
== Co-Authors: Myles Suer and Brian Lett ==
Cybersecurity has evolved in distinct stages. It began with firewalls that maintained system integrity and excluded unauthorized users. This “castle and moat” model worked reasonably well as long as there was a clear inside and outside. As landscapes shifted, the era of perimeter defense gave way to access control and identity management, focusing on verifying who could enter and what they could touch. But as threats grew more complex and data became more distributed, protecting systems solely by limiting access proved insufficient for data security or data privacy.
Today, the center of gravity has had to shift again, from protecting systems to explicitly protecting and governing the data itself. Data now lives everywhere: on premises, in the cloud, and increasingly inside generative artificial intelligence (AI) vector databases. In addition, Anthropic’s latest agent signals that the threat from more advanced cyberattacks will require stronger defenses. Data must be safeguarded, regardless of source or environment. Doing so effectively requires acknowledging a critical distinction: even though data security standards increasingly support data privacy, security does not equal privacy. The demands of each lead to different business requirements.
Security is fundamentally about defense in depth: data loss prevention, security information and event management, and layered controls designed to prevent breach and misuse. Privacy, by contrast, is about embedding controls and measures into processes, systems, components, and products to ensure that personal information is only fairly and legitimately processed by those authorized to do so. To be effective, privacy requires intentional design to protect personally identifiable information. Technology can capture policies and procedures and connect them to privacy control mechanisms, but governance must extend across the enterprise. Without universal governance, unauthorized access will occur, from both inside and outside the organization.
Our research on analytical data infrastructure (ADI) demonstrates the centrality of these data security and data privacy concerns. Investment patterns show a clear enterprise priority: 58% of organizations report concentrating their spending on data security and privacy—the highest of any foundational capability. As outlined in our Special Report “The State of Analytic Data Infrastructure in 2026,” major cloud providers have become the primary infrastructure foundation, on top of which engineering teams continue layering specialized third-party tools to address functional gaps and economic bottlenecks. Numerous startups have emerged with robust data security and privacy technologies; however, the market has largely voted to treat data security as core infrastructure, rather than as a purely specialized add-on.
At the same time, vendors appear to have room to create unifying overarching policy engines and data governance engines—areas that many platforms have not fully aspired to own. Security and privacy rank highly across regions, achieving parity of concern that even includes organizations most exposed to the General Data Protection Regulation (GDPR) and other privacy regulations and penalties. Unsurprisingly, sales and marketing organizations—those closest to sensitive customer data—express the highest levels of concern and priority. Yet major obstacles remain: skills gaps, fragmented technologies, and immature processes continue to impede progress.
The trajectory is clear. Enterprises are moving beyond guarding the gates. They are being forced to govern the data itself: wherever it resides, however it is used, and, increasingly, in whatever way it is generated.