Data Is the New Gold: Russia Is Shaping a New Model of Digital Security

In an interview with IT Russia, Sergey Kryukov, CEO of ExploidDog (R&D), explained how companies are beginning to transition toward new cybersecurity models, how they assess risks, and where organisations most often lose control over their data.

– How is the approach to cybersecurity changing today, and why are data themselves becoming the central focus?

– Today, cybersecurity is no longer viewed primarily as a matter of protecting infrastructure. The focus is increasingly shifting toward data governance and control. Companies are rethinking their security strategies because data have become both the most valuable asset and the main source of risk. Against that backdrop, a data-centric model is taking shape - one in which data are effectively the new gold.

International companies are increasingly moving away from perimeter-based security models in favour of approaches centred on data themselves and direct control over them. In Russia, that transition is already happening at the operational level. According to recent research, 56% of corporations increased their cybersecurity spending in 2025 by an average of 20% to 40%. At the same time, 49% of surveyed companies reported a significant rise in interest in information security among chief executives over the past two years.

– What is driving that shift?

– The growing focus on data protection in Russia is being driven by several factors. Among them is the rapid increase in both the number and sophistication of cyber threats against the backdrop of widespread digitalisation, which has turned data into a highly valuable asset and a primary target for attackers. At the same time, companies are responding to mounting regulatory pressure and a growing awareness of the substantial financial and reputational risks associated with data breaches.

Finally, geopolitical factors are accelerating the development of domestic cybersecurity technologies aimed at strengthening technological independence in the sector.

– What core principles underpin data-centric security, and where should companies begin the transition?

– Data-centric security still rests on three fundamental principles: data integrity, availability and confidentiality. At the same time, security itself should not be viewed as the deployment of a single class of tools, but rather as an ongoing process. That is why the transition should begin with a data audit and classification exercise. Before a company can protect data, it first needs to determine exactly what requires protection.

Without a proper data audit, security simply does not work. That is why companies first focus on understanding what information they actually store, how it moves through the organisation and where control is being lost.

– How does a data audit work in practice, and why is it such a critical stage?

– In practice, audits can be conducted in several ways. The traditional approach involves working directly with data owners. At that stage, it is important to reconstruct the entire data lifecycle, understand who creates the data, why the business needs them, where they are transferred and how they are subsequently used. At the same time, companies must answer a basic question about the consequences of compromise. If data are altered, exposed or lost, the organisation needs to understand the scale of potential damage in advance. For example, the substitution of banking details leads not only to direct financial losses, but also to a loss of trust among clients and partners.

Within that framework, security becomes directly tied to trust. And ultimately, any data-related issue translates into financial costs - whether through breaches, regulatory fines or the investigations that follow.

– How do companies assess cybersecurity risks today, and how does Russian practice differ from international approaches?

– In cybersecurity, there has long been a recognised practice of risk acceptance, where the acceptable level of losses is defined at the CEO level. Internationally, that threshold is typically set at around 2% to 3% annually. According to ExploidDog (R&D), in Russia it can reach as high as 10%.

Businesses then compare the cost of cybersecurity measures against potential losses. Russian companies are generally more willing to tolerate those risks, whereas international organisations tend to invest more aggressively in reducing them. At the same time, a more mature approach is gradually beginning to emerge within Russia’s cybersecurity market itself. Companies are increasingly learning how to quantify cyber risks properly and incorporate them into broader business economics.

– What approaches do companies use when implementing data-centric security?

– From an implementation standpoint, companies generally rely on two approaches to data-centric security.

The first is a manual approach. It begins with an audit, followed by data classification and inventory. After that, organisations build a role-based access model. Specialists determine who should have access to specific data and to what extent, while also documenting how information is created, transferred and used across the business. Only after those stages are complete is a DLP system introduced as a tool for enforcing and monitoring the established framework.

The second approach is automated. In this model, a DLP system is deployed at an early stage. It is a costly solution capable of analysing data transmission channels, including email and internet traffic, as well as user actions such as copying, printing and transferring files to external media. At the same time, DLP does not solve the classification problem by itself. The system can help identify and block violations, but it cannot independently determine which data are genuinely critical to the business.

That is why, in practice, companies often adopt a hybrid model. DLP is connected during the audit stage, followed by manual refinement and the development of role-based access structures. Only after that does the system become part of an ongoing monitoring framework.

From there, continuous monitoring becomes essential. This is an automated and cyclical process designed to identify, track and control sensitive information on an ongoing basis.

– What common problems do companies encounter during the data inventory stage?

– One of the most common issues is a poor understanding of their own infrastructure. In such cases, organisations may have undocumented storage environments with elevated access privileges operating inside the company. That is precisely why a preventive approach matters at this stage. Without a clear understanding of where data reside and how they move across internal systems, any further protection efforts lose much of their value.

A second problem emerges when businesses do not fully understand why data classification is necessary and begin treating the process as a purely formal exercise.

A third category of risk is linked to classification errors, which can result in sensitive information being stored in insecure environments. A separate issue involves the handling of personal data. If a company lacks dedicated specialists in this area, mistakes quickly lead to breaches and regulatory penalties.

That is why asset inventory is no longer just a technical formality. It becomes the point at which the long-term resilience of the entire data protection system is established.