More Than Just a Team Effort

How Healthy Collaboration Builds Resilient Organizations

Bogotá, Colombia – May 15, 2025.

Introduction

In an era where AI-driven data risks are escalating, the recent Microsoft RSAC 2025 highlighted the urgent need to address data oversharing and overexposure. While the industry is rapidly advancing with automated agents, security tools, and governance frameworks, the real challenge lies in redefining organizational processes, roles, and responsibilities to create a culture of accountability and resilience. The focus must shift from reactive technology deployment to proactive business alignment, where data protection is not just an IT mandate but a shared responsibility across every layer of the organization.

What remains fundamentally unchanged is the human and organizational dimension. The real challenge lies not in technology, but in redefining processes, procedures, roles, responsibilities, and permissions. It’s about establishing a culture of education and awareness, where everyone understands their role in protecting information assets.

Pillars of a Cultural Change

Process and proceduresRoles and responsabilitiesPermissionsEducation and awareness
Redefine information protection practicesClarify accountability in safeguarding dataEstablish appropriate level of accessPromote understanding of AI-related risks

At the core of this transformation is accountability. True resilience against AI-driven data risks begins when organizations recognize that safeguarding information is not solely a technical effort-it is a shared responsibility across all business functions. This cultural shift is the real key to confronting the evolving risks introduced by AI.

image 1-01

Main Content

During the recent Microsoft RSAC 2025, we witnessed an impressive showcase of innovation: new capabilities, smarter tools, and increasingly powerful AI models promising to protect us… from other AI models. The message was clear that technology is evolving fast, and so are the threats.

But amid the excitement, we may be missing the bigger picture.

It’s time to take a step back-and maybe a few more-to ask ourselves:

These aren’t just technical or procedural questions-they are organizational ones. The common thread in all of them is clear: the protection of information assets. And the hard truth is this:

Accountability vs. Responsibility – Who Owns the Data?

There’s a fundamental confusion that must be addressed: IT, Security, and Compliance teams are responsible-but they are not accountable.

Compliance, security, and IT teams can:

Provide visibility

Suggest controls

Implement classification and protection mechanisms

Inform about regulatory obligations

But only business can answer:

What data matters?

Who should access it?

How should it be used?

What is the impact if it is lost or leaked?

Until organizations shift their mindset to recognize this accountability, tools alone will not solve the overexposure or oversharing problem.

The Countdown Has Already Started

Most organizations are investing heavily in AI, DLP, DSPM, and Insider Risk Management—but we are only discovering what we already know.

What about the unknown?

What about the unclassified, unstructured, ungoverned data hidden across collaboration platforms, shadow systems, or AI interactions?

We rely on policies that cover what’s been formally defined, but the gaps are growing wider. This is the real risk landscape.

Education + Culture = Sustainable Governance

The ultimate source of oversharing and overexposure? The end user.

And no matter how much we try to enforce, restrict, or monitor every single user action, we won’t win this war with control alone.

The solution lies in education and cultural transformation:

Educating business areas on the value and sensitivity of their data.

Empowering end users to understand the consequences of their decisions.

Clarifying roles and responsibilities: who is accountable, and who is supporting.

Accountability and Responsibility – From Concept to Practice

When discussing the protection of information assets, one of the most persistent misconceptions is that IT or Security teams are solely responsible for everything that happens with data. Accountability must be clearly defined and shared across the organization, with business leaders and end users playing a pivotal role.

While security, compliance, and IT departments are responsible for implementing protections, monitoring access, and ensuring regulatory alignment, the accountability – the ownership of the data and the decisions about its lifecycle—belongs to the business.

Real-World Examples: Accountability in Action

To better understand how this distinction plays out in practice, several recent case studies provide valuable insights:

Public Sector Lessons from Stockholm Municipality

A study within Stockholm’s municipal departments revealed significant gaps in how information assets were identified and managed. Each unit had different levels of maturity, and no standard process existed for defining ownership of data like financial transactions or HR records. The lack of a unified accountability model weakened overall governance, despite strong IT support systems.
(Source: diva-portal.org)

In this implementation case, DemoCorp used the COBIT 5 framework to structure the role of the Chief Information Security Officer (CISO), mapping not only security responsibilities but also the data accountability path across departments. This made it possible to assign clear business owners for every type of information, enhancing collaboration and reducing compliance risk.
(Source: ISACA Journal)

The traditional CIO role is expanding. According to a 2023 ISACA article, CIOs must now align IT strategies with business outcomes, enforce ownership policies, and drive accountability beyond the technical teams. In this model, business leaders must define what data matters, who owns it, and what acceptable usage looks like.
(Source: ISACA Journal)

Organizations operating with federated or decentralized IT face unique challenges. A recent professional analysis emphasized the role of structured frameworks like COBIT and NIST CSF to ensure that even in distributed environments, each information asset has a defined owner, supported – but not replaced – by the security teams.
(Source: LinkedIn Article)

The UK’s Information Commissioner’s Office (ICO) provides applied models from organizations that implemented robust accountability strategies, including governance councils, automated logs of ownership, and proactive communication with business stakeholders. These models reinforce the idea that ownership is strategic, not operational.
(Source: ICO Case Studies)

What This Means for Compliance Leaders

From these cases, one pattern is clear: compliance cannot be successful in isolation. Data protection requires:

This shift – from security teams owning protection, to business units owning information – must be supported by tooling, training, and, above all, clear expectations. Microsoft Purview and Defender solutions can enable this with metadata tagging, role mapping, and risk-based monitoring, but the foundation lies in shared responsibility.

Toward a Culture of Healthy Collaboration

To truly achieve data security and compliance, we need a shared understanding of roles and mutual accountability.

Only with this mindset can we move toward a Healthy Collaboration Culture, where protecting data is not a burden for a few – but a shared priority for all.

Let’s stop asking who should own the data and start making everyone aware of the data they already do own.

Conclusions

The discussions held during RSAC2025 and the broader analysis of current enterprise challenges confirm a critical shift: technology alone is no longer enough to safeguard information assets in the face of growing complexity and AI-powered threats. Organizations are facing systemic issues related to data overexposure, oversharing, and unclear accountability-factors that no single tool or control can remediate in isolation.

Across various incidents and statistics from the past year, a consistent pattern emerges:

More than 70% of data exposure events

are the result of misconfigured access, ungoverned sharing, or end-user misjudgment-often exacerbated by the integration of AI agents that act without contextual boundaries.

continue to be held responsible for outcomes beyond their reach-often without having clear visibility into business-critical information or ownership definitions.

face the burden of enabling and enforcing policies that depend on accurate metadata, robust classification, and user awareness-all of which are often incomplete or poorly implemented.

These findings reinforce a key message:

Data protection is not just a technical challenge-it’s an organizational responsibility.

The solution does not lie in deploying more agents or dashboards, but in embedding clear accountability frameworks, shared understanding of information assets, and educational initiatives across business units. Cultural change is imperative.

Key lessons include:

Considering these reflections, several open questions remain which every organization must address in the coming months:

Until these questions are addressed, any technical solution will remain incomplete.

 

Synergy Advisors provides consulting services and proprietary solutions to help you start to address the issues I’ve discussed in this article.  Email us at [email protected] to chat with one of our architects about how we can help you discover and act on your sensitive information in today’s evolving landscape.

Beyond our consulting and managed services, our E-Inspector solution can help you automatically find and act on sensitive data at risk of overexposure.  For more information about E-Inspector, email us or visit our webpage: E-Inspector – Synergy Advisors.

Author

Sebastian Zamorano

Architect Consultant

Scroll to Top