How Can CISOs Enhance Data Security in the Age of GenAI

The rapid adoption of generative AI (GenAI) tools, along with the expanding distribution of data across multiple locations and evolving compliance mandates, is intensifying data security challenges for chief information security officers (CISOs). As data breaches and other security incidents continue to rise and international regulations grow more complex, cybersecurity leaders face increasing pressure to balance two seemingly competing goals: protecting organizational data assets while ensuring that data remains accessible and usable to support business objectives. This balance has become even more difficult to maintain as GenAI introduces new data‑exposure pathways and accelerates the speed at which data moves across the enterprise.

Rahul Balakrishnan, Sr Director Analyst at Gartner

CISOs continue to struggle with this balance for two primary reasons. First, cybersecurity teams often lack a clear understanding of how employees interact with data in their daily workflows, including how data security controls affect productivity and decision‑making. Second, as organizations evolve, they accumulate multiple and sometimes overlapping governance structures and processes, which can make data security measures rigid, inefficient and difficult to adapt to changing business needs.

To address these challenges and strengthen data security, cybersecurity leaders should focus on the following two initiatives.

  1. Make It Easy for the Business to Inform Data Security Strategy

Business teams across the organization frequently interact with data assets without giving cybersecurity leaders insight into their workflows or the reasoning behind using specific data assets. As a result, cybersecurity teams end up with only a surface‑level understanding of how employees work with data and how current security measures influence their daily work. Efforts to align data security with business priorities often end up being a one‑time or, at best, an infrequent activity, creating a gap between security intent and operational reality. This disconnect leads to data security policies and standards that, while well‑intentioned, may not reflect actual business needs and can unintentionally slow down or hinder how work gets done.

Cybersecurity leaders must collaborate closely with business stakeholders and cross‑functional partners such as data and analytics (D&A) and privacy teams to gain better visibility into business requirements.

To align data security with business priorities and improve security outcomes in the process, CISOs must establish a clear and repeatable process that enables them to evaluate and manage data security–related exception requests and invite employees to provide feedback on data security policies and standards.

Viewing data security exception requests as opportunities rather than obstacles allows cybersecurity leaders to understand whether existing controls align with business needs. Evaluating these requests gives CISOs deeper insight into employee workflows and the practical impact of security measures, enabling them to advocate for updates to existing policies or the introduction of new ones. Similarly, establishing a structured feedback process for both business leaders and end users helps identify whether data security practices are enabling or constraining business objectives. When end users are involved in the creation of policies and standards, they are more likely to support and adhere to them. This involvement also ensures policies are better tailored to the specific workflows and requirements of different teams.

  2. Review and Simplify How You Govern Data Security

Organizations establish governance structures to coordinate and strengthen their data security efforts. However, over time, as new risks emerge and regulatory demands evolve, additional policies are added, new committees and subcommittees are formed, and multiple functions begin addressing overlapping aspects of data security without adequate coordination. These layers accumulate without a review of what already exists, resulting in a governance model that becomes bloated, slow, inefficient and inflexible. For CISOs, this creates challenges in driving coherent and timely data security decisions across the enterprise.

A governance review becomes especially important when organizations begin adopting emerging technologies such as GenAI. Security teams often treat the adoption of GenAI as entirely new and fundamentally different from previous technologies, leading them to rapidly design new governance roles, structures and processes without evaluating existing mechanisms. This tendency can result in multiple governance bodies with overlapping mandates, duplicated efforts and limited internal coordination, ultimately weakening the organization’s ability to secure data effectively.

To avoid this “governance quagmire,” cybersecurity leaders must work closely with other internal functions to evaluate existing data security governance initiatives and determine their ability to support the organization’s GenAI adoption plans. By reviewing and simplifying what is already in place, CISOs can eliminate redundancies, streamline decision‑making processes, and improve the organization’s ability to achieve its data security goals.

Gartner analysts are discussing top trends, technologies and cybersecurity strategies that will help security and risk management leaders address key business priorities at the Gartner Security & Risk Management Summit, taking place today in Mumbai.

By Rahul Balakrishnan, Sr Director Analyst at Gartner

Baburajan Kizhakedath is the editor of InfotechLead.com. He has three decades of experience in tech media.
