Security teams entering 2026 face a familiar truth dressed in new clothes. The technologies change, the tools get smarter, but most compromises still trace back to two core areas of any organization: identity and data. Securing them with separate programs is an invitation to gaps and blind spots. Treating them as the two columns that support the whole security architecture makes resilience practical and achievable.
This article explains why identity and data must be managed together, highlights the most common operational pitfalls, and offers a practical roadmap that teams can apply without overwhelming the business.
Why Two Columns, Not Two Projects
Nearly every real-world breach involves either identity abuse or data exposure; in most cases, it’s both. Attackers phish credentials, escalate privileges, or exploit over-permissioned service accounts to reach valuable information. Sometimes the initial vulnerability is technical, but the impact travels through identity and ends at data. That pattern makes identity and data the logical pillars of defensive strategy.
This point is operational, not academic. If identity controls are weak, detection tools will drown in false positives while attackers move laterally. If data is unmanaged, even careful access controls can fail to prevent exfiltration or misuse. The goal is to reduce the blast radius when something goes wrong. Strong identity and well-governed data do that together.
Where Organizations Often Struggle
Several predictable pitfalls hinder progress and tend to appear across industries and regions.
- Trying to transform everything at once. Organizations frequently attempt broad, company-wide identity or data initiatives that stall under their own weight. The better approach is to start small. Pick a department, a business process, or a group of privileged accounts, solve for that scope, then scale what works.
- Classifying data without enforcing controls. Many organizations enthusiastically label data as confidential or sensitive but fail to connect those labels to retention rules, access restrictions, or monitoring. Classification without an attached action has limited security value.
- Over-permissioned identities. One of the most common findings in breach forensics is the presence of unused or overly broad access rights. Examples include marketing users with access to financial records, vendors with lingering permissions, and temporary workers whose access is kept alive permanently. These scenarios enlarge the attack surface and complicate detection.
- Not understanding how the business actually works. Security programs fail when they are based on assumptions instead of business-driven realities. If security teams do not understand how employees use data day-to-day, they will design controls that either break operations or get bypassed.
A Practical Four-Step Playbook
The following four steps suggest a simple path from chaos to control. Each step is deliberately operational and short enough to start bringing the right balance into an organization’s data and identity security in weeks, not years.
1. Map Critical Processes and Owners.
Identify the processes that rely on sensitive or regulated data. Document who owns them, which teams operate them, and which identities have access. This is not just a technical exercise; involving process owners and business leaders ensures accuracy and buy-in. It also forces clarity: if no one can define how a process works, securing it becomes a matter of guesswork.
2. Classify and Locate Data with Purpose.
Classification works only when it drives decisions. Start with a small number of categories that map to real obligations and risks: internal, sensitive, regulated, high-value. For each category, define specific actions related to access requirements, monitoring thresholds, retention, and encryption.
Use automated discovery where possible to locate forgotten data sets, shadow storage, and cloned environments. Reducing unnecessary stored data immediately reduces the potential impact of theft or misuse.
3. Govern Access Through Least Privilege and Just-In-Time Controls.
Identity security should focus on fit-for-purpose access. Apply role-based or attribute-based controls where stable roles exist, and use just-in-time access for administrative or sensitive operations.
Regularly review accounts with elevated privileges and require justification for keeping them. Pay attention to vendors, contractors, and service accounts. These identities are often left unattended and become easy entry points for attackers.
4. Protect and Monitor What Matters Most.
Encrypt sensitive data in transit and at rest. Enable immutable logging. Establish monitoring for things that represent real risk: unusual access patterns, large transfers of sensitive data, and privilege escalation. Monitoring should be tied to a business context. Alerts that cannot be interpreted or acted upon quickly only add noise. Focus on signals that directly indicate risk to the processes and data previously identified.
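The access review from step 3, as an added example that is not part of the original article: a Python script that flags the over-permissioned patterns listed earlier (unused grants, external identities past or without an end date, privileged access without justification). The grant inventory, field names and idle-day limits are constructed assumptions.

```python
from collections import namedtuple
from datetime import date

Grant = namedtuple("Grant", "identity kind resource label privileged last_used expires justification")

# Assumed idle limits (days) per data category named in step 2; tune to your own policy.
MAX_IDLE_DAYS = {"internal": 180, "sensitive": 90, "regulated": 30, "high-value": 30}

def review_grant(g, today):
    """Return the reasons this grant should be challenged or revoked."""
    reasons = []
    if g.expires is not None and g.expires < today:
        reasons.append("past end date")
    if g.kind in ("vendor", "contractor") and g.expires is None:
        reasons.append("external identity without end date")
    if g.last_used is None or (today - g.last_used).days > MAX_IDLE_DAYS[g.label]:
        reasons.append("unused")
    if g.privileged and not g.justification.strip():
        reasons.append("privileged without justification")
    return reasons

def review(grants, today):
    """Map (identity, resource) -> reasons, for flagged grants only."""
    findings = {}
    for g in grants:
        reasons = review_grant(g, today)
        if reasons:
            findings[(g.identity, g.resource)] = reasons
    return findings

def unnecessary_privilege_pct(grants, today):
    """Share of grants flagged; compare across review cycles to show reduction."""
    return round(100 * len(review(grants, today)) / len(grants), 1) if grants else 0.0

# Constructed sample inventory, not real data.
TODAY = date(2026, 1, 15)
SAMPLE = [
    Grant("alice", "employee", "finance-ledger", "regulated", False, date(2026, 1, 10), None, ""),
    Grant("bob-marketing", "employee", "finance-ledger", "regulated", False, date(2025, 9, 1), None, ""),
    Grant("acme-vendor", "vendor", "crm-export", "sensitive", False, date(2025, 12, 20), date(2025, 12, 31), ""),
    Grant("temp-042", "contractor", "hr-share", "sensitive", False, None, None, ""),
    Grant("svc-backup", "service", "file-archive", "high-value", True, date(2026, 1, 14), None, ""),
    Grant("dba-carol", "employee", "finance-ledger", "regulated", True, date(2026, 1, 12), None, "on-call DBA"),
]

if __name__ == "__main__":
    for (identity, resource), reasons in review(SAMPLE, TODAY).items():
        print(f"{identity:14} {resource:15} {', '.join(reasons)}")
    print("flagged %:", unnecessary_privilege_pct(SAMPLE, TODAY))
```

The percentage it reports is one way to track the "reduction in unnecessary privileges" outcome from one review cycle to the next.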
Start Small, Measure, and Iterate
When security leaders set out to rewire a resilience program, they often feel pressure to deliver sweeping change. However, controlled progress beats ambitious promises every time. My suggestion is to start with a bounded area of the business where identity and data intersect clearly. After that, run the four-step playbook along with other necessary actions based on the business context. Finally, make sure to measure practical outcomes, including:
- Reduction in unnecessary privileges
- Clarity around data ownership
- Percentage of sensitive data with enforceable tags
- Time required to revoke a compromised identity
- Ability to reconstruct an access event for audit
These metrics matter more than tool adoption percentages or dashboard scores. They indicate whether the two columns are strengthening.
Regular testing of a security program helps too. Security teams should simulate the misuse of a compromised identity, check how far an attacker could get, and validate whether sensitive data would be detected leaving the environment. These exercises expose real vulnerabilities and demonstrate progress to stakeholders.
Conclusion
Identity and data have always been at the center of cybersecurity, but 2026 will make their connection even more important. They are not separate programs. They are two columns that keep the organization standing when attackers inevitably find a way in.
By mapping business processes, classifying data with purpose, controlling access based on real need, and monitoring the areas that matter, organizations can create resilience that does not depend on luck. The latest technologies, such as AI, can help, but the foundation must be built on clear identity governance and disciplined data management.
The path forward is not about perfection. It is about progress that strengthens both columns one step at a time.
Dirk Schrader is VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC2) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. As the VP of Security Research, Dirk is working on focused research for specific industries like healthcare, energy, and finance.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


