In an era where enterprise data sprawls across cloud platforms, collaboration tools, and SaaS environments, CISOs are under constant pressure to reduce risk without becoming the department that slows everything down. That tension sits at the heart of a recent episode of the Security Strategist, where host Jonathan Care speaks with Ariel Zamir, founder and CEO of Ray Security, about what pragmatic, modern data security actually looks like.

Their conversation cuts through the noise around cybersecurity tools and frameworks and focuses instead on how CISOs can think differently about enterprise data, risk management, and control.

Understanding Enterprise Data Risk Starts With Reality

One of the most grounded points Zamir makes is also the simplest: most enterprise data is not being used. At any given time, around 98 per cent of enterprise data sits dormant. From a data security perspective, that should immediately raise questions. Why is data that no one needs today exposed in the same way as data actively driving the business?

For CISOs, this reframes the challenge. Instead of trying to secure all data equally, the priority becomes understanding which data is actually accessed, by whom, and when. This shift matters because risk does not come from volume alone, but from unnecessary exposure. Dormant data with overly broad access control is often invisible to the business, yet highly visible to attackers.

By grounding cybersecurity decisions in how data is really used, security teams can reduce enterprise data risk without introducing friction for employees who are simply trying to do their jobs.

Permission Hygiene, Access Control, and Dynamic Security

A recurring theme in the discussion is permission hygiene. Over time, access rights accumulate. People change roles, projects end, contractors leave, but permissions rarely get cleaned up. The result is an expanding attack surface that no amount of policy documentation can realistically govern.

Zamir argues that improving permission hygiene and access monitoring should come before heavy data classification initiatives. Tightening access control, understanding access patterns, and removing unnecessary permissions can dramatically reduce risk with relatively low operational impact.

Crucially, this does not mean locking everything down. Dynamic controls play a key role here. Instead of blocking access by default, organisations can monitor for unusual behaviour and respond in context. Alerts, step-up verification, or temporary restrictions allow security teams to manage risk while preserving user experience. From a business perspective, this approach aligns far better with how work actually happens.

This is also where agentic AI and agentless monitoring enter the picture. As autonomous systems increasingly access data on behalf of users, traditional identity-based controls struggle to keep up. Agentless approaches help close coverage gaps without requiring intrusive deployments, while agentic AI introduces new questions about accountability and oversight that CISOs can no longer ignore.
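
The permission hygiene step described in this section, joining granted permissions against observed access to find dormant data that is still widely readable, can be sketched as follows. This is an added example, not code from the podcast or from Ray Security; the function name, the sample grants and log events, and the 90-day dormancy window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: (principal, resource) grants and access-log events.
GRANTS = [
    ("alice", "finance/q3-forecast.xlsx"),
    ("bob", "finance/q3-forecast.xlsx"),
    ("alice", "archive/2019-payroll.csv"),
    ("bob", "archive/2019-payroll.csv"),
    ("contractor-7", "archive/2019-payroll.csv"),
    ("carol", "hr/handbook.pdf"),
]
EVENTS = [
    ("alice", "finance/q3-forecast.xlsx", "2024-05-28T09:14:00"),
    ("carol", "hr/handbook.pdf", "2024-05-30T16:02:00"),
    ("bob", "archive/2019-payroll.csv", "2023-01-11T11:45:00"),
]


def review_permissions(grants, events, now, dormant_after_days=90):
    """Return (dormant_exposure, unused_grants) for the review window.

    dormant_exposure: {resource: principal_count} for resources nobody
    touched inside the window, widest exposure first.
    unused_grants: grants on active resources whose principal did not use them.
    The 90-day default is an assumed threshold, not a figure from the episode.
    """
    cutoff = now - timedelta(days=dormant_after_days)
    recent = set()
    for principal, resource, ts in events:
        if datetime.fromisoformat(ts) >= cutoff:
            recent.add((principal, resource))
    active_resources = {resource for _, resource in recent}

    exposure, unused = {}, []
    for principal, resource in grants:
        if resource not in active_resources:
            exposure[resource] = exposure.get(resource, 0) + 1
        elif (principal, resource) not in recent:
            unused.append((principal, resource))
    ranked = dict(sorted(exposure.items(), key=lambda kv: (-kv[1], kv[0])))
    return ranked, sorted(unused)


if __name__ == "__main__":
    dormant, unused = review_permissions(GRANTS, EVENTS, datetime(2024, 6, 1))
    for resource, count in dormant.items():
        print(f"dormant, {count} principals still have access: {resource}")
    for principal, resource in unused:
        print(f"unused grant: {principal} -> {resource}")
```

Dormant resources with the most principals are the first candidates for access reduction; unused grants on active resources are candidates for removal or for step-up verification on next use.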

Just-in-Time Classification and the Legal Implications of Automation

Traditional data classification has long been treated as a foundational security activity, but the podcast challenges that assumption. Classifying vast amounts of dormant data upfront is expensive, slow, and often disconnected from real risk. Instead, Zamir advocates for just-in-time classification, applying context only when data is accessed.

This approach supports more effective risk management while easing the burden on security teams. It also aligns better with regulatory expectations, where proportionality and intent increasingly matter.

However, automation and agentic AI introduce legal implications that CISOs must consider when developing their strategies. When autonomous agents access, move, or transform data, organisations need clarity on responsibility, auditability, and compliance. Dynamic controls and temporal insights into data access are not just technical safeguards; they are essential for demonstrating governance in an environment where human and machine actions intersect.

Taken together, the conversation highlights a more measured path forward. By focusing on how enterprise data is actually used, improving permission hygiene, and applying controls dynamically, CISOs can enhance data security without slowing down the business. It is less about adding more tools and more about making smarter, context-aware decisions in a landscape where risk is shaped by time, access, and intent.

For more information on this, visit: https://raysecurity.io/

Takeaways

  • Around 98% of enterprise data sits idle, creating hidden security risks.

  • Focusing on data dormancy helps prioritise protection and reduce exposure.

  • Permission hygiene and dynamic controls reduce risk without slowing business workflows.

  • Just-in-time classification cuts overhead by securing data only when accessed.

  • Agentless monitoring and oversight of agentic AI improve coverage and accountability.

  • Legal and governance frameworks must evolve to handle autonomous data access.

Chapters

00:00 Introduction to Cybersecurity Challenges

01:38 Understanding Data Dormancy and Its Implications

05:10 Focusing on Critical Data for Security

08:21 The Importance of Permission Hygiene

10:53 Just-in-Time Classification for Data Security

12:28 Dynamic Controls for Business Needs

16:43 Agentless Monitoring and Coverage Gaps

19:32 Integrating Logs and APIs for Security

21:34 Future Trends in Cybersecurity