
As AI accelerates data sprawl and policy fragmentation, Fortra lays out a unified, posture-centric model for securing what matters most: the data itself.
Data is Outpacing Control
Over the years, security programs have shifted focus again and again. First the perimeter, then the endpoint – now cloud, SaaS, and identity (again). But no matter how well we adapt, the data always seems one step ahead of the controls meant to contain it.
Sensitive files now live across SaaS platforms, emails, collaboration tools, unmanaged cloud storage, and AI pipelines. Non-human agents generate and transform data at a pace most security teams can’t track, let alone govern. The result isn’t just complexity but a visibility gap that traditional controls were never designed to close.
To understand how security leaders are responding, Cybersecurity Insiders spoke with Matt Reck, CEO of Fortra, shortly after the company launched its new Data Security Posture Management (DSPM) platform. The conversation focused on the strategic implications of DSPM: why it matters now, how it changes the operating model for security teams, and what AI means for posture and control.
“It’s always been a challenge to know where your critical and sensitive data sits,” Reck said. “Now it’s nearly impossible. And if you can’t get that data under control before an attacker finds it, nothing else matters.”
What follows is how that shift is reshaping security programs, and why posture management has become the CISO’s new control surface.
The Expanding Data Problem
Security leaders have long understood the risks of fragmented data visibility. But in distributed, AI-driven environments, sensitive data spreads faster, lands in unexpected places, and is touched by more entities – both human and machine – than most teams can track.
That reality shaped the launch of Fortra’s Data Security Posture Management (DSPM) platform. Built for real-time visibility across cloud, endpoint, and hybrid systems, the platform helps teams discover sensitive data, understand its context, and respond before an attacker exploits the weakness.
“Most organizations don’t have a reliable way to answer the question: where is our sensitive data, and who has access to it?” – Matt Reck, CEO, Fortra
For many teams, that challenge extends beyond sanctioned systems. Sensitive information also drifts into shadow apps and unsanctioned services. Teams find customer lists in personal Dropbox accounts, code snippets pasted into AI assistants, or regulated data sitting in unmanaged chat channels. DSPM brings that shadow data back into the light so it can be governed instead of ignored.
Why Visibility Alone Isn’t Enough
DSPM isn’t another visibility tool. When implemented properly, it becomes the control plane that links data discovery, classification, policy enforcement, and remediation.
Most DSPM products stop at surfacing exposures in SaaS apps. Fortra’s platform closes the loop. Its DSPM layer connects directly to the broader data security stack – classification, DLP, cloud controls – so teams can move from discovery to enforcement in a single workflow. Findings can be acted on immediately: revoking access, quarantining sensitive files, or applying DLP policy without switching tools. That integration turns posture management from passive awareness into operational control.
Discovery alone gives you the map. Classification tells you what in that map actually matters. Fortra’s engine goes beyond attaching labels – it evaluates sensitivity, regulatory weight, and business value so security teams can focus on the data that carries real impact rather than chasing noise.
As Reck described it, posture management is the reconnaissance layer that maps the terrain. “It shows you where the crown jewels are,” he said, “and the rest of your tools – identity, DLP, SSE – become the lockboxes and guards that protect them.”
Reck also sees classification as the mechanism that separates the jewels from the clutter. “Most organizations have far more data than they can govern,” he said. “Classification is how you decide what gets protected first.” By distinguishing sensitive, regulated, and business-critical information from the background noise, DSPM helps teams prioritize what moves the risk needle.
This is where the DSPM protection pillar becomes decisive. Once DSPM identifies sensitive or regulated data, the platform can enforce the right control automatically. It can block uploads to AI tools like ChatGPT or Gemini, prevent oversharing in Slack or Teams, stop files from being moved into personal cloud storage, or restrict USB transfers. Because classification and protection operate inside the same ecosystem, the response is immediate and tied directly to the data itself, not to static policy.
Classification also drives every protective action the platform can take. Once sensitive data is tagged with meaningful, contextual attributes, the DSPM platform can automatically trigger the correct DLP rule, apply encryption, or restrict movement. It is the classification engine that turns posture management from passive awareness into precision response.
The payoff is felt across the entire control stack. Strong posture management makes every downstream control more precise, because decisions are grounded in what the data actually is, not where teams hope it lives.
AI Changes the Rules of Engagement
Most of our security controls were built for human behavior: users make requests, systems evaluate, policies respond. But AI doesn’t behave that way. It operates continuously at scale and makes independent decisions, often in ways that are difficult to anticipate. When machine identities begin moving or transforming sensitive information, policy enforcement must follow the actor, not just the activity, because AI systems don’t operate inside the same predictable patterns as humans.
Fortra’s DSPM platform accounts for this shift. It treats AI systems and service accounts as policy subjects, enabling guardrails based on behavior, access patterns, and data sensitivity.
Classification becomes even more important in AI workflows because data often loses its original structure or metadata once it enters a model. DSPM anchors these flows by classifying information before it enters AI systems, reducing the chance that high-value or regulated data is unintentionally fed into a public model or automated chain.
Protection becomes essential here. DSPM can prevent sensitive information from entering public AI tools, being copied into uncontrolled chat channels, or drifting into workflows with no governance.
Between Paralysis and Recklessness – Toward Adaptive Response
Matt Reck sees a widening gap in how organizations approach AI. Some delay AI initiatives out of fear – others push forward without guardrails.
“Either you’re frozen by uncertainty, or you’re charging ahead blind,” he said. “DSPM gives you a way to regain control, so you can innovate strategically, not reactively.”
Posture management helps teams understand what data is involved in an AI workflow, where it flows, and who, or what, touches it. It gives CISOs a way to calibrate risk in real time rather than relying on assumptions.
Fortra’s roadmap points to DSPM evolving from visibility to adaptive response. Machine learning will surface misconfigurations, rank risks, and adjust enforcement dynamically.
Early iterations remain human-in-the-loop, but the direction is clear: posture-driven controls that adapt as the data landscape shifts and as machine identities become more central to daily operations.
Imagine a user who repeatedly fails phishing tests downloading sensitive documents. Or an AI agent extracting unusually large datasets after hours. In both cases, a posture-aware system can restrict access, require re-authentication, or alert the security team – without waiting for an analyst to react.
“The data moves too fast for static controls,” Reck said. “The system has to help you defend it, not just describe it.”
Where to Start: Discovery Is the New Minimum
One of the clearest messages from Reck’s interview was the need to reset expectations: discovery isn’t a maturity milestone anymore. It’s a basic requirement.
“You can’t govern what you can’t see. You can’t protect what you don’t know exists.”
His guidance for CISOs is refreshingly direct: just start. The biggest risks today aren’t advanced persistent threats or AI-enabled attackers but basic, everyday exposures. A file in the wrong place. A misconfigured bucket. A phishing email that reached the wrong inbox. DSPM surfaces these issues early, where they’re easiest to fix.
DSPM, he argued, now belongs in the category of security fundamentals, right alongside MFA and awareness training.
“Doing the basics well still covers 80% of the risk,” Reck said. “And discovery is now one of those basics.”
Repositioning Security Around Data
DSPM reflects a broader shift in how security programs operate. Perimeters will keep changing. Identities will keep expanding. But the data – the asset attackers want – remains the one constant.
Posture management helps CISOs make decisions based on fact instead of assumption, whether the trigger is a breach investigation, a board audit, or a new AI deployment. Fortra built its DSPM platform to make that shift real – from discovery to classification to protection.
Explore more: https://www.fortra.com/products/data-security-posture-management