
DSPM Is Shadow IT All Over Again

By Tony Frum - Distinguished Engineer, Product Management

March 19, 2026 5 Minute Read

Data Security Posture Management (DSPM) is a bit of an enigma for a lot of people, including me.  I often find myself engaging in somewhat academic discussions about what, exactly, DSPM really is.  After many such debates, I found myself settling on this – DSPM, at its core, is nothing more than a data security solution that discovers data you didn’t tell it to look for.  You don’t have to define classifications (which are how you determine what is sensitive) or policy (which describes where to look for sensitive data and what to do when you find it).  You just unleash it, and it finds sensitive data that you might not have known about, and it catalogs everything it finds.  Simple.

I stand by this definition today, but one of my colleagues, Suhaas Kodagali, captured it in a much more insightful way, and I can’t stop thinking about it.  He said, “DSPM is Shadow IT all over again,” and this statement blew my mind.  Let me explain what is essentially an inside joke.

Go back in time roughly 10 years, and the Secure Web Gateway (SWG) market was already very well established and basically old hat.  SWG solutions can see all your web traffic, block whatever you want, and record every single HTTP request coming from just about any device in your environment.  It is a powerful technology and generally considered to be absolutely paramount in any complete security stack.  Then comes the Cloud Access Security Broker (CASB) market, mainly started by Skyhigh Networks, one of our ancestor companies, which developed a solution we still call “Shadow IT” today.

What does Shadow IT do?  Let me explain with a question of my own.  Do you know what the domain twtimg.com is?  Likely not, but it’s short for Twitter images – one of the many domains associated with X, formerly Twitter.  If you saw that in the reporting data from a SWG solution, you likely would have no idea what it was.  Let’s take another random example, sanpdf.com.  If you’re not familiar with it, a quick Google search will tell you that SanPDF is a set of tools for converting documents.  The domain is clear, but how easily could you answer security-related questions about SanPDF?  Does their legalese give them the right to use your converted data for their own purposes?  Do you know if they store data securely?  In short, do you know if you should allow your users to use it?  Chances are you wouldn’t know.  This is what Shadow IT does.  It helps you make sense of your SWG reports and helps you build a sensible policy based on business risk.

What’s interesting here is that Skyhigh Networks, as a Shadow IT vendor, didn’t have the fundamental ability to inspect any web traffic or to block anything.  They would import SWG log data and build valuable reports to show you where your risk was, and then you could use that to define policy.  Shadow IT could generate web policy building blocks by allowing you to define certain risk elements that were unacceptable, and that would create lists of applications to block along with all their associated domains.  Here’s the punchline of the joke – Shadow IT couldn’t enforce its own policies by itself.  They were forced to either integrate with a SWG that could, or they had to build their own proxy.  Shadow IT was forced to either remain reliant on SWG or to become a redundant proxy, and neither option was attractive for their customers.
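To make the workflow of the last two paragraphs concrete, here is an added example (not Skyhigh's code, and not how its Shadow IT product is implemented) of the enrichment step: raw SWG access-log lines are matched against an application catalog that carries the risk attributes the post asks about (terms of use, storage security), the administrator declares which attributes are unacceptable, and the result is a domain block list the SWG can enforce. The log lines, the catalog, the attribute names and the policy are all constructed for the example; the domains twtimg.com and sanpdf.com are the ones the post mentions.

```python
"""Added example: turn SWG logs into a risk-based block list via an app catalog.
Everything below (log lines, catalog, attributes, policy) is constructed."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed SWG log: timestamp, user, method, URL, status, bytes_out
SWG_LOG = """\
2026-03-19T09:01:12Z alice GET https://twtimg.com/media/abc.jpg 200 0
2026-03-19T09:02:40Z bob POST https://sanpdf.com/convert 200 482113
2026-03-19T09:03:05Z alice POST https://www.sanpdf.com/upload 200 901220
2026-03-19T09:04:55Z carol GET https://intranet.example.internal/home 200 0
"""

# Constructed catalog: the enrichment a Shadow IT product supplies. Each app
# lists its known domains plus attributes answering the post's questions
# (does the vendor claim rights over your data, is it stored securely).
APP_CATALOG = {
    "X (Twitter)": {
        "domains": {"twtimg.com", "x.com", "twitter.com"},
        "attrs": {"claims_ownership_of_uploaded_data": False,
                  "encrypts_data_at_rest": True},
    },
    "SanPDF": {
        "domains": {"sanpdf.com"},
        "attrs": {"claims_ownership_of_uploaded_data": True,
                  "encrypts_data_at_rest": False},
    },
}

# Constructed policy: attribute values the administrator declares unacceptable.
UNACCEPTABLE = {"claims_ownership_of_uploaded_data": True,
                "encrypts_data_at_rest": False}


def parse_log(text):
    """Parse the constructed space-separated SWG format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, method, url, status, bytes_out = line.split()
        events.append({"ts": ts, "user": user, "method": method,
                       "host": urlsplit(url).hostname or "",
                       "status": int(status), "bytes_out": int(bytes_out)})
    return events


def resolve_app(host):
    """Map a hostname, or any parent domain of it, to a catalog entry."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        for app, entry in APP_CATALOG.items():
            if candidate in entry["domains"]:
                return app
    return None


def unacceptable_reasons(app):
    """Attribute names on which this app violates the declared policy."""
    attrs = APP_CATALOG[app]["attrs"]
    return sorted(k for k, bad in UNACCEPTABLE.items() if attrs.get(k) == bad)


def build_report(text):
    """Per-app summary (users, upload volume, policy violations) plus the
    hosts the catalog could not explain, which remain true Shadow IT."""
    summary, unknown_hosts = {}, Counter()
    for ev in parse_log(text):
        app = resolve_app(ev["host"])
        if app is None:
            unknown_hosts[ev["host"]] += 1
            continue
        s = summary.setdefault(app, {"users": set(), "bytes_out": 0,
                                     "reasons": unacceptable_reasons(app)})
        s["users"].add(ev["user"])
        s["bytes_out"] += ev["bytes_out"]
    return summary, unknown_hosts


def block_list(summary):
    """Policy building block: every known domain of each violating app,
    ready to be handed to the SWG, which is what actually enforces it."""
    domains = set()
    for app, s in summary.items():
        if s["reasons"]:
            domains |= APP_CATALOG[app]["domains"]
    return sorted(domains)


if __name__ == "__main__":
    summary, unknown = build_report(SWG_LOG)
    for app, s in summary.items():
        print(f"{app}: users={sorted(s['users'])} bytes_out={s['bytes_out']} "
              f"violations={s['reasons']}")
    print("unmatched hosts:", dict(unknown))
    print("block list for the SWG:", block_list(summary))
```

The point the example makes is the one in the post: the report and the block list are useful, but nothing here inspects or blocks traffic. `block_list` emits domains; something else has to enforce them.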

This is a perfect analogy for pureplay DSPM solutions today.  Security Service Edge (SSE) vendors today have all the visibility and control needed to protect your data in your sanctioned cloud applications, your web traffic, private apps, etc., so what does DSPM offer you?  DSPM helps you use your SSE data security technology more effectively just like Shadow IT helped organizations use their SWG technology more effectively.  With modern SSE portfolios, you can accurately classify and protect your data, but no matter what you do, you will find yourself worrying, “What don’t I know about?”  What apps are your users sending sensitive data to that you didn’t build a policy to prevent?  What types of sensitive data does your business work with that you never considered?  Are you violating some law that you’re totally unaware of?  DSPM aims to answer these questions.  It looks for any kind of sensitive data wherever you allow it to search.  It tells you what you don’t know so you can build a policy to protect yourself just like Shadow IT did.

The challenge is that many DSPM vendors are now stuck in the same situation Shadow IT was – they are forced to either remain reliant or to become redundant.  Most pureplay DSPM solutions are strictly discovery tools that do not protect data.  Now those vendors either have to rely upon established SSE vendors to enforce protections around the data that is discovered, or they have to build protection capabilities that many of their customers already have deployed through their SSE investments.  Their choice appears to have already been made, as many vendors have already built API integrations with IaaS and SaaS applications that are fully redundant with the CASB portion of established SSE solutions.

Put yourself in the shoes of an organization that has a robust SSE solution deployed and has also invested in a pureplay DSPM vendor.  The DSPM solution has shown you where you have sensitive data deployed, but you have to use the SSE solution to actually protect what’s discovered.  You have two separate solutions integrated with, for example, Microsoft 365, and they’re likely bumping up against Microsoft’s API rate limits while both tools try to scan the same data.  Does this approach make sense?  And, if you’re the pureplay DSPM vendor, how do you solve this problem?  Do you go build a solution to a problem that was solved by the CASB market roughly a decade ago?

I’m no market oracle, but the parallels between DSPM and Shadow IT are undeniable.  I think it’s at least logical to consider that DSPM might be on the same trajectory of being subsumed into the technology stack it aims to augment – primarily SSE.  Why should organizations be forced to implement both a DSPM and an SSE solution in order to discover and then protect their data?  Wouldn’t it make sense to have DSPM’s approach of automatic discovery be an integral part of the SSE stack which is ultimately required to actually protect the discovered data?  I suspect the market will eventually reach the same conclusion it did with Shadow IT: discovery and enforcement belong in the same platform.

About the Author

Tony Frum, Distinguished Engineer, Product Management, Skyhigh Security


Tony is a Distinguished Engineer at Skyhigh Security. Starting at McAfee in 2005, he has over 20 years of experience in the security industry specializing in Secure Web Gateway, Cloud Access Security Broker and Data Loss Prevention technologies.
