
LIVE from Gartner Security & Risk Summit: How Security-Forward CIOs Lead on Data

Walking the tightrope.
Kelsey Brandt
Contributing Writer

In an era where enterprises are racing to deploy GenAI, a quiet contradiction is undermining progress: despite record spending on data security, breaches are rising, agility is suffering, and innovation is getting throttled.

According to Gartner analyst Andrew Bales, the issue isn’t the technology stack; it’s the strategy behind it.

“Data breaches happen because someone loses or steals the data, or shares it in an unauthorized fashion,” Bales explains. “This could be an attacker, or, more frequently and likely, an insider who accidentally or maliciously transferred data outside of the scope of the organizational policy.”

To Bales, the key failure is treating data as an isolated asset rather than a shared responsibility. “Security leaders should build data security policies and programs that rely on behavioral analytics tooling (including user intent detection) to prevent data loss,” he urges.

Symptom One: GenAI Stuck in the Pilot Lane

Despite the hype, most GenAI efforts are trapped in limbo. Only 22% of organizations are scaling or widely deploying GenAI, Gartner data shows. The bottleneck? Security systems built for structured data (relational databases, schemas, and tightly controlled access points) aren’t designed to handle the vast volumes of unstructured data GenAI thrives on.

From emails and documents to design files and customer chats, these unstructured assets remain largely invisible to legacy Data Loss Prevention (DLP) and classification tools. Without visibility or policy enforcement across these data sets, CIOs can’t ensure safe usage, so GenAI deployments stall.

What CIOs Can Do:

  • Strategic shift: Implement Data Access Governance (DAG) to prevent unintentional data leakage via GenAI.
  • Immediate first step: Evaluate whether current tools can discover, catalog, and classify unstructured data at scale.

Symptom Two: Security That Strangles Innovation

Security isn’t just protecting the business; it’s often slowing it down. More than 30% of organizations say cybersecurity initiatives constrain tech adoption, data value creation, or workforce productivity. At the root is a governance model where all authority lives in the CISO’s office, creating bottlenecks that conflict with the fast pace of business.

Bales advocates for a more agile approach: adaptive data security governance. This means giving departments more autonomy to define policies that align with their needs, within a shared enterprise framework.

“Agility-based approaches to DSG enable enterprise agility through distributed authority to make value-based decisions,” says Bales. “For example, a CISO might delegate the HR leader to define HR-specific data classification policies, based on the organization-wide template, to accelerate the time to value.”

What CIOs Can Do:

  • Shift governance: Empower business units to tailor data security policies within a shared framework.
  • Unlock value: A distributed model reduces friction between security and business, enabling faster innovation.

Symptom Three: DLP Fatigue and Insider Threat Blindness

Despite heavy investment in DLP, insider risk remains a persistent challenge. Gartner research reveals that over 30% of organizations experienced significant data loss in the past two years. Why? Because most DLP programs are too narrowly focused on the data itself (flagging files and blocking transfers), without understanding the behavior behind it.

“DLP isn’t inherently bad,” Bales notes. “It’s too restrictive and narrowly focused. If you just look at data itself, and you’re not concerned about what users are doing with sensitive information, it’s going to be incredibly difficult to minimize data loss.”

Real progress requires understanding user behavior and intent. As Bales predicts, “By 2027, organizations incorporating intent detection and real-time remediation capabilities into DLP programs will realize a one-third reduction in insider risks.”

What CIOs Can Do:

  • Upgrade detection: Integrate User and Entity Behavior Analytics (UEBA) with DLP and SIEM systems to flag high-risk actions.
  • Future-proof: Shift from reactive alerts to proactive, intent-based risk prevention.

Symptom Four: Post-Quantum Paralysis

The quantum era is approaching fast, and with it, the risk that today’s encryption methods will be obsolete. Gartner predicts that by 2029, most conventional asymmetric cryptography will be unsafe. Yet many organizations remain unprepared.

“The most important thing CIOs and CISOs should be doing, even if they don’t feel ‘ready’, is building a Cryptographic Center of Excellence (CCoE),” says Bales. This group helps define the post-quantum cryptography (PQC) strategy and roadmap, gain visibility into current crypto usage, and start preparing now.

“Don’t wait three years before thinking about PQC,” he warns. “That’s going to be a world of hurt for your cryptography.”

What CIOs Can Do:

  • Today: Launch a Cryptographic Center of Excellence to define your PQC strategy.
  • Next 12 months: Conduct a crypto inventory, assess agility, and begin pilot programs for post-quantum algorithms.

Final Diagnosis: Focus on Fundamentals

Across all four symptoms, a common pattern emerges: most security programs are misaligned with how businesses operate today. “If you don’t know where or what your data is, you will not be able to secure it,” Bales emphasizes.

To close the gap, he recommends a phased roadmap:

  • Start now: Audit DLP tools for behavioral capabilities. Draft an unstructured data policy. Align with business units on data needs.
  • In the next 90 days: Launch a data classification initiative. Pilot DAG tools. Build your CCoE team.
  • Over the next 12 months: Shift security investments toward unstructured data controls, deploy UEBA-enhanced DLP, and implement your PQC plan.

The Wrap

CIOs today walk a tightrope between protecting the enterprise and accelerating it. The answer isn’t more rules; it’s smarter, more aligned governance. With behavior-aware security programs and future-ready cryptography, organizations can reduce risk without losing momentum.

As Bales puts it, “Long-term success means taking one deliberate step at a time. But you have to start stepping.”
