As in previous years, the first quarter is the time for prognostications. Publications and social media are flooded with articles discussing 2017 security predictions, trends and priorities. They range from the obvious to the obscure.
Although I find these articles interesting and entertaining, I would love to see score cards from year to year on who got what right!
My domain is data security and privacy, so rather than focus on 2017 predictions, I will focus on what can help achieve data security  in 2017.
Rather than predicting what may or may not happen, let’s look at what organizations can consider the key performance indicators (KPIs) of their data-security efforts. My suggested KPIs reflect current challenges, upcoming legislative requirements and recommendations to help organizations protect their legacy and their transformative cloud and big data initiatives.
So here we go. The three KPIs that could help most organizations create a more secure, breach-resilient and lower-data-Risk infrastructure are the following.
Sensitive data location and Risk. It may seem obvious that organizations should have a current and accurate inventory of sensitive data. In a 2016 study  conducted by Ponemon Institute , Scale Ventures  and Informatica , however, only 12 percent of organizations said they knew where all their sensitive data existed across the enterprise.
So, the first data-security KPI for 2017 is understanding where sensitive data exists, continuously, to improve the prioritization and effectiveness of security programs and investments.Most organizations have a long way to go. In the survey mentioned above, only 12 percent reported they did at least monthly assessments of sensitive-data location and risk.
Additionally, 54 percent of organizations reported they had no set schedule for assessing sensitive-data risk. How much is your data growing? If we accept that data is doubling every 18 months, then each month data grows approximately 4 percent. If you have one million sensitive records, you can extrapolate 40,000 new sensitive records per month (compounded of course). Most organizations have high sensitive-data-record counts.
General Data Protection Regulation (GDPR) risk. This may be the year for GDPR compliance; with May 2018 getting closer, many organizations are working on ensuring they meet standards, but much more is needed to understand potential gaps .
Number two on our data-security KPI list is to evaluate GDPR risk with relevant factors that will help prioritize GDPR efforts and actions. Risk factors include location, protection, cost, user access and activity, data movement, and data volume.
The risk scoring should be tuned to organizational GDPR policies; the key is automation of the data-risk scoring process for a continuous and accurate view of your GDPR risk scores.
An alternative focus would be HIPAA regulated data. In 2016, the U.S. government issued several HIPAA fines exceeding two million dollars. Enforcement for 2017 and beyond is likely to grow—as will the severity of the fines. Details of the Office of Civil Rights (OCR) enforcement activities are here , including information on cases, settlements and fines.
Detect and protect. To help improve breach resistance and recovery, organizations should strive to automate the detection of high-risk data access or movement—and the orchestration of remediation. In other words, continuously assess sensitive data location and risk, access activity, movement, and user behavior, and couple that assessment with automatic remediation.
