It brings to mind the story of the little Dutch boy attempting to stop a leaking dike with his finger. When a hole is discovered (through testing or an attack) we work to plug the leak quickly, and then wait for the next leak.

The problem with this approach is obvious. It focuses on defending against the last successful attack, and requires organizations to anticipate all possible weaknesses and attack vectors. We see proof every month that this strategy will eventually fail.

A better approach starts with a simple threat modeling exercise: For your organization, what are the likely goals of an attack? In the vast majority of cases, the answer is stealing data. It may be personal information or credit card numbers for criminals interested in financial gain, or source code, design documents, and trade secrets targeted by nation-states or competitors.

Rather than enumerate every possible attack vector and build a corresponding defense (and there are probably some you won’t think of), a better solution is to protect the data itself. A data-centric approach applies protection to the data and enforces usage policies based on the sensitivity of the data, the user, and the intended action (e.g. email, move, copy, print).

At its core a data-centric approach focuses on three things: identifying your most sensitive data, continuously monitoring that data so you know what’s happening to it at all times and locations, and protecting that data through the right level of usage controls and encryption. Protection that travels with the data simplifies the security challenge.

Or, like the little Dutch boy, we can continue to plug holes, hoping not to run out of fingers…