In this Kitecast episode, Patrick Spencer sits down with Rick Goud, Kiteworks’ Field CTO and a recognized European data sovereignty expert, to unpack findings from the Kiteworks Data Security and Compliance Risk: 2026 Data Sovereignty Report. The central paradox jumps off the page: Roughly 80% of the 286 professionals surveyed across Canada, the Middle East, and Europe feel well informed about sovereignty requirements, yet one in three experienced a sovereignty-related incident in the past 12 months. Rick pushes back on the “well informed” number, arguing that most stakeholders rely on a narrow definition — equating sovereignty with data residency or local vendor logos. The real question, he says, is not where your data lives but who holds the keys to it.
The regional picture tells three different stories. The Middle East reports a 44% incident rate — nearly double Canada’s 23% — despite moving fastest on sovereignty ambitions, as detailed in the Kiteworks 2026 Data Security and Compliance Risk: Data Sovereignty in the Middle East. Rick attributes this to maturity pressure: The pivot away from well-stress-tested hyperscalers toward younger local alternatives introduces security gaps that hyperscaler transparency reports historically do not show. Europe, covered in depth in the Kiteworks 2026 Data Security and Compliance Risk: Data Sovereignty in Europe, is pursuing a pragmatic “glocal” model — only 4% plan to go fully local — layering sovereignty controls like customer-held encryption keys on top of Microsoft 365 and Azure rather than attempting a wholesale exit. The Kiteworks 2026 Data Security and Compliance Risk: Data Sovereignty in Canada shows a similar pattern, with 40% citing Canada-U.S. data-sharing shifts as their top concern, pushing organizations to rethink key custody rather than abandon U.S. providers entirely.
AI governance emerges as the unresolved frontier. Rick is blunt: He has not yet seen a company that has solved governed AI data sharing at scale. Organizations are caught between blanket ChatGPT and Claude bans that sacrifice productivity, and open access that sacrifices compliance. His prediction — agentic AI will roughly double the digital workforce within two years — makes a centralized policy decision point non-negotiable. The recent Odido breach, where exfiltrated data included records that retention policies said should already have been deleted, illustrates what Rick calls the dangerous gap between paper reality and practical reality.
Rick’s two-takeaway close is crisp: Adopt an internal sovereignty framework so stakeholders stop talking past each other with different definitions and never accept a vendor’s sovereignty claim on faith — validate it against your framework. He also warns against vendor lock-in, because the winners of 2026 will not be the winners 12 months later. Listen to the full episode on the Kitecast podcast page for the complete conversation.
Rick Goud’s LinkedIn Profile: https://www.linkedin.com/in/rickgoud/
Patrick Spencer’s LinkedIn Profile: https://www.linkedin.com/in/patrickespencer/
Transcript
Patrick Spencer (00:01.932)
Hey, everyone. Welcome back to another Kitecast episode. I’m your host for today’s show, Patrick Spencer. Joining me is my colleague across the pond, Rick Goud. He is our chief innovation officer at Kiteworks. Rick, thanks for making time to speak to me today.
Rick Goud (00:16.108)
Yeah, I’m looking forward to it, Patrick.
Patrick Spencer (00:18.806)
Well, for anyone who’s been watching our podcast, you’ll know that Rick and I did a session, it’s been what, four, five months ago, somewhere in that vicinity, sort of on the same topic, on data sovereignty. But needless to say, one, things have changed since then. And two, we just released our brand new report on data sovereignty, which has a lot of interesting findings, particularly from the perspective of Europe, the Middle East, and Canada.
Rick Goud (00:26.946)
Yeah, probably sure.
Patrick Spencer (00:48.542)
And we’re going to be honing in on some of the findings in the report during today’s call. If you’re interested in a full copy of the report, we do not gate them. You don’t have to provide your registration details in order to read it. You can simply go to kiteworks.com and search for data sovereignty report 2026. It’ll pop up and you can take a look at it as well as some of the blog posts that we’ve written on some of the findings. So Rick, just let’s do a quick introduction for our audience before we dive into the details.
He, as I mentioned, is our chief innovation officer, where he leads innovation strategy for secure, compliant digital communications and content governance. He previously co-founded Zivver, a secure digital communications platform, which Kiteworks acquired back in 2025. And he holds a PhD in medical informatics. Talking to a smart guy here, obviously. His path into data sovereignty started six years ago as a healthcare strategy consultant at Gupta Strategists, where he saw firsthand the risk of sharing highly sensitive data through insecure channels. Today, he’s recognized as a European data sovereignty and privacy expert. He’s a frequent speaker on operationalizing strong data protection without sacrificing productivity. So Rick, I’m looking forward to this conversation, as I’m sure our audience is.
Rick Goud (02:08.760)
Likewise, and thanks for the appreciative intro, Patrick.
Patrick Spencer (02:12.014)
Thanks to AI, as is often the case, right? So we are talking, as I mentioned, about our annual, or this will be our first report, but we’re planning to do it annually because it is certainly a salient topic in today’s marketplace. The 2026 data security compliance report: we surveyed almost 300 professionals across Canada, the Middle East and Europe, three different regions that are navigating very different data sovereignty realities today.
Rick Goud (02:15.108)
You
Patrick Spencer (02:41.390)
The central finding in the report, from my perspective anyway, we’ll see if Rick agrees, is a striking paradox: at roughly 80%, almost certainly a vast majority of the respondents feel well informed about data sovereignty requirements. Yet one in three said they experienced a data sovereignty related incident in the last 12 months. The report covers a full spectrum from awareness and incident rates to AI governance, compliance costs, two-year planning outlooks, cross analysis between the different regions, industry, role, organization size. It makes a compelling case, as we’re going to discuss today, that data sovereignty is shifting from a compliance checkbox to a competitive differentiator. And that gap between stated awareness and provable control is where the real risk lies, in our opinion. So, Rick, let’s dive into the report. The first thing, as I mentioned, you know, awareness is high.
80% say they’re well informed. They understand data sovereignty, yet, as is often the case with cybersecurity or compliance related issues, one in three said they had a data sovereignty incident last year. Why do you think there’s such a gap here?
Rick Goud (03:52.046)
Yeah, well, first, I think I want to challenge the fact that people are well informed. So I certainly agree that that, especially in Europe, so I can talk about the European context a lot because I’m from Europe. And if you would have told me two years ago that I would be talking every day about data sovereignty, I would have called you crazy. But that is the reality we do live in nowadays. I do see that everybody is aware.
I do not meet any stakeholder that does not talk about digital sovereignty, and even the people that are not in IT. They often ask me what do I think about the US cloud, the CLOUD Act, etc. However, the level to which people are really informed is sometimes a little bit less than they pretend to be, or at least they…
They are well informed, and to some extent it is, but it’s based on a narrow source. So typically people think they know what sovereignty means, and that then means, hey, that if I host my data on a US hyperscaler, then under the CLOUD Act, and if I buy something from a local vendor, then suddenly I am sovereign. Well, that is absolutely not true. That’s a very narrow definition of sovereignty on the one hand, and B, it’s factually untrue because of the CLOUD Act.
It does not matter where your data resides, because as the report also states, there’s an interesting OVH case where indeed data stored in France had to be given to another country because of the fact, or despite the fact, it was stored in France. Even data stored on European clouds can fall under the CLOUD Act or any other legislation. So the real location doesn’t matter. It matters how you actually protect and control it. So a lot of people think they are aware; typically they are not, or they have a very narrow, specific definition that is typically not sovereignty, how you should look at it.
Patrick Spencer (05:54.796)
Hmm. So it’s no surprise probably to you based on what you just said that one in three experienced a data sovereignty incident last year because of the rationale that you just provided.
Rick Goud (06:06.764)
Yeah, totally. And also, sometimes even the opposite, right? That people think, I will get an open source tool that is maybe in Europe, and then I am sovereign, quote, quote. But yeah, typically, those tools were not, per se, built for security and for actually making sure that sensitive information does not get in the wrong person’s hands. That is actually what you want to accomplish when you look at sovereignty; then where your data is located and where the software is developed is only a very small piece, because you can have very European software that you host in your own data center. But if the security is not up to the standards, then every state actor or every third party can access your data, which is the opposite of sovereignty. So it is a very complex, multi-dimensional model that every company for themselves should assess: what do I consider to be important in sovereignty, and then create a framework for themselves on how they want to internally look at their software. And then you will find out that who built the software is only a very small piece of the puzzle. It is more of who controls it, who has the keys to the kingdom. And if you put that central, then typically you’re much more sovereign than where was my software built.
Patrick Spencer (07:25.838)
Interesting. Now the survey, we looked at three different regions, Canada, Europe, and the Middle East. And then we published the big report, but we also, for whatever it’s worth to our audience, have individual reports. They’re shorter. They’re like six pages or so each. One on Canada, one on Europe, and one on the Middle East. When you look at these three regions, there’s similarities, but there’s also a lot of differences as well. Rick, what’s your perspective of the findings on this front?
Rick Goud (07:54.148)
Yeah, so I actually think that Canada and Europe are actually quite alike, so to say. I think the Middle East is a little bit different. If you look at Europe and Canada, they were just used to using a lot of US hyperscalers, and then suddenly they were talking about moving away. However, from a feature parity perspective, that is quite a challenge, because it’s actually very hard to find good alternatives for the comprehensive set of functionalities that Microsoft 365 or Google offers. While if you look at the Middle East, they were already used to trying to buy local, use local software. They already started with sovereignty more in mind than Canada and Europe, which moved all to the cloud two or three years ago and now suddenly want to move back. So I think that is an interesting paradigm shift between those two different regions, so to say.
Patrick Spencer (08:52.174)
Hmm. Well, that, you know, there’s also another finding in it along the lines of what you were speaking, where the Middle East reports a 44% incident rate, which is almost double Canada’s, which was at 23%, despite, to your point, 93%, not 80%, but 93% saying regulations directly impact them. Is this a maturity problem? Is it a speed of regulation? Both, or something else? What’s causing this difference between the regions?
Rick Goud (09:23.758)
Well, actually, I think it’s a maturity problem. Because we in Europe especially, and also in Canada, are talking a lot about sovereignty and then how can we move away from US hyperscalers? Well, if you look at ISO 27001, and if you look at all legislation, you have to take a risk based approach saying, okay, what are my real risks? And then of course, you start with the highest risk and mitigate it. If you look at that scale.
The real quote, quote risk of a sovereignty incident with US hyperscalers is not per se that big. It is, I think, a very good involvement that people want to control the keys of the kingdom and want to possess their own data. But typically there are not too many incidents yet historically. If you look at the transparency reports that AWS and Azure published, close to zero times, or most times even zero times, have they ever had to give away their data.
So if you use those hyperscalers, there were not that many sovereignty incidents really, but by, of course, moving away and using more local software that has not been around for that long and has not been extensively stress tested for security, the likelihood of some security incidents that actually impact your sovereignty, because people get hold of your data, is much, much bigger.
Patrick Spencer (10:49.676)
Retire.
Rick Goud (10:51.348)
I think it’s an interesting paradigm shift that people want to move away from non-local or non-regional vendors, but that comes with a maturity squeeze that will certainly result in a couple of data leaks in the months, two years to come, because you see people moving to software that says it is secure, and everybody of course says they are secure, but the checks and balances and the certifications do not match the claims.
to shake a list.
Patrick Spencer (11:22.222)
Now you talked a bit about the hyperscalers. There’s an interesting finding in regards to Europe and hyperscalers. Europe, as our audience probably knows, they’re pursuing this GLOCAL, G-L-O-C-A-L, for those who are listening and can’t understand my Midwest English. But they’re pursuing this GLOCAL model rather than abandoning hyperscalers. Only 4% based on our findings in the report say they’re going to go fully local.
Is this, you know, smart pragmatism from your perspective, or is this a vulnerability?
Rick Goud (11:56.932)
Yeah, it’s pragmatism and realism, because once you get used to all the Microsoft 365 or so functionalities and all the Azure managed services, it is very hard to get local equivalents. And again, there’s a strategic agenda to stimulate the development of the software across Europe, but that certainly will take another four to whatever years to get to a certain maturity level. So I think it’s just pragmatism slash realism.
For a lot of services you unfortunately have to stay with those hyperscalers, but where you can, whether it’s for secure data exchange, which we of course know all about, there are some point solutions that you can put on top of the US hyperscalers to make it much more secure. But abandoning them as a whole is just not realistic for most use cases. And then people say, but I go to Nextcloud or I go to something else. Ha, yeah.
Again, most of those providers that try to do the whole thing run into a lot of feature gaps and a lot of compliance and security gaps. I think most, certainly governments and private institutions that I see, they are just realistic that moving away will be a long term play. On the short term, US hyperscalers are the only way forward, and to me,
use a use case by use case based approach to slowly move away from the dependence.
Patrick Spencer (13:27.288)
Hmm. All right. Well, let’s jump back across the pond to Canada and I’m going to ask a Canadian question to a guy in the Netherlands. How’s that? So the report found that 40% of Canadian respondents flag changes to Canadian and US data sharing as their top concern. You know, if you’re a Canadian enterprise, how worried should you be about your dependency?
on US headquartered providers. Is this a legitimate concern?
Rick Goud (14:00.526)
So yes and no. So there are two aspects, right? So I think the shift again in Canada, the shift is actually quite similar to Europe, where we had a trusted partner in the US that over the last one and a half, one year shifted to a realistic, okay, let’s not put all our eggs in one basket and we should be self-sufficient.
And the same goes for Canada. There’s of course a difference between collaborating with US software and knowing that you hold the keys to your own kingdom versus giving the keys totally away to somebody else. And I think that is the balance that people are now trying to find. How can you use the best of both worlds, because there is a lot of unique skill in the US in terms of software development, security, and hyperscalers.
But how can you use that power while making sure that you do not expose yourself to all kinds of risks? Then encryption, where you hold your keys, is typically a measure that people then increasingly consider on top of the US-based software to make sure that they leverage the benefits of those hyperscalers while not giving your keys to the kingdom away to whoever is in the White House.
Patrick Spencer (15:26.318)
Whoever asked, well, I wrote a Substack article, I think it was last week. It’ll be a couple, several weeks old by the time this podcast comes out. But there is the FBI instance where they asked, I forgot what entity it was, for their keys, and they handed it over to the FBI. It was a Microsoft related instance where, you know, they asked and they had to hand over their keys. So that key management question is particularly important when you’re considering your cloud providers, too.
Rick Goud (15:51.732)
Totally, right. And that’s part of the sovereignty that a lot of people typically ask: do you guys encrypt? I hope everybody’s answer nowadays is yes. But the question should really be who holds a copy or the original of my keys. And if you then look at the typical hyperscalers, their service is built on having access to your data, because then they can provide advanced search functionalities, all kinds of indexation, alerting.
And that is in contradiction with the CLOUD Act, where if somebody wants and knocks on the door, then technically they have the possession of the keys and are forced to hand it over. So finding a way that you make sure that, again, you have your keys and not your vendor is the only way to the problem. And maybe we can post that as a part of the podcast or so, Patrick, because actually in the Netherlands, so the country where I come from, we have the National Cyber Security Center.
Patrick Spencer (16:33.505)
Important.
Rick Goud (16:46.338)
And actually already three years ago or so, they let a renowned law firm investigate how in Europe we can protect ourselves from the CLOUD Act. And basically their conclusion was there is only really one way: to make sure that you hold the keys and not any vendor, because by not having possession of your keys, the vendor can deny the fact that they have control over the data,
which means that they do not have to or cannot give the data to whatever subpoena or whatever government wants to have access to your data. So encryption is really key.
Patrick Spencer (17:26.606)
No, no pun intended, right? Now, any conversation of cybersecurity and compliance would be remiss without a discussion of your people. You know, even with AI, it still comes back to a people issue quite often. And there sort of is a people problem that was raised in the survey. We found that 63% of CISOs said they’re very well informed, while
Rick Goud (17:29.058)
No.
Patrick Spencer (17:56.142)
from an IT management standpoint, the largest group of respondents said they’re doing well at 41%. That’s a pretty significant difference when you think of, particularly with our surveys, 41% compared to 60%. So, you know, when you compare these two, why is there a real world gap between the executive cybersecurity suite, the CISOs, and the IT managers who are managing it day to day?
Rick Goud (18:23.000)
Yeah, it’s a very good question. And I, to be honest, think it is really a knowledge gap. In practice, I see that the percentages that we see respondents reporting, indeed, are based on their current perception of what sovereignty and what control is. I think if you look at IT, the people that work day to day with the systems, they see how challenging it actually is to
really be sovereign. On paper, you can of course make everything work and everything look sovereign. In practice, having to migrate, having to make sure that everything still works, that continuity is there, that is a really, really big challenge. Again, everybody is talking about moving away, but I’ve rarely seen experiments be successful. And of course, from the outside, I do hear some people saying it was awesome, but if you then talk to…
people actually using the system, it is typically quite painful, because you do have to shift from using tool A to tool B. Changing people’s behavior is typically the most difficult thing to do. We are habitual people that are used to something, and then changing is killing for productivity, and that’s what hurts in practice.
Patrick Spencer (19:40.426)
And I think the C-suite, you know, often even with my employees, our perception is, you know, it’s happening. It works, but we don’t understand the minutia, the detail that actually needs to happen in order for it to occur successfully, because it just happens below us. We assume it’s seamless when that really isn’t the case. Now that’s internal. When we’re talking about internal challenges around data sovereignty, how about third parties, right? This is an interesting question that we posed to
our survey respondents. We found that third party compliance failures tied as the most common incident type at 17%. How much of data sovereignty is a vendor management problem with third parties versus other issues that we talked about in the…
Rick Goud (20:29.156)
Well, I think third party is essential, right? So typically you would rely on your vendors to make sure you are sovereign, and maybe a sidestep for those readers. And maybe we can also post it with this podcast: the European committee, or the EU, they published a sovereignty framework in October, where indeed they provide a framework of seven or so dimensions of sovereignty.
And one of the important dimensions is actually the supply chain part of sovereignty. Because you can claim to be sovereign if you develop something in Europe or Canada. But a lot of that software actually uses software as part of its own software that is then still developed in the US, that they do not have version control over, that does have a perpetual license, etc.
So there is no software engineer that builds all the software themselves. So understanding those dependencies is very important. And that’s why you see the importance of a SOC 2 Type 2, publishing the SBOM, where you have to be transparent on what third party tools you are using. That is becoming increasingly important. But that also comes with a challenge, because it’s not easy to swap out component A for component B if it’s ingrained in your software.
Patrick Spencer (21:52.024)
had a downstream impact.
Rick Goud (21:53.972)
That is typically where the non-compliance comes from. You might be developing in Europe or Canada or the Middle East, but using unsupervised components doesn’t make you more sovereign.
Patrick Spencer (22:03.822)
All right. Well, any podcast that we do nowadays must include a question or two around AI. So we did in our survey, for what it’s worth, we did ask some AI questions. Probably has changed since we got the responses about two months ago. You know, 21% of organizations said they’re still developing their AI data policy with the EU AI Act already in effect, right? It’s already in effect and
almost a quarter say, we’re not there yet. We don’t even have an AI data policy in place. How much more time do you have if you’re one of these 21% of the organizations? Are you in really bad shape? And how much longer do you have before you need to get this wrapped up and codified?
Rick Goud (22:52.900)
Yeah, great question. And if anybody knows the answer, please come forward after this podcast, right? That’s all. Exactly, right. And that is with Europe, where typically in the US, you guys, if you say we need to be CMMC compliant, typically there is a relatively quick and stringent enforcement. In Europe, typically, we tend to be a little bit slower, but especially with AI, I think
Patrick Spencer (22:59.754)
It depends on all the fines and penalties that are about to come.
Rick Goud (23:20.546)
companies have a big challenge, right? Because everybody understands the power that AI can bring in terms of workforce productivity. But on the other hand, you also want to make sure that you do not expose your sensitive data to AI, but there are not that many tools that allow you to govern that control layer. How can you make sure that if somebody sends something to AI, it does or does not comply with your policy?
And that’s actually a topic that we at Kiteworks are working very intensely on and we have some interesting solutions for, but it’s hard to have a policy that basically says we can protect all our data, or technically you can’t, and then the only solution is to ban the use of AI. But that will give you such a competitive disadvantage that most companies probably do not dare to do so. I do see that governments, by the way, I do see that governments have a policy:
thou shalt not use ChatGPT or Claude or whoever, but you also then do see that they do not reap the benefits of the productivity gain that you can accomplish. So also there, it’s probably a maturity play that probably over the next nine to 12 months, you will see tools that do allow you to work with ChatGPT or Claude or Copilot while making sure that you only share the data that, according to your compliance, should or can be shared with those tools.
Nowadays, the realism is that those tools do not yet exist to the extent that they’re usable, workable, et cetera. So it’s an interesting balance between non-compliance or non-productivity. Take your pick.
Patrick Spencer (25:00.770)
Yep. No, that’s actually my next question. So you’ve already answered part of it, but you know, when we ask what type of AI strategy from a data sensitivity standpoint do you deploy, it’s sort of a mixed approach, right? They’re trying to straddle that fence, as you just described, where you minimize the risk, but at the same time, you don’t hamstring the organization in terms of innovation. You know, this mixed approach sounds good on paper.
You know, but how hard is it when you have a mixed approach and, you know, do you really know how, where your data is and what type of data you have and who has access to it? Who doesn’t, you know, particularly when it comes to organizations, and many in our audience fall into this bucket, that cross various jurisdictions, right? They have operations in Canada, they have operations in the US, they have operations in Europe and Asia-Pacific and so forth. And there’s different compliance laws in place in all of them.
and different repercussions associated to noncompliance at the same time.
Rick Goud (26:03.608)
Yeah, so to be honest, I think this is a totally unsolved problem. I try to monitor a lot of startups and scale-ups that provide solutions for that. In Europe, I do not come across organizations that have solved this problem. I think in the next one to two years, this will be the place for startups to try to provide solutions that do allow you to govern. Because again, we’re…
Currently, you might have 100 employees; in a couple of months or two years’ time, you double the number of employees that are actually digital, because they are agents. If you don’t do that, then probably you’ll shoot yourself in the foot. But that does need to come with the guardrails and the compliance requirements that are required. Again, if somebody listening to this podcast says, I’ve nailed it, reach out to us, because then we can only learn from these best practices and spread the word.
I’ve not seen that working. And again, at Kiteworks, we’re working on awesome stuff related to it. But looking at the current state of play, I do not see any company that can really do what it tells you on paper.
Patrick Spencer (27:07.598)
We figured it out. Very, very true. Now, we looked at the organizational size in regards to data sovereignty compliance, the success, how often they actually are experiencing incidents from a data sovereignty standpoint. We found that there’s like a 15 to 25 point, depending on the question that we ask,
difference between small organizations and large organizations, and probably not a huge surprise that large organizations are doing better than small organizations, just because they probably have more maturity when it comes to cybersecurity and data governance, but then they have a lot more resources at the same time.
Rick Goud (27:52.258)
Yeah, totally. I think especially the latter is important for those smaller companies that typically have to rely on their MSPs or so to provide that intelligence and that knowledge. And that is still underdeveloped as a service, so to say. So they just don’t have the expertise nor the money, right? Because for those smaller companies, you do see that budgets on AI probably exploded, but then they also need budget for the governance.
It’s a fine balance, it’s totally not surprising. And I see that in practice that the big organizations have the expertise to at least work on it and feel that they are in control within the limitations of their power. Small companies just use the tools at hand and pray, slash hope, that somebody else can help them solve the problem later down the road. But they first want to reap the benefits of the productivity gain.
Patrick Spencer (28:46.350)
Yeah, very, very true. Now, when we asked the question around, well, what’s your top priority when it comes to data sovereignty compliance? It was automation. 53% cited it as one of their top three priorities. Not a big surprise. I mean, we talk about AI. Automation often percolates to the very top of the list, particularly as we’ve seen agentic AI introduced in the last year, year and a half.
You know, where are your biggest wins if you’re an organization and you’re wanting to automate some of the compliance issues around data sovereignty?
Rick Goud (29:23.150)
Yeah, so I think, so typically your policy lives on paper and you try to implement the practice, and whether you are able to prove that you really live up to the standard, probably with all of this you got away with some simple checks and balances. You cannot permit yourself to do that anymore, because
before you know it, agents will be using or sharing your data without your consent. And I think that is actually where typically organizations look at use cases like secure email, secure file transfer, file collaboration, which of course is the last mile for the problem to solve, but it is all about compliance and control. So first, I think the most important part is that you have to invest in this engine that, no matter the channel, you have
control over, slash you can protect your data, because if you do that well, that engine can also collect all the relevant logging data that then allows you to create those reports that do allow you to say or claim that you are or aren’t compliant with HIPAA, CMMC, NIS2, DORA, wherever it may be. So that centralized engine that is basically your universal lens towards all your sharing of your data, including all logging data,
can only be the first point you need or want to invest in because otherwise things will explode. You need to have the centralized policy decision point as typically it’s called in the digital.
Patrick Spencer (31:00.994)
Yeah, very, very, very true. And maybe that’s one of the answers to the next question that I’m about to ask you. We’re in an environment where it’s becoming more mature, the technologies and the processes and the systems that organizations are putting into place. And we’re sort of shifting from this perception of “we believe that we’re compliant,” right? Which makes the CEO happy sometimes,
to “you’ve got to prove it.” We can actually prove that we’re compliant. And organizations are now being asked by their boards, by their C-suite, by the regulators to prove it. If someone’s asked on short notice, demonstrate that your AI usage is compliant with one of those regulations behind you on the board, for example. How can you prove it? What’s a mechanism that you can put into place that can get you from
A to B as quickly as possible so you can focus on business issues rather than keeping the regulators happy?
Rick Goud (32:05.444)
Yeah, so a couple of aspects. So A, I don’t see it in practice, right? Again, you have to have this policy decision point that you put centralized in there that allows you to understand what is being collected, what you receive and what you store. And it’s not just about agents, right? That’s my second point, it is also what companies have. And a typical example is, so again, I’m from the Netherlands,
for the audience, we have around 17 million inhabitants in the Netherlands. But one of the biggest telcos, Odido, had a big data breach last week, where apparently for over five months’ time, hackers were in their systems and they exfiltrated the data of a little over 8 million. So that’s almost half of all the inhabitants in the Netherlands. And of course that can happen to everybody, but what is very, or can happen,
Patrick Spencer (32:51.855)
Have a great day.
Rick Goud (33:00.676)
everybody’s at risk to that to some extent. But what is interesting is that a part of the data set that’s been extracted is now published on the dark web, because they didn’t want to pay the fine, or the ransom fine, so to say. It contains a lot of data from people that were no longer customers for a very long time. And according to their compliance on paper and on the website, the data should have already been deleted.
And I think that’s the general problem. People collect so much data, share so much data, by humans, by AI, that the reality on paper just does not match the reality in practice. And again, only when you invest in those centralized data policy engines, policy decision points, that allow you to add metadata to the files you collect to understand how long can or should I store this? Who can we share this with, under what conditions?
Then you’re only able to protect it well and to generate the reports automatically that you need to prove to the authorities that it’s not just a paper reality, that it’s a real reality. However, adoption of those tools is still very much in its infancy. But I do expect that to have incredible growth over the next 12 months. Because again, otherwise, with all the AI being adopted also by the malicious parties,
you will see that there will be more data leaks. If then, again, the paper reality and the practical reality of how you manage and protect your own data do not match, probably then we will see the fines coming.
Patrick Spencer (34:38.318)
Hmm. Interesting. You got me thinking, you have all this data that has retention policies associated with it and you want to expire it as soon as possible because retaining it actually, as you just noted, incurs higher risk. Tagging it and understanding what kind of data you have, I would assume, is a starting point. You know, we’ve had a couple of announcements here at Kiteworks, for those who’ve been watching the news, with several different large data
security posture management companies in the marketplace that do that discovery and the identification and tagging. Then Kiteworks sort of takes it the last mile, where it’s enforcement related as well. So I assume having the right DSPM in place is important. So you understand what data you have, it’s tagged appropriately and so forth. But then if you aren’t actually enforcing it in terms of who it can be shared with and so forth, you incur additional risk. So you have to have…
both of your bases covered, right? You gotta have the discovery and the tagging covered. You also gotta have the enforcement in place at the same time.
Rick Goud (35:40.896)
Totally, where I was talking about data policy engine, policy decision point, whatever you like to call it, which is growing, but certainly not as fast as all the DSPM vendors, because that is the type of vendor that you’re talking about, data security posture management. And what those types of vendors need to do is allow you to basically get an…
overview, insight into where your sensitive data lies, what the properties are. So indeed, you can say, but this type of data needs to be removed within X period of time. But again, it only provides you, let’s say, with the Google Maps towards your sensitive data. But again, actually enforcing and applying those policies, preventing that sensitive information that should not be shared according to your policy is not really shared, that is typically where all of these DSPM vendors stop, because they help you to navigate your sensitive data and not to protect it.
And again, of course, it is a layered approach, but first you have to know where your sensitive data is, and then put the controls in place and the engines in place that help you to allow and apply those policies that, again, you’ve written on paper, but now need to be enforced.
Patrick Spencer (36:48.376)
Great, great point. All right, for our audience, as we take a step back from the report, what are one or two of the key takeaways that you think a CISO or a compliance leader needs to be aware of from the report findings?
Rick Goud (37:02.628)
Yeah, so I think that the most important thing is sovereignty is here and will stay here for the next couple of years. Do make sure that you adopt internally a framework that allows you to objectively measure, for internal stakeholder purposes but also for vendor comparisons, what you as a company find important,
because otherwise you will see yourself discussing sovereignty with some IT colleagues, with C-level suites, because everybody will use a different definition of sovereignty. Only if you adopt this framework that internally provides you with this language that allows you to understand each other, but also then to measure your vendors against, that will certainly make your life a lot easier, because everybody thinks they are aware and well informed.
In practice, it’s not the case. A universal framework will help you in that transition.
Patrick Spencer (38:00.526)
Some great recommendations there. All right, one more question for you, then I promise we’re finished. If you look into your crystal ball, you’re going to look out three years, four years from today. And organizations are obviously always interested in how do I manage to the future? You know, from a data sovereignty perspective, based on our report findings, as well as your expertise in regards to what’s transpiring in the market, you know, what’s going to happen with data sovereignty in three or four years? What should
the organizations anticipate so they can ensure that they have the right systems in place, the right technologies instituted?
Rick Goud (38:37.700)
Yeah, so I think there are two important points, right? So one, make sure that whatever you do, whatever you choose, you do not create a vendor lock-in. You want to be agile. New tools, new solutions, they will arise in the next couple of years, claiming sovereignty, doing everything right. And you do not want to pick a solution that keeps you locked in.
Make sure that you can move your data and your processes and your workflows to another tool, because the winner of today, certainly with all the agentic AI, vibe coding happening nowadays, will not be the tool that will be the winner in six to nine to 10 months. So keep your agility and keep your data in your own control. That’s one. And then B, please make sure that you do not trust a vendor by saying they are sovereign.
In practice, you are responsible. Supply chain management, also in NIS2 and DORA, is extremely important. Make sure that you are in control. Do not trust, quote unquote, your vendors by their blue eyes or by what they are saying. Validate that they are as sovereign as you want them to be according to your framework. While keeping agile, those two components need to go ahead.
Patrick Spencer (39:58.798)
Great suggestions. Rick, it’s always a thrill to talk to you. Thanks for coming back to another Kitecast episode. We’ll have to have you on again. We’ll figure out another topic for you to talk about: AI, data privacy.
Rick Goud (40:10.852)
Or some email security market guide. Awesome. Looking forward.
Patrick Spencer (40:13.746)
Precisely, we can talk about that based on your experience. I think we need a survey report on that topic probably.
Rick Goud (40:21.176)
Exactly. Again, happy to be here, looking forward to the next time. Patrick, always a pleasure.
Patrick Spencer (40:26.324)
Absolutely. And thanks to our audience for joining another Kitecast episode. Check out other episodes at kiteworks.com forward slash Kitecast.