
Kitecast

Author: Tim Freestone and Patrick Spencer

About this content

Kitecast features interviews with security, IT, compliance, and risk management leaders and influencers, highlighting best practices, trends, and strategic analysis and insights. © 2025 Kitecast

Episodes
  • AI and Third-Party Security "Danger Zone": 2025 Annual Data Security and Compliance Risk Report
    2025/09/05

    Cybersecurity experts Heather Noggle and Dr. Arun DeSouza discussed Kiteworks' Data Security and Compliance Risk: 2025 Annual Survey Report, which introduces the industry's first quantitative risk scoring algorithm. The comprehensive study of 461 organizations reveals that 46% now operate in high- to critical-risk territory, with the median enterprise scoring 4.84 on a 10-point scale—dangerously close to the high-risk threshold of 5.0.

    The experts analyzed a counterintuitive finding about third-party risk management: Organizations managing 1,001-5,000 external partners face the highest security risk (average score 5.19), surpassing enterprises with over 5,000 third-party relationships. Dr. DeSouza explained this "danger zone" phenomenon: "By nature, managing over 5,000 means you're a much bigger organization with more resources ... Many times you've got a platform-based approach." These larger enterprises can monitor risks in real time, while mid-sized partner ecosystems struggle with enterprise-level complexity on mid-market budgets—resulting in 24% experiencing 7+ annual security incidents.

    Industry-specific findings revealed surprising risk disparities. Energy topped the risk charts due to legacy IoT devices and 30-year-old technologies vulnerable to exploitation. Technology ranked second, which Noggle attributed to the "overconfidence factor" and rapid employee turnover. "Tech companies are losing people so fast, they want to implement things so fast. That to me is a perfect storm," DeSouza noted. Conversely, heavily regulated sectors like life sciences demonstrated lower risk scores due to compliance-driven security investments.

    The report exposed a dangerous "confidence paradox" where organizations claiming to be "somewhat confident" in data governance showed 19% higher risk scores than those acknowledging uncertainty. "Without governance you can't manage," Noggle emphasized, adding that overconfidence breeds complacency in rapidly evolving threat landscapes.

    AI governance emerged as a critical vulnerability. While 64% of enterprises track AI-generated content (up from 28% in 2024), only 17% have deployed technical governance frameworks. The stakes are high—the IBM Cost of a Data Breach Report found that 97% of AI-related breaches lacked proper controls, with AI breaches costing $670,000 more than average. DeSouza warned about inherited risks like "Echo Leak," a zero-click vulnerability exploiting AI's use of historical data, demonstrating that organizations must secure not just AI models but their entire operational environment.

    Poor data visibility creates cascading failures: Organizations unable to count their third parties showed 46% correlation with unknown breach frequency, while 31% of those with 5,000+ partners take over 90 days to detect breaches. As Noggle noted, "If we're back at identify and we're at detect, detect should not be that difficult if identify is done well."

    Heather Noggle LinkedIn: https://www.linkedin.com/in/heathernoggle/

    Arun DeSouza LinkedIn: https://www.linkedin.com/in/arundesouza/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

    56 min
  • Rick Goud: Navigating Europe’s Data Sovereignty Challenges
    2025/08/25

    Dr. Rick Goud brings a unique perspective to the data sovereignty conversation, combining medical informatics expertise with entrepreneurial technology innovation. As co-founder and Chief Innovation Officer of Zivver, a secure digital communications platform acquired by Kiteworks in 2025, Goud's journey began with an unexpected twist – missing out on medical school in the Netherlands' lottery system led him to medical informatics, where he discovered his passion for solving healthcare's data security challenges. His background as a strategy consultant in healthcare, where he witnessed firsthand the alarming frequency of sensitive patient data being shared through insecure channels, sparked his mission to create solutions that balance robust security with user-friendly functionality.

    The podcast reveals a fundamental tension in European data sovereignty: While Europe boasts the world's strongest data protection laws like GDPR and the upcoming EU Data Act, organizations remain heavily dependent on foreign cloud infrastructure. Goud explains that the challenge extends beyond mere infrastructure – it's the absence of true European alternatives for essential software services that creates vulnerability. He highlights recent incidents, including a French Microsoft executive's court admission that Microsoft cannot prevent U.S. government access to data without customer notification, and the shocking case of a Dutch criminal court judge whose email was blocked by Microsoft at the behest of American authorities. These examples underscore how data sovereignty encompasses not just data protection, but also continuity of service and freedom from foreign interference.

    When addressing the economic realities of data sovereignty, Goud advocates for a pragmatic, risk-based approach rather than wholesale abandonment of U.S. cloud services. He emphasizes that organizations should start by identifying their specific risks – whether it's human error (the leading cause of data breaches), email interception, weak passwords, or phishing attacks. The solution often lies in implementing encryption layers where organizations maintain control of their own keys, effectively rendering data unreadable even if accessed by unauthorized parties. This approach allows organizations to continue using familiar tools like Microsoft 365 and Gmail while adding crucial security layers for sensitive information, avoiding the massive costs and behavioral changes required by complete infrastructure migration.

    The conversation concludes with practical advice for organizations beginning their data sovereignty journey. Goud recommends starting with "low-hanging fruit" – simple security measures that can be implemented quickly, such as activating DANE (DNS-based Authentication of Named Entities) for email encryption, which despite being available for a decade, sees adoption rates of only 15% to 20%. He stresses the importance of email and file security as the primary risk points where data leaves organizational boundaries. Rather than embarking on multi-year infrastructure overhauls, organizations should focus on immediate, achievable improvements while building partnerships with trusted vendors and peer organizations facing similar challenges. This collaborative approach ensures organizations aren't navigating the complex data sovereignty landscape alone.

    LinkedIn: https://www.linkedin.com/in/rickgoud/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

    44 min
  • Scott McCrady: MSPs and Identity-first Security
    2025/07/02

    Scott McCrady's path to becoming CEO of SolCyber started in the server rooms of the early 2000s. Back then, he was installing Nokia security appliances and building some of the first security operations centers for major corporations. McCrady spent years at companies like Symantec and FireEye, where he learned that keeping businesses safe requires more than just technical know-how. He built Symantec's security services across Asia Pacific, managing teams in multiple countries and learning how different businesses approach security challenges. Later at FireEye, he helped launch their partner strategy during the rise of nation-state attacks. Today, he runs SolCyber with a simple mission: help companies protect themselves from identity-based attacks that bypass traditional security tools.

    McCrady explained something that might surprise you: hackers don't break into networks the way they used to. Twenty years ago, they looked for open ports and vulnerable servers. Ten years ago, they targeted employee laptops and phones. Today? They steal usernames and passwords, especially administrative accounts. Insurance companies tell McCrady that nine out of ten breaches happen because someone's login credentials got compromised. The problem gets worse because IT teams often give employees more system access than they need. Why? Because it's easier than figuring out the exact permissions each person requires. McCrady shared a real example: a company with 500 employees had over 70 administrative accounts. Some hadn't been used in nine months, then suddenly started browsing the internet—a clear sign that hackers had taken control.

    McCrady works with organizations that can't answer simple questions like "Where are all our security logs stored?" or "Who can access our customer data?" These aren't startups or small businesses—these are established companies with IT departments and security budgets. They have data scattered across different systems, some going to one security vendor, some to another, and some not being monitored at all. While vendors push artificial intelligence and machine learning solutions, most businesses just need help organizing what they already have. As McCrady put it, they need to get their house in order before worrying about advanced threats.

    So what actually works? McCrady keeps it simple with five must-haves. First, turn on multi-factor authentication everywhere, even though software companies charge extra for it. Second, add email security beyond what Microsoft or Google provides because business email compromise is how most attacks start. Third, install endpoint detection software that catches modern malware. Fourth, run security awareness training so employees recognize phishing emails (and to keep your cyber insurance valid). Fifth, buy cyber insurance now while it's affordable. McCrady's company, SolCyber, packages these essentials into what they call "foundational coverage"—basically, outsourced security for businesses that need protection but can't afford a full security team. For larger companies, they handle the complex stuff like managing security logs from dozens of systems and responding to attacks in real time.

    LinkedIn Profile: https://www.linkedin.com/in/scottmccrady/

    SolCyber Website: https://solcyber.com/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

    40 min
No reviews yet