Too many firms, Cates says, haven't completed what he calls the "blocking and tackling" of data discovery and classification. After taking a hard look at their data assets, many firms conclude with confidence that only around 10 to 20 percent of those assets are mission-critical, and therefore in need of the strongest protection.
"Not everything is valuable. In most organizations it's a very small percentage that's very valuable," Cates says.
Even as firms like Vormetric urge companies to become more vigilant in locking down their data, the security units of an organization cannot operate in a vacuum. Cates stresses the importance of the CISO partnering from the outset with the CIO -- and by extension the business side of the house -- to strike an appropriate balance of data security that does not unduly hinder the mission.
"You've really got to make sure security is step 1, because it's really hard to retrofit security in after the train's left the station," Cates says. That process must be collaborative, he says, appealing for the security wing of the enterprise to show a measure of restraint and develop a data policy that respects the legitimate business concerns of access and usability. "Don't break the business -- rule number 1 as a CISO is you can't break the business."