In a survey earlier this year, cybersecurity firm Proofpoint found that 74% of CISOs said that humans were the most significant security vulnerability and that 80% saw human risk – particularly negligent employees – as the most significant concern in the next two years.
The company’s annual Voice of the CISO report echoed what many other vendors have reported: despite an expansion of security awareness training programs, humans continue to be the weak link in data security.
Proofpoint is looking to address the issue with its proposed acquisition of Normalyze, a four-year-old startup in the increasingly competitive data security posture management (DSPM) space whose eponymous platform uses AI to help organizations identify and protect data at scale in public, private, and hybrid cloud environments and on-premises data centers.
Normalyze’s DSPM technology “will further enhance our [human-centric security] platform, allowing organizations to fill the security gaps caused by people in today’s complex, data-driven cloud era,” Proofpoint CEO Sumit Dhawan wrote in a LinkedIn post.
The acquisition – the first for Proofpoint since Dhawan became CEO a year ago – is expected to close in November. No financial details were released.
Dhawan wrote that he and other Proofpoint executives have been speaking with their Normalyze counterparts – including CEO Amer Deeba, a longtime veteran of cybersecurity firm Qualys – for several months.
“Upon the close of our acquisition of Normalyze, Proofpoint customers will have not only consolidated visibility and control of their sensitive information, but also the ability to classify and protect data at scale and across digital environments,” he wrote. “This is a big win for companies as they race to adopt DBaaS [database-as-a-service] and GenAI [generative AI] platforms, and we believe this is a win for Proofpoint as we work to protect people and defend data.”
In announcing the deal this week, Proofpoint officials pointed to the rapidly expanding use of not only generative AI technologies but also DBaaS and continuous integration/continuous delivery (CI/CD) practices, which have created a highly interconnected collection of data environments that are complex and difficult to secure. These practices also increase the risk that data will be improperly handled as developers focus more on accelerating outcomes, which can lead to them falling short on data governance needs.
The company also noted that people and systems are being granted more access to the data, which leads to lower visibility and control over that data.
“Today, data is at risk because of human behavior,” Mayank Choudhary, executive vice president and general manager of data security and compliance at Proofpoint, said in a statement. “Modern applications are rapidly changing, driven by small teams of developers working independently on microservices and various data sources, leading to an explosion of data.”
Choudhary added that “these modern applications are highly interconnected, making it hard for security teams to manage the heterogeneous and ever-growing sprawl of their data.”
Merging Proofpoint’s human-centric security platform with Normalyze’s DSPM offering will give organizations better visibility and control of their data security and reduce the risk from the human factor, the companies noted.
Ravi Ithal, co-founder and CTO at Normalyze, said in a statement that “as data has become increasingly difficult to secure, the driving force behind our mission and technology has been to help organizations secure the data they care about, wherever it is.”
Normalyze, which has about 80 employees, has raised about $26.6 million since 2020 and is backed by venture capital firms Lightspeed Venture Partners and Battery Ventures. Foundational to its DSPM platform is its One-Pass Scanner, which uses AI to identify and classify valuable data at scale across multiple environments. The scanning is done in place to ensure IT control, comply with data-handling regulations, and be more efficient. It includes APIs used to analyze the security of large language models for governance and visibility.
It also includes the DataValuator for assessing risk and other tools for remediating and preventing data security and management issues.
The deal for Normalyze comes more than a month after Proofpoint bolstered its own platform with Proofpoint Nexus – a collection of AI, behavioral, and threat detection capabilities to identify and mitigate risk – and Proofpoint Zen to better protect people working with email, collaboration apps, the web, and data.
It also comes as Proofpoint, which was bought by private equity firm Thoma Bravo in 2021 for $12.3 billion, reportedly is eyeing an IPO. Dhawan told CNBC earlier this month that going public could happen in the next 12 to 18 months, though the timeline isn’t set and will depend on such factors as market conditions and the results of next week’s presidential election.
He added that he expected Proofpoint would consider acquiring smaller cybersecurity firms to grow its capabilities in the runup to an IPO. With Normalyze, Proofpoint can expand its presence in a global DSPM market that is expected to grow from $4.2 billion in 2022 to $8.6 billion by 2027.