One thing I see, no matter where I land, is that information security and data privacy are driven by culture.
In over a decade working for the US Navy, the culture was expectedly one of security consciousness. Our government has many enemies; the threat to national security is very tangible. Data protection, in that environment, is a kind of obvious tenet.
Having left DoD and re-entered the private sector, I have found a real dichotomy between organizations bound by ubiquitous regulatory requirements – FIPS, PCI, HIPAA, SOX – and those who are not.
Call regulatory requirements what you will, but in the end, they are a guiding structure that influences a culture of information security awareness for the better. The notion of compliance drives business decisions, and typically, it drives good decision making. If nothing else, even if it drives bad decision making, the organization does have an awareness – there is no ignorance on the topic of information security, let’s say.
But those organizations not clearly bound by such regulations or industry standards, I have found, tend to flounder when it comes to decisions surrounding data protection. Choices can be made by semi-informed individuals and committees, often making dangerous assumptions along the way. Many, many organizations experience this, spanning all sizes and representing the entire spectrum of measurable success. An information security knowledge gap quietly dilates here, into which sensitive competitive data, customer records, PII, and every other kind of sensitive information falls, awaiting third-party exploitation, insider exfiltration, and inevitable future liability.