Data security has the distinction of being both a high priority and an initiative that organizations struggle to address. Why? Data security today is overhyped and undefined.

Here are two examples that illustrate what I mean:

  • Any cybersecurity technology’s value can be tied to data security, but that doesn’t make it a data security control. Much like how compliance is not equivalent to security, data security as an outcome is different from data security as a technology control — a control that is applied directly to data, or a data-centric security control.
  • The meaning of “data” is not universal, and the term “data security” can describe very different controls. Consider an offering that enables secure collaboration on files with rights management and file encryption capabilities. Contrast that with another offering that enables compliance with database encryption and data masking functionality. The data-centric security controls and approaches to data security in each case are very different.

These are just two out of many factors that I have highlighted in my recent research and commonly point to in my discussions with security leaders about why data security is so nebulous.

Next Steps Toward A New Data Security Approach

To advance Zero Trust data security, we must first recognize that it is not solely a security-focused initiative. Zero Trust data security requires tight alignment between data security and data management in order to build and embed data security controls and processes into data lifecycle management. Data leaders and stakeholders are at the forefront of their organization’s vision and roadmap for data use. As such, chief data officers will and must have a seat at the security table to provide their input, to reduce the friction surrounding data use, and to leap forward in innovation.

How data security was handled traditionally will not serve your organization going forward. The scope of data we need to protect and the types of data risks we must address have changed and continue to evolve. Technology capabilities to help us define our data through data classification are changing rapidly. The scope of data-centric controls available to choose from has also expanded. While data loss prevention and encryption are core controls for data, they are not your only options. Meanwhile, emerging data risks from quantum computing and AI systems will also change the capabilities and controls that we need from data security technologies.

Planning for post-quantum security and migration efforts to post-quantum cryptography is one pressing catalyst for advancing your data security program now. There are also other new stakeholders that you must pull together to advance your data security program, including your AI committee, to ensure proper governance and compliance. This is especially relevant as organizations encounter generative AI functionality in the tools that they use, as well as push for greater use of AI systems for competitive advantage.

Learn More At Security & Risk Summit

The time is now to reimagine and pioneer your new data security strategy. Join me at Forrester’s Security & Risk Summit on December 9–11 in Baltimore, where I will present a keynote entitled “Data Security Reborn: Pioneering Strategies For AI And Post-Quantum.” During the keynote, I’ll unpack what elements of your strategy can remain the same and what aspects require a different approach to advance your data security program for the future. I’ll also be copresenting a session in the Prevention, Detection, & Response track with my colleague Joseph Blankenship focusing on insider risk management. Be sure to check out the agenda to get more details and learn how to register for the event.