TL;DR: Data security programs often fail because teams build isolated controls instead of a coherent strategy, and because the business treats protection as a security-only concern, according to Cyera’s DataSec 2024 conference recap. The takeaway for identity and access teams is that governance breaks when visibility, control, and ownership are not designed together.
At a glance
What this is: This is an analysis of why data security programmes stall, with the central finding that fragmented controls and weak business buy-in undermine effective protection.
Why it matters: It matters to IAM practitioners because data protection depends on who can access sensitive data, how that access is governed, and whether security, governance, and business teams share ownership.
👉 Read Cyera's analysis of why data protection programmes fail
Context
Data protection fails when organisations confuse more controls with better governance. The problem is not simply whether a DLP tool or encryption policy exists, but whether teams can see where sensitive data lives, who can access it, and how that access is used across the business.
That governance gap matters to identity programmes because access control, visibility, and accountability are inseparable. When security teams build data protection in isolation, they get isolated alerts, fragmented enforcement, and weak adoption from the people who actually use the data.
Key questions
Q: How should organisations move from reactive data security to a real data protection strategy?
A: Start by mapping sensitive data, the identities that can access it, and the business processes that depend on it. Then replace isolated controls with a shared governance model that supports approved use, auditability, and clear ownership across security, privacy, and compliance. That is how data protection becomes an enterprise strategy rather than a tool stack.
Q: Why do data security programmes fail when only the security team owns them?
A: They fail because data use is cross-functional, but the programme is not. If privacy, compliance, legal, and business teams are not co-owners, users experience the programme as friction and will work around it. Shared ownership creates accountability and gives the controls a chance to fit how data is actually used.
Q: How can security teams tell whether their data protection controls are actually working?
A: Look for two signals: whether sensitive data is discoverable and traceable across systems, and whether business teams can use it without creating workarounds. If controls generate isolated alerts but do not improve visibility or approved access, the programme is controlling noise rather than risk.
Q: What is the difference between blocking access and enabling data protection?
A: Blocking access is a narrow control objective. Enabling data protection means users can still work with sensitive information through governed, auditable paths that respect privacy, compliance, and business needs. The difference is whether security is merely denying action or shaping safe, accountable use.
Technical breakdown
Why piecemeal data controls fail to reduce risk
Piecemeal security happens when organisations add isolated controls such as DLP, encryption, or blocking rules without a unifying data protection model. The result is fragmented visibility and inconsistent enforcement, because each tool sees only part of the environment. Data security then becomes a collection of local restrictions rather than a coherent control plane for sensitive data. In identity terms, the programme can detect some access events but cannot answer the governance questions that matter: where the data is, who can reach it, and whether that access is appropriate in context.
Practical implication: map data protection controls to a shared visibility and access model instead of adding one-off enforcement layers.
How data protection differs from data security
Data security often focuses on preventing unauthorized access, while data protection adds the operational question of how the business can use data safely. That shift matters because protection is not only about blocking action. It is about making access understandable, governable, and auditable across privacy, compliance, governance, legal, and product teams. When the programme is framed only as restriction, users work around it. When it is framed as responsible enablement, the control model can support both protection and productivity.
Practical implication: design controls that support approved use cases and auditable access paths, not just denial rules.
Why data protection needs cross-functional ownership
A security-only programme fails because data governance touches multiple operational owners. Privacy teams care about lawful use, compliance teams care about auditability, and business teams care about speed and trust in data access. If those stakeholders are not co-owners, the programme looks like a set of hoops rather than an enterprise capability. In practice, this is the same lifecycle problem that appears in identity governance when access decisions are made by one group but experienced by many. Shared ownership creates the conditions for durable adoption.
Practical implication: define co-owners for data protection decisions and review them alongside identity and access processes.
Breaches seen in the wild
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Piecemeal controls create a visibility illusion, not a protection strategy. Adding DLP, encryption, and access restrictions in separate places can reduce specific risks, but it does not produce a governable view of sensitive data. The deeper failure is the absence of a unified control model that can connect discovery, access, and usage. Practitioners should treat fragmented enforcement as a design flaw, not a tuning problem.
Data protection fails when it is treated as a security function instead of an enterprise operating model. The article’s central point is that privacy, governance, compliance, legal, product, and data teams all shape the real control surface. When security owns the programme alone, business users see friction without value and route around the process. The implication is that ownership must be distributed across the people who create, approve, and consume the data.
Visibility is the named concept that separates control from guesswork. Data protection programmes do not mature by adding more blocking rules, they mature by making sensitive data discoverable, understandable, and traceable across use cases. That is the practical meaning of visibility in a governance programme: it turns scattered controls into a defensible policy layer. Practitioners should measure the quality of their data visibility before they measure the sophistication of their enforcement.
Enablement is not the opposite of control, it is the condition for durable compliance. The article correctly frames responsible use of data as part of protection, not a trade-off against it. That means programmes need to support approved access, audit readiness, and business workflows at the same time. Teams should evaluate whether their governance model helps people do their jobs securely or merely makes access harder.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
- For a broader governance lens, read NHI Lifecycle Management Guide for provisioning, rotation, and offboarding practices.
What this signals
Data protection programmes are moving toward governance models that connect discovery, access review, and business enablement rather than treating them as separate workstreams. For identity teams, that means the quality of the access model matters as much as the technology used to enforce it.
Visibility debt: when organisations can deploy controls faster than they can explain where data lives and who can use it, the programme accumulates hidden risk. That gap becomes visible in audit friction, user workarounds, and inconsistent policy enforcement across teams.
For practitioners
- Build a shared data visibility model Catalogue where sensitive data resides, which systems expose it, and which identity types can reach it so controls can be evaluated in context rather than in isolation.
- Replace control sprawl with policy-based governance Review overlapping DLP, encryption, and access restrictions, then consolidate them into a policy model that maps approved use cases to auditable access paths.
- Assign cross-functional data ownership Name privacy, compliance, legal, business, and security owners for each major data class so programme decisions are not trapped inside the security team.
- Test whether controls enable safe business use Validate whether employees can reach clean data faster, pass audits more easily, and avoid workarounds when the protection process is used as designed.
Key takeaways
- Data security programmes fail when controls are added piecemeal without a shared governance model for visibility and access.
- The strongest indicator of maturity is not how many tools are deployed, but whether security, privacy, compliance, and business teams share ownership.
- Practitioners should optimise for governed, auditable data use that supports the business, not only for blocking and alerting.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | GV.OV-01 | Governance oversight is central to a cross-functional data protection model. |
| NIST Zero Trust (SP 800-207) | PR.AA-01 | Identity-centric access decisions depend on verified, contextual access to sensitive data. |
| OWASP Non-Human Identity Top 10 | NHI-01 | The visibility and ownership gaps discussed here also apply to non-human identities reaching data. |
Inventory non-human identities that access data and review their permissions on a lifecycle basis.
Key terms
- Data Protection Strategy: A data protection strategy is the operating model for discovering sensitive data, governing access, and supporting approved use across the business. It combines security controls with ownership, auditability, and policy so protection is measured by how well data can be used safely, not just how well it can be blocked.
- Visibility: Visibility is the organisation's ability to locate sensitive data, understand who can reach it, and trace how it is used across systems. In identity programmes, visibility is the prerequisite for meaningful governance because controls cannot be trusted if the underlying access and data flows are unknown.
Deepen your knowledge
Data protection strategy, visibility, and lifecycle governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a programme that needs to connect access, ownership, and operational use, it is worth exploring.
This post draws on content published by Cyera: Tips to Build a Successful Data Security Program. Read the original.
Published by the NHIMG editorial team on 2025-06-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
