Making SIEM Worth Loving: Why CISOs Need an Independent Security Data Pipeline
The CISO–SIEM Love-Hate Relationship
Security operations rarely start with love stories.
Ask almost any CISO how they feel about their SIEM and you’ll hear something like what Nanda Santhana, CEO and founder of DataBahn.ai, told me:
“I’ve never heard a CISO say, ‘I love my SIEM’… But SIEM is a very critical component in security operations. It isn’t dead.”
That tension – between frustration and absolute dependence – defines where many programs are stuck. Data volumes are exploding, architectures are hybrid, budgets are tight, and boards are asking pointed questions about AI. The old “send everything to the SIEM” pattern is quietly failing under the weight of its own success.

The Uncomfortable Truth About SIEM Data
Every CISO knows they’re paying to store noise, but Santhana quantifies it bluntly:
“You see about 20% of the data that is collected is actually being used. The remaining 80% of the data that’s shoved into the SIEM has no security relevance or value.”
That unused 80% is not just dead weight – it’s licensed, stored, and sometimes indexed at premium rates. Meanwhile:
- Data volumes are growing roughly 30% year over year.
- Architectures span “a little bit of Google, a little bit of AWS, a little bit of Microsoft, a little bit of on-prem.”
- Many organizations are already hitting SIEM ingestion or license ceilings.
The result is paradoxical: when security teams want to onboard crown-jewel applications, OT and IoT from manufacturing, or critical SaaS platforms, there’s often no room left. As Santhana put it, “The only way to make it happen is to go upstairs again and get a new budget approved, which is becoming very hard for CISOs these days.”

All of this is happening while boards push in another direction:
“The board is coming down and saying, ‘Do you have AI agents right now? Can you start looking at AI agents before you start requesting more full-time employees?’”
CISOs are being asked to handle more data, with smarter analytics, using fewer people and not much more money – on top of a SIEM that’s overloaded and under-loved.
The Shift: Own Your Data, Don’t Rent It
In response, a clear architectural shift is underway. Santhana describes what she sees across customers:
“Customers actually want to own their own data in their own data lake… They want to only send the security-relevant data to their SIEM.”
The emerging pattern looks like this:
- All telemetry (security, IT, business) is collected into an enterprise data lake (Snowflake, Databricks, AWS S3, Microsoft security lakes, etc.).
- Security-relevant data is normalized and pushed into the SIEM.
- Operational and noisy logs (heartbeats, diagnostics, traces, debug) are routed to observability platforms.
- The lake becomes the system of record for both cyber and business data.
That shift is about more than cost. It’s about being able to understand major events in a business context. Santhana frames it with a simple scenario: an outage could be ransomware, a vendor misconfiguration, a burned-out component on the manufacturing floor, or “a person named Dave” making a mistake.
If cyber data lives in one silo and operational data in another, you can’t easily tell which story is true. When they share a lake, partitioned but queryable, you can.
Breaking the Monolith: Why the Pipeline Must Be Independent
Today’s SIEMs are overloaded because they try to own the entire stack: connectors, storage, analytics, and response. As Santhana notes, SIEM vendors constantly wrestle with where to put limited engineering effort: new integrations, cheaper storage, better detections, or richer automation.
The architectural answer is to separate the pipeline from the SIEM.
“With the pipeline product in place, which is a modern architecture, you’re breaking it down into pieces… When your kitchen faucet does not work, you don’t cut the entire pipeline behind the wall. You just remove the kitchen faucet and bring a new one.”

In this model:
- The pipeline becomes an independent, vendor-neutral layer that collects, normalizes, enriches, classifies, and routes data.
- The SIEM focuses on correlation, advanced detection, investigation, and response.
- The data lake serves as the long-term, open-format store that other analytics and AI can consume.
Santhana calls this independent layer the “Switzerland of data pipeline” – neutral, connected to everyone, and not writing data into proprietary traps.
Inside an Intelligent Pipeline
What changes for a CISO when that independent pipeline is in place?
First, connectors stop being projects. DataBahn, for example, provides hundreds of prebuilt connectors and an AI-based collector framework:
“If a CISO or a CIO wants to bring in a new system, our AI agent will crawl the web, look at the documentation and make the connector for you on demand. That’s called Cruise Connect.”

Second, normalization and enrichment become automatic. Whether the destination is Splunk, Microsoft Sentinel, Google SecOps, Exabeam, or Anomali, the pipeline knows the format and shapes the data accordingly:
“The system automatically says, ‘Oh, you need the data in so-and-so format.’ It automatically normalizes… We think data engineering is not required in 2026. I think a system needs to take care of those things.”
Third, the pipeline understands security relevance. High-value security data flows to the SIEM, operational noise flows to observability, and full-fidelity data lands in the lake:
“We end up sending the security-relevant data to the SIEM. The non-security data, we send it to a data lake… observability logs we send to an observability platform.”
Finally, because data now lives across SIEM, lake, and cold storage, the pipeline provides a unified search and visibility layer – plus insights when data stops flowing or sensitive information leaks to the wrong place.
For CISOs, that translates into lower SIEM costs, fewer integration bottlenecks, and better assurance that detections are actually fed and functioning.
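The routing and flow-monitoring behaviour described above, as an added Python example (not DataBahn's code): every event lands in the lake, security-relevant types also go to the SIEM, operational noise also goes to observability, and a source that stops sending is reported. The event types, source names, and 15-minute silence threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed event types; a real pipeline would maintain these per source.
SECURITY_TYPES = {"auth_failure", "process_start", "fw_deny"}
NOISE_TYPES = {"heartbeat", "diagnostic", "trace", "debug"}

class Router:
    def __init__(self, max_silence):
        self.max_silence = max_silence   # longest tolerated gap per source
        self.sinks = {"lake": [], "siem": [], "observability": []}
        self.last_seen = {}              # source -> newest event timestamp

    def route(self, event):
        """Deliver one event and return the destinations it was sent to."""
        src, ts = event["source"], event["ts"]
        self.last_seen[src] = max(ts, self.last_seen.get(src, ts))
        dests = ["lake"]                 # the lake keeps every event
        if event["type"] in SECURITY_TYPES:
            dests.append("siem")
        elif event["type"] in NOISE_TYPES:
            dests.append("observability")
        for name in dests:
            self.sinks[name].append(event)
        return dests

    def silent_sources(self, now):
        """Sources that have sent nothing for longer than max_silence."""
        return sorted(s for s, seen in self.last_seen.items()
                      if now - seen > self.max_silence)

def run_demo():
    t0 = datetime(2026, 1, 1, 12, 0, tzinfo=timezone.utc)
    at = lambda m: t0 + timedelta(minutes=m)
    events = [  # constructed sample telemetry
        {"ts": at(0), "source": "edr", "type": "process_start"},
        {"ts": at(1), "source": "fw", "type": "fw_deny"},
        {"ts": at(2), "source": "app", "type": "heartbeat"},
        {"ts": at(3), "source": "app", "type": "debug"},
        {"ts": at(20), "source": "fw", "type": "fw_deny"},
        {"ts": at(21), "source": "app", "type": "trace"},
        {"ts": at(25), "source": "erp", "type": "invoice_posted"},
    ]
    router = Router(max_silence=timedelta(minutes=15))
    for e in events:
        router.route(e)
    counts = {name: len(sink) for name, sink in router.sinks.items()}
    return counts, router.silent_sources(now=at(30))

if __name__ == "__main__":
    print(run_demo())
```

In the sample, the EDR feed is the one flagged as silent: a detection that depends on it would otherwise keep reporting nothing without anyone noticing that its input stopped.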
A Three-Phase Roadmap for CISOs
Santhana frames this evolution as a three-phase journey.
Phase 1: Own your data, modernize the plumbing
- Introduce an independent pipeline.
- Stand up or expand an enterprise data lake.
- Normalize into open formats so analysts don’t have to learn new parsing languages per tool.
- Keep your SIEM, but stop treating it as the only destination.
“Start owning your own data. You don’t need to put this data behind a SIEM,” she says. “A SIEM is still required. It’s 100% required.”
Phase 2: Explore headless SIEM where it fits
Organizations with strong internal engineering may move analytics directly onto the data lake:
“People are now looking at headless SIEMs where they run directly on top of the data lake… It really holds good for organizations which have a lot of technical oomph.”
Others will keep a traditional SIEM in front. The key is that the pipeline doesn’t lock you in either way.
Phase 3: Operationalize AI with micro-agents
Once data is owned, normalized, and queryable, AI finally becomes practical:
“We’re starting to see not broad-stroke AI agents, but very small, purpose-built what I call micro agents. They are meant to do specific tasks.”
Examples include parsing large PDFs, accelerating compliance reviews, scoring vulnerabilities with business context, and supporting third-party risk management.
To support this, DataBahn is introducing an “exit” on the pipeline highway to large language models, so customers can bring their own models and build micro-agents that snug-fit their own data.
Making SIEM Worth Loving
For CISOs, the message is not that SIEM is obsolete. It’s that SIEM needs the right role in a modern architecture.
- Let SIEM do correlation, detection, and response.
- Let your pipeline handle ingestion, normalization, and routing.
- Let your data lake be the durable, open home of your security and business data.
- Let AI micro-agents sit close to that data, solving specific, high-value problems.
As Santhana puts it, “We are making SIEM great again.” By reducing noise and expanding meaningful coverage – including OT, business transactions, and crown-jewel systems – SIEM becomes more valuable, not less.
If your renewals are creeping up, your data feels trapped, and your board keeps asking about AI, now is the time to rethink the plumbing. Start by insisting on one principle with every vendor in your stack:
Help me own my data. Don’t own it for me.
Learn more at https://www.databahn.ai/
About the Author

Pete Green is the CISO of Anvil Works, a ProCloud SaaS company, and co-author of “The vCISO Playbook: How Virtual CISOs Deliver Enterprise-Grade Cybersecurity to Small and Medium Businesses (SMBs)”. With over 25 years of experience in information technology and cybersecurity, Pete is a seasoned and accomplished security practitioner.
Throughout his career, he has held a wide range of technical and leadership roles, including LAN/WLAN Engineer, Threat Analyst, Security Project Manager, Security Architect, Cloud Security Architect, Principal Security Consultant, Director of IT, CTO, CEO, Virtual CISO, and CISO.
Pete has supported clients across numerous industries, including federal, state, and local government, as well as financial services, healthcare, food services, manufacturing, technology, transportation, and hospitality.
He holds a Master of Computer Information Systems in Information Security from Boston University, which is recognized as a National Center of Academic Excellence in Information Assurance / Cyber Defense (CAE IA/CD) by the NSA and DHS. He also holds a Master of Business Administration in Informatics.
