Early in the career of Neha Chandnani, CC, data security felt straightforward. Protect the network, lock down endpoints and restrict access – because, if the perimeter was secure, the data inside it was assumed to be safe. That assumption no longer holds; today, data moves constantly across cloud platforms, third-party services, APIs and AI pipelines.

AI Month: Building Data Trust in an AI-Driven World - Neha Chandnani, CCDisclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

Data is accessed by employees, contractors, partners and automated systems. I’ve seen firsthand how relying solely on perimeter controls creates blind spots, leaving organizations exposed even when traditional security metrics look strong.

This realization has forced a shift in how I think about data security. Instead of asking “Is the environment secure?” the better question has become “Can I trust how our data is used, everywhere it goes?”

As organizations race toward cloud adoption and AI-driven analytics, traditional data protection models are no longer enough. Cloud-first architectures have blurred the boundaries that security teams once depended on. Applications span multiple providers, users work remotely and sensitive data is routinely shared with vendors and analytics platforms. In this environment, breaches don’t always come from sophisticated external attackers; they often result from misconfigurations, excessive permissions or lack of visibility into data flows.

Tackling the Fundamentals

I’ve worked with teams that passed infrastructure audits yet still struggled to answer basic questions:

  • Where is our sensitive data stored?
  • Who can access it right now?
  • How is it being used after access is granted?

If I can’t answer those questions confidently, my security actions become reactive rather than preventative.

The turning point is recognizing that data itself must become the primary security boundary. My data-centric approach necessarily focuses less on where data lives and more on how it is classified, accessed and monitored. This shift is especially important as data increasingly flows through cloud services, third-party platforms and AI systems that sit well outside traditional network perimeters.

Who Owns What

Adopting this mindset also forces me to rethink ownership. Data security is no longer just an IT responsibility; it requires me to instill collaboration across security, engineering, legal and business teams. When data owners understand how their information is used and protected, controls become more practical, consistent and easier to enforce.

Here’s how I determine controls:

  • Clear Data Classification: I start with clear data classification. Not all data carries the same level of risk, yet many teams protect everything equally, or worse, don’t classify data at all. This leads to either excessive controls that slow the business or insufficient protection for truly sensitive information. By prioritizing critical and regulated data, I’m able to focus controls where risk is highest – an approach that will become essential as AI systems process and reuse data at scale.
  • Identity-Driven Access: Next comes identity-driven access. Rather than static permissions tied to roles that rarely change, my access decisions account for who the user is, how they are accessing systems and the context of the request. This reduces the risk of over-privileged access that quietly accumulates over time. Over time, this approach also makes my team’s access reviews more meaningful. Instead of manually untangling legacy permissions, it can focus on validating whether access still aligns with current responsibilities and risk tolerance.
  • Accountability and Data Ownership: A data-centric model requires clear accountability. By assigning data owners I ensure responsibility for access approvals, usage reviews and response when issues arise, preventing sensitive data from falling outside defined controls. Together, classification, identity-driven access, monitoring and ownership form a scalable framework for building data trust as organizations adopt cloud and AI-driven technologies.
  • Continuous Monitoring and Logging: Finally, continuous monitoring and logging are critical. Trust isn’t established once; it’s validated continuously. Visibility into data access patterns helps teams detect misuse early, whether accidental or malicious. It provides valuable context during incident response. Consistent logging also supports regulatory requirements and audit readiness. When we can demonstrate how data is accessed, monitored and reviewed over time, compliance becomes a byproduct of good security practices rather than a separate exercise.

A lesson that stands out for me is that tooling alone doesn’t solve data security problems. I’ve seen organizations invest heavily in encryption and monitoring platforms without aligning them to clear ownership and processes. Without defined accountability of who owns the data, who reviews access and who responds to anomalies, even the best tools fall short.

A second insight is the importance of collaboration between security, engineering and business teams. Data security decisions often impact product design, analytics and customer experience. When my security teams operate in isolation, controls are more likely to be bypassed or ignored. When my teams collaborate, security becomes an enabler rather than a blocker.

Building Trust, Not Just Controls

Ultimately, data security is about trust – trust from customers, regulators and partners that their information is handled responsibly. Compliance frameworks provide me with a foundation, but trust is earned through consistent, transparent practices that go beyond audit checklists.

By focusing on data classification, contextual access and continuous validation, I can move from a defensive posture to one that actively supports growth and innovation. In a world where data is everywhere, protecting it effectively means redefining how I think about security itself.

Ultimately, my view is that the future of cybersecurity will be measured less by how strong our perimeters are and more by how confidently we can answer one question: Can we trust the way our data is used? Organizations that embrace data-centric security will be better positioned to manage risk, meet regulatory expectations and maintain long-term digital trust.

Neha Chandnani, CC, has 10 years of experience in IT audit, technology risk management, regulatory compliance and control oversight. She has held technical and supervisory roles, with responsibility for leading audits, supervising teams, assessing IT control environments and validating remediation of regulatory findings and internal control issues. Her cybersecurity work spans privileged access management, network security, business continuity and data protection controls.

For You, By You: Join Us and Build ISC2's AI Security Certification

As cybersecurity professionals evolve and adapt their skillset and job functions because of AI, ISC2 has announced the development of a new AI security certification to recognize and benchmark AI skills and competence within the cybersecurity workforce.

The AI security certification development process presents an opportunity for cybersecurity professionals to input into the process and help define parameters for the certification.

This is your moment to play a defining role at the foundation of this new certification:

  • Contribute to identifying the knowledge, skills and abilities necessary to securely design, implement and manage AI systems
  • Creating questions for a pilot exam
  • Participate in publicly available pilot exams to help ensure it accurately validates a candidate capabilities

For more information about the ISC2 AI security certification program and how to contribute to the various development activities taking place, go to https://www.isc2.org/new-ai-certification.

Related Insights