Yesterday, Varonis Systems announced a very solid quarter, reporting 19% year-over-year ARR growth and raising full-year guidance on the back of strong cash flow and demand for data centric security controls. As cyber becomes more granular and security architecture shifts closer to the data itself, these results underscore a broader truth: data-centric security isn’t a niche market—it’s the new mainstream.
Why Varonis’s Q1 2025 Matters
Varonis openly states that it is fighting a different cybersecurity battle by focusing on data-centric security rather than traditional perimeter defenses. Simply stated, they had a strong quarter as evidenced by:
- 19% ARR growth in a challenging macro environment—putting Varonis on pace with the fastest-growing public cyber-security names.
- Expansion into Database Activity Monitoring via the acquisition of Cyral — moving beyond discovery and classification into richer, integrated risk controls.
- AI-powered threat detection and Managed Detection & Response tailwinds, fueling both product innovation and go-to-market traction.
Taken together, these results show that organizations everywhere are doubling down on solutions that treat data as the ultimate security perimeter—discovering it, classifying it, locking down exposures, and detecting threats where data lives.
Spotlight on Cole Gromulus’ Analysis
Cole Gromulus of Strategy of Security captured this momentum neatly in his analysis of Varonis’ Q1 results: he notes that DSPM (Data Security Posture Management) was just the opening act, and that true leadership comes from building a consolidated security platform covering structured and unstructured data, cloud and on-premise, and discovery, classification, and prioritized remediation. Cole is absolutely right to shine a light on Varonis’s performance as a leading example of where the market is headed. TLDR: customers are demanding innovative solutions to help them:
- Discover where sensitive data resides
- Identify risks due to faulty permissions, misconfigurations, suspicious behavior.
- Generate actionable tickets so IT and security teams can remediate risk before data is accidentally lost or stolen
That said, the data centric security coin has two sides – one that aims to prevent sensitive data from accidentally leaving the organization – the other that aims to promote sharing of information with third-parties in a manner that does not sacrifice security, privacy, or control.
Until recently, most data centric security efforts have focused on preventing data loss: locking down perimeters, proxies and gateways to keep information from exiting the fortress. That playbook is no longer enough. In a world of collaborative cloud apps, AI-driven processes, and cross domain collaboration, data must travel—and remain protected—far beyond the traditional corporate network.
Enter the Trusted Data Format (TDF): an open standard that powers granular policy, access, and encryption controls that persist with data wherever it goes. By embedding granular access rules directly into files, emails, and streams, TDF makes it possible to:
- Maintain control over shared data—even after it leaves your firewall.
- Enforce attribute-based policies and identity-driven entitlements at the data object level.
- Revoke access or update permissions in real time, without having to recall or re-encrypt content.
This shift—moving security logic from the perimeter to the data itself—represents a broader picture with respect to where the future of data security is headed.
A Complete Picture of Data-Centric Security
As an industry, we must continue to celebrate the “defensive” elements of data security and all things DSPM — discover and classify sensitive data, identity risk, and generate tickets to remediate threats — but we also must embrace the “offensive” side of data security: enabling secure, compliant data sharing of information that fuels business value. That means:
- Embedding granular, persistent controls on data before it’s shared.
- Allowing trusted third parties to collaborate on sensitive information without sacrificing privacy or compliance.
- Driving new lines of business, analytics, and AI use cases on top of shared data—all while maintaining continuous visibility and control.
DSPM is the opening chapter of the data centric security story. The inevitable end game will certainly include granular policy and access controls so that an individual data object can carry its own security policy and governance model wherever it might roam.
Virtru: Riding the Rising Tide
At Virtru, we’re proud to be part of this important evolution in cyber security. Our Trusted Data Format underpins a suite of products that make secure, governed sharing simple—whether via email, files, applications, or analytics. By complementing perimeter based controls with data-embedded policy enforcement, we empower organizations to collaborate freely without fear.
As Varonis’s latest results demonstrate—and as Cole Gromulus has so thoughtfully analyzed—the data-centric security market is no longer on the horizon. It’s here, and it’s accelerating. Congratulations to Varonis on a stellar Q1, and here’s to building a future where data is not just protected from loss, but it’s also liberated to flow freely and drive innovation.
