
Data protection strategy gaps: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Data security programs often fail because teams build isolated controls instead of a coherent strategy, and because the business treats protection as a security-only concern, according to Cyera’s DataSec 2024 conference recap. The takeaway for identity and access teams is that governance breaks when visibility, control, and ownership are not designed together.

NHIMG editorial — based on content published by Cyera: Tips to Build a Successful Data Security Program

Questions worth separating out

Q: How should organisations move from reactive data security to a real data protection strategy?

A: Start by mapping sensitive data, the identities that can access it, and the business processes that depend on it.

Q: Why do data security programmes fail when only the security team owns them?

A: They fail because data use is cross-functional, but the programme is not.

Q: How can security teams tell whether their data protection controls are actually working?

A: Look for two signals: whether sensitive data is discoverable and traceable across systems, and whether business teams can use it without creating workarounds.

Practitioner guidance

  • Build a shared data visibility model: Catalogue where sensitive data resides, which systems expose it, and which identity types can reach it, so controls can be evaluated in context rather than in isolation.
  • Replace control sprawl with policy-based governance: Review overlapping DLP, encryption, and access restrictions, then consolidate them into a policy model that maps approved use cases to auditable access paths.
  • Assign cross-functional data ownership: Name privacy, compliance, legal, business, and security owners for each major data class so programme decisions are not trapped inside the security team.

What's in the full article

Cyera's full blog covers the practical detail this post intentionally leaves for the source:

  • Yabing Wang's conference framing on why data protection must move beyond isolated controls
  • The specific ways security teams and business stakeholders can co-own a data protection programme
  • The article's examples of how better visibility supports cleaner audits and safer access decisions
  • The conference context around DataSec 2024 and the original takeaways from the session

👉 Read Cyera's analysis of why data protection programmes fail →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Piecemeal controls create a visibility illusion, not a protection strategy. Adding DLP, encryption, and access restrictions in separate places can reduce specific risks, but it does not produce a governable view of sensitive data. The deeper failure is the absence of a unified control model that can connect discovery, access, and usage. Practitioners should treat fragmented enforcement as a design flaw, not a tuning problem.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.

A question worth separating out:

Q: What is the difference between blocking access and enabling data protection?

A: Blocking access is a narrow control objective. Enabling data protection means users can still work with sensitive information through governed, auditable paths that respect privacy, compliance, and business needs. The difference is whether security is merely denying action or shaping safe, accountable use.

👉 Read our full editorial: Data protection programs fail when visibility and buy-in lag



   