How to Stop Running Standing Still In Your Data Security: The Red Queen Effect
When it comes to securing data, organizations and their CISOs are often like Alice in Wonderland.
In this article, we’re going to answer how and why.
But first, some literary background. Then, we’ll follow it up with some modern, concrete examples.
In Lewis Carroll’s "Through the Looking-Glass," the sequel to “Alice in Wonderland”, Alice and the Red Queen find themselves running faster and faster but staying in the same place.
The Queen stops running, stops Alice, and tells her to rest.
Alice looked round her in great surprise. ‘Why, I do believe we’ve been under this tree the whole time! Everything’s just as it was!’
‘Of course it is,’ said the Queen, ‘what would you have it?’
‘Well, in our country,’ said Alice, still panting a little, ‘you’d generally get to somewhere else — if you ran very fast for a long time, as we’ve been doing.’
‘A slow sort of country!’ said the Queen. ‘Now, here, you see, it takes all the running you can do, to keep in the same place.
If you want to get somewhere else, you must run at least twice as fast as that!’
Like Alice, defenders have to run as fast as they can just to stay where they are, and twice as fast to get ahead.
Why organizations keep running
In business, this phenomenon is often called the Red Queen effect, illustrating the constant need to evolve just to maintain the status quo. The same theory applies to cybersecurity: as cybercriminals develop new attack methods, defenders must continuously adapt to keep up. Driven by the growth in remote work, online collaboration, and massive cloud migration, attackers are increasingly targeting users and the data they manage.
According to the 2024 Verizon Data Breach Investigations Report, the number of data breaches analyzed has doubled over the past year. And in Concentric AI’s most recent Data Risk Report, we found that nearly 32% of an organization’s unstructured data is business critical, meaning its distribution should be controlled. Unstructured data here means files and documents that are created, controlled, and secured primarily by end users rather than by a central application or database. Alarmingly, 90% of business‑critical data are shared outside the C‑suite. The widespread adoption of hybrid work models has further degraded data security, and security professionals and CISOs alike are acutely aware that data exfiltration is a primary concern.
How to outrun the Red Queen: identify, protect, and monitor
To counter these threats, cybersecurity must evolve in two critical ways.
First, organizations must take shared responsibility for the data their users create and control. It is no longer sufficient to leave critical data security decisions, such as file access privileges, storage locations, or sharing practices, solely in the hands of end users.
Second, security principles once reserved for networked resources, specifically zero trust and least privilege, must now be applied to unstructured data to raise the difficulty level faced by potential attackers.
The OWASP Cyber Defense Matrix provides a robust framework for outlining the necessary steps. The matrix maps security domains — devices, applications, networks, data, and users — to activity categories: identify, protect, detect, respond, and recover. It also emphasizes the balance between technology-centric and people-centric activities.
The entire OWASP model is beyond the scope of this article, so we’ll focus on three key elements with the highest potential to help us outrun the Queen: data identification, data protection, and data monitoring.
Data identification
The first step in data identification is to inventory and categorize all unstructured data to achieve comprehensive visibility into file meaning and criticality, regardless of the data’s location.
Data protection
Today, access control and sharing for unstructured data are configured by the end user, so those decisions are invisible to security professionals. To enhance data protection, start by identifying inappropriate sharing and access grants. Notify users and rectify any critical security issues. The goal should be to enforce file access and sharing at least-privilege levels, with zero trust applied at the file level.
Data monitoring
Once data is identified and protected, the final step is to monitor changes and risk levels not visible to security professionals. Begin by defining the critical data to be monitored and establish continuous coverage. The objective is to have full visibility into data duplication, risky user activities, and exfiltration.
How AI can help beat the Red Queen
Identification, protection and monitoring require a technological approach capable of autonomously processing the millions of documents routinely used by organizations.
Fortunately, artificial intelligence technologies like deep learning and natural language processing (NLP) have evolved to help defenders stay ahead of the Red Queen.
Data Discovery and categorization
NLP offers a scalable, automated method to uncover the meaning and context of each file under management. The technology is highly capable of categorizing data and identifying data peer groups. Discovery and categorization are crucial first steps for securing unstructured data.
This newfound understanding of document meaning and peer groups enables a truly innovative approach to unstructured data security.
Risk Assessment and Monitoring
With categorized data, we have the foundation for automated risk assessment and ongoing monitoring. Within a group, the security practices followed by files in aggregate — such as storage locations, sharing practices, and access control — create a baseline for evaluating individual files.
For example, if a peer group of legal contracts is never shared outside the legal team, it’s a simple, automatable exercise to identify similar contracts that deviate from this practice.
This approach automates least privilege enforcement and applies zero trust at the file level. Without this capability, unstructured data will remain opaque, unknown, and highly vulnerable to compromise.
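The three steps above (flagging sharing grants that a file's peer group does not share, spotting duplicate copies, and doing both without asking the file owner) can be expressed as a small program. The following is an added illustration, not Concentric AI's code: it assumes a classifier has already labeled each file with a category, and the inventory, categories, principals and file contents are constructed sample data.

```python
"""Peer-group sharing baseline and duplicate detection for unstructured data.

Added example. Assumes an upstream classifier has already assigned each file
a category label; the FileRecord fields and SAMPLE_FILES below are constructed.
"""
import hashlib
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str
    category: str           # label assigned upstream (assumed), e.g. "legal-contract"
    shared_with: frozenset  # principals with access: users, groups, or "anyone-with-link"
    content: bytes          # file bytes, used only for duplicate detection


# Constructed inventory: four contracts shared only with legal, one contract
# overshared (sales plus a public link), one personal copy of a contract, and
# two HR offer letters whose peer group legitimately includes finance.
SAMPLE_FILES = [
    FileRecord("contracts/msa-acme.docx", "legal-contract", frozenset({"legal"}), b"MSA Acme v3"),
    FileRecord("contracts/nda-globex.docx", "legal-contract", frozenset({"legal"}), b"NDA Globex"),
    FileRecord("contracts/sow-initech.docx", "legal-contract", frozenset({"legal"}), b"SOW Initech"),
    FileRecord("contracts/msa-umbrella.docx", "legal-contract",
               frozenset({"legal", "sales", "anyone-with-link"}), b"MSA Umbrella"),
    FileRecord("users/dana/msa-acme (1).docx", "legal-contract",
               frozenset({"legal", "dana"}), b"MSA Acme v3"),
    FileRecord("hr/offer-template.docx", "hr-offer-letter", frozenset({"hr", "finance"}), b"Offer template"),
    FileRecord("hr/offer-jsmith.docx", "hr-offer-letter", frozenset({"hr", "finance"}), b"Offer J Smith"),
]


def peer_baseline(files, min_prevalence=0.5):
    """For each category, the principals that appear on at least min_prevalence
    of the peer group's files. That aggregate pattern is the baseline against
    which an individual file is judged."""
    by_category = defaultdict(list)
    for f in files:
        by_category[f.category].append(f)
    baseline = {}
    for category, group in by_category.items():
        counts = Counter(p for f in group for p in f.shared_with)
        baseline[category] = frozenset(
            p for p, n in counts.items() if n / len(group) >= min_prevalence
        )
    return baseline


def find_deviations(files, min_prevalence=0.5):
    """Files whose grants include principals absent from their peer baseline.
    Returns {path: sorted list of excess principals}; those grants are the
    candidates for least-privilege remediation."""
    baseline = peer_baseline(files, min_prevalence)
    deviations = {}
    for f in files:
        excess = f.shared_with - baseline[f.category]
        if excess:
            deviations[f.path] = sorted(excess)
    return deviations


def find_duplicates(files):
    """Group files by SHA-256 of content; return {digest: sorted paths} for
    every digest that occurs more than once. Each extra copy is another place
    the same data can be overshared or exfiltrated."""
    by_digest = defaultdict(list)
    for f in files:
        by_digest[hashlib.sha256(f.content).hexdigest()].append(f.path)
    return {d: sorted(paths) for d, paths in by_digest.items() if len(paths) > 1}


if __name__ == "__main__":
    for path, excess in find_deviations(SAMPLE_FILES).items():
        print(f"oversharing: {path} -> {excess}")
    for digest, paths in find_duplicates(SAMPLE_FILES).items():
        print(f"duplicate {digest[:12]}: {paths}")
```

Two points worth noting. The prevalence threshold is a tuning knob: at 0.5 the legal peer group's baseline is just `legal`, so the public link and the sales grant on one contract and the personal copy in a user's drive are all flagged, while the HR group's `finance` grant is not, because every offer letter has it. Lowering the threshold to 0.2 on this sample makes every rare grant part of the baseline and nothing is flagged, which is the false-negative direction to watch for when categories are small.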
Meeting the moment
These new AI tools for unstructured data security offer powerful defenses against today’s most pernicious attacks, such as:
Spear-phishing and credential theft
AI-driven classification enables tighter access controls that limit how much data a stolen credential can reach, and harden against island-hopping attacks (pivoting from one compromised foothold to the next). Fewer duplicate files mean less data exposed to compromise, and an attacker who does land on a file finds far fewer of them accessible.
User error
AI’s dynamic monitoring tracks document oversharing while identifying specific file risks, such as unnecessary access privileges — which can be corrected. Automation also allows for the monitoring and protection of millions of files.
Data exfiltration
With AI, data is categorized and classified centrally, without relying on end users and without the error-prone rule sets that IT generalists, rather than the people who understand the content, would otherwise have to maintain. This improves the accuracy and efficacy of existing data loss prevention tools without additional overhead.
_______
Perhaps the day will come when cybersecurity can completely outrun the Red Queen.
But for now, our best strategy is to double down on our efforts to protect data, leveraging the latest technology to stay one step ahead.