Introduction
The way enterprises operate has undergone a seismic transformation over the past century, from centralized mainframes to distributed cloud ecosystems, from siloed departments to interconnected digital workflows, from physical boundaries to borderless collaboration. Yet amid this revolution, security practitioners have remained stubbornly anchored to an infrastructure-centric worldview. For decades, we’ve fortified networks, hardened endpoints, secured servers, and now scramble to protect cloud environments, always chasing the perimeter, always focused on the containers rather than what they hold. What has been fundamentally missed in this evolution is the most critical shift of all: the need for a data-centric security paradigm. While data has become the lifeblood of modern enterprises, flowing across systems, crossing borders, and driving every business decision, our security models still revolve around the infrastructure that merely transports and stores it.
It’s time to flip the script: to stop asking “How do we protect our systems?” and start asking “How do we protect our data, wherever it goes?”
This article reimagines that conversation through a simple yet powerful lens: understanding data’s why, where, who, and when.
Background: The Lesson That Started It All
Nearly four years ago, I had my first meeting with Commander Praveen Kumar. My objective was clear: pitch our new cloud security solution. But like many tech conversations between engineers and CISOs, it started with uncertainty.
How do you explain innovation to someone who’s seen it all? We walked through our story, a problem-driven, outcome-oriented pitch that earned us a proof of concept (POC).
The product worked wonderfully in surfacing complex misconfigurations across cloud infrastructure. But during the live trial readout, the most basic query, listing publicly exposed endpoints, failed.
For a few seconds, silence filled the room. In my head, I could already see the deal slipping away.
That’s when Commander Praveen said something that reframed my entire perspective:
That single observation planted the seed for everything this article explores.
The Small Things in Security
In the years that followed, I began to see “the small things” show up everywhere: inside teams, in customer relationships, and even in how organizations define success.
It is in the small things that cybersecurity finds its foundation:
- Admitting when a control isn’t working, instead of hiding behind jargon.
- Understanding a customer’s ‘why’ before pitching a feature.
- Knowing not just how to defend a system, but why that system needs defending in the first place.
That reflection inspired a social experiment, one that exposed a surprising truth about how we approach data protection in the industry.
A Simple Experiment
I reached out to a mix of CISOs, security analysts, and IT auditors across different sectors. The goal was simple: to understand how seasoned professionals perceive their own roles and data responsibilities.
- What does your job description really mean to you?
- Why do you do what you do?
- What tools are non-negotiable in your role?
- What happens if you lose access to those tools for a week?
- Do you truly know what you’re protecting?
The responses were intriguing. Most could clearly list tools and processes, but very few could precisely define what their data actually was, or where it truly resided.
That gap between securing infrastructure and understanding data is where modern security challenges are born.
The Problem: Shifting from Fortresses to Fluid Borders
To picture this, imagine an ancient kingdom. The ruler’s fortress is his enterprise; the citizens are his data. Guards, walls, and watchtowers represent the firewalls, IAM, and network controls of today.
But as the kingdom prospers, trade expands beyond its walls, just as modern data now flows across cloud providers, SaaS platforms, and third-party ecosystems.
Soon, those fortress walls become less effective. The protective perimeter you relied upon no longer keeps your citizens safe, because your citizens, your data, now live and work everywhere.
This is the new normal.
Organizations have invested years and millions building defenses for on-prem systems, only to find that their most critical workloads and data no longer reside there. Data now lives in borderless ecosystems. And while ownership remains internal, control often doesn’t.
Data Reality: Discovery Before Defense
For most mid-sized to global enterprises, the very act of discovering where all data lives can take six to eighteen months. During that time, businesses continue to grow, security tools continue to multiply, and visibility continues to shrink.
Without discovery and classification, data protection becomes guesswork.
Traditional DLPs, CASBs, and Zero Trust architectures often focus on movement control: preventing data exfiltration. But that’s like guarding every citizen equally, regardless of their role or value.
The more meaningful approach is to first identify which data is sensitive, where it travels, and how it interacts. Only then can organizations right-size their controls.
Modern cybersecurity isn’t about securing the perimeter; it’s about safeguarding intent and purpose.
The Framework: Why, Where, Who, and When
CISOs who embrace this mindset articulate data protection through four guiding questions:
Organizations that master these four can build trust not just with regulators but with customers, partners, and employees.
Redefining Modern Security Leadership
For CISOs and technology leaders, this fundamental shift from infrastructure-centered defense to data-centered understanding is both a challenge and an opportunity.
Security is no longer about imposing control. It’s about enabling safe collaboration, where every data decision is rooted in purpose and awareness.
The goal? To move away from reacting to threats, toward anticipating them through visibility. Because true resilience starts with understanding the small things, the things we often assume are already known.


Closing Reflection
That day years ago when my product demo failed now feels like a turning point. I walked into that meeting aiming to sell a solution. I walked out with a philosophy.
As Commander Praveen said:
The small things eventually matter.
In today’s world, the smallest truths often define the biggest outcomes.
In cybersecurity, that truth begins with four simple questions: Why, Where, Who, and When.



