The Data Security Posture Management (DSPM) market is on a meteoric rise, and CISOs are taking note. Gartner predicts that by 2026, one in five organizations will have invested in the technology (up from only 1% in 2022).
But in a market still in its early stages, the cement has yet to harden on what exactly a DSPM tool is (and isn’t) and what CISOs need to look for before investing.
1. Does it cover all our data services?
A good DSPM solution needs to be able to find data across any of the varied services found in a modern-day enterprise. Its main selling point is that it can find, classify, track, and secure data regardless of where it’s kept or how it travels, so make sure to get your money’s worth by finding one that delivers on those promises. DSPM should be able to track data in the following locations:
- On-Premises: Many critical infrastructure organizations still rely heavily on on-premises resources (such as SCADA systems), both because those systems are naturally air-gapped and because digital transformation is a slow process for an architecture that has run effectively on-premises for so long. Over half of organizations still rely on on-premises resources, so your DSPM solution must be able to accommodate them.
- Cloud: One of DSPM’s biggest boasting points is that it can simplify the identification, classification, and management of data in the cloud. Your DSPM tool should be compatible with the major cloud services (Google Cloud, AWS, Azure), be able to handle multi-tenant environments, operate within the shared responsibility model, and offer cloud-native encryption, discovery, and access controls.
- Hybrid: Today, 89% of companies use a multi-cloud approach. Mixing on-premises resources with cloud-based ones, however, creates its own set of problems. If yours is a hybrid model, make sure your DSPM tool can track data, assign policies, and help maintain compliance across those hybrid challenges.
Ultimately, CISOs need to adapt to changing digital times and create environments where all types of services interact and thrive: social media platforms, files and images of many types, messaging apps, SaaS solutions, audio and video recordings, and more. Sensitive data could be stored in any of these, so one overarching question CISOs need to ask when choosing a DSPM solution is: can it track both structured and unstructured data? If it can, it should cover all of the data sources above.
2. Can it track the flow of data between those services (in real time)?
Next, CISOs need to make sure their DSPM solution can secure data as it flows between its various at-rest locations. Traditional tools can secure the “boxes” in which data is stored, but what about when data is removed from those places and transferred somewhere beyond traditional controls? And what if that transfer is entirely above board but still not safe? For example, say a manager with elevated permissions accesses a protected repository to pull some financial reporting information for an upcoming internal presentation. Everything is well and good, until they send the presentation to themselves via WhatsApp. Now sensitive internal data sits somewhere the organization has no visibility into, much less control over.
CISOs need to make sure their DSPM tool can track every data transfer, wherever it goes and whoever receives it, and give them the transparency to see when something goes amiss. In the DSPM world, the process of “tracking the flow of data over time, providing a clear understanding of where the data originated, how it has changed, and its ultimate destination within the data pipeline” is known as data lineage.
3. How much control do we get over permissions?
A CISO should have the flexibility to implement a risk-based permissions system if they choose, or any other that suits their organization’s needs. As data security firm Cyberhaven states, “This includes setting access controls based on roles, departments, and individual users,” noting that the DSPM tool “should [also] support role-based access control (RBAC) and attribute-based access control (ABAC) to accommodate different security models.”
Before investing, make sure your DSPM platform gives you granular control over who gets access to what data and when. In addition, you might want to consider one that gives you:
- Automated permission remediation | Automatically denying unauthorized access attempts and adjusting current (or outdated) permissions to align with your corporate permissions policy.
- Dynamic permission management | When a user’s role changes, their permissions usually change with it. In a large enterprise those adjustments are nearly constant and hard to keep up with. Dynamic permission management lets the DSPM tool adjust permissions automatically (up or down) in response to such changes: a new role, a different sensitivity level or classification, or a new compliance mandate.
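As an added illustration of the two capabilities above (not code from this article or from any DSPM vendor), the following Python models a corporate permissions policy as RBAC role ceilings plus ABAC attributes (department, DSPM classification label, compliance mandate), diffs live grants against that policy to produce revoke and grant actions, and recomputes the plan after a role change. All roles, users, assets and grants are constructed sample data.

```python
from collections import namedtuple

# Constructed sample policy: ordered sensitivity levels and the ceiling each role may read.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
ROLE_CEILING = {"analyst": "internal", "manager": "confidential",
                "finance": "restricted", "auditor": "restricted"}

User = namedtuple("User", "name role department")
# classification is the label DSPM discovery assigned; compliance holds mandates such as PCI.
Asset = namedtuple("Asset", "path classification department compliance",
                   defaults=[frozenset()])

def is_authorized(user, asset):
    """Combined RBAC + ABAC decision; False means the access attempt is denied."""
    if SENSITIVITY[asset.classification] > SENSITIVITY[ROLE_CEILING[user.role]]:
        return False                      # RBAC: role ceiling exceeded
    if asset.department != user.department and user.role != "auditor":
        return False                      # ABAC: department attribute mismatch
    if "PCI" in asset.compliance and user.role not in ("finance", "auditor"):
        return False                      # ABAC: compliance mandate
    return True

def desired_grants(users, assets):
    """Every (user, asset) pair the policy says should be granted."""
    return {(u.name, a.path) for u in users for a in assets if is_authorized(u, a)}

def remediation_plan(current_grants, users, assets):
    """Automated remediation: diff live grants against policy -> (revoke, grant)."""
    desired = desired_grants(users, assets)
    return sorted(current_grants - desired), sorted(desired - current_grants)

def with_role_change(users, name, new_role):
    """Dynamic permission management: swap a user's role so grants can be recomputed."""
    return [u._replace(role=new_role) if u.name == name else u for u in users]

# Constructed sample inventory and live grants (one stale grant, one missing grant).
USERS = [User("alice", "manager", "finance"), User("bob", "analyst", "marketing"),
         User("carol", "auditor", "compliance")]
ASSETS = [Asset("s3://fin/q3-report.xlsx", "confidential", "finance"),
          Asset("s3://fin/cardholder.csv", "restricted", "finance", frozenset({"PCI"})),
          Asset("s3://mkt/campaign.pptx", "internal", "marketing")]
CURRENT_GRANTS = {("alice", "s3://fin/q3-report.xlsx"), ("bob", "s3://mkt/campaign.pptx"),
                  ("bob", "s3://fin/q3-report.xlsx"),   # left over from bob's old role
                  ("carol", "s3://fin/q3-report.xlsx"), ("carol", "s3://fin/cardholder.csv")}

if __name__ == "__main__":
    print(remediation_plan(CURRENT_GRANTS, USERS, ASSETS))
    # Promote alice to finance: the PCI cardholder file now becomes a grant action.
    print(remediation_plan(CURRENT_GRANTS, with_role_change(USERS, "alice", "finance"), ASSETS))
```

The first plan revokes bob's stale grant and adds carol's missing one; after alice's promotion the same diff also grants her the PCI-tagged file, which is the behaviour the page calls dynamic permission management.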
4. Where does it analyze our data (important for compliance)?
DSPM is a tool that discovers, ingests, and analyzes a great deal of data, sensitive and otherwise, and then optimizes your data security based on its findings. One thing for CISOs to consider is where they would be most comfortable having the DSPM tool perform that analysis.
- On-premises analysis gives you more ground-level control of your data (good in highly regulated environments and safer from third-party risks) but has higher infrastructure costs.
- Cloud-based analysis offers the ability to leverage cloud-based analytics and scale and deploy with ease but demands robust encryption and access controls in order to ensure safety as data might be processed in third-party environments.
- Hybrid analysis gives you the option to combine cloud-based insights with on-premises compliance requirements, but it also can present a bit of a challenge when mixing the security needs of both.
As with most things, there is no clear-cut roadmap for CISOs here. The question to ask is: which of these risks is our organization best suited to take? Then go from there.
5. Is this the right size for our business needs?
This is what matters once the rubber hits the road. Procuring new solutions is a delicate balancing act, and as any CISO knows, you can’t have everything. Narrow down your DSPM options to a few choices based on key criteria like the ones above and then vet them against other practical implications like:
- How fast will deployment be?
- How long does it take to train on this DSPM platform – or is there a managed option?
- Does this offer deep data context (or do we need it)?
- This works now – will this scale with our business in the next five years?
And, of course, the overall cost investment. A DSPM solution can run anywhere from $50,000 to $500,000 annually, depending on the size of your business. But then again, the cost of an average data breach is $4.88 million, so when CISOs take a step back, perhaps the final question to ask is: Is it worth the risk?
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.