I’m both excited and concerned to write about data security as one of the hot trends to monitor in 2021. Data security is a tough topic to summarize and I’d argue it may be the most misunderstood category in security right now. We’re a raw industry that has been shaken up multiple times for years. We’ve gotten micro-services, Agile software development, public cloud, GDPR, multi-cloud, work-from-home, federal regulations and SaaS applications all disrupting how we lived and worked.
It’s gotten to the point now that if you were to ask a CISO what they’re doing to protect their data, you’d get different answers; there is no consistency. Yet, if you were to ask those same folks who the leading data storage, analytics, processes and vendors were, clear market leaders would quickly emerge.
Yet the idea of protecting data is still synonymous with cybersecurity. Data continues to be a top-3 security topic within the board. “What are we doing to protect our customers’ and the organization’s data?” If the many, many public breaches have told us anything over the years, it’s that losing data escalates a “security incident” into a “data breach”. Lawyers get involved when we lose control of our data. How else would we figure out our liability to our suppliers and customers?
There is a reason we’re in this situation: for the longest time, security was architected with “defense in depth”. Data was the soft, squishy middle of a hardened perimeter. We protected data by first making sure our endpoints weren’t compromised, then by making sure threats weren’t moving around in our networks undetected, then by making sure our applications weren’t vulnerable to data leaks. Now that we’re all moving towards the multi-cloud, SaaS world, the castle walls we’ve built over the years no longer work. It’s impossible to monitor data flowing across clouds, microservices, internal, external applications, geographies, data centers and technologies.
Considering all of this complexity, it’s clear to me that most projects will adopt a “back to the basics” theme. Even though each company doesn’t have the same crown jewels, business models or customers, I envision most data security projects this year will align to the first two parts of NIST’s Cybersecurity Framework: Identify and Protect. The remaining three (Detect, Respond and Recover) will come later as the industry starts to train the people, mature the processes and develop the technologies to begin to reasonably protect disparate data via the 80/20 rule.
Aligned to Identify and Protect, I expect to see two camps of data security projects: Visibility & Control. One set of folks will be interested in visibility: How much data do I have? Where is it stored? Who has access to it? What is our current risk profile due to accessible data and our threat model? How can I protect the data? Are there any quick wins that we can do to significantly reduce risk? Perhaps we can delete sensitive data in our staging environment?
Another set of folks will be interested in control. How can we protect our data by design? Are there ways for us to segment data by groups & roles? What technology is out there that allows us to enforce policy as data is being generated, moving across the network and in production?
In the end, I envision a “data firewall” being created to merge those two paths, as an important milestone in this category. We’ve had every version of the firewall to protect the endpoint, the network, the application. These firewalls complemented technology changes from personal computing, local networks, the internet, mobile, IoT. It’s only logical we’ll see a new firewall being created due to multi-cloud and the firewall moving closer to data; a pattern we’ve seen for multiple decades now.

Will is a Managing Director and a founding team member at ForgePoint Capital. He has been an avid technology enthusiast for decades: building his first computer in elementary school and starting online businesses while completing his bachelor’s degree from the University of California, Berkeley. Focusing on security startups for a decade, he has worked with more than 20 cybersecurity companies to date. In his spare time he’s a foodie with friends, enabling serendipity and building communities.
More from William Lin
- The VC View: The AppSec Evolution
- The VC View: The DevSecOps Evolution and Getting “Shift Left” Right
- The VC View: Incident Response and SOC Evolution
- The VC View: Vendor Risk Management
- The VC View: Digital Transformation
- The VC View: Enabling Business via IT Security
- The VC View: Identity = Zero Trust for Everything
- The VC View: Cloud Security and Compliance
