Forrester Analyst Perspective on DSPM Market Evolution

Fortra
05/11/2026
Transcript


Heidi is Principal Analyst of Security and Risk for Forrester, and Heidi's going to share with everyone Forrester's perspective of the growing DSPM market, which has captured a lot of industry attention in recent years and is predicted to continue to grow significantly over the next several years. So if we move on to the next slide, Heidi, I'm going to hand it over to you. All right, well, thank you for the introduction. I'm Heidi Shea, Principal Analyst here at Forrester covering data security within my research, and I am delighted to be here today to chat with folks about a view of the DSPM market. Hot topic, indeed. It's been one of those areas where one of the many SPM we've been seeing popping up, all things security posture management. It's like a bowl of alphabet soup these days, and DSPM is one of those, but what is it really? I get a lot of questions about this topic from enterprises and security leaders just trying to figure out what do they do with this, like where do they find this, and what's the value in this at the end of the day? And one of the key questions is also, is this really a new thing to which I respond yes and no? Some of the underlying capabilities that we would typically see within something that presents itself as DSPM, this stuff has existed. The ability to do things like discover where your sensitive data is located, the ability to help you classify it, understand what is sensitive in the data that you have. These are capabilities we've seen before, they've existed. What's a little bit different now is that we're combining a bunch of different things where you get this type of visibility into where's the data, what is sensitive, but more importantly, understanding what risks does this pose, and really having clarity or greater clarity over what those risks are, so we can then do something about it and have these risks surfaced in one place for you. It's also a question of, well, posture management, but where? 
So in some of the early days for these types of technology solutions, there was a high focus on cloud environments, whether that was public cloud infrastructure or your SaaS applications. So all things cloud is where it tended to cluster. But then increasingly, I'm starting to see these capabilities extend into on premises environments. It's also the question of, well, what types of risks do these solutions, does this capability actually surface for you? And especially what types of data risks specifically? So we'll see things like risks related to how you've set up your infrastructure. Maybe there's misconfigurations that you've overlooked. It could also be specific types of data risks related to data that may fall under a particular type of compliance requirement that you should be aware of and how it is moving. Maybe that's going against where you think it's going. So it's surfacing at different types of data risks, and that's something that we need to put a pin in and come back to later as well. If we're thinking about the scope of these types of technologies and tools, what you can do with them, as well as where these may be going in the future. Another question to ask when we're looking at DSPM is, is this a capability here that's now surfacing what is currently happening that these tools have visibility into and can see what's going on right now? Or can they also help you to surface insights and risks about what could happen based on how things are configured, how they see open access and how things are connected? So there's a distinction here when we're looking at these types of tools as well. I think a lot more of them can tell you more about the current state of how they see data moving around than trying to be more proactive and predictive. It's also this question of, OK, DSPM gives us visibility. It gives us observability into what's going on within our environment and what's going on with our data, essentially giving us a view of our posture. 
But then what? What do we do next? I think some of the tools that we see today, it can be disjointed in terms of that next question of what is that next action, because it can surface a lot of insights. But if it becomes one long to-do list and it makes it harder for you to then realize, well, what happens next? Do you then have to make integrations to enforce some type of control? Is this something that now requires a manual intervention to go fix? That's a pretty big distinction in terms of what the differences of that next step could be, whether how easy it is to then remediate the risk or is it something that's going to take a lot more work in order to do. And this question of why, I think this is a really critical question. Anytime we're looking at a new technology capability or something that we're evaluating because every so often I'll get a question about a particular technology. Could be DSPM, could be others. And we come back to the question of, well, why are you looking at this? Why are you looking to adopt this? And if the answer is, well, it's the hot topic or it's something that an executive is saying we have to look at, that's that's not good enough. We need to get more specific of what you're trying to achieve because that's going to help really unravel some of your key requirements for what you expect this technology to do for you and why you're investing in it. But it's not without its challenges either. So if I think about DSPM today, I hear complaints about redundancies. We see this as a feature that's popping up in so many different tools that may already be in your environment, as well as in new technologies and new solutions that are coming to market. So then it's a question of, well, how do you compare? And do you just wait for it to crop up in something that you already own? How do you deal with it if you have multiples of these within your environment? Do they overlap or are they telling you different things? 
It's also challenges around accuracy, especially if we're thinking of capabilities like data classification. And this is where the is this new or is this not new thing comes up as well, because while we do have startups that are cloud native, they came out of the gate focused on DSPM, you also have existing technology providers who've been doing bits of this already, and now they get to have a new label, a new way to describe what it is that they're offering you. So with this accuracy point, it's trying to evaluate the accuracy of things like classification is really challenging across solutions because you oftentimes find that there are at least reported accuracy rates in the high 90s, 95 percent accurate, 98 percent accurate. But what does that even mean? Because it's not a standardized way of measuring across tools either. It's very much customized, specific to your environment. And a lot of cases, it may be the rate that is trying to measure how things were done before and what that looked like within this particular enterprise versus what they look like now with this DSPM solution in place. And then there's also the question of actionability. So going back to the insights that are surfaced, all that visibility that these tools are giving you, if you can't really action on those recommendations in a meaningful way, it makes it really challenging to really feel like you are reducing risk and dealing with that whole long laundry to do list of items that pop up. And speaking of which, this is another challenge sometimes that I see companies facing is with reporting from their DSPM solution of what level of detail is it actually providing them? Is this something that is explainable? Is this reporting in the form of metrics that they could use if they were trying to track progress over time or report out status of their program? 
Is it reporting in the sense of, let's say, comparing where you are today with controls and what you're doing to meet a particular compliance requirement? And what is the gap? Like, what do you need to do to actually get there? So this could present different types of challenges depending on what the tool is able to provide for you. And as we started today off the discussion, this is it's a hot space, there's been a lot of startups, a lot of newcomers here, as well as acquisitions. Starting in 2023, we saw a couple happening. That was the early days of kicking things off. A couple more in 2024, a couple more in 2025. It's just been amazing to see the attention here. And what's even more interesting is that the types of companies that are acquiring for DSPM capability, they're all very different and for different purposes. You've got cybersecurity platforms in the mix. You have providers who are focused on endpoint. You've got your exposure management companies as well. Others who focus on DLP. You've got some in here that are looking more at the data resilience and data backup space. So it's a real variety and mixture here where you can start to see why this is so critical. We're getting that visibility and understanding about the data and the data risks that you're concerned about can feed into so many different things to deliver different types of outcomes. And I would imagine in 2026, we'll see a couple more. But how does this actually get used in practice? So this is one good example. If we're thinking about modern DLP today, it's really looking at a lot more types of different kinds of context to try to enable a risk based response, a smarter response, a more nuanced response to what we do with blocking or allowing or some areas that are in between. So we're looking at context, like understanding what what is this data context, such as who is this user? What should they be accessing? What's this user been doing? 
So a lot of the user behavior types of insights can come into play. We could also be expanding our view as well and looking at device context, device posture as a part of this understanding data flows, perhaps even data lineage, I think is coming up more and more and also understanding more about the environment where this data lives, as well as the environment and the context for what this access request looks like and how this data is moving. And so DSPM capabilities then become one component for surfacing relevant context across a number of these types of questions to deliver a risk based response. And if we're thinking about how this fits in to zero trust data security, it is a key component as well. So one of the misconceptions that I typically encounter with zero trust and data security is that folks, they believe it's data classification, it's DLP, it's putting encryption in place. And these are all important things when it comes to zero trust and data security, but they're not the only things. So if we're looking at trying to understand what is in this center pillar, this domain for data for zero trust, it's really trying to look at the entire lifecycle of data. How are we securely designing or use security access, securely maintaining our data? And so really embedding security controls across the entire lifecycle. And this is hard to do. It also starts to now branch out into other areas as well. So things like data resiliency, integrity, backup become critical parts of this. The controls that you put in place, they have to be risk informed throughout this lifecycle. So that's where something like DSPM has a role to play. In addition to helping you understand the data that you need to protect, like what is sensitive. This is also a difficult thing to do because with zero trust data security, this is the one domain of this model that requires non-security stakeholders for its success. 
So I say security folks, we may make assumptions about how people need to use data, but the data folks, the business side, those stakeholders, those are the ones who actually have the answer for how they need to use data, the purpose of the data as well, and who needs access. So by collaborating together is where we get to this point of actually enabling the appropriate controls as well as understanding the risk related to data use. So as we are thinking about adopting DSPM today and bringing these capabilities into the organization, there are a couple of key things to consider, questions to work through and think through, because I think the last thing we want is to treat this as like a checkbox capability, thinking that it is commoditized because it is not. So first is going back to that why, what are the use cases for this, what are you trying to achieve as the outcomes, so it could be something like trying to identify, you know, overexposed data because you want to enable copilot use, it could be things like identifying sensitive data and use cases involving shadow AI, it could be involving a use case around making DLP better, improving the experience, improving the detections. And so on, I mean, I've also seen this come into play where the why, the use case had to do with improving data hygiene within an organization as organizations focus on that lifecycle part of the data of identifying what's stale, what can they reasonably get rid of, as well as clarifying what they do need to retain and archive. So you can see how this starts to feed into different things, but if you can at least start off with a key use case or maybe a handful that you want to zoom in on, that can also help to identify what is an appropriate provider of this capability for you. 
As well as the what, so what does this actually cover in terms of environments, so if it's talking about this is a DSPM solution that covers cloud environments, really getting specific as to what do they actually, what do they mean by that? And are those cloud environments the ones that you care about for DSPM and for visibility? It could be that they cover all things cloud, from infrastructure as a service, public cloud platforms to things like SaaS applications, but it could also be that they specialize or focus on one or the other. And then identifying, well, what risk does this DSPM solution surface for you as well, and are those the ones that you can reasonably do things about? And then where does this capability sit? Because in some cases, it could be a standalone DSPM solution, the core capabilities of discovery, classification, risk identification, all in one, but that's primarily what they do. Sometimes you'll see solutions marketed as DSPM platforms. And that's similar to what I would call a standalone DSPM solution. In other cases, it's DSPM that is a part of something else. So it's in service of a larger platform that's being offered. So there may be a key technology or several key controls that this broader platform can can provide that these DSPM capabilities are attached to. And that can be good as well to look at, because in those cases, it could be a fairly seamless path from identifying the data, identifying the risks, and then implementing the control to remediate those risks rather than having an extra step in between where you may need to perhaps integrate with something else or create some new workflows in order to address those risks. And that leads us to the next part, the how does this all get done at the end of the day for risk remediation? So trying to uncover are there dependencies involved? 
So regardless of whether this is a standalone capability that you're getting or if it's a part of a broader platform, what are those dependencies that are required to get you to that outcome you want to achieve that those initial use cases that you've identified? Because this may be oftentimes when we think technology will save the day and it's only one part of the equation. Technology is often the last mile here as well. So it could be that DSPM that you're looking at is going to surface so much for you, shine a light and give you a ton of visibility about things that you need to do. But if there's not the corresponding people, staffing, processing, and so on, it's not people staffing processes internally to help you make use of that. That is going to to make things a bit bumpy going forward as well. So it could be processes and workflows in place for doing things like reviewing data access controls and entitlements, talking to data owners. If there's a another broader process in place around data governance that you need to stand up or at least shore up to try to get the most out of what DSPM can can surface for you. Same when it comes to trying to implement controls, whether that is DLP, whether that is access controls, encryption or something else and looking at how does this tool pull through to enable those controls? Because is it trying to act as that central engine that then orchestrates controls across different tools in your environment? And if so, which tool specifically would this work with or do they require additional work to to set that up? So the how becomes important, the ease of reporting as well, what's out of the box versus what might require some some customization for your needs, and then the usability of those posture insights sort of touch on a couple of these different areas and overlap a bit. 
And what I mean by that, the usability part of it is, are these things that come up, these recommendations for remediation going to be mostly things that require a manual intervention versus is it to the degree of depth of detail, specificity and the types of risks that are able to then perhaps be automated in terms of how they get remediated? And so what is next here, because this has been a space where we've seen evolve very quickly over the last couple of years where you saw a bunch of startups, new capabilities pop up, a rash of acquisitions to follow, continuing innovation in this space as well. So what's next? And I think that's a natural question to ask. And for something like this, this is one of those cases where I say to figure out where we're going in the future here, it helps to look to where we've already been with DSPM. As it came out, it was trying to solve a key challenge around visibility and giving key things that people could do to understand the risks involved and how to address them. That remains, that is going to continue because DSPM has been a thing that really illuminates a path forward for people when it comes to understanding data in their environment, understanding risk and what to do about it. So it answers one of two key questions that I think is helpful to zoom in on. What do we need to protect? So much of the focus, the current focus within these tools today has been about what I would call regulated data. We're focused on things like personal information, protected health care information, cardholder data as well. So the three Ps, which is really helpful because for compliance purposes, we need to make sure we are on top of things here. But I think if we're looking forward to the future, this is an opportunity for the technologies in this space to expand further. 
What is it that they can do more around helping you to identify intellectual property, trade secrets, identify other types of sensitive corporate information that you also need to protect and understand and do things about? It could also be about things like today, understanding AI usage, what models are in place, what data is going into these models and how it's interacting with AI. So that's another area as well. It's also one of those things where I've seen some solutions also try to do things like identify source code, identify secrets as well, where we do see a bit of overlap with some other tools in the application security realm of doing the ASPM in those areas. And I think that's going to be the story going forward as well for DSPM. It's as something that illuminates a path and insights about your data and data risk. There's value in having this start to be combined with different things, whether it's in the application security realm or the cloud security space or other types of data security tooling. The other key question to look at is what risks do we need to mitigate? So for the most part, if we are looking at DSPM tools today. They are identifying what I would describe as the risks that are to your data. And risks that come from your data, so back up a little bit and go over some more details here. So risk to the data is one type of data risk. Think of things like the ability for external actors, for hackers to to get to your data through some means. It's also the ability of your insiders to start doing things that may be malicious in terms of how they're accessing data. It's things like your own IT operations and practices that could introduce risk to your data. So things like a misconfiguration, for example, or things like, well, you thought you backed up your data, but you haven't really tested it, so you're not sure if you can actually recover data in time based on your objectives. 
Those are all things that I would consider as risks to the data, as well as things like, let's say you have to decommission a server or device and you forget to securely delete things. Those are all risks to the data. And then we've got the risks that are coming from the data based on how you use or process it. So oftentimes compliance risk falls in here, especially privacy compliance. It's also noncompliance with your internal policies around data use as well. But what's next beyond this is a further understanding of data risk and expanding the scope of that. So I highlighted some of those risks to the data. There is risk from the data now where we can start to tie in things like data sprawl, unethical use of data as well. It's a risk based on how you're using, how you're processing data. The one where I don't see a ton of today in terms of capability is centered around risks that are in the data. So a better understanding of data integrity, of understanding, not just integrity in the sense of how your data management peers might be thinking about it, like data quality, accuracy and the like, but data integrity in the sense of, do we have a way to understand if this data has been tampered with or manipulated with or poisoned in some way and what those downstream impacts could be, what those downstream risks are coming from that type of action. Risks in the data also relate to the data lifecycle part of it, of your ROT data. How do you deal with that? How do you identify that? Your redundant, obsolete, the transient or trivial data as well. So thinking of things like stale data. And I point to these because these are becoming increasingly critical if we're thinking about how do we maintain good data hygiene as well as prepare for broader use of AI within the enterprise and scaling with use of AI as well. 
So looking forward to the future a bit more, I think if we can get specific here, there are a couple of key areas of opportunity for where these DSPM solutions could be going, what they could be combining with. So we started our time today talking about the alphabet soup of SPM, all these different SPM things popping up. And I think there's a good chance that we'll see some of these spaces start to converge a bit. So then you've got DSPM combining with things that are around on the cloud security side, CSPM, SSPM, so cloud security posture management, the SaaS security posture management as well. It's a natural fit to then have some capability around DSPM there. So that's a nice grouping, but increasingly within broader data security platforms and even within DSPM offerings, a core use case that they're trying to tackle is our AI data use cases. So then we have this other space of AI SPM that is bubbling right now as well. So I think we can also expect to see some convergence there between DSPM and AI SPM. It's getting harder and harder to separate out the data and AI security and governance types of tooling because they are so interrelated going forward. So securing AI across various use cases is going to be a key piece for DSPM value, and there's different types of use cases that I think we can focus on as well. So within enterprises today, some of the more popular ones that I see have to do with trying to understand shadow AI use within the environment, trying to do things like prepare their data and their house, essentially getting things in order if they're trying to take advantage of embedded AI within the tools that they have within the organization, the different copilots that are popping up in different enterprise tools have had a way of really shining a light on deficiencies around understanding your data and what's sensitive as well as data access governance. 
So these are some key risks around data access and sensitive data that DSPM is a core use case for. But as we go down the path of what are some other uses related to other use cases that start to get more advanced, it's when you as an organization are trying to develop your own application. It's when you are trying to develop and build your own enterprise agentic AI system. So that's where these underlying capabilities of really having that deep understanding of the data that you're working with, what's sensitive, what falls under compliance, what are the risks that come from using that data is going to be really critical as key foundational capabilities here. And then lastly, another one that is popping up is this need to prepare for quantum security. So preparing for things like your post-quantum cryptography migration, your PQC migration. It's a big undertaking. If so, I've heard some folks refer to it and make comparisons to preparing for Y2K, which I think downplays the issue quite a bit. So if you're thinking of if Y2K was going through your house and identifying every faucet that you had, replacing the filter inside the faucet, then your PQC migration is akin to having to replace all of the plumbing, the piping, all of that infrastructure within your house. So you're doing things like knocking down walls at this point, making surprise discoveries as you do this, as well as having to actually live in the house while you're undergoing this major renovation. That is the extent of what you could expect from a PQC migration. And a lot of times the key thing, the first step in all of this, in this migration planning, is to understand what encryption algorithms you have in use. So doing that cryptographic inventory, cryptographic discovery as a foundational part of it. 
So I'm starting to see some DSPM solutions that have either that encryption heritage or they're part of an encryption platform do things like also show you cryptographic posture alongside DSPM and combining the two. So some interesting things that are coming on the horizon, largely driven by the types of new challenges and growing challenges that organizations will be dealing with going forward. It's all good things to expect in terms of innovation. And with that, thank you very much. That's what I had in terms of presenting my view on DSPM today. And I know we're happy to take questions in a few as well. But I think we've got a couple of words as well before we get to that. All right, Heidi, thank you so much. Your DSPM knowledge with the new acronym soup, Cloud Security Posture Management, SaaS Security Posture Management, now Data Security Posture Management was outstanding. Loved all the concepts, questions, themes, trends that you shared. So amazing. We're seeing all of those things here at Fortra. So at Fortra, we've been doing data protection for quite some time. And I loved how you pointed out that the DSPM vendors, tools, where do they originate from? And for us, we've been doing data protection for over a decade. And it's always been about these three pillars. Discover my data wherever it is. Classify my data wherever it is. Ideally, classification can help improve the accuracy of protecting that data. When we protect it, we want to make sure we're accurately protecting the right data and not being overprotective, thus disrupting user experience in the business. But we do all three of these pillars and have been for over a decade. But what's exciting about DSPM is the ability to start to automate discovery. Historically, we would take a DLP platform product and focus it on identifying specific sets of data. Maybe PCI in the retail environment, HIPAA in a healthcare environment. But we'd be very specific. 
Now with DSPM, we can automate discovery of all data. So as a healthcare provider, you may know you've got healthcare data, but what about HR records that could potentially be exposed to the entire healthcare employee base? So how do you surface other data that's absolutely critical as well, assess the risk, and then automate the remediation? But Discover, Classify, and Protect is what we've been doing for quite some time. Next slide. And we just have two slides that we wanted to share to wrap up with. But with Fortra, we just launched our DSPM, focusing initially on the cloud, but the coverage is going to rapidly expand. Because across our entire data protection suite, we can discover, classify, and protect data, whether it's in the cloud, on-premise on an end-user device, in a file share on-prem or a database, or file share or database in the cloud, your public cloud infrastructure. So we can help you get an understanding of your entire data universe, whether it's structured or unstructured, known or unknown. So there is lots of shadow data that we can help surface. But beyond that, I really liked your point about actionability. A lot of DSPM tool sets today, that's what they do. They discover data. But now that you've surfaced it and you recognize risk, how do you put in controls to protect that data, remediate the risk? With Fortra's platform, we take care of the remediation as well. So we'll do the DSPM for discovery, which is a service that feeds into our DLP to protect. We can protect data at rest, endpoints, network file shares in the cloud, but also data in motion. Maybe it's being uploaded to a website, shared from your OneDrive folder. Attached to an email, we can apply protections to that transit data as well. But all in all, we have a very comprehensive data protection platform, and we're super excited to announce our DSPM this week. I think that takes us to the end. Yes. Good. 
So we do have a couple of questions that have come in from some of our attendees. So, Tony, this one is probably better for you. What are CRMs for which you offer DSPM integration? Salesforce is absolutely the top one. We've been doing Salesforce for probably 12 plus years. Maybe put in the chat any other CRMs you're interested in, and we can always follow up. But Salesforce has definitely been very strong for us for a long time. Great. I'll let you know if any follow-up comes to that. Next question. How could small and medium-sized organizations approach and initiating a DSPM project? Well, so at Fortra, we're offering a free data risk assessment. We have a form that you can fill out on Fortra.com where you can put in a request. We'll follow up with you to see kind of what your needs, interests are. But we offer a 30-day risk assessment. So we'll give you kind of a taste. You know, it's like buying a car. You go to the dealership, kick the tires, look under the hood. We'll give you a 30-day risk assessment, and then you can determine what are the risks this exposes, what are those use cases, how can this apply automated remediation. Because chances are you've got years and years of data that you may want to then license the product to do all of that. And a follow-up to the question on CRMs, what about Zoho? I will have to look up Zoho. I'm not familiar with them, but we can follow up post the webinar. And then the last one I have here, Heidi came in while you were speaking, so I'll direct this your way. If we've already invested in data classification and labeling elsewhere, do we still need DSPM? Ooh, that's a good one. It could be that it depends. What is the extent of the current investment? What does that existing tool do for you? Is that one also offering DSPM capability, or does it not? Or is it covering only certain environments that you needed to cover, but there's a gap in terms of where you really do need additional coverage? 
So being able to, I think, go back and identify what is the current scope of what you've implemented and done versus where do you want to be and seeing if there's a delta there. It's not all lost, because sometimes maybe the newer tool that's going to cover some of these gaps, they're still pulling from and able to use the insights and the work that you've already done. And one more just popped in. Would implementing a DSPM benefit organizations following compliance or regulatory frameworks or have cyber insurance? Absolutely. Again, the DSPM, it's going to automate the discovery of your data using a broad range of data identifiers that come together to form compliance frameworks. So you're going to be able to automate that discovery and then be able to validate, are you compliant? Or what actions should be taken to become compliant? But DSPM, again, it's kind of a new way, automated way of discovering data that we've been doing for years with traditional DLP tools. But now you can automate that, which really goes a long way to improving the administrator experience and not just surfacing known data like I know I need to look for HIPAA-based data. What about intellectual property? What about mergers and acquisitions data? We can help you surface a great deal of insight above and beyond just your traditional known data requirements. Great, thank you. Oh, one more. What type of data leaves customer? What type of data leaves customer assets? What type of data leaves customer assets, so maybe customer records, you've got a list of customer records. How could that be exfiltrated in a malicious or unintentional way? I've worked with a large retailer a number of years ago. Their biggest concern of data leakage was price lists. You know, large retail environment. They're adjusting prices every day by geography. And that was really critical data to them. But any type of data could be critical to the operation of the business. 
And you want to be aware of what that is. Where's the data? How is it accessed? How is it used? And DSPM is just, it's a new way of automating the discovery of all of the data. Great, well, that's the end of the questions that I've seen come in. So with that, I will thank you, Heidi. Thank you, Tony. And appreciate all of you who joined us for today's webinar. Have a great afternoon.

TL;DR

  • DSPM consolidates data discovery, classification, and risk visibility across cloud and on-premises environments, with the market rapidly consolidating through acquisitions by diverse security vendors
  • Successful DSPM adoption requires defining specific use cases, understanding environment coverage and risk types, evaluating remediation workflows, and ensuring internal processes support operationalization
  • The market is evolving beyond regulated data protection toward intellectual property security, AI risk management, and post-quantum cryptography preparation, with convergence expected across security posture management categories
  • Fortra differentiates by combining DSPM discovery with integrated DLP controls for automated remediation, leveraging over a decade of data protection experience across cloud, on-premises, and endpoint environments
  • Key evaluation criteria include accuracy of classification, actionability of insights, integration dependencies, and whether DSPM exists standalone or within broader security platforms

Understanding the DSPM Market Landscape

Forrester Principal Analyst Heidi Shey provides a comprehensive overview of the Data Security Posture Management (DSPM) market, explaining how it combines existing capabilities like data discovery and classification with new risk visibility features. She clarifies that while underlying capabilities have existed, DSPM's innovation lies in consolidating visibility across cloud, SaaS, and increasingly on-premises environments into a unified risk assessment framework. The session addresses common misconceptions about DSPM being commoditized, emphasizing significant differences in accuracy, actionability, and integration capabilities across solutions. Shey highlights the rapid market consolidation through acquisitions by diverse players including cybersecurity platforms, endpoint providers, exposure management companies, and data resilience vendors, signaling DSPM's strategic importance across multiple security domains.

Practical Implementation and Use Case Considerations

The webinar explores critical evaluation criteria for DSPM adoption, starting with defining specific use cases rather than treating it as a checkbox capability. Shey outlines key questions around environment coverage (which clouds, which SaaS applications), risk types surfaced, and whether DSPM exists as standalone capability or integrated within broader platforms. She emphasizes the importance of understanding remediation workflows—whether risks can be automatically addressed or require manual intervention and integration with other tools. The discussion covers dependencies on internal processes like data governance, access control reviews, and staffing requirements to operationalize DSPM insights. Tony Kelly from Fortra demonstrates how their platform addresses the actionability gap by combining DSPM discovery with integrated DLP controls for automated remediation across cloud, on-premises, and endpoint environments.

Future Evolution and Emerging Capabilities

Shey projects DSPM's evolution beyond current focus on regulated data (PII, PHI, PCI) toward broader coverage including intellectual property, trade secrets, and AI-related risks. She anticipates convergence with other security posture management categories (CSPM, SSPM, AI SPM) as data and AI security become increasingly interrelated. Key emerging use cases include shadow AI detection, securing AI training data, and preparing for post-quantum cryptography migration through cryptographic discovery capabilities. The session concludes with Fortra's announcement of their DSPM offering, emphasizing their decade-plus heritage in data protection and comprehensive coverage across structured and unstructured data in cloud and on-premises environments. The platform's differentiation centers on end-to-end capability from automated discovery through classification to protection enforcement, addressing the common gap between risk identification and remediation.

Chapters

0:00 - Introduction and Speaker Overview
1:05 - What is DSPM? Defining the Category
3:36 - Current vs. Predictive Risk Assessment
5:57 - DSPM Challenges: Redundancy and Accuracy
8:59 - Market Consolidation and Acquisitions
10:17 - DSPM in Modern DLP and Zero Trust
13:34 - Key Considerations for DSPM Adoption
20:09 - Future of DSPM: What's Next
26:16 - Convergence with AI and Cloud Security
31:21 - Fortra's DSPM Platform Overview
35:52 - Q&A Session

Key Quotes

1:05 "It's like a bowl of alphabet soup these days, and DSPM is one of those, but what is it really? ..."
1:26 "Is this really a new thing to which I respond yes and no? ..."
5:39 "If the answer is, well, it's the hot topic or it's something that an executive is saying we have to look at, that's not good enough."
6:53 "It's very much customized, specific to your environment. And a lot of cases, it may be the rate that is trying to measure how things were done before and what that looked like within this particular enterprise versus what they look like now with this DSPM solution in place."
13:53 "The last thing we want is to treat this as like a checkbox capability, thinking that it is commoditized because it is not."
20:58 "DSPM has been a thing that really illuminates a path forward for people when it comes to understanding data in their environment, understanding risk and what to do about it."
