Cybersecurity is crossing a threshold. What was once managed mainly through tools and controls now depends just as much on how data is collected, analyzed, shared, and governed. Security teams rely on signals, patterns, and context drawn from large volumes of information to detect threats and respond in real time. That growing dependence is prompting organizations to confront a harder question: How do you govern security when it relies on data that was never originally designed for this purpose?
In this episode of #shifthappens, Bojana Bellamy, President of the Centre for Information Policy Leadership (CIPL), explores how this shift is reshaping the relationship between cybersecurity, privacy, and governance. The discussion moves beyond compliance checklists to examine how organizations are adjusting decision‑making structures as security becomes increasingly intertwined with data use, sharing, and accountability. She also draws on CIPL’s ongoing work in the European Union, where new cybersecurity regulations are forcing organizations to confront these tensions directly.
Editor's Note: This kicks off a series of podcasts in which security leaders and practitioners tackle the toughest topics in information security, with guest co-host Dana Simberkoff, AvePoint Chief Risk, Privacy and Information Security Officer.
What emerges from the conversation is a clear shift in emphasis: Modern security no longer begins solely with technology. It increasingly starts with deliberate, leadership‑level decisions about data.
Security’s Dependence on Data Is No Longer Optional
Today’s cybersecurity environment is built on observation. To identify anomalies, trace attacks, and anticipate emerging threats, security teams collect and analyze large numbers of signals — often spanning borders, systems, vendors, and time. As Bojana explains, “Cyber needs brilliant data, and it needs data to be able to deliver its mission.”
This operating reality introduces a persistent tension. Much of the data that strengthens security programs is personal, sensitive, and subject to regulation. Modern threat detection relies on inference, monitoring, and correlation. These are approaches that can strain long‑standing privacy principles such as data minimization, purpose limitation, and transparency.
Treating this tension as a temporary or exceptional issue does not resolve it. At CIPL, this challenge is now the focus of a dedicated project examining how data protection and cybersecurity intersect under Europe’s expanding regulatory landscape. When privacy and cybersecurity remain separate domains, the gap widens between how security functions in practice and how governance frameworks were originally structured. Organizations adapting more effectively are increasingly those that recognize this mismatch and revisit how security and data governance decisions are made, rather than attempting to manage the tension through isolated controls.
Treat Data as Security Infrastructure
Security programs already rely on data as heavily as they rely on networks or endpoints. Yet, data is often governed indirectly through fragmented policies, overlapping ownership, and inherited practices rather than explicit security decisions. Choices about what data can be collected, how long it is retained, who can access it, and where it can be shared are frequently distributed across teams and systems without a single point of accountability.
Bojana’s takeaway is straightforward: If data underpins security, it should be treated as security infrastructure.
CIPL’s project examines how organizations can consider cybersecurity, safety, and privacy together, rather than treating them as separate compliance exercises. For leadership teams, this means clearly defining what data security teams are authorized to collect, analyze, and share, and for what purpose.
It also requires recognizing that collecting more data is not inherently reckless when that collection is governed with clarity and proportionality. In practice, overly rigid or poorly aligned data restrictions can weaken security by limiting visibility across systems and time, making it harder to detect and respond to real threats.
Underscoring the connection between these disciplines, she says, “You can simply not have privacy unless you have robust data security.” When data decisions are made deliberately rather than by default, privacy and security reinforce each other rather than operate in tension.
Align Privacy and Cybersecurity Around Data
Many organizations still organize privacy and cybersecurity as parallel functions that engage most closely during incidents, audits, or regulatory reviews. The conversation highlights why this structure is increasingly difficult to sustain.
Security teams now depend on continuous monitoring, behavioral analysis, and cross‑organizational data sharing. Privacy teams, in turn, are responsible for ensuring that these activities remain proportionate, lawful, and accountable. When these perspectives converge late in the process, or not at all, necessary tradeoffs can quickly become friction points.
CIPL’s work highlights how regulations such as the NIS2 Directive and the Digital Operational Resilience Act (DORA) accelerate this convergence, forcing privacy and cybersecurity teams to engage in shared conversations earlier in the lifecycle. Aligning privacy and cybersecurity around data means bringing both disciplines into the same planning and risk‑definition discussions at the point where data use is determined.
Which signals are genuinely required to detect threats? What personal data is essential, and what is not? How is that data protected, communicated, and governed over time? Without this shared context, organizations risk either collecting data without sufficient guardrails or limiting data in ways that weaken threat detection.
Build Shared Accountability Across Teams
As regulatory requirements continue to expand across cybersecurity, privacy, AI, and sector‑specific resilience, many organizations respond by adding assessments, documentation, and processes. The result is often overlapping requirements and effort, without a corresponding increase in insight.
One of Bojana’s strongest insights is the value of integrated accountability. Rather than running separate privacy impact assessments, cyber risk assessments, and AI‑specific evaluations, organizations can move toward shared risk models that assess benefits and risks together.
This approach aligns with CIPL’s accountability‑based frameworks, which are being extended beyond privacy to support cybersecurity and digital compliance initiatives under EU law. Elements such as leadership oversight, risk assessment, transparency, training, and verification already exist within many privacy programs. Extending these structures across cybersecurity and AI can reduce duplication while improving consistency.
This shift also reshapes leadership roles. As Bojana observes, “I’m afraid some privacy officers, they see their role as saying no, but that has to change.” A similar reframing applies to security leaders whose responsibilities have traditionally been defined in defensive terms. Shared accountability positions both functions as enablers of responsible progress.
From Siloed Controls to Leadership‑Led Governance
Taken together, the discussion points to a broader change in where security decisions now sit. Cybersecurity is no longer something organizations can manage purely through technical implementation or isolated programs. As security becomes more dependent on data – across systems, functions, and jurisdictions – the most consequential decisions move upstream.
This dynamic is accelerating as AI and agentic systems expand what security teams can observe and automate. Because these systems depend on broad data access and faster decision‑making, they often outpace existing governance models. They may strengthen defense, but they also expose gaps in how data‑driven security decisions are managed — an area CIPL’s work is examining as new regulatory frameworks take shape.
Organizations better positioned for what comes next are those building coherence rather than coverage. They treat data as foundational to security, align teams where data decisions are made, and replace fragmented oversight with shared accountability. Modern security does not begin with control. It begins with a leadership choice to govern data deliberately — establishing trust and resilience as operating conditions the organization can sustain as risks continue to evolve.