He acknowledged, however, that only around 10% of organizations are ready to take such a leap and have the cultural maturity for it to work.
As for the third old-school truism -- the default stance of denying access, except where someone decides an employee needs it -- that also has to go, he said. "How do you prevent access to information if you don't even know where the information is?" he asked. It's time to assume everyone needs access to everything, except where the information owners have decided the data cannot be shared for legal reasons, because of HR rules, or regulations.
"Focus on protecting the data that needs it," Scholtz advised.
Other security pointers came from Bob Smock, vice president of security and risk management at Gartner.
- Not all risk is created equal, he said, nor should it be treated equally.
- Secure software development, access management and security governance are three of the highest-risk areas in most companies.
- The three essential questions to answer for security are: How bad is it, what's really broken and must be fixed, and what will it cost?
- Buy down security exposure through appropriate levels of spending. On average, companies spend around $450/employee on security.
- Proper identification of weaknesses and consequences is key to how you invest.
- Information protection requires both strong processes and effective technologies.
In the end, IT leaders "are not the true decision-makers" on security, Smock said. "Our job is to inform senior leadership about the risks, and they can make decisions based on our data."
Just don't continue to rely on the old security basics, Scholtz said. "Digital business represents a huge opportunity, but it also changes the risk position. The traditional approaches just don't scale anymore."
Sign up for CIO Asia eNewsletters.