Published on: Jan 19, 2023
A seminal report conducted by Eureka Security in conjunction with the Venture Advisory Board of YL Ventures serves as a wake-up call for data security leaders and practitioners. Leading global CISOs in companies spanning various sizes and industries were surveyed on their data security practices. More than 20% of those polled classified upwards of 50% of their data as sensitive and almost 40% reported they experienced a data breach.
Data breaches continue to be one of the leading cyberattack vectors of the past several years. Aimed at CISOs, security practitioners, business executives and decision-makers, the report’s insights will serve to augment their understanding of how critical data is presently managed, controlled and secured within cloud environments – and more important – how it should be.
“There are real-world financial, reputational and logistical consequences to data breaches,” said Liat Hayun, co-founder and CEO of Eureka Security. “Forty percent of companies have experienced a data breach. This is an unsettling figure that screams to the urgency of prioritizing data security as a leading and critical concern.”
Ensuring that data can be easily discovered, classified and secured using guardrails and regulations is a crucial cornerstone of a sound data security strategy. Data is increasingly being used by various teams and users within companies, which, in turn, makes its attack surface grow rapidly.
While data was once commonly segregated within on-prem infrastructure, its presence and growth in the cloud have greatly increased the risk of breaches and theft. Using only one cloud provider has proven to be limiting for business, so companies are rapidly shifting towards a multi-cloud approach, making things even more challenging for security professionals. All of this makes the survey’s outcomes even more alarming – 22% of survey respondents stated that more than half of their data can be classified as sensitive – but 20% of them do not know where this sensitive data is stored within their company.
The data breaches of 2022 have shown that access is the key target for attackers as they search for a ‘way in.’ “We were pleased to learn that most CISOs do employ tools and methodologies for limiting access – 51% use network policies and 92% use dedicated groups,” said Hayun. “But these surface-level legacy tools are not specific to data security and leave companies at risk of compliance breaches.” Only 30% of CISOs surveyed shared that they use advanced controls to limit and secure access to sensitive data.
Implementation of controls and other critical data security processes including identification and classification (only 20% of CISOs indicated that they have a robust data classification process in place), across numerous teams and users, is another significant challenge for CISOs. Eighty percent of CISOs surveyed shared that more than one team within their company is responsible for enforcing data security controls, and 50% of them indicated that this responsibility is split between three or more teams including security, privacy, compliance, DevOps, engineering, CTO, SRE (Site Reliability Engineering) and others. Without clear ownership and specific expertise, enforcement of data security policies will become even more difficult to oversee or manage.
Accordingly, access management was the top CISO data security pain point (57%) and the top area they plan to invest their resources in over the next three years. Furthermore, 51% of CISOs stated that visibility, monitoring and alert fatigue are also of increasing importance in their strategy, most probably due to the myriad of point solutions and the lack of comprehensive visibility into the company’s security program. Data classification was the third future data security priority that CISOs chose, with 43% of them indicating that current data classification solutions – manual, partial and selective – are insufficient and require a new approach.
The data analyzed and presented in this report should serve security leaders and practitioners, as they strive to make data security a company priority. It is clear from the data that CISOs must contend with gaps, legacy processes and slow discovery times in current data security practices, and these insights can assist them in enhancing their approach to data security and implementing stronger, more streamlined measures to safeguard their companies’ assets against potential breaches.