In other words, "coordinate but don't duplicate," according to Robert Charette, director of the enterprise risk management and governance practice at Cutter Consortium.

At the same time, it can be frustrating to stand by and watch as your company refuses to make investments in securing areas that aren't regulated. "I have designed security for dozens of companies, and none of them have ever secured anything they didn't absolutely have to, especially customer data," says Mark Rhodes-Ousley, an information security architect. "Even the simple precaution of encryption is almost never practiced."

With the possibility of regulations requiring encryption on hard drives looming on the horizon, Rhodes-Ousley is starting to see companies deploy encryption on their endpoint workstations. "This is only a beginning, but I'm hopeful," he says.

"It shouldn't take a federal law to make a company start caring about how the personal information that they've been trusted with is being handled," says Christopher Bomar, founder of Boomarang. "But unfortunately, that's how companies are operating now as a majority."