
Technadu spoke with John Grancarich, Chief Strategy & Marketing Officer at Fortra, the company that breaks the attack chain, to learn about the growing importance of Data Security Posture Management (DSPM) in today’s evolving cybersecurity landscape.
Known for his systems-thinking approach to strategy and product design, John has helped shape Fortra’s evolution into a modular, AI-ready cybersecurity platform while aligning innovation with real-world execution.
John explained how DSPM delivers critical visibility into sensitive data across cloud, SaaS, and AI pipelines, areas where traditional tools fall short. He also shared practical advice on integrating DSPM without increasing complexity, and why it’s relevant for regulated industries and zero trust initiatives.
With Cybersecurity Awareness Month underway, John’s insights offer timely guidance for organizations strengthening their data security posture.
Vishwa: How do you define Data Security Posture Management (DSPM), and why is it emerging as a critical security capability now?
John: DSPM is about continuously finding, classifying, and monitoring sensitive data across an organization’s entire environment and understanding how it’s being accessed and protected. It’s rising in importance because data is more dynamic than ever – it’s not only growing all the time, it’s also spread across clouds, SaaS platforms, and AI pipelines.
That shift has created blind spots that traditional tools weren’t built to see. DSPM gives organizations the visibility and control they need to identify and manage risk in this new, distributed reality.
Vishwa: What unique risks or blind spots in data security does DSPM address that traditional DLP or access management tools miss?
John: DLP and IAM are critical tools, but reactive - they enforce policies after the data is understood.
DSPM works further upstream by answering a number of key questions:
It uncovers hidden stores, misconfigurations, overexposure, and shadow IT that other tools miss, allowing organizations to address risks proactively rather than respond after the fact.
Vishwa: How can organizations effectively integrate DSPM into their existing security stack without adding complexity or tool sprawl?
John: Treat DSPM as a visibility layer that strengthens existing tools instead of competing with them. Most platforms integrate via APIs and feed data context into SIEM, SOAR, DLP, and IAM workflows.
Start with a clear objective - like mapping sensitive data in cloud storage - and expand from there. When done right, DSPM reduces complexity by giving other tools the context they need to be more effective.
Vishwa: What industries or use cases stand to benefit the most from DSPM adoption in the next two to three years?
John: Highly regulated, data-heavy sectors like financial services, healthcare, government, and defense will most likely benefit first, as will organizations building AI models where data exposure risk is growing fast.
DSPM can also accelerate secure cloud migration and zero trust initiatives by delivering continuous visibility into where sensitive data lives and how it’s used.
Vishwa: This October marks Cybersecurity Awareness Month. What single message would you emphasize for organizations looking to improve their data security posture?
John: I often come back to the fundamentals, and here I think the fundamental idea is quite simple: you can’t protect what you can’t see. Most organizations still lack full visibility into where their sensitive data resides or how it’s exposed.
Building that visibility is the foundation for everything else - policies, automation, and controls all flow from knowing where your data - and the resulting risks from that data - are.
Vishwa: From your perspective, what governance or cultural changes are needed to maximize the effectiveness of DSPM solutions?
John: DSPM is most effective when data security is shared across security, IT, compliance, and business teams. That means clear ownership, consistent classification, and well-defined lifecycle policies. Culturally, shifting from “collect everything” to “collect what’s necessary” is essential.
Executive sponsorship and accountability ensure DSPM insights lead to real change, not simply improved reporting and dashboards.
Vishwa: If you could recommend one cybersecurity tool, whether for beginners building a foundation or experts strengthening mature defenses, what would it be and why?
John: A strong identity and access management platform is the single most important tool. Every cyber defense strategy hinges on controlling who has access to what. IAM enforces least privilege, supports zero trust, and reduces risk across the board — whether you’re building your first security program or refining a mature one.
This naturally ties into DSPM as well, as once you have full visibility into your data, you can utilize an IAM solution to properly manage who has (or doesn’t have) access to various subsets of that data.