Yes, remediation is the bottleneck. But automation starts upstream

By Amy Ryu, Founding Product Manager, Teleskope

Last week Teleskope partnered with GDS Group for a CISO roundtable on the automation imperative in data security. Six security leaders joined me and Lock Langdon, VP and CISO at Aprio. The session was Chatham House on the substance, and revealing on the shape of the problem.

I'm usually the only vendor in the room at these conversations, which is the part I look forward to. CISOs talk differently when they're talking to each other. I went in expecting to learn what people are struggling with. I came out with a thesis I want to push back on.

The straw poll

The host asked everyone a single question. Where is your biggest bottleneck, detecting data risk or remediating it?

Five of seven said remediation. Two said both.

Nobody said detection.

Derek Stevenson, CISO and VP of IT at Mural, put the shape of it plainly. "No issue detecting it. Remediating it is probably the biggest bottleneck, balancing risk acceptance with the business." Joel Koshy, Senior Director of Data and Analytics and Enterprise AI Strategy and Governance at E2open, said the same thing from a different angle. Remediation, but proactively. The challenge is preventing exposure from accumulating, not finding it faster.

Jan Mast, Director of Global Cybersecurity at AeroVironment, put a sharper edge on it. With a lean team and a defense-industry risk appetite, the volume of signals isn't the issue. The constraint is what you can do about them.

Kenton McDaniel, CISO at Henry Schein, named the operational cost. "That remediation part is largely around communication to the business and the sentiment that comes with it. That's the real toll on my team."

This is the consensus. It's the part I want to push back on.

Remediation is the bottleneck because classification is

Here's the part the consensus misses. You cannot safely deploy automated remediation on top of a classifier that doesn't understand your business.

This is the hidden constraint behind every "we want automated remediation but" conversation I have with security leaders. The reason teams stall at automation isn't that they don't trust automation. It's that they don't trust the input. A platform that confuses a marketing one-pager with a customer contract is a platform you cannot allow to revoke access, redact a fragment, or delete a file.

What I heard underneath the bottleneck framing was this: my classifier produces too many false positives to safely automate, so I keep the human in the loop on everything, so my queue grows faster than I can clear it.

That's not a remediation problem. It's a classification problem with a remediation symptom.

The platforms that can actually automate at scale are the ones that built a context-aware truth layer first. Regex and flat ML classifiers can't carry remediation safely. Drop the threshold to catch the long tail and false positives spike. Raise it to suppress false positives and you miss what matters. There's no setting on a bad classifier that makes automated remediation safe.

The way out is classification that understands what data actually means inside a specific business. Document type. Access context. Business intent. The 1099 that's expected to contain an SSN. The marketing deck that contains no regulated field but is board-level sensitive. The contractor's stale share that was useful twelve months ago, but is a risk today.

Lock's "better together" story is the proof

Lock Langdon explained how this plays out in production. Aprio is a financial services CPA firm with a heavy Microsoft footprint. They use Microsoft Purview for DLP enforcement and Teleskope as the classifier that feeds it.

"We are a very large Microsoft organization, so we leverage Teleskope to actually do our labeling for us. It has a very high-efficacy auto-detection of the document type. It has context that can say, 'oh, well, obviously this is a 1099,' and in that 1099 there's these types of metadata. So it'll actually tag that information using the Microsoft Information Protection labels, which then allow us to leverage the more robust DLP engine that Microsoft Purview brings to the table. We're kind of building this 'better together' capability."

Read that quote again with the classification thesis in mind. Lock isn't bolting Teleskope on for the remediation; in the case of Purview labels, Purview already does the enforcement. He's using Teleskope because the labels Purview applies on its own are not good enough to safely automate against. Their Purview deployment performs because the input layer is right. Read more about how the "better together" approach works in practice.

Lock added another point that lands the same argument. "We leverage it for identifying secrets much more quickly than we do through Purview. If someone puts an API key or has passwords.txt sitting in their OneDrive."

Same lesson. Native enforcement was never the problem in their stack. Native classification was.

The two levers, in the right order

Later in the conversation we talked about what makes automated remediation safe enough to deploy. I named two levers. Confidence in the classification, often expressed as a threshold above which the system acts on its own. And the reversibility of the action.

Lock framed reversibility well. "It's not 'do we trust the automation' as a binary choice. It's 'what actions within scope are we okay with maybe failing on.' Understanding the reversibility, how quickly you can revert, always gives the technical team a little more comfort."

Both levers matter. But they're not equal. Reversibility is the safety net. Classification confidence is what determines how often you need it.

A platform with low-confidence classification and high-reversibility actions will run, but slowly. Every action requires a human to confirm. Every false positive degrades trust. The queue gets shorter than it would under an alert-only model, but not by much.

A platform with high-confidence classification and high-reversibility actions is what real automated remediation looks like. The system acts on its own when it's confident. The reversible action lets the user correct edge cases in one click. The human reviews only what the system flagged as ambiguous.

That's the playbook. Detection is fine. Remediation is where the work happens. But the work doesn't start at remediation. It starts one step upstream.

Get the truth layer right. The rest gets dramatically easier.

FAQ

What does "context-aware classification" actually mean in practice?

It means the classifier understands what a document is and what it means inside your specific business, not just whether it contains a pattern that matches a regex. A 1099 is expected to contain an SSN. A board-level strategy deck contains no regulated fields but is highly sensitive. A contractor's shared folder was useful last year and is a risk today. Flat pattern-matching can't make those distinctions. Context-aware classification can, and that's what makes it safe to automate against.

How does Teleskope work alongside Microsoft Purview?

Purview is a strong enforcement engine, but its native classification often isn't precise enough to safely automate against at scale. Teleskope acts as the classification layer that feeds it, applying high-fidelity, context-aware labels using Microsoft Information Protection, which Purview then enforces. The result is a "better together" architecture where each tool does what it does best: Teleskope handles the truth layer, Purview handles the enforcement plane. The combination is what makes automated remediation practical rather than risky.

What's the right way to measure whether automated remediation is working?

Alert volume is the wrong metric. The right ones are: how much of your exposure is being closed automatically versus manually, what your false positive rate looks like over time, and how quickly the system acts from detection to action. If your queue is still growing despite automation being turned on, the classifier confidence is the first thing to examine, not the remediation workflows.

Is automated remediation safe to deploy without a security team reviewing every action?

It can be, but only with the right guardrails in place. The key is starting with actions that are reversible and low-blast-radius: revoking a stale public share is a very different risk profile from deleting a file. Most teams deploy automation in tiers: high-confidence findings with reversible actions run automatically, lower-confidence or higher-impact actions still route to a human. The goal isn't full autonomy from day one. It's shrinking the queue to only what genuinely needs a human decision.
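The tiered policy described here, and the two levers (classification confidence and reversibility) from the earlier section, can be made concrete with a small gate. The following is an added example written for this page; it is not Teleskope's code and does not describe how Teleskope or Purview decide anything. The action set, the per-action thresholds, the review floor and the seven findings are all constructed assumptions, chosen so the same sample also shows the threshold trade-off the post mentions: lowering the auto-act bar raises recall but lets a misclassified file through.

```python
"""Added example (hypothetical policy, constructed data): a tiered remediation gate.

Two levers decide whether a finding is remediated without a human:
  1. classification confidence versus an action-specific threshold, and
  2. reversibility (blast radius) of the proposed action.
Irreversible actions never run unattended, whatever the confidence.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

class Action(Enum):
    REVOKE_PUBLIC_SHARE = "revoke_public_share"
    REDACT_FRAGMENT = "redact_fragment"
    QUARANTINE_FILE = "quarantine_file"
    DELETE_FILE = "delete_file"

# Assumed policy (not a vendor default): cheaper-to-undo actions get a lower
# auto-act bar; an irreversible delete always routes to a person.
POLICY: Dict[Action, Tuple[bool, Optional[float]]] = {
    Action.REVOKE_PUBLIC_SHARE: (True, 0.90),   # (reversible, auto_threshold)
    Action.REDACT_FRAGMENT:     (True, 0.95),
    Action.QUARANTINE_FILE:     (True, 0.97),
    Action.DELETE_FILE:         (False, None),
}
REVIEW_FLOOR = 0.60  # below this the finding is logged, not queued for a human

@dataclass(frozen=True)
class Finding:
    path: str
    doc_type: str          # what the classifier thinks the document is
    confidence: float      # classifier confidence in that doc_type
    action: Action         # remediation the platform proposes
    truly_sensitive: bool  # ground truth; only known because this sample is constructed

def decide(f: Finding) -> str:
    """Return 'auto', 'human_review' or 'log_only' for one finding."""
    reversible, auto_threshold = POLICY[f.action]
    if not reversible:
        return "human_review"            # lever 2: no safety net, so no autonomy
    if f.confidence >= auto_threshold:
        return "auto"                    # lever 1: confident and undoable
    if f.confidence >= REVIEW_FLOOR:
        return "human_review"            # ambiguous: the only thing a person sees
    return "log_only"

def triage(findings: List[Finding]) -> Dict[str, int]:
    """Count how the queue splits; the 'human_review' bucket is the real queue."""
    counts = {"auto": 0, "human_review": 0, "log_only": 0}
    for f in findings:
        counts[decide(f)] += 1
    return counts

def precision_recall(findings: List[Finding], threshold: float) -> Tuple[float, float]:
    """Precision/recall if the platform simply acted on everything >= threshold."""
    acted = [f for f in findings if f.confidence >= threshold]
    tp = sum(f.truly_sensitive for f in acted)
    fp = len(acted) - tp
    fn = sum(f.truly_sensitive for f in findings if f.confidence < threshold)
    precision = tp / (tp + fp) if acted else 1.0
    recall = tp / (tp + fn) if (tp + fn) else 1.0
    return precision, recall

# Constructed findings. Paths and types are invented for illustration only.
FINDINGS: List[Finding] = [
    Finding("finance/2023/1099-contractor.pdf", "tax_form_1099", 0.98, Action.REVOKE_PUBLIC_SHARE, True),
    Finding("marketing/one-pager.docx", "customer_contract", 0.72, Action.QUARANTINE_FILE, False),  # misclassified
    Finding("onedrive/jdoe/passwords.txt", "credential_file", 0.99, Action.REDACT_FRAGMENT, True),
    Finding("shares/contractor-2023/", "stale_share", 0.91, Action.REVOKE_PUBLIC_SHARE, True),
    Finding("legal/old-draft.docx", "customer_contract", 0.88, Action.DELETE_FILE, True),
    Finding("eng/README.md", "api_key_leak", 0.40, Action.REDACT_FRAGMENT, False),
    Finding("board/strategy-deck.pptx", "board_deck", 0.93, Action.QUARANTINE_FILE, True),
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{decide(f):13} {f.confidence:.2f} {f.action.value:20} {f.path}")
    print("queue split:", triage(FINDINGS))
    for t in (0.95, 0.70):
        p, r = precision_recall(FINDINGS, t)
        print(f"act-on-everything >= {t:.2f}: precision={p:.2f} recall={r:.2f}")
```

Running it shows the point of the post in numbers: with the tiered gate, three findings close automatically, one is merely logged, and only three reach a person, one of them the irreversible delete. Acting on everything at a 0.95 confidence bar gives perfect precision but catches only two of five real exposures; dropping the bar to 0.70 recovers all five but also quarantines the mislabelled marketing one-pager. No threshold fixes that; a classifier that stops confusing one-pagers with contracts does.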

How is automated remediation different from just setting up alerts in a SOAR or ticketing system?

A SOAR workflow or a ServiceNow ticket is a handoff, not a remediation. The exposure stays open while the ticket sits in a queue waiting for someone to action it. Automated remediation means the platform that classified the risk is also the platform that closes it (revoking the link, redacting the fragment, quarantining the file) in the same session, with a full audit trail. The distinction matters because mean time to remediation in a ticketing model is measured in days. In a native remediation model it's measured in seconds.