The Blind Spot – Part 1 (DSPM)

You’ve invested in your security stack. Firewalls. EDR. SIEM. CASB. Zero Trust Architecture. And yet you still can’t answer the question the board is asking.

Most enterprise security teams can tell you who accessed the network.

They can tell you which endpoints were compromised. Which alerts fired. Which policies were violated.

What they often can’t tell you is this:

Where is your sensitive data right now? All of it. Who has access to it? Is that access appropriate? Has it drifted from policy? Is it feeding an AI model it shouldn’t be?

This isn’t a technology failure. It’s a category gap.

The perimeter didn’t break because of AI. It broke when smartphones arrived and data started moving freely outside the boundaries organizations thought they controlled. Cloud accelerated it. SaaS fragmented it further. Remote work dissolved whatever remained.

AI didn’t create the problem. It made the consequences impossible to ignore.

Because now data isn’t just moving. It’s being consumed, transformed, and acted on by autonomous systems at machine speed. Often without users knowing what’s happening or what data is involved.

The security discipline built to address this is called Data Security Posture Management (DSPM).

Over the next six weeks I’m going to break down what DSPM actually is, why your existing stack doesn’t solve for it, and what a mature data security posture looks like in practice.

If you followed Series 1 on ROT (redundant, obsolete, trivial) data, this is the natural next layer. Cleaning your data matters. But knowing where it is, who can touch it, and whether it’s governed? That’s what keeps the board from asking the question you can’t answer.

Derran Guinan
Field CTO · Americas

Field CTO for the Americas at Veeam. 30+ years in IT and cybersecurity. I write about data protection, security architecture, and AI from the field — honest takes for practitioners, not press releases.
