, or blocks data transfers based on policy. Even when someone has access, DLP steps in to prevent a mistake from turning into a breach. It is the safety net.

Additionally, you need strong threat management and encryption. The good news is these controls work when they are configured the right way. The real issue is most organizations lack the business intelligence to do that well. Without the right context, without insight into what the data actually is, these tools cannot be tuned to reduce risk effectively. That is what leaves companies exposed.

Adam: Do you have any other tips for leaders to follow or pitfalls for leaders to avoid?

Glen: What is making this even more challenging is the growing pressure for businesses to truly understand their data. That pressure is being driven by generative AI. Tools like ChatGPT and Copilot are no longer just experiments. They are becoming strategic platforms. Companies want to feed legacy data into these systems to unlock intelligence, whether that means designing better products, writing better code, accelerating financial analysis, or building entirely new business models.

The problem is that most organizations have not been treating their data as structured and managed records. Now they are scrambling to sift through disorganized files, trying to figure out what can safely and effectively be used in these AI engines.

Once again, if your data house is not in order, both from a risk and compliance standpoint and a value creation perspective, you are going to fall behind. Competitors that have clean, classified, and well-governed data will move faster. They will move smarter and they will move more securely.


Adam Mendler is a nationally recognized authority on leadership and is the creator and host of Thirty Minute Mentors, where he regularly elicits insights from America's top CEOs, founders, athletes, celebrities, and political and military leaders. Adam draws upon his unique background and lessons learned from time spent with America’s top leaders in delivering perspective-shifting insights as a keynote speaker to businesses, universities, and non-profit organizations. A Los Angeles native and lifelong Angels fan, Adam teaches graduate-level courses on leadership at UCLA and is an advisor to numerous companies and leaders.
