How all data security companies fail

Is it a feature, product, or platform?

Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

Photo by Luke Chesser on Unsplash

I’ve written in the past about how specific companies, such as Wiz, Vanta, Snyk, etc. fail. I’ve also talked about how categories of products, such as email security, are difficult. In this newsletter, I’m trying something different. I’m going to discuss how a category of security products might fail. I’ll bring up specific companies but won’t discuss them in too much detail. The format will be a bit different since it doesn’t involve a specific company, but I will provide my broader thoughts/frameworks on how I’m thinking about this space.

What is data security?

Honestly, I don’t know if anyone has a good answer here. Traditionally, independent data security products have been focused on data loss prevention (DLP). DLP security detects sensitive data loss through breaches and exfiltration. However, before the cloud, this was much easier. With on-premise data centers and self-hosted applications, an organization can easily monitor its data flows. Monitoring its network perimeter and endpoints was sufficient. In essence, this was possible because the data was “centralized.”

However, today’s reality is more complicated. Data is highly decentralized. We have SaaS applications, multiple clouds, different types of endpoints, etc. On top of that, there’s no static perimeter to monitor. As a result, traditional DLP won’t work.

Another issue is that the organization doesn’t have control over how data is managed or used in a SaaS application. In other words, there’s no way for an organization to manage DLP for a SaaS application. Of course, the application itself can offer this as a feature, but if it doesn’t and it’s a critical application, there’s not much the security team can do about it. Even if they offer DLP as a feature, the security team has no control over how it’s implemented.

The problem still remains that there is sensitive data in various parts of an organization’s stack. How do we secure it? Also, is data security a platform, product, or feature?

With the cloud, data security is no longer a platform.