Helping Leaders Understand Their Blind Spot Around Data Security: Advice From an Operator

Defending a company’s data, IP, and proprietary information requires a level of alignment between the C-Suite and IT leadership that most organizations simply don’t have. We’re long past the era where executives and technical teams can afford to speak different languages and only reach mutual understanding after a breach has occurred.

Attackers are outpacing companies because they’re focused, and their targets aren’t.

As Kevin Schwartz, CISSP, Cybersecurity Expert, put it in our recent conversation: “Executives tend to become interested in the details of cybersecurity post-breach or when news of a competitor’s breach has hit the news. Unfortunately, the typical dialogue around data security is one where leadership is looking for the general affirmation to the question ‘We’re secure, right?’”

Like any problem a company wants to solve, it is about priorities and trade offs. 

Asking a question as general as “Are we secure?” is of the same value as asking your head of sales, “We are talking to people, right?” The core value to the communication is in a specific level of detail. 

Nowhere is this communication gap more dangerous than in the protection of sensitive data: the company’s actual crown jewels.

Here’s the quickest way to test whether your organization has the right conversation happening internally:

Ask your head of IT or cybersecurity: If someone is inside our network using a valid username and password, can our sensitive data be stolen by an employee or a bad actor?

This single question exposes the heart of today’s security crisis. More than 80% of data theft occurs after an attacker has obtained valid credentials.

And in most organizations, the existing stack simply cannot stop exfiltration in this scenario.

Fixing the Communication Gap Around Data Security

The core issue is the communication gap around how data is actually stolen and what today’s security stack can (and cannot) defend against. 

Traditional security architecture is focused on keeping attackers out: perimeter defenses, hardened endpoints, identity controls, and in some cases, early-stage Zero Trust. These are valuable, complex systems that are often implemented under resource constraints.

But they’re designed for an older threat model.

These days, it’s the equivalent of installing reinforced doors and bulletproof windows while the intruder is already sitting on your couch with a working key.

Remember, 80% of data theft occurs when the bad actors are inside. This means that the bad guys are very successful at getting inside and getting past all your perimeter security. If they want to get inside they will. Almost half of data theft and loss is due to employees or employees on their way out of the company. The other half is bad actors finding one of many ways to steal valid credentials and use them to steal your data. 

The enemy is inside your perimeter most of the time and this is the little dirty secret that IT teams and C-suite aren’t communicating on. 

It is this gap of communication that the bad guys are able to exploit. 

Leadership is not asking the question they are afraid to hear the answer to, and IT and cybersecurity teams are not making it clear that the data security emperor has no clothes. 

Data Encryption and Its Misunderstanding

Schwartz puts it simply: the conversation has changed. 

“Every [sales] quote I bring to leadership starts with encryption,” he says. But between self-encrypting drives, FIPS encryption, and so on, encryption is already everywhere in the ecosystem. The problem is that few at the executive level understand the difference between that and protecting the data itself. 

This is why the new generation of CISOs, IT directors, and cyber operators increasingly lead with file-level, data-centric protection:

1. Because breaches don’t stay inside the perimeter

Most modern breaches begin with legitimate credentials. Once an attacker logs in, perimeter tools don’t matter. As Schwartz frames it, “Hackers don’t stop where your access stops. They pivot until they find something worth stealing.”

Data-level encryption flips that model: even if credentials are compromised, the files remain unreadable unless the device, identity, and key all align.

2. Because executive teams want clear ROI (not jargon)

Security leaders are constantly selling their strategy internally. And “We need more encryption” no longer lands. It sounds redundant. File-level protection gives CISOs a different, clearer narrative: We’re protecting the asset (not just the system).

That framing makes spending far easier to justify in rooms full of CEOs, CFOs, and boards.

3. Because legacy systems won’t get modern overnight

This is one of Schwartz’s biggest warnings. Many organizations run on equipment, operating systems, or OT infrastructure that can’t be fully patched or modernized.

“You can’t secure Windows 2000,” Schwartz says. “But you can secure the data coming off it.”

Data-centric encryption is the only practical path forward for environments that can’t be rebuilt from scratch.

4. Because AI-accelerated attacks change the timeline

Exfiltration now happens within minutes of initial access. There’s no detection window left. When speed favors the attacker, only protections that travel with the data - and lock automatically - can slow the blast radius.

5. Because it fits the compensating-controls mindset

Modern security isn’t one control - it’s a stack of compensating protections. File-level encryption strengthens everything around it: identity, endpoint defense, OT segmentation, even basic hygiene.

“It’s not impossible to bypass,” Schwartz says. “Nothing is. But it raises the difficulty so high that an attacker will move on.”

That’s the definition of a strong compensating control.

6. Because it lets security leaders deliver what the business actually needs

Every executive says the same thing in every budget meeting: Keep us safe. Don’t slow us down.

Data-centric encryption is one of the few controls that improves security without increasing friction. Users operate normally. Workflows stay intact. Only attackers encounter the locked door.

The Leaders Who Win Will Lead With Data

The organizations that succeed against the next data leak or ransomware attack will be the ones able to answer a single, defining question:

How is our data protected when the attacker is already inside the network using valid credentials?

Perimeter tools still matter. Identity still matters. Basic hygiene still matters. But none of it is enough if critical files can be opened, copied, or exported the moment someone logs in with a stolen username and password.

That’s why the next generation of CIOs, CISOs, and IT directors are recalibrating their strategies around data-centric protection. It’s a structural shift driven by credential-based attacks, aging infrastructure, AI-accelerated threat speed, and the simple reality that a company’s most valuable asset is now digital.

And in a world where breaches are inevitable, the organizations that thrive will be the ones whose data remains unreadable, unusable, and inaccessible to anyone who shouldn’t have it.

Walk into any modern business operation and you’ll see layers of protection. You’ll encounter firewalls, MFA, VPNs, DLP, endpoint detection, server hardening, SIEMs, offline backups, the works. Most companies have spent years building strong defenses. 

But here’s the hard truth: Those layers aren’t enough anymore.

“We’ve built a lot of resiliency in cybersecurity - identity resiliency, endpoint resiliency, technology resiliency,” says Gary Clark, Principal Cybersecurity Consultant at Yearling Solutions. “But where we haven’t spent enough time is with data resiliency.”

That missing layer - protecting the data itself - is what’s leaving even well-funded security programs vulnerable.

The “Pre-Boom” Mindset

Clark uses a term that resonates with anyone who’s been through an incident response: pre-boom and post-boom.

• Pre-boom covers everything that happens before an attack: prevention, detection, and containment.

• Post-boom is what happens after the breach, when the attacker already has a stronghold and data begins to move out of the network.

“We’ve conditioned ourselves to think that if we implement all of the Pre-boom controls to protect the environment, we’ll have the resiliency we need to survive a ransomware attack,” Clark says.

But have we, as cybersecurity practitioners, been overly focused on building resilience around the controls protecting the crown jewels - instead of building resilience into the jewels themselves?

A simple analogy brings this into focus: banks didn’t stop robberies by reinforcing the glass. They added dye packs to the cash. Even if the money is stolen, it’s permanently marked - rendered useless to the thief.

It’s the same with data. Protecting the network and systems alone doesn’t guarantee protecting what’s inside.

Exfiltration Happens Faster Than Detection

Attackers don’t wait anymore. “Now as soon as they get an account, they’re exfiltrating data,” Clark explains. “You might be lucky if it’s a low-privilege account, but even then, they’re pulling internal data immediately and then moving to get more accounts and ultimately elevating to more privileged ones.”

The bottom line is that most breaches start with a legitimate username and password, either through an internal threat or through a classic phishing scam (the sort of email racket that’s only becoming more pervasive in B2B spaces). 

Tools, like DLP and zero trust, can help reduce the blast radius, but none can stop exfiltration 100%. Once data leaves your network, it’s out of your hands unless you have data resilience. 

What “Encryption Everywhere” Really Means

Encryption has been around for decades. But too often, it stops at the network boundary - protecting data at rest and in transit, but not in use.

Clark describes a more intelligent approach: “You have to understand the context of how the data is being used and whether  it’s fallen into adverse hands. You don’t want to allow it to be unencrypted if it’s in the wrong place.”

That’s the core of file-centric encryption; each file carries its own logic. It knows who can open it, on what device, and under what conditions. If a file leaves your network or ends up on an unapproved device, it stays encrypted. Ciphertext. Unreadable. Even outright unusable, like the cash with the dye packs the thief stole from the bank in our earlier metaphor.

That capability, offered through solutions like FenixPyre, allows manufacturers to enforce “encryption everywhere,” a model where data protection travels with the file itself, not the network.

Encryption Everywhere: What It Looks Like in Practice

​​Manufacturing

From CAD designs to production schedules, manufacturing data moves constantly between plants, vendors, and design partners. A single compromised file can expose proprietary processes or customer information. With file-centric encryption, each file carries its own protection logic: It can only be opened by approved users, on approved devices, in approved locations. That means intellectual property stays safe, even when it travels far beyond the shop floor.

Health Care

Hospitals and labs exchange enormous volumes of patient data daily - test results, insurance records, diagnostic images. With file-centric encryption, every document carries its own protection. Even if it’s shared across systems or accessed on an unapproved device, the data remains encrypted and unreadable.

Finance

Trading firms, banks, and advisors all rely on shared documents full of sensitive client information. File-level encryption ensures that even if a user’s credentials are compromised, the underlying data stays secure. This protects not just the customer, but the firm’s reputation.

Aerospace + Defense

When engineering drawings or CAD files leave your organization, they shouldn’t lose their protection. File-centric encryption enforces access controls that travel with the data, so only approved users, devices, and locations can ever open it. Everyone else sees ciphertext.

Energy + Utilities

Operational data flows constantly between utilities, contractors, and regulators. File-level encryption gives these organizations the power to revoke access instantly, protecting critical infrastructure even if a partner or supplier suffers a breach.

Frictionless by Design

No cybersecurity strategy works if employees can’t do their jobs or customers can’t access services they’ve purchased.

“Users just want to do their work,” Clark says. “Cyber tools should be as frictionless as possible.”

In practice, that means embedding security quietly into normal workflows. A user should never have to change how they save, send, or access a file unless they’re breaking the rules. Then, and only then, the file simply won’t open.

That’s how file-centric encryption succeeds where traditional security fails: it makes protection invisible to users but absolute against adversaries.

The Bottom-Line Business Reality

For most businesses operating at the scale of the manufacturing industry or the health care space or other sprawling markets, the stakes are especially high. Intellectual property, equipment configurations, process documentation–all of it is valuable to competitors and attackers alike.

Even small and mid-sized companies can be targets. 

As Clark puts it: “We’re all struggling with the same thing. Whether you have a lot of resources or just a few, focus on what the attacker actually want - your data and your operations. Build resilience into those two things and you’re in a much better place, no matter what your cybersecurity budget is.”

That’s the mindset shift Industry 4.0 demands: less focus on building higher walls, more focus on protecting what’s inside them.

Because at some point, your business’s digital environment probably will be breached. What happens next - whether your data is stolen or stays safe - depends on how ready you are for the post-boom.

Across the IT and cybersecurity landscape, organizations are investing significant time, money, and human resources into data classification and tagging initiatives. 

The rationale seems sound: We need to classify and label sensitive data first so we can properly protect it. This makes sense, right? But, what if this effort to classify your data is only delaying the time it takes to properly protect the data and worse yet, may result in never implementing policies to protect the data?  

Below, we explain: (1) Why data classification is often not leading to better data protection in today’s risk environment. (2) Why, if you haven’t started a data classification project, you may not need to, and yet still achieve better data security with less burden on your users and IT team.

What Are We Really Trying to Solve?

The objective of any data protection strategy is straightforward: to ensure sensitive data is not stolen, leaked, or misused, whether by: 

• Insider threats (malicious or negligent),

• Ransomware attacks, 

• Or improper or insecure sharing with third parties. 

Data classification doesn’t prevent any of these outcomes on its own. 

The ultimate goal isn’t classification, it is making sure sensitive information is handled in a secure way. Classification is just a means to an end. Therefore, the critical question is: does classifying data consistently result in stronger protection?

In practice, the answer is often no. Without strong policies and persistent, automated safeguards applied directly to the data, classification alone leaves sensitive files exposed.

Defining Sensitive Data: We Already Know What Matters

Companies typically have a sense of what qualifies as sensitive data: 

• Data under legal or regulatory protection (e.g., CUI, PII, PHI). 

• Data whose theft would financially cripple the business (e.g., IP, contracts, product designs). 

• Data that, if lost or exposed, could cause reputational, legal, or human harm. 

Most organizations already have a strong understanding of what types of their data fall into these categories. And most organizations have a good idea of where the vast majority of this data is stored. What they tend to be most insecure about is (1) the accessibility and security around all this data and (2) the percentage of sensitive data not being stored in the proper way or location. 

Organizations seek to classify and tag data so they can ultimately implement policies that use these classifications to ensure every piece of sensitive data is handled in a compliant and secure way.

The Core Problems For Classifying Data

A solution that relies on data classification to ensure all sensitive files are secure must first make sure that every document is classified and tagged correctly. Unfortunately, this has two major problems. To classify the data you must rely on employees or an algorithm to determine what is sensitive.

Problem 1: Classification is inconsistent

Manual tagging relies on users. Employees often mistakenly mislabel or intentionally mislabel so that the classification does not create friction in their ability to use and share the data. Automated tagging is limited by pattern-matching and context inference, often producing false positives and negatives. Neither method guarantees complete or correct coverage. And just a 3% to 5% miscategorization will result in IT support tickets that can overwhelm the IT team and create a lot of business friction. Not to mention leaving critical data unsecure.

Problem 2: Classification adds operational drag

Building taxonomies, training users, integrating tagging tools, and maintaining classification policies introduce friction, delay, and cost, often without measurable risk reduction. It becomes a compliance checkbox, not a practical defense.

Problem 3: New data is created constantly

New sensitive data is generated daily by employees, contractors, and partners. Relying on a tagging process to catch it in real-time is unreliable and inefficient. If the tags are missing, misapplied, or ignored, the data becomes invisible to policy enforcement systems.

Problem 4: Classification is not a control

Tags are just metadata. On their own, they do nothing to stop a file from being emailed externally, shared to a personal Dropbox, or exfiltrated by malware.

Security Is Only As Effective As The Foundation

Classifying the data is only the first step toward implementing user policies that define who can access the data and how they can use it. These policies rely on the classifications being correct because if they are not, then sensitive data will be unprotected and people who should have legitimate access to certain information are now blocked from being able to access it.

Remember that 3% to 5% mis-categorization rate? Multiply this by the number of documents in your organization and the number of people who need to access these documents and you can get an idea of how much work and friction will be created. The typical way of dealing with this problem is to avoid implementing policies that meaningfully control the access and use of the content. This results in diluting much of the security benefit, which was the original objective.

The core challenge of classifying accurately is the main reason why 90% of those purchasing a traditional DLP solution, which relies on data classification and tagging, ever implement policies to properly secure the data. This results in a tremendous amount of time, effort and cost to classify data but often still leaves the data unsecure.

File-Centric Security is an Alternative to Data Classification

A file-centric security solution offers a compelling alternative to a strategy reliant on classifying data. It offers greater file security, lower cost, quicker speed to implement and is less burdensome for users and IT teams. Here are some of the most compelling differences:

Key Benefits 

• Eliminates reliance on classification: Security is applied universally to any folder and file. Each file is secured using AES-256 encryption. Who can access files and how they can access them is programmed into the data and is easily integrated into your existing Identity Access Management System.

• Encryption by default: Files are encrypted at creation, and access is controlled at the file level.

• Policy enforcement everywhere: Access rules, usage restrictions, and time-based controls travel with the file. 

• Speed to protection: Most organizations already know (1) which departments and (2) which folders have the bulk of their sensitive data. These folders can be protected in a matter of minutes or hours.

• Transparent to Users and Easy on IT: Because there is no reliance on classification, file-centric security removes all of the false alerts and support tickets from users and IT. 

With file-centric security, the question of "Is this file tagged correctly?" becomes irrelevant because every file is protected with less business friction. 

Curious to learn more about how file-centric security differs from traditional DLP? Read this: File-Centric Security vs. DLP: What CISOs Need to Know

FenixPyre’s File-Centric Security Platform 

FenixPyre provides a comprehensive file-centric security solution, enhancing data security through advanced file encryption and dynamic access controls in a platform that is easy to use, setup and manage: 

• Military-Grade Encryption: Utilizes FIPS 140-2 validated modules and AES-256 encryption, securing any file type, from standard office documents to specialized formats like CAD files. 

• Access Files Through Their Native App: Any file can be encrypted but with FenixPyre, no matter what the file type, encrypted files are accessed from their native application making the experience seamless to users.  

• Milliseconds of Latency: Encryption and decryption are optimized with no noticeable impact to the end-user. 

• Integrates with existing IT stack: FenixPyre integrates into your existing Identify and Access Management System to manage user permissions and security groups, offering automatic user provisioning and de-provisioning. 

• Strong and Performant Key Management: Every file is encrypted with a distinct file encryption key. File encryption keys are encrypted with a Customer Master Key that is hosted in a Hardware Security Module. Customers can manage their own HSM. File contents are zero-knowledge to anyone outside of the client’s access list, including the possible external data management or cloud hosting solution. 

• Comprehensive Compatibility: Supports encryption across various environments, including network shares, cloud storage platforms (SharePoint, AWS S3, Azure), and local file systems. 

• Real-Time Monitoring and Analytics: Integrates seamlessly with SIEM tools to provide real-time logs, behavioral analytics, anomaly detection, and proactive threat response capabilities, further enhancing organizational security posture. 

  
  

Take a look at our recent article to learn more: Rethinking Your Security Investment (RoSI): Protecting Data, Not Just Networks

Conclusion: Protect the Data, Not the Label

It is hard to argue with the logic of first needing to classify data. But, as examined above, if your goal is data security then classifying the data may not be the best prerequisite to achieve this goal.

File-centric security provides a more secure and direct path to securing sensitive data. It also doesn’t just reduce risk, it redefines control. FenixPyre ensures your data stays protected no matter where it goes or who tries to access it.

Ready to secure what matters most?

View our resources below and see how file-centric security can transform your data protection strategy.

• Connect with FenixPyre on LinkedIn

• View our industry blog for more strategic insights

• Talk to an expert to see how file-centric security can work for your business