By NHI Mgmt Group Editorial Team | Published 2026-02-02 | Domain: Governance & Risk | Source: Cyera

TL;DR: According to Cyera, Cyber Security Tribe’s annual state of the industry report says 40% of CISO executives are prioritising data security investments in 2024, using people, process, and technology as the benchmark for planning. That shift makes data security programme design a business planning issue, not just a tooling discussion.


At a glance

What this is: A state-of-the-industry report on cybersecurity priorities, with data security emerging as a top investment area for 2024.

Why it matters: IAM, NHI, and autonomous identity programmes all depend on data visibility, control, and governance choices that should align to broader security investment priorities.



Context

Cybersecurity investment is being shaped by a simple reality: organisations cannot secure what they cannot reliably see, classify, and govern. In data security programmes, that problem shows up as discovery gaps, inconsistent policy coverage, and weak alignment between operational controls and business priorities.

This report sits in the broader governance conversation because people, process, and technology are not separate lanes. Data security decisions increasingly affect IAM, NHI, and autonomous identity controls, especially where sensitive data is distributed across SaaS, cloud, and AI-enabled workflows.


Key questions

Q: How should security teams prioritise data security investment across IAM and governance programmes?

A: Start by mapping where sensitive data is concentrated, who and what can access it, and which teams own the controls. Prioritise investments that improve discovery, reduce excessive access, and connect data governance to identity lifecycle processes. If those links are missing, tooling alone will not close the gap.

Q: Why do people, process, and technology matter together in data security planning?

A: Because data security failures usually come from misalignment between ownership, operating procedures, and tooling coverage. A strong product without clear process and accountability still leaves exposure paths open. Mature programmes use all three layers to keep classification, access, and remediation in sync.

Q: How can organisations tell whether their data security programme is actually improving?

A: Look for fewer unknown data stores, clearer ownership of sensitive datasets, faster access review completion, and measurable reductions in overexposed information. If the same high-risk data keeps appearing in audits or incidents, the programme is producing activity without control.

Q: What is the difference between securing data and securing access to data?

A: Securing data focuses on protection mechanisms such as classification, encryption, and storage controls. Securing access to data focuses on who or what can reach it, for how long, and under what justification. In practice, both are needed because exposed access can defeat strong data controls.


Technical breakdown

People, process, and technology in data security planning

This report uses the classic people, process, and technology model to benchmark cybersecurity priorities. In practice, that model matters because data security failures rarely come from a single control gap. They usually come from misaligned ownership, incomplete operational workflows, and tooling that lacks enough visibility into where sensitive data lives and who or what can reach it. For IAM teams, the relevant question is whether identity governance and data governance are being planned together or left to separate programmes that only meet during incidents.

Practical implication: review ownership boundaries between IAM, security operations, and data governance before adding more tooling.

Why data security investment is rising across security programmes

Data security has moved higher on the agenda because modern environments spread sensitive data across cloud services, SaaS applications, and increasingly AI-enabled systems. That expands the number of identity types that can touch the data, including humans, service accounts, and agent-like software. When data flows faster than governance, classification and control decisions lag behind actual usage. The result is not just exposure, but governance drift, where policy says one thing and access behaviour says another.

Practical implication: map sensitive-data paths to the identities and workloads that can access them, not just to repositories.

Benchmarking priorities against business objectives

A benchmarking report is only useful if it translates into programme decisions. Data security investment should be tied to business outcomes such as reduced exposure, faster classification, better auditability, and clearer ownership for high-risk datasets. For identity leaders, that means treating data protection as an access and lifecycle problem as much as a storage or encryption problem. The controls that matter are the ones that show whether access is still justified over time.

Practical implication: align data security roadmaps with access review, lifecycle governance, and sensitive-data discovery milestones.




NHI Mgmt Group analysis

Data security is no longer a back-office control stack; it is a governance priority that shapes identity strategy. When 40% of CISO executives prioritise investment in this area, the message is that visibility and control over data have become board-relevant questions. For IAM teams, that pushes data security out of a tooling conversation and into programme planning. The practitioner conclusion is that identity controls should be designed around where data risk concentrates, not where organisational charts place ownership.

Identity blast radius: the real problem is not just who can log in, but how far a successful identity can reach once data is exposed. That matters across human, NHI, and autonomous programmes because data access is what turns an identity into an incident path. Once sensitive information is distributed across SaaS and cloud systems, the governance challenge becomes limiting the reachable set of data, not merely issuing stronger credentials. The practitioner conclusion is that access scope and data scope must be managed together.

Data security maturity now depends on whether people, process, and technology are operating as one control system. Reports like this are useful because they expose a common failure mode: organisations invest in tools without closing the operating gaps around ownership, classification, and review. That leaves policy, detection, and remediation out of sync. The practitioner conclusion is to treat data security as an operating model problem, not a product selection problem.

Sensitive-data governance is becoming the common layer across IAM, NHI, and AI governance. The same data can be reached by human users, workload identities, and increasingly autonomous systems, so the control objective is no longer actor-specific. That shifts the programme question from which identity type is involved to whether the organisation can continuously explain and justify access. The practitioner conclusion is to build shared governance signals across identity domains instead of isolated control planes.


What this signals

Data security investment is increasingly a proxy for governance maturity. As organisations spend more on discovery and control, the differentiator will be whether that spend closes the gap between policy and actual access behaviour. Identity teams should expect tighter demand for auditability across SaaS, cloud, and emerging AI-linked data paths.

Sensitive-data visibility is becoming a shared requirement across identity programmes. The same control failures that create NHI exposure also complicate broader data governance, especially when service accounts and automation touch regulated information. Teams that connect classification, entitlement review, and ownership will be better placed to defend budget and reduce drift.


For practitioners

  • Align data security investments to identity governance priorities: Map the report's people, process, and technology themes to your current IAM, NHI, and data governance roadmap. Identify where ownership is split across teams and where access decisions are made without shared review criteria.
  • Inventory sensitive-data access paths across all identity types: Trace which human users, service accounts, and application identities can reach sensitive data in SaaS and cloud environments. Focus on the paths that bypass normal review cycles or create broad data exposure.
  • Tie classification to lifecycle controls: Use data classification outputs to drive access review, offboarding, and entitlement reduction for accounts that touch high-risk datasets. Treat stale access as a governance issue, not just a clean-up task.
  • Benchmark security spend against measurable exposure reduction: Define metrics such as fewer overexposed datasets, faster remediation of risky access, and stronger ownership for critical information assets. Use those metrics to evaluate whether data security investment is improving control outcomes.

Key takeaways

  • The report shows data security moving from a technical concern to a board-level governance priority.
  • The key management problem is not only protecting data, but aligning identity controls to where that data can be reached.
  • Security teams should use the investment signal to tighten ownership, access review, and lifecycle governance across all identity types.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | GV.OC-02 | Data security priorities should align to organisational risk and business objectives. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Identity-controlled access to data is central to zero trust enforcement. |
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI access to sensitive data raises lifecycle and exposure management issues. |

Review non-human access paths to sensitive data and remove standing access where it is not justified.


Key terms

  • Data Security Posture Management: Data Security Posture Management is the practice of discovering, classifying, and reducing risk around sensitive data across cloud and SaaS environments. It connects visibility, policy, and response so teams can see where data lives, who can access it, and whether that access is justified.
  • Identity Blast Radius: Identity blast radius is the amount of data, systems, or business process an identity can reach if it is misused or compromised. It is a practical governance measure, not just a threat concept, because it shows how far a single access path can extend across human, NHI, and autonomous identities.
  • Sensitive Data Access Path: A sensitive data access path is the route by which an identity or workload reaches protected information through applications, APIs, or storage systems. The path matters as much as the data itself because weak lifecycle governance or over-broad permissions can expose records even when storage controls are intact.


This post draws on content published by Cyera: Cyber Security Tribe’s Annual State of the Industry Report.
