Organisations have spent years investing heavily in cybersecurity solutions. Firewalls have been strengthened, identity systems refined, and monitoring tools deployed across increasingly complex environments. Yet despite this, data breaches continue to expose vast amounts of sensitive information, often with severe financial, operational, and reputational consequences.
The uncomfortable truth is that the industry has long been solving the wrong problem. Most security strategies are still built around protecting infrastructure such as networks, endpoints, and user access. But attackers are no longer trying to break through these controls in the traditional sense. Instead, they exploit stolen credentials, social engineering, and compromised third parties to gain legitimate access. Once inside, they go straight to the data.
And too often, that data is still readable.
This is why organisations continue to suffer the same outcome, even after investing in more tools. The perimeter may hold, authentication may work as designed, and yet the data is still lost. The problem is not that defences are failing. It is that the data itself is not being properly protected.
At the same time, a new and more complex challenge is emerging. Enterprises know that the cryptography they rely on today will not withstand the impact of quantum computing. They also understand that data stolen today can be stored and decrypted later as quantum capabilities mature – a “harvest now, decrypt later” model that quietly increases long‑term risk. However, most have no practical way to transition at the required speed and scale. Cryptography is deeply embedded within applications, spread across business units, and often owned by no one. The result is paralysis. Organisations face years of discovery, redesign, and migration projects that are likely to be outdated before they are even completed.
Boards are already asking whether they are quantum‑ready. CISOs are often forced to respond with roadmaps rather than outcomes, not because they lack awareness, but because they lack a simple and effective way to act.
This is where a fundamental shift in approach is needed.
Rather than continuing to focus on defending infrastructure, organisations need to focus on protecting the data itself. This means applying strong encryption directly to data in motion between systems, enforcing strict customer control over encryption keys, and ensuring that sensitive information remains protected at all times, regardless of where it resides, where it travels, or how it is accessed.
This approach changes the nature of a breach entirely.
Consider a typical ransomware attack. The attacker gains access, moves laterally within the environment, and eventually exfiltrates data before encrypting systems and demanding payment. The leverage comes from the value of that stolen data. If it can be read, sold or leaked, the organisation is under pressure to respond.
Now imagine the same scenario, but with the data itself persistently protected. Even if attackers gain access and extract information, what they obtain is unusable. It cannot be read, analysed or monetised. The incentive behind the attack disappears.
This is the essence of a data‑centric security model. It accepts that breaches will happen and focuses on limiting their impact. Instead of trying to prevent every possible intrusion, which is increasingly unrealistic, it ensures that when an attacker does get in, they gain nothing of value.
The implications are significant. Financial losses are reduced, operational disruption is contained, and regulatory exposure is minimised. Perhaps most importantly, organisations regain control over their data, even in compromised environments.
This approach also provides a practical path forward for addressing the quantum challenge. Rather than attempting to replace cryptography inside every application and system, protection can be applied around the data itself. This allows organisations to introduce quantum‑safe, crypto‑agile security as an overlay – with no application changes and no infrastructure rip‑and‑replace.
What organisations need is quantum‑safe protection for any application, across any infrastructure, anywhere, delivered in a way that is both practical and scalable. That means solutions that can be deployed quickly, operate independently of underlying systems, and adapt as threats evolve. It also means simplifying what has historically been a complex and fragmented problem, enabling security teams to enforce consistent protection without introducing operational friction.
Crucially, this approach supports both compliance and resilience. Regulators are increasingly focused on how organisations protect sensitive data, not just how they defend their networks. Demonstrating that data remains protected, even in the event of a breach, changes the conversation entirely.
There is also a broader strategic benefit. As organisations continue to adopt hybrid and multi‑cloud environments, traditional security boundaries become less relevant. Data moves constantly between locations, partners, and platforms. Protecting it at the source ensures that security travels with it, rather than relying on the integrity of each individual environment. Real control comes from ensuring that only the data owner can decrypt sensitive information, even when the underlying networks or platforms are compromised.
The reality is that cyber threats are not going away. Attackers are becoming more sophisticated, more patient, and more focused on outcomes. At the same time, the arrival of quantum computing will fundamentally change the assumptions underpinning today’s cryptography. Organisations cannot afford to wait for that moment to act.
The priority now is to design security for the world as it actually is, not as it was. That means accepting that breaches will occur, recognising that existing cryptography has a limited lifespan, and focusing on what truly matters.
When data is protected at its core, the impact of a breach is dramatically reduced. When that protection is quantum‑safe and adaptable, it becomes future‑proof.
The goal is simple but powerful: make stolen data worthless, because when attackers can no longer profit from what they take, the entire economics of cybercrime begins to change.
Simon Pamplin joined Certes in 2022, bringing a wealth of technical expertise and sales experience, previously within storage and data centre networking. Simon’s passion for business and technical solutions is shown by his strong track record of developing and managing high-performing teams of pre-sales professionals. His skills span various areas, including on-premises and off-premises cloud, as well as large-scale consolidation and virtualisation of infrastructure. Simon has extensive experience working across different countries and cultures within EMEA and Russia, and across multiple industries. Simon emphasises a practical approach to data security, urging organisations to prioritise safeguarding data above all else. With DPRM, he ensures customers can assess their security strategies effectively and make informed decisions to strengthen their security posture and enforce policies while mitigating risk.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


