Citi Ventures and Cervin Ventures Co-Host Data Security Event During 2022 RSA Conference

Matt Carbonara

Managing Director, Venture Investing, Citi Ventures

Vibhor Rastogi

Global Director of AI/ML Investing, Citi Ventures

Nick Sands

Vice President, Venture Investing, Citi Ventures

Daniel Karp

Partner, Cervin Ventures

The RSA Conference, one of the world’s largest information security conferences, returned to San Francisco June 7-9, 2022, bringing thousands of security professionals together for an in-person exposition and series of conversations on the changing nature of cybersecurity.

In conjunction with the conference, Citi Ventures’ Enterprise Investing team co-hosted a Data Security Breakfast & Roundtables event with Cervin Ventures, an early-stage, enterprise tech-focused venture fund. Bringing together security leaders from across Citi, other large enterprises, Citi Ventures’ Security & Enterprise IT startup portfolio (including Immuta and, and Cervin’s Security portfolio, the event featured roundtable discussions on the emerging enterprise data security trends participants found most compelling.

Those trends and insights included:

Balancing Security Needs with Unlocking the Value of Data

The security industry stands at a critical juncture, participants in this roundtable said. In order to motivate a company’s employees to take ownership of its security practices, the industry must shift its educational approach from “tell me and I’ll forget” to “involve me and I’ll understand” (i.e., demonstrate that a security breach places employees’ livelihoods at risk because it can put the company out of business).

In turn, however, security practitioners must themselves understand that employees’ resistance to adopting more secure behaviors and solutions may stem at least in part from a legitimate business need: the need to “unlock” client data so that it can be used in a safe and compliant fashion, in the face of increasing demand and market opportunity.

To help balance those critical but often opposed goals, security practitioners should shift from a default mindset of “just say no” to one of seeking greater flexibility—and, when that is not possible, explaining why not. A potential middle ground could be to adopt the European model, in which data is owned by the individual and can be erased after it has been used to inform and improve a company’s business/marketing model.

Security professionals also need to better educate consumers about the need for preventative behaviors and, when breaches occur, active threat response. This task is difficult, as even consumers who have previously been breached rarely opt-in to more onerous security solutions. Moreover, having an elaborate and transparent disclosure can help vendors that are breached earn back customer trust and demonstrate their continued commitment to responsibly unlocking the value of data.

Finally, participants said, the security industry must better motivate organizations to eliminate data sprawl—perhaps by making it more costly. Data cleanups (to ensure proper categorization, storage, access controls, encryption, etc.) and erasures should be made part of default tooling, and timed access expiration should become the norm.

Cloud Data Protection

As companies shift to the cloud, they are increasingly relying on multiple external vendors to store, manage, and help mine their data, the Cloud Data Protection roundtable began. Typically, each cloud provider introduces its own security elements and credentialing systems, making it incumbent on each company to set unified policies, orchestration, controls, and monitoring to detect abnormalities.

In particular, unifying and protecting the different streams of information created by “as a service” solutions (e.g., Software as a Service [SaaS] and Infrastructure as a Service [IaaS]) requires tools that translate policy into implementation, participants continued. In order to protect their data as it flows through this ecosystem, companies need to identify the best points in their systems to track and monitor it—both when it is “at rest” (stored on a hard disk) and “in transit” (traveling between destinations). Companies may also want to create different “zones” for different types of data based on sensitivity, risk, and other factors, participants said.

Supply Chain Vulnerability

As global supply chains struggle with ongoing disruption, companies working to safeguard their supply chains must begin with visibility, participants in this roundtable said

First and foremost, that means identifying all the vendors and assets the companies rely upon. In the 2020s, global supply chains take a variety of forms, from goods and services to software. From a security professional’s perspective, the unifying component of these supply chains is the company’s exposure to vendors and other third parties—which offer a lucrative attack vector for bad actors attempting to penetrate an organization’s defenses. Thus, the group agreed, the first step in defending against this attack vector is improving the visibility of the users, data, and devices accessing proprietary systems.

One of the key challenges firms face in dealing with this issue, participants went on, is authenticating third-party vendors and others who have access to their data. New solutions to this problem include “device fingerprinting”—using information about the software and hardware of a remote computing device for the purpose of identification—and “data fingerprinting,” a scalable technique for identifying sensitive information so it can be tracked and protected.

Data Discovery: Classification, Visibility, Who Has Access

In today’s business world, data is king—and there is more and more of it every day. Protecting and accessing that data is a must for businesses to stay competitive and meet regulatory standards, the Data Discovery roundtable said. Since upwards of 80% of all data is unstructured, however, many firms are grappling with a fundamental problem: quite often, no one knows where that data is or what it contains.

To improve data discovery, the roundtable determined, firms must rapidly develop three key capabilities:

  1. The ability to locate data by its business context – that is, to search for and recognize it according to its specific area of importance to the organization.
  2. The ability to map data according to the specific vulnerability and business risk it would create if it became exposed.
  3. The ability to protect data in data repositories, file systems, and the thousands of SaaS applications that bring data into and through an organization. Developing that proficiency begins with knowing who has access to what kind of data.

Back Together Again

As shown above, the Data Security Breakfast fostered a valuable exchange of ideas between industry leaders and helped establish personal relationships that we hope can drive growth for all participants in the future.

Equally importantly, the breakfast marked an important milestone for Citi Ventures: our first in-person event since the pandemic began. We look forward to hosting more in-person gatherings in the future, and thank our partners at Cervin Ventures for helping make our return to live events a tremendous success.

For more information, email: