Cybersecurity is a pressing concern for businesses worldwide, yet many modern cybersecurity methods fail to adequately protect their most valuable asset — data. As organizations strive to protect their sensitive data, they often face the challenge of striking a balance between security and usability. Data and business teams focus on the value and consumption of data while security teams are more aware of regulatory and security requirements.
Despite the juxtaposition of motives, unlocking sensitive data consumption is one of the most important things any company can accomplish in the next six to 12 months. The KISS (Keep It Simple, Stupid) method is a simplification discussion; data security isn’t easy. You need to consider not just the security risk, but that businesses need data to be moved, consumed, trusted and shared. The solution is simplifying the approach by embedding security into the data itself.
The KISS method explained
The KISS method focuses on protecting the data itself, rather than building complex barriers around it. For example, data de-identification removes the sensitivity of the data and replaces that with a token. Therefore, the protection flows with and is attached to the data itself.
By using data-centric security techniques such as encryption, tokenization and anonymization, organizations can ensure that their data remains protected, even if it falls into the wrong hands. These approaches allow data to move freely across borders, free from regulatory compliance blockers, and free to move to the cloud. At rest, in transit or in use, data is secure by default because the data itself is being protected, not just the access, infrastructure, or perimeter that surrounds the data.
Challenges with traditional cybersecurity
According to Gartner, worldwide cybersecurity spending is projected to increase by 15% in 2025, totaling over $200 billion. Yet, data breaches reached historic levels in 2024 with victim notices increasing by 211% compared to the previous year. With billions of dollars being spent annually not solving the problem of usability versus security, it’s evident that something isn’t working.
Traditional cybersecurity methods often involve surrounding data with multiple layers of security, such as access controls, network hardening and infrastructure protection. However, the data itself stays in the clear. While a defense-in-depth strategy is important, it falls just short of the goal line. If the data is the most valuable commodity, it’s time we stop just surrounding the data with protection and instead embed protection into the data.
Therefore, even if the bad guys break through the other walls or layers of security, they can’t exploit what they’re looking for – the data itself.
Data-centric security in the age of AI
Another big disconnect in the world of cybersecurity is that traditional security of the past is going to be unable to address the data and AI problems of the future. Traditional security models focus on locking down infrastructure and managing access, but they miss the mark in today’s AI-driven environment.
Large language models (LLMs) rely on vast amounts of data, especially unstructured information, and interact with it in ways that bypass conventional controls. As data flows more dynamically across systems, legacy protections struggle to keep up. GenAI introduces new demands, with users querying data in real time, training models on the fly, and augmenting them with additional datasets. These patterns challenge traditional security, which often restricts access rather than enabling it.
A data-centric approach, on the other hand, allows you to give more people access to data in real time without compromising security.
Real-world applications
Implementing the KISS method in the real world means choosing data protection techniques that match the specific use case. While methods like anonymization and masking are available, the central idea is de-identifying data, which means altering it from its raw form to meet both business and security needs.
One example involved a major credit reporting agency managing a cardholder data environment subject to PCI DSS. By de-identifying credit card data, they were able to reduce the scope of systems under PCI oversight. Their auditor confirmed that de-identified data did not require the same level of compliance as raw credit card information, leading to savings between $40 and $60 million in audit and security costs.
In another case, a large broker-dealer aimed to take advantage of new AI and ML pipelines but faced pushback from security, audit and compliance about moving sensitive data to the cloud. Through de-identification and tokenization, they gained approval to share the data securely across cloud vendors, AI models, and third-party partners. Anonymization was then applied within the model so that the prediction engine could get the most out of the data as opposed to just being able to operate on de-identified information.
Overcoming challenges
While the KISS method offers a simpler approach to cybersecurity, it is not without its challenges. Organizations may face concerns about complexity and performance when it comes to the implementation of data-centric security, especially in large environments with sensitive data flowing through many systems.
But not every system needs access to raw data. For example, analytics platforms often just need consistent values to correlate information, not the actual raw data. This means security can be applied in a way that minimizes disruption. While performance is always a consideration, there are multiple ways to integrate data protection depending on business constraints, including proxy-based intercepts, APIs, SDKs or native agents.
The key is choosing the right method for each use case to keep security practical and scalable.
The KISS method reminds us that effective cybersecurity doesn’t have to be overly complex. By focusing on the data itself rather than the systems around it, organizations can better align security with business needs. As data continues to drive innovation, especially in areas like AI and cloud computing, the ability to protect and use that data responsibly will set companies apart. Keeping security simple, practical, and centered on the data itself can help businesses move faster while staying protected.
