What Is Shadow Data? Examples, Risks and How to Detect It

Finding My Voice: From Kenya to the Global Stage

I was born and raised in Kenya, the youngest of three and the only daughter. My parents, who never had the chance to finish their education, sacrificed everything to give me opportunities they never had. Their courage became my foundation.

‍

At sixteen, my mother signed me up to speak at a community event, without telling me first! I stood before 500 people and spoke about something that had long bothered me: there were no women on our community board. That same year, two women were appointed for the first time in our community’s history. This year, I was given the recognition for being a Community Leader at the Global Gujrati Gaurav Awards in BC for my work in educating seniors on cyber safety and helping many immigrants secure jobs.

‍

I didn’t realize it then, but that moment would define my purpose: to speak up for those whose voices aren’t always heard.

From Isolation to Empowerment

When I moved to the UK to study Financial Economics, I faced a different kind of challenge - isolation. My accent made me stand out, and not always in a good way. There were times I felt invisible, even rejected. But I made a promise to myself in those lonely moments that no one else should feel the same way.

‍

Years later, as a founding member of WiCyS Western Affiliate, I helped redesign how networking happens at cybersecurity events. Instead of leaving it to chance, we introduced structured networking that ensured everyone left with at least one new connection. It was a small change, but it made a big difference. Today, that format has been adopted by organizations like ISC2 and ISACA, creating spaces where every person feels they belong. 

Breaking Barriers and Building SHE

When I pivoted into cybersecurity sales after moving to Canada, I encountered another wall. I applied for a senior role and failed a personality test, one that unfairly filtered out many talented women. I refused to accept that. I focused on listening, solving real customer challenges, and eventually became the top seller. That success helped eliminate the test altogether, opening doors for many more women who came after me. That experience planted a seed that would grow into one of my proudest initiatives: SHE (Sharing Her Empowerment).

‍

It started as a simple fireside chat on diversity and inclusion - just 40 seats over lunch. Within minutes of sending the invite, we had 90 people signed up. Executives moved us into a larger room, and that event changed everything. SHE became our first employee resource group focused on empowering women, increasing representation in leadership, and amplifying women’s voices within the organization. Even with just 19% women, we created a ripple effect that reached the boardroom and beyond.

‍

SHE showed me that when women stand together, transformation happens.

Creating Pathways for the Next Generation

Mentorship has always been close to my heart. During the pandemic, I met incredible women, who were trying to break into cybersecurity but kept facing barriers. I challenged hiring norms, advocated for fair opportunities, and helped launch internship programs that gave women hands-on experience. Today, many of them are thriving in their cyber careers, a true reflection of what’s possible when we lift as we climb.

‍

Through Standout to Lead, I partnered with Women Get On Board to help women in cybersecurity gain board seats. Watching more women step into decision-making roles reminds me that leadership isn’t about titles, it’s about creating pathways for others.

Women in Cybersecurity: Our Collective Story

This year, I’m deeply honored to be named among the Top 20 Cybersecurity Women of the World by the United Cybersecurity Alliance. Their mission - to empower women, elevate diverse voices, and drive equity in our field, mirrors everything I believe in.

‍

I’m also thrilled to be part of the upcoming documentary premiere, “The WOMEN IN SECURITY Documentary,” proudly sponsored by Sentra, Amazon WWOS, and Pinkerton among others. This film shines a light on the fearless women redefining what leadership looks like in our industry.

‍

As a member of Sentra’s community, I see the same commitment to visibility, inclusion, and impact that has guided my journey. Together, we’re not just securing data, we’re securing the future of those who will lead next.

Asante Sana – Thank You

My story, my safari, is still being written. I’ve learned that impact doesn’t come from perfection, but from purpose. Whether it’s advocating for fairness, mentoring the next generation, or sharing our stories, every step we take matters.

To every woman, every underrepresented voice in STEM, and everyone who’s ever felt unseen - stay authentic, speak up, and don’t be afraid of the outcome. You might just change the world.

‍

Join me and the Sentra team at The WOMEN IN SECURITY Documentary Premiere, a celebration of leadership, resilience, and the voices shaping the future of our industry.

‍

Save your seat at The Women in Security premiere here (spots are limited).

‍

Follow Sentra on LinkedIn and YouTube for more updates on the event and stories that inspire change.

<blogcta-big>

Why Data Visibility Belongs in Your 2026 Cybersecurity Budget

As the fiscal year winds down and security leaders tackle cybersecurity budget planning for 2026, you need to decide how to use every remaining 2025 dollar wisely and how to plan smarter for next year. The question isn’t just what to cut or keep, it’s what creates measurable impact. Across programs, data visibility and DSPM deliver provable risk reduction, faster audits, and clearer ROI,making them priority line items whether you’re spending down this year or shaping next year’s plan. Some teams discover unspent funds after project delays, postponed renewals, or slower-than-expected hiring. Others are already deep in planning mode, mapping next year’s security priorities across people, tools, and processes. Either way, one question looms large: where can a limited security budget make the biggest impact - right now and next year?

‍

Across the industry, one theme is clear: data visibility is no longer a “nice-to-have” line item, it’s a foundational control. Whether you’re allocating leftover funds before year-end or shaping your 2026 strategy, investing in Data Security Posture Management (DSPM) should be part of the plan.

‍

As Bitsight notes, many organizations look for smart ways to use remaining funds that don’t roll over. The goal isn’t simply to spend, it’s to invest in initiatives that improve posture and provide measurable, lasting value. And according to Applied Tech, “using remaining IT funds strategically can strengthen your position for the next budget cycle.”

‍

That same principle applies in cybersecurity. Whether you’re closing out this year or planning for 2026, the focus should be on spending that improves security maturity and tells a story leadership understands. Few areas achieve that more effectively than data-centric visibility.

‍

(For additional background, see Sentra’s article on why DSPM should take a slice of your cybersecurity budget.)

Where to Allocate Remaining Year-End Funds (Without Hurting Next Year’s Budget)

It’s important to utilize all of your 2025 budget allocations because finance departments frequently view underspending as a sign of overfunding, leading to smaller allocations next year. Instead, strategic security teams look for ways to convert every remaining dollar into evidence of progress.

‍

That means focusing on investments that:

• Produce measurable results you can show to leadership.
  
• Strengthen core program foundations: people, visibility, and process.
  
• Avoid new recurring costs that stretch future budgets.
  

Top Investments That Pay Off

1. Invest in Your People

One of the strongest points echoed by security professionals across industry communities: the best investment is almost always your people. Security programs are built on human capability. Certifications, practical training, and professional growth not only expand your team’s skills but also build morale and retention, two things that can’t be bought with tooling alone.

‍

High-impact options include:

‍

• Hands-on training platforms like Hack The Box, INE Skill Dive, or Security Blue Team, which develop real-world skills through simulated environments.
  
• Professional certifications (SANS GIAC, OSCP, or cloud security credentials) that validate expertise and strengthen your team’s credibility.
  
• Conference attendance for exposure to new threat perspectives and networking with peers.
  
• Cross-functional training between SOC, GRC, and AppSec to create operational cohesion.
  
  

In practitioner discussions, one common sentiment stood out: training isn’t just an expense, it’s proof of leadership maturity.

As one manager put it, “If you want your analysts to go the extra mile during an incident, show you’ll go the extra mile for them when things are calm.”

2. Invest in Data Visibility (DSPM)

While team capability drives execution, data visibility drives confidence. In recent conversations among mid-market and enterprise security teams, Data Security Posture Management (DSPM) repeatedly surfaced as one of the most valuable investments made in the past year, especially for hybrid-cloud environments.

‍

One security leader described it this way:

“After implementing DSPM, we finally had a clear picture of where sensitive data actually lived. It saved our team hours of manual chasing and made the audit season much easier.”

‍

That feedback reflects a growing consensus: without visibility into where sensitive data resides, who can access it, and how it’s secured, every other layer of defense operates partly in the dark.

*Tip: If your remaining 2025 budget won’t suffice for a full DSPM deployment, you can scope an initial implementation with the remaining budget, then expand to full coverage in 2026.

‍

DSPM solutions provide that clarity by helping teams:

‍

• Map and classify sensitive data across multi-cloud and SaaS environments.
  
• Identify access misconfigurations or risky sharing patterns.
  
• Detect policy violations or overexposure before they become incidents.
  
  

Beyond security operations, DSPM delivers something finance and leadership appreciate, measurable proof. Dashboards and reports make risk tangible, allowing CISOs to demonstrate progress in data protection and compliance.

‍

The takeaway: DSPM isn’t just a good way to use remaining funds, it’s a baseline investment every forward-looking security program should plan for in 2026 and beyond.

3. Invest in Testing

‍

Training builds capability. Visibility builds understanding. Testing builds credibility.

External red team, purple team, or security posture assessments continue to be among the most effective ways to validate your defenses and generate actionable findings.

‍

Security practitioners often point out that testing engagements create outcomes leadership understands:

‍

“Training is great, but it’s hard to quantify. An external assessment gives you findings, metrics, and a roadmap you can point to when defending next year’s budget.”

‍

Well-scoped assessments do more than uncover vulnerabilities—they benchmark performance, expose process gaps, and generate data-backed justification for continued investment.

4. Preserve Flexibility with a Retainer

If your team can’t launch a new project before year-end, a retainer with a trusted partner is an efficient way to preserve funds without waste. Retainers can cover services like penetration testing, incident response, or advisory hours, providing flexibility when unpredictable needs arise. This approach, often recommended by veteran CISOs, allows teams to close their books responsibly while keeping agility for the next fiscal year.

5. Strengthen Your Foundations

Not every valuable investment requires new tools. Several practitioners emphasized the long-term returns from process improvements and collaboration-focused initiatives:

‍

• Threat modeling workshops that align development and security priorities.
  
• Framework assessments (like NIST CSF or ISO 27001) that provide measurable baselines.
  
• Automation pilots to eliminate repetitive manual work.
  
• Internal tabletop exercises that enhance cross-team coordination.
  
  

These lower-cost efforts improve resilience and efficiency, two metrics that always matter in budget conversations.

How to Decide: A Simple, Measurable Framework

When evaluating where to allocate remaining or future funds, apply a simple framework:

‍

1. Identify what’s lagging. Which pillar - people, visibility, or process most limits your current effectiveness?
   
2. Choose something measurable. Prioritize initiatives that produce clear, demonstrable outputs: reports, dashboards, certifications.
   
3. Aim for dual impact. Every investment should strengthen both your operations and your ability to justify next year’s funding.
   
   

Final Thoughts

A strong security budget isn’t just about defense, it’s about direction. Every spend tells a story about how your organization prioritizes resilience, efficiency, and visibility.

‍

Whether you’re closing out this year’s funds or preparing your 2026 plan, focus on investments that create both operational value and executive clarity. Because while technologies evolve and threats shift, understanding where your data is, who can access it, and how it’s protected remains the cornerstone of a mature security program.

‍

Or, as one practitioner summed it up: “Spend on the things that make next year’s budget conversation easier.”

DSPM fits that description perfectly.

<blogcta-big>

Data Security Posture Management (DSPM) has quickly become a must-have for organizations moving to the cloud. By discovering, classifying, and protecting sensitive data across SaaS apps and cloud services, DSPM gave security teams visibility into data risks they never knew they had before.

‍

But here’s the reality: most enterprises aren’t 100% cloud. Legacy file shares, private databases, and hybrid workloads still hold massive amounts of sensitive data. Without visibility into these environments, even the most advanced DSPM platforms leave critical blind spots.

‍

That’s why DSPM platform support is evolving - from cloud-only to truly hybrid.

The Evolution of DSPM

DSPM emerged as a response to the visibility problem created by rapid cloud adoption. As organizations moved to cloud services, SaaS applications, and collaboration platforms, sensitive data began to sprawl across environments at a pace traditional security tools couldn’t keep up with. Security teams suddenly faced oversharing, inconsistent access controls, and little clarity on where critical information actually lived.

‍

DSPM helped fill this gap by delivering a new level of insight into cloud data. It allowed organizations to map sensitive information across their environments, highlight risky exposures, and begin enforcing least-privilege principles at scale. For cloud-native companies, this represented a huge leap forward - finally, there was a way to keep up with constant data changes and movements, helping customers safely adopt the cloud while maintaining data security best practices and compliance and without slowing innovation.

‍

But for large enterprises, the model was incomplete. Decades of IT infrastructure meant that vast amounts of sensitive information still lived in legacy databases, file shares, and private cloud environments. While DSPM gave them visibility in the cloud, it left everything else in the dark.

The Blind Spot of On-Prem & Private Data

Despite rapid cloud adoption and digital transformation progress, large organizations still rely heavily on hybrid and on-prem environments, since data movement to the cloud can be a year’s long process. On-premises file shares such as NetApp ONTAP, SMB, and NTFS, alongside enterprise databases like Oracle, SQL Server, and MySQL, remain central to operations. Private cloud applications are especially common in regulated industries like healthcare, finance, and government, where compliance demands keep critical data on-premises.

To scan on premises data, many DSPM providers offer partial solutions by taking ephemeral ‘snapshots’ of that data and temporarily moving it to the cloud (either within customer environment, as Sentra does, or to the vendor cloud as some others do) for classification analysis. This can satisfy some requirements, but often is seen as a compliance risk for very sensitive or private data which must remain on-premises. What’s left are two untenable alternatives - ignoring the data which leaves serious visibility gaps or utilizing manual techniques which do not scale.

‍

These approaches were clearly not built for today’s security or operational requirements. Sensitive data is created and proliferates rapidly, which means it may be unclassified, unmonitored, and overexposed, but how do you even know? From a compliance and risk standpoint, DSPM without on-prem visibility is like watching only half the field, and leaving the other half open to attackers or accidental exposure.

Expanding with On-Prem Scanners

Sentra is changing the equation. With the launch of its on-premise scanners, the platform now extends beyond the cloud to hybrid and private environments, giving organizations a single pane of glass for all their data security.

‍

With Sentra, organizations can:

‍

• Discover and classify sensitive data across traditional file shares (SMB, NFS, CIFS, NTFS) and enterprise databases (Oracle, SQL Server, MySQL, MSSQL, PostgreSDL, MongoDB, MariaDB, IBM DB2, Teradata).
  
• Detects and protects critical data as it moves between on-prem and cloud environments.
  
• Apply AI-powered classification and enforce Microsoft Purview labeling consistently across environments.
  
• Strengthen compliance with frameworks that demand full visibility across hybrid estates.
  
• Have a choice of deployment models that best fits their security, compliance, and operational requirements.
  
  

Crucially, Sentra’s architecture allows customers to ensure private data always remains in their own environment. They need not move data outside their premises and nothing is ever copied into Sentra’s cloud, making it a trusted choice for enterprises that require secure, private data processing.

Extending the Hybrid Vision

This milestone builds on Sentra’s proven track record as the only cloud-native data security platform that guarantees data always remains within the customer’s cloud environments - never copied or stored in Sentra’s cloud.

‍

Now, Sentra’s AI-powered classification and governance engine can also be deployed in organizations that require onsite data processing, giving them the flexibility to protect both structured and unstructured data across cloud and on-premises systems.

‍

By unifying visibility and governance across all environments while maintaining complete data sovereignty, Sentra continues to lead the next phase of DSPM, one built for modern, hybrid enterprises.

Real-World Impact

Picture a global bank: with modern customer-facing websites and mobile applications hosted in the public cloud, providing agility and scalability for digital services. At the same time, the bank continues to rely on decades-old operational databases running in its private cloud — systems that power core banking functions such as transactions and account management. Without visibility into both, security teams can’t fully understand the risks these stores may pose and enforce least privilege, prevent oversharing, or ensure compliance.

‍

With hybrid DSPM powered by on-prem scanners, that same bank can unify classification and governance across every environment - cloud or on-prem, and close the gaps that attackers or AI systems could otherwise exploit.

Conclusion

DSPM solved the cloud problem. But enterprises aren’t just in the cloud, they’re hybrid. Legacy systems and private environments still hold critical data, and leaving them out of your security posture is no longer an option.

Sentra’s on-premise scanners mark the next stage of DSPM evolution: one unified platform for cloud, on-prem, and private environments. With full visibility, accurate classification, and consistent governance, enterprises finally have the end-to-end data security they need for the AI era. Because protecting half your data is no longer enough.

<blogcta-big>