Why CISOs are quietly becoming information architects

By Greg Clark, OpenText

In a recent post, I explored the butterfly effect of cybersecurity - the idea that one small misstep (like an over-permissioned user or misclassified document) can cascade into a major breach. Today, I want to go a step further, because it’s not just about access - it’s about architecture.

Cybersecurity has always been about control. But what we’re controlling is changing.

As data sprawls across SaaS platforms, cloud systems, and unstructured repositories, CISOs are being pulled upstream - into data strategy, lifecycle management, and governance. They’re not just protecting endpoints anymore. They’re shaping how information flows throughout their business.

The shift: from defence to data-centric design

For years, the CISO focused on defending the perimeter. But Gartner, Forrester, and IDC all point to the same reality: the perimeter is gone. Data itself is now the security object of value. As Gartner puts it, “Security must become data-centric to align protection with business value.” And according to Forrester: “CISOs must become stewards of enterprise data, not just defenders of infrastructure.”

That means asking:

  • What data do we have?
  • Where does it live?
  • Who can access it—and why?
  • What risk does it pose if exposed or misused?

These are information architecture questions—not just security questions.

Information sprawl = attack surface

Every enterprise is a patchwork of productivity:

  • Files in Box
  • Shared links in Google Drive
  • Unclassified documents in SharePoint
  • Shadow data in abandoned AWS buckets

This isn’t just messy - it’s risky. When information is unmanaged, security can’t protect what it can’t see.

Governance and cybersecurity are converging

Data protection regulations like GDPR, CCPA, and Australia’s Privacy Act reforms are raising the bar. It’s not enough to encrypt data or respond to breaches. Organizations must:

  • Map sensitive data
  • Classify it properly
  • Apply risk-based controls
  • Prove enforcement and accountability

That convergence is putting CISOs in the same room as Chief Data Officers, legal, privacy, and compliance teams - not to react to incidents, but to architect prevention.

The Modern CISO: Strategist. Steward. Architect.

The CISO of 2025 isn’t just a technologist or risk manager. They’re part data strategist, information steward and architect of trust.

Cybersecurity today isn’t just about stopping threats. It’s about enabling responsible innovation, privacy, and business trust—by understanding and protecting the flow of information.

Final thought

We used to ask, “How do we protect the network?” Then: “How do we secure identities and endpoints?” Now we ask, “How do we protect the data that powers the business—no matter where it lives?”

That’s not just a security challenge. It’s an information architecture mandate. And many CISOs are already quietly stepping into that role.

How is your security team evolving to handle information risk? Are you seeing the same convergence of data, governance, and cybersecurity?

Additional sources

ISACA, “Security teams are now responsible for classification, lifecycle, and access across business data.”

IDC, “Effective data security starts with understanding the value of the data being used within the organization.”

Greg Clark is a Director of Product Management in the Research & Development – Engineering department at OpenText with a focus on data security.