How CISOs Can Reduce Enterprise Data Risk Without Slowing the Business скачать в хорошем качестве

How CISOs Can Reduce Enterprise Data Risk Without Slowing the Business

In an era where enterprise data sprawls across cloud platforms, collaboration tools, and SaaS environments, CISOs are under constant pressure to reduce risk without becoming the department that slows everything down. That tension sits at the heart of a recent episode of the Security Strategist, where host Jonathan Care speaks with Ariel Zamir, founder and CEO of Ray Security, about what pragmatic, modern data security actually looks like. Their conversation cuts through the noise around cybersecurity tools and frameworks and focuses instead on how CISOs can think differently about enterprise data, risk management, and control. Understanding Enterprise Data Risk Starts With Reality One of the most grounded points Zamir makes is also the simplest, and that is, most enterprise data is not being used. At any given time, around 98 per cent of enterprise data sits dormant. From a data security perspective, that should immediately raise questions. Why is data that no one needs today exposed in the same way as data actively driving the business? For CISOs, this reframes the challenge. Instead of trying to secure all data equally, the priority becomes understanding which data is actually accessed, by whom, and when. This shift matters because risk does not come from volume alone, but from unnecessary exposure. Dormant data with overly broad access control is often invisible to the business, yet highly visible to attackers. By grounding cybersecurity decisions in how data is really used, security teams can reduce enterprise data risk without introducing friction for employees who are simply trying to do their jobs. Permission Hygiene, Access Control, and Dynamic Security A recurring theme in the discussion is permission hygiene. Over time, access rights accumulate. People change roles, projects end, contractors leave, but permissions rarely get cleaned up. The result is an expanding attack surface that no amount of policy documentation can realistically govern. Zamir argues that improving permission hygiene and access monitoring should come before heavy data classification initiatives. Tightening access control, understanding access patterns, and removing unnecessary permissions can dramatically reduce risk with relatively low operational impact. Crucially, this does not mean locking everything down. Dynamic controls play a key role here. Instead of blocking access by default, organisations can monitor for unusual behaviour and respond in context. Alerts, step-up verification, or temporary restrictions allow security teams to manage risk while preserving user experience. From a business perspective, this approach aligns far better with how work actually happens. This is also where agentic AI and agentless monitoring enter the picture. As autonomous systems increasingly access data on behalf of users, traditional identity-based controls struggle to keep up. Agentless approaches help close coverage gaps without requiring intrusive deployments, while agentic AI introduces new questions about accountability and oversight that CISOs can no longer ignore. Just-in-Time Classification and the Legal Implications of Automation Traditional data classification has long been treated as a foundational security activity, but the podcast challenges that assumption. Classifying vast amounts of dormant data upfront is expensive, slow, and often disconnected from real risk. Instead, Zamir advocates for just-in-time classification, applying context only when data is accessed. This approach supports more effective risk management while easing the burden on security teams. It also aligns better with regulatory expectations, where proportionality and intent increasingly matter. For more information on this, visit: https://raysecurity.io/ Takeaways Around 98 per cent of enterprise data sits idle, creating hidden security risks. Focusing on data dormancy helps prioritise protection and reduce exposure. Permission hygiene and dynamic controls reduce risk without slowing business workflows. Just-in-time classification cuts overhead by securing data only when accessed. Agentless monitoring and oversight of agentic AI improve coverage and accountability. Legal and governance frameworks must evolve to handle autonomous data access. Chapters 00:00 Introduction to Cybersecurity Challenges 01:38 Understanding Data Dormancy and Its Implications 05:10 Focusing on Critical Data for Security 08:21 The Importance of Permission Hygiene 10:53 Just-in-Time Classification for Data Security 12:28 Dynamic Controls for Business Needs 16:43 Agentless Monitoring and Coverage Gaps 19:32 Integrating Logs and APIs for Security 21:34 Future Trends in Cybersecurity #CISO #RaySecurity #SecurityStrategist #EnterpriseData #DataRisk #CloudSecurity #SaaSSecurity #PermissionHygiene #AgenticAI #cyberleadership