Hey, everybody. Thanks for joining us today. We're going to be talking about sensitive data, specifically empowering your ability to mitigate that risk that is associated with sensitive data across the enterprise. If you who don't know me, I am reasonably new with Quest but have been in this business for a long, long time. I came as part of the Irwin acquisition, but really, my entire career has been focused on data. It's probably one of the few things where I've been ahead of the curve.
And really, in all the roles that I've had, whether it's been in industry building data warehouses and getting information to people that need to make decisions, or working for vendors, looking at database design, data modeling, data governance-- throughout it all, really, it's all about trying to get more value out of your data and really mitigating the risks that are related to that data. So hopefully, you'll find this an interesting and exciting presentation.
This one may be a review from one of the past-- or, a couple of the past sessions. But if you're not aware, there's so much going on in business today, and in the world around those businesses, that are driving change in the way that we approach the markets that we serve, the way that we go to our customers and really try to interact with them.
Digital transformation, Gartner says 91% of all organizations are in the middle of some digital transformation. And by 2023, they're going to be-- I think 52% of all the services and products that are available to you will be available from a company that has undergone that transformation. So it's pretty exciting times. When you look at data, data is everywhere. And that's really at the foundation of what organizations are trying to do, in terms of how they change their way of going to business.
It's taking data and making sure that data is at the front of what they do and all of the decisions that they make. But it's not easy. It's a tough world out there. There's a pandemic that's going on. There's all sorts of corporate data breaches and things, people trying to do nefarious things around these organizations. We've got all sorts of compliance and data privacy legislation that we have to deal with.
And all this time, we're trying to deal with a huge proliferation in data and modernizing all of the infrastructure, applications, and capabilities that we have around data so that we can democratize that data and get it out there for all the people that need it so that they can have data when they need it, how they need it, so that they can make the decisions that are going to drive us into that next stage of capability as a business.
So net customers are reinventing and transforming their businesses from the data out, which means everything they do, every decision they make either involves having looking at the data and what it means, or actually driving insights from that data to drive their transformation. So very exciting time, which now takes us to the topic that we have at hand. Sensitive data, and specifically, governing that sensitive data across your organization.
So what's driving the need for this sensitive data governance? Well, in a simple answer, it's not all data is created equal. We have lots of data, tons of statistics out there about how much data we have, but sensitive data still boils to the top in terms of the priority for businesses. And when we talk about sensitive data, the sensitive data most people are aware of is your personally identifiable information, or maybe your sensitive health care-- or, health care identifiable information.
But there's a lot of data, and there's different classifications of sensitive data within your organization. So adding to those are any information about our customers, any information about how we run our business, and then intellectual property, things that are specific, and our secret sauce that we bring to the market. So all of these things are sensitive data, and all of them are at risk.
And the numbers bear it out. If you look at the market size from market and market, they're looking at $5.1 billion spent last year and growing at a very, very high rate around addressing sensitive data in organizations. That's a good thing. It shows that people realize the risk and realize the need.
The bad thing is that the majority of those dollars are in the form of services engagements, where people are trying to patch holes in the ship, if you will. Especially as they move to the cloud and modernize their infrastructure, they're worried about sensitive data and whatever control they may have in their sort of nice, cozy, on-premise environment, and worrying about it being at risk as we move into these more modern platforms.
And if you look at IDC, that affects just about every organization. I think it's 96% have 10 different types of data across-- or, six different types of data across 10 different types of data management technology. And 94% of them are in some sort of model where they have some data in the cloud, some on-premise, and then different versions of the cloud as well.
So it is a serious problem. It's a problem that impacts every business, no matter who you are. If you have customers, if you have a product to sell, you're guaranteed to have sensitive data that you're storing, managing, and that can pose a potential risk to you as an organization.
We talk about the data breaches, and these are just some of the largest ones in terms of number of records breached. And what are they looking for in terms of these breaches and hacks? Well, they're looking for either sensitive data to potentially expose, or they're looking to shut down your operations and really hold your organization hostage by the data that you have. So it's massive. It's becoming more and more-- and those guys are getting smarter and smarter all the time in terms of ways to disrupt your business and really put you at risk based on the data that you have.
When we look at threats in inside the organization-- it's not just the external threats. There's also a lot of companies that are feeling vulnerable to the attacks are seeing the number-one priority as being insider attacks. And not just nefarious insider attacks, but even accidental breaches, where people are just doing things with their data that they don't know is wrong, that they don't know is risky, and that they don't know is causing some problems.
Also, in terms of the highest risk IT asset that you have out there, it's your corporate databases. There's data flying everywhere, but those databases are what really hold the gold, and those are the ones that are being focused on. And those are the ones that are, quite frankly, a challenge to get your arms around in terms of data through the entire lifecycle.
Then we talk about GDPR penalties. I'm sure you've all seen the statistics of-- there was the long run up to GDPR, what we needed to do, and what the potential problem was. Now, we're starting to see those fines that are associated with not doing the right thing by your customers and their data. And it's significant to organizations. Not just monetarily, but, even more importantly, from a reputation perspective.
If you are not seen as a good citizen, as a good custodian of your customers' data, then maybe they are going to take, share that data with somebody else, and do their transactions there. So very, very risky, very, very high profile. And also, it's not just GDPR. We're all now bringing CCPA into our messaging.
Well, the reality is, is that there's data privacy laws all over the world. Most of them are very similar in terms of what they're trying to achieve, but they add to the complexity, especially if you're an organization that's doing business across the world. Because they're not all the same, and, in actual fact, these regulations, just like all regulations that we have to be in compliance with in our businesses, sometimes are at odds with each other. Where they want you to keep data for a certain amount of time, but you have to give people the right to be forgotten, and the right to be anonymous, and all of these other things.
So a huge, complex world, and that's giving the c-suite, the stakeholders, everybody a lot of indigestion when you combine those data breaches, the potential for internal hacks, and then just having to be in compliance with all of these strict and complex regulations and making sure that your organization is up to the tops.
Now, most organizations do have a common sense in terms of what they're trying to achieve, in terms of dealing with sensitive data. They realize-- and we've seen the rise in the priority of data governance and organizations when you look at it. I would say that, in our latest research, over 89% of organizations have data governance somewhere in their top 10 priorities, with a slightly smaller amount in the top 5. And then I think it's somewhere around 60% to 70% where it is their number-one priority.
And the reason they want data governance is because-- not just sensitive data. All their data. They really are challenged to understand what data they have, how it impacts the business, where it poses a risk to them, and how they can get more out of that data in terms of really understanding it and being able to leverage it to solve the problems that it could solve for our business. So they're all trying to get that harness around there with a data governance framework to get a better picture of what data do we have, what does it mean, and how can we use it, how is it a risk.
They're also looking to tightly tie that to business functions, especially as they go through digital transformation. Because as we move different processes out into, say, the cloud, or into a digital approach, as we monitor application modernize applications to support that, quite frankly, that's a big risk in that move, that we don't miss all of the work that we've done to make sure that we're already in compliance.
And then there's just the sheer number of places where data, and specifically sensitive data, can be at risk through your organization. It's not just the hacks. It's just not being in compliance and not being able to reach that. It's running it through the development lifecycle and using production data to test new applications, and then having that data not be in that same safe container as what you consider your regular corporate data and exposing yourself to risk.
And then finally, responding to audits, it's generally-- from your priority perspective-- number 11 on a list of 10. It's never the right time to have an audit, and it generally takes people away from real value-add tasks in the organization as you struggle to bring together a very disjointed approach to looking at this and then respond to a very rigorous audit in order to avoid any negative implications.
So if you just stay that way, you're always going to have that indigestion, you're always going to have that risk, and you're going to miss opportunities in your business as you take valuable resources and put them somewhere else in a very reactive way to compliance and to sensitive data in general.
So really, when you look at what Quest brings to the table, we're really proposing a better way. It's a proactive way to manage sensitive data, to get that visibility, that capability, and orchestration across the entire landscape of your business as it pertains to sensitive data so that you can do this in a much more efficient and effective way. And really not impact the business negatively and have a high degree of confidence in terms of your capability to meet those challenges that we've just outlined.
So let's start with the platform for data empowerment. And again, if this is a review, I apologize, but it really puts it into context. Quest, as we were looking at the problems that our customers were trying to solve, we realized that we did a lot of good things around data. There was some things that we needed to do, and that was part of the acquisition of Irwin earlier in the year, but now we've brought together these three key disciplines in a way that makes it useful and usable for any organization across a myriad of their initiatives that they're trying to undertake.
So whether it's migrating to the cloud, or whether it's modernizing applications, or governing sensitive data, when you bring together all of these capabilities around protection, operations, and governance, it really gives you that intelligence and capability across the organization to put together a very, very effective and proactive framework that puts you in a good position to reduce your risk and not disrupt your business around that data.
So when we look at empowering sensitive data governance-- break it down, it's really not about those three pillars. It's not about the individual products, although they are important in the mix. But it's really about a process to go about approaching sensitive data in an ongoing and sustainable way. So it's really about defining, what is sensitive data in your organization, how does it impact the business, how is it managed and stored through the organization, and have a clear classification, not just what is sensitive data, but what kind of sensitive data is it? What does it pertain to? Give us that context.
Then you want to discover where that actually lives all across your organization. What databases is it in, what pipelines is it flowing through, so that you can really not just have a good definition of what sensitive data is and a general understanding, but really start to apply the appropriate policy, tagging regulatory compliance initiatives to the physical data that you have there, and really dig down into the data and have that capability to profile that data so that if it doesn't appear on the face of it to be sensitive, we can find out from the contents of that data if it truly is sensitive and something that's slipped through the net.
And then, finally, defending that data in a number of different ways. It starts with the ability to encrypt, mask, and redact sensitive data throughout the entire lifecycle. So whether it's production, and it's sitting in your warehouse, and people are hitting it every day to do analytics and business intelligence, if it's data that you're sharing with other organizations, or if it's data-- as I said before-- that's going through the development lifecycle and being used to test the results of your digital transformation initiatives, you want to be able to make sure that you apply the right and appropriate capability to that so that that data is in the right state, not only through the process, but once the process is finished, and that data is left sitting there somewhere.
Then, there's the ability to audit what's going on in your databases around that sensitive data and set policies, test those policies, and mature those policies over time. And, of course, you want to make sure that you have good backup and recovery around all of your data, sensitive data especially because there are regulatory requirements around that, and to make sure that, as you start to take those backups and restore them into your production environment, that your sensitive data is remediated with all the processes that are applying to it.
And then, of course, all of the devices that this sensitive data is traveling through and to, you want to make sure that they are hardened using our unified endpoint management solutions to make sure that data is not slipping out through USB ports, dealing with the Australian government. The number one risk to sensitive data that they identified in your organization is people putting it on USB drives, and then giving that USB drive to their kids to go do something for school, and next thing you know, sensitive data is sitting out in the world.
So making sure that those endpoints are hardened through the life cycle, right down to when a hard drive is moving from one employee to another, make sure that hard drive is appropriately destroyed and rebuilt so nothing slips through the cracks. So this process will give you that framework to really start applying different capabilities, and then taking that into a more holistic approach to sensitive data.
So starting with enterprise architecture and business process, if you think about what that is, it's all about your business goals, strategies, capabilities, processes. It brings data into that view, along with applications and technology, to give you full context into your business. So what do you do here? Well, you can start to map your sensitive data to your different business components, to the applications that are serving it up, to the business processes that are consuming it, to the overall business capabilities that enable you to go out and be successful in the market and all of the technology underneath.
You can also start to use this to define your actual GDPR remediation, GDPR processes, to make sure that you're in compliance, and document them at a great level of detail, including the data that is associated with it. But it gives you full architectural governance and context to your data so that you can understand those key questions of, where does sensitive data touch my organization, where am I at risk, where do I need to put those protections up, how do I orchestrate an enterprise view into sensitive data.
Then, we get into metadata management. This is where we go and we harvest every piece-- or, physical data asset that you have out there, both data at rest in databases, files, data sources, data in motion as it's moving between those different applications or streaming data, those types of things, and understanding where data is, where it's being impacted, how it's being managed, and really start to curate those assets with sensitivity classification tags and descriptors.
So again, when I want to get a view into all of the data sources associated with GDPR, if I've tagged it with GDPR, I'll be able to get a consolidated view and get educated insights out of that. And really, starting to provide that foundation so people can drill into the data that's available to them and understand the policies and risks behind that data, as well as the appropriate way to use it.
Then, we extend out with the business glossary. Having that business glossary, well, it does a number of things. It'll give you a view into what's sensitive out in the industry using different ontologies like FIBO for financial services, health care ontologies. People have done the work of classifying sensitive data elements and have that documented. You can bring that into the glossary, leverage the artificial intelligence mapping capabilities within our technologies, to then connect all of this down to that physical world, that physical metadata catalog that you just created.
And then you can start to build, again, dashboards, insights, graph use so people can navigate sensitive data and understand the relationships, associations, and connectivity between it. All very, very powerful in educating all of your stakeholders, but also an excellent tool to guide that audit response when the auditors come knocking to find out, are you doing the right thing by your data.
Right down to data modeling. What's data modeling got to do with it? Well, everything starts with data modeling. That's where you design new data elements. That's where you want to go out to the catalog and find out what type of data you can already use, bring that into your new design. Is it sensitive? Have that visibility.
As you're creating new data elements to bring into the organization, you can classify it up front so that there's no guesswork and no discovery required. It's there. It's documented. And again, all of this in a reusable model that you can then put back out into your data management and data governance environments to educate them and accelerate their ability to get their arms around everything that's going on around data and sensitive data in general.
And then we get down into some of the protection capabilities. And we have a number of technologies, depending on what the database target is. We have TOE database management and TOE for sensitive data. We have Apex SQL, where we have the audit and policy management capabilities. This is where you get down to brass tacks and can actually start to profile the data, find out if there's sensitive data that's fallen through the cracks of that framework that you've created with enterprise architecture, data catalog, and business glossary, and then pass that information back up and enhance that global view of sensitive data in your organization, and then take action against the risks of sensitive data.
So whether it's, like I said, encrypting data, whether it's masking it, redacting specific aspects of it to meet the requirements of regulatory compliance, and making sure that you're doing that in all aspects of the lifecycle so that there are no cracks and leaks in your sensitive data ship. And then, be able to use these technologies to go back and audit the transactions in there from a sensitive data perspective, and really find out if you're in compliance or not, and then leverage the content of that information to ensure that you have the right response, all of the data that's required.
And it was one of our customers-- I don't think this is a guarantee, but it's a great story. When they showed the framework that they had in place around responding to their GDPR audit, the auditors sort of took a magic wand across it and said, based on the rigor that you had in terms of explaining your ability to respond, I don't need to dig too deep. That looks good enough for me. I'm moving on to the next one. So that's a very, very powerful end result from taking on this capability.
So to finish the session-- and I know we're getting close to time here-- sensitive data empowerment is really what you're looking for. Because there's a lot of places and a lot of things you could do to protect yourself against the risks associated with sensitive data, but they don't always give you the full benefit that you're looking for. They don't always give everyone in the organization a strong feeling of confidence that we have all of this covered. So they spend a lot of their time asking and questions and making sure and prodding.
Then we have the places that you don't think data is at risk. So having that end-to-end not only deals with potential breaches, regulatory compliance, but really just day-to-day common things that happen with people, where you're busy, and you're just not paying attention. The risk is the same because you're still out of compliance if that data is leaving the boundaries of that framework that you've established.
And at the end of the day, it's really making sure that you stay out of the news when it comes to bad things around data, and that your reputation as a business is maintained, and your customers have that trust in you to be, truly, a partner around that data, and make sure that you're doing all the right things as a corporate citizen and a custodian of their data.
So with that, I hope this was an interesting, insightful view into the importance of sensitive data, the risk behind sensitive data, and how Quest can help you empower yourself to be a true achiever in the world of mitigating the risk that is associated with that sensitive data.
Got lots of great information out there for you to dig into deeper. We'd love to talk to you about it, see where you are on that sensitive data journey, and we can show you how we can help you and really amp up to your capability to meet this challenge as you interweave this challenge with all of the other challenges that you're facing as you move your organization into the digital future.
Thanks so much for your time.
Hopefully you'll join us over in the Q&A session that's going to follow this as we're finishing here, and we can dig into some of your questions, maybe hear some of your stories, and really move this conversation forward to some real benefits across the board for everyone. So thanks again, and we'll talk soon.