Often, companies take their budgets and invest only (or mostly) in technology, expecting it to do the rest of the work for them, explained Shey. They're not investing in the front end, such as internal processes or policies, which isn't necessarily technology. Some of these solutions need to be fine-tuned or fixed so they look for exactly what the company wants.
"Until they get their house in order on the front end, anything they throw on the other side is not as effective as they would have hoped or expected it to be," said Shey. "If you don't know what your data is or what you need to protect, you can't do much to protect it properly."
Since some of the solutions, like data leak prevention (DLP), are not a silver bullet, Shey recommended a more holistic approach to security by using a data control framework. Things like DLP and encryption are useful for data protection, she said, but they're very tactical. "You need to be more strategic on a higher level," she said. "That's where this kind of framework comes in."
The framework is split up into three parts, the first of which involves a company defining its data, the very thing it wishes to protect. So aspects like data discovery, classifications, and determining what exactly the company values all come into play here.
Then companies need to dissect their data. Companies typically have traditional reporting tools, said Shey, which tell them about alerts and events. They can then analyze this data and see what information they can glean about visibility, their environment, and what exactly is going on in that environment. They can also look at data flows to see where the data goes and how it's being used. By looking at their security data and information about their data, companies can determine the requirements that need to be put on the type of data they're handling.
The final part of the framework is, of course, defending. Defending and inspecting access controls, proper data disposal (getting rid of data that is no longer needed, as it could be a liability), and killing or encrypting data are all imperative in carrying out the last step of the data control framework.
"The framework is a way we found to be really helpful with enterprise clients," said Shey. "It's a good way to think about this whole big picture view on how to handle and treat data in the enterprise."
Security teams are beginning to take on more responsibility, too. When it comes to privacy, security is only one aspect of the larger picture and as such, IT security groups generally are not the only ones involved. The survey results, however, indicated that 30 percent of the respondents' security teams were "fully responsible" for privacy and regulations, with the most frequent answer being that security is "mostly responsible" at 34 percent.