From Chaos to Control: How to Get Started Building a Sustainable Data Security Program

As organizations scramble to meet cybersecurity and compliance standards, especially in high-risk environments like defense contracting, many find themselves overwhelmed by the current state of their sensitive data. During “Hidden Data. Thriving Threats.”, Spirion CEO, Kevin Coppins, laid out a truth many leaders need to hear: “Step one is to start now. Step two? See step one.” 

In every sector, especially those intersecting with the Department of Defense, data is growing in volume, velocity, and complexity. Spirion is frequently called into organizations whose sensitive data environments resemble an overstuffed garage bag: disconnected systems, outdated files, fragmented ownership, and unclear value. 

Kevin shared the example of a uniform manufacturer. At first glance, not exactly a cybersecurity red flag. But if military uniform production is scaling up and shipments are tied to sensitive destinations, even basic logistics data, like production schedules and shipping manifests, becomes national security–grade sensitive. 

The lesson? Everything is connected. And if you don’t know how your systems, data, and departments intersect, your risks multiply fast. 

Data doesn’t neatly belong to one department. HR, finance, operations, and logistics often operate in silos, each assuming the other is responsible for sensitive data stewardship. But in our modern compliance landscape, especially with frameworks like CMMC and regulations such as DFARS 7012, that mindset is no longer tenable. 

Just like a cluttered garage doesn’t clean itself, your data sprawl won’t organize without intentional, cross-functional effort. 

“This is a community problem because data doesn’t really belong to any one person or function specifically. Data stewardship, and the accountability that goes with it, is key.” 

–Kevin Coppins, CEO, Spirion 

Scott Giordano, Esq., The Ciso Law Firm, drove home a critical point: the key to strong Data Security Posture Management (DSPM) is understanding what data matters most. “Start by asking: Is this sensitive? How do I know it’s not?” he advised.

Using the 80/20 rule, Scott recommends identifying the ~20% of data that presents 80% of your risk. That often starts with a defensible data inventory; not a one-time checklist, but a living system that adapts as your business evolves. 

He also warned against generic definitions of sensitivity. For example, a logistics client had to treat something as simple as the weight of a pallet as highly sensitive. Why? Because in the context of military equipment, weight alone can reveal the nature and intent of the payload. 

“Don’t just assume PCI data or PHI are the only things that matter,” Kevin added. “What’s sensitive is specific to your mission and the data you handle.” 

Trying to clean up your data as a one-and-done initiative is one of the most dangerous mindsets in modern cybersecurity. 

As Kevin emphasized, “The moment you finish, it’s already outdated. Your data is constantly moving and changing.” 

The key is to build a sustainable data governance program, not just a temporary fix. That means assigning ownership, automating classification where possible, and embedding data sensitivity into how your business operates. 

If your organization is serious about compliance and reducing risk exposure, you need to: 

1. Start now. Not when you’re ready, not after your next audit, but now.

2. Inventory and classify sensitive data by context, not just compliance checklists. 

3. Move beyond project mode and embed DSPM into an ongoing governance program. 

4. Assess the data value chain, from source to storage to sharing, including vendor risk.

5. Validate independently. Relying on spreadsheets and internal attestations won’t cut it. 

Spirion’s Sensitive Data Platform helps you get started by giving you visibility, context, and control over your data so you’re not reacting after a breach, whistleblower, or audit. 

Whether you’re dealing with covered defense information, unstructured marketing lists, or endpoint sprawl, your organization exists in the left image above: disorganized, uncertain, and exposed. 

The goal? Become the image on the right: structured, secure, and audit-ready. 

And as Kevin summed it up, “Pick up a few books. Label them. Put them on the right shelf. Then keep doing that…forever.” 

Watch the full clip on this topic.