
Operating Blind: Kiteworks 2025 Report Reveals How Visibility Gaps Put Enterprises at Risk


Enterprises today face mounting risks as sensitive data moves across clouds, partners, and internal systems. While digital transformation drives speed, it also multiplies blind spots that expand attack surfaces, complicate compliance, and inflate costs. The newly released 2025 Data Security and Compliance Risk: Annual Survey Report from Kiteworks shows just how costly that lack of visibility can be.

In this TechBullion Q&A, we speak with Tim Freestone, CMO at Kiteworks, and Patrick Spencer, SVP, Americas Marketing and Industry Research, about the report’s findings. They explain why so many organizations struggle with basic security visibility, how ungoverned AI and sprawling vendor ecosystems create cascading risks, and what Kiteworks’ new risk scoring algorithm reveals about industry and regional vulnerabilities. From hidden compliance costs to the “danger zone” of third-party relationships, they break down how enterprises can move from incremental fixes to transformative strategies that reduce exposure and improve outcomes.


Q: In Kiteworks’ 2025 Data Security and Compliance Risk: Annual Survey Report, you found that 46% of organizations don’t know their breach frequency. How does this basic knowledge gap affect their overall security posture?

Spencer: When organizations can’t answer fundamental questions about their security, it creates what we call a cascade effect. Companies that don’t know their breach frequency also typically can’t count their vendors, measure AI usage, or track compliance hours. This isn’t multiple problems—it’s one problem manifesting everywhere. The data shows these organizations face significantly higher security risks and breach litigation costs that can reach $3 to $5 million, and this doesn’t include lost revenue, regulatory fines and penalties, and brand damage. They’re essentially operating blind while threats multiply around them.

Q: Only 17% of organizations have implemented AI governance frameworks despite widespread AI adoption. What’s driving this gap?

Freestone: Speed broke traditional governance models. Cloud adoption took a decade, giving organizations time to develop policies. AI went from experimental to essential in under three years. By the time governance committees schedule their first meeting about ChatGPT, employees have already adopted five new AI tools. We found that 64% of organizations now track AI-generated content, up from just 28% last year, but tracking isn’t the same as governing. Among organizations unaware of their AI data exposure, 36% use no privacy-enhancing technologies at all, which creates massive blind spots.

Q: Your longitudinal data shows encryption adoption improved just 9 percentage points over four years. Why is progress so slow?

Spencer: Organizations are treating exponential threats with incremental responses. While encryption crawled from 47% to 56% over four years, vendor relationships multiplied, AI adoption exploded, and compliance requirements expanded dramatically. The fundamental problem is that steady, incremental progress can’t keep pace with rapidly evolving threats. Organizations need transformation, not iteration, to address modern security challenges.

Q: The report shows organizations using privacy-enhancing technologies detect breaches 67% faster and reduce costs by 81%, yet 14%-36% use none. What explains this adoption gap?

Freestone: It’s a perception problem more than a technology problem. Terms like “homomorphic encryption” intimidate people, but many PETs require no more expertise than standard security tools. Organizations also struggle to see the value until after a breach—“67% faster detection” sounds abstract until you’re paying millions for a breach that lingered for 90 days. The simple math is that PET implementation costs a fraction of a single breach, yet organizations keep choosing million-dollar risks over thousand-dollar protections.

Q: How do geographic differences shape security outcomes according to your data?

Spencer: Geography creates distinct patterns but doesn’t determine destiny. North America leads in encryption at 53% but has lower AI governance implementation at 21%—innovation pressure conflicts with security needs. Europe shows strong IT specialization at 56% of security roles, benefiting from GDPR driving real capability building. The Middle East shows the starkest disconnect: they require security certifications at the highest rate globally (60%) but provide the lowest training investment (18%). These regional patterns matter, but we see both excellence and failure in every geography.

Q: The report identifies 1,001-5,000 vendor relationships as a “danger zone.” Why is this specific range so problematic?

Freestone: This range represents a perfect storm of vulnerability. These organizations have outgrown manual vendor management—you simply can’t track 3,000 relationships in spreadsheets—but they haven’t yet invested in enterprise-grade automation. They’re stuck in a gap where complexity exceeds human capability but doesn’t justify million-dollar solutions in the eyes of budget-conscious executives. Attackers know this, which is why 24% of organizations in this range experience seven or more breaches annually, and 26% face $3-$5 million in litigation costs. In addition, our risk algorithm shows this danger zone has the highest average risk at 5.19.

Q: Your report introduces a 1-10 risk scoring system. How does this help organizations understand their security posture?

Spencer: The risk score transforms multiple security metrics into a single number that predicts breach probability and costs. It synthesizes three dimensions: breach frequency, financial impact, and detection speed. The median organization scores 4.84, which puts them dangerously close to high-risk territory. What’s revealing is that only 25% of organizations achieve low-risk status below 3.5. We’ve validated these predictions—organizations scoring above 6.0 experience major breaches within 18 months at a 73% rate, while those below 3.5 avoid major incidents 89% of the time. Industry variations are striking too: Energy and Utilities faces the highest risk at 5.51, while Life Sciences achieves the lowest at 3.37. This gives boards and executives a clear, quantifiable way to understand their security exposure and track improvement over time.

Q: On this note, your research uncovered a “confidence paradox” where organizations expressing moderate confidence actually face the highest risk scores. How do you explain this counterintuitive finding?

Freestone: This was one of our most surprising discoveries. Organizations with “somewhat confident” attitudes scored 4.73 on our risk scale, higher than both very confident organizations at 4.52 and those admitting low confidence at 4.26. We believe moderately confident organizations fall into a dangerous complacency—they think they’re doing enough, so they stop pushing for improvement. Very confident organizations have usually earned that confidence through investment and results. Organizations with low confidence at least recognize their gaps and often take action. It’s the middle group that assumes partial measures are sufficient while risks compound around them.

Q: You also found that organizations spend $2.33 in hidden costs for every dollar of visible compliance spending. What are these hidden expenses that executives miss?

Spencer: The hidden costs are staggering and mostly involve opportunity costs. When security teams spend 1,000-1,500 hours annually on manual compliance reporting, that’s time not spent on actual security improvements. There’s also knowledge loss—when experienced staff leave, they take undocumented manual processes with them, forcing expensive rebuilding. Error rates in manual processes create rework and audit findings. But the biggest hidden cost is innovation delay. While teams wrestle with spreadsheets and email trails, competitors using automated compliance move faster on new initiatives. The $2.33 multiplier makes clear that manual compliance isn’t cheaper—it’s just hiding its true cost.

Q: What’s the single most important action organizations should take based on this research?

Freestone: Measure what matters. You can’t secure what you can’t see, and our data proves that organizations operating blind face predictable disasters. Start with five basic measurements: count your vendors accurately, track what percentage of content is AI-generated, document your actual breach history, quantify compliance time investment, and measure detection speeds. These aren’t advanced capabilities—they’re foundational. Yet nearly half of organizations lack them, and they’re paying millions in preventable costs as a result. Our risk scoring algorithm, which synthesizes breach frequency, detection speed, and financial damage, consistently shows that organizations with strong visibility achieve dramatically better outcomes.

For deeper insights, see Kiteworks’ full 2025 Data Security and Compliance Risk: Annual Survey Report.
