It is difficult to name an IT industry that has stayed the same as long as ours has. It's as if we've had blinders on, telling ourselves to stick to breach prevention. But that mindset isn't advancing organizations. Take a look at other sectors within the IT industry and you'll see huge change in the last five to 10 years because we didn't have a choice. The way people demand, use and share data is nothing like 2002 and today the problem and the solution just don't match up. It's no longer just about the network or our PCs. It's about the actual data.

Now, that isn't to suggest that organizations should stop investing in key breach prevention tools or do away with . What we need to do is place our bets on strategies that protect our most valuable assets. Just like the military, IT should always presume to be functioning in a compromised state.

* Understanding: The third step is knowing who your enemies are and what they're after. Today's threat is not from kids looking to prove they are smart enough to deface a website. Modern adversaries are sophisticated, international organizations whose business is to defeat your defenses. They might be organized crime syndicates, nation-states or .

No matter who they are, they have the skill, financial backing and motivation to defeat your defenses. You don't protect yourself against these kinds of sophisticated organizations by building a bigger wall around your house -- they will simply build a bigger ladder. You protect yourself by making it so difficult to access what they crave -- which is always your data -- that they give up and move on to someone else. In business terms, you create a very poor return on their investment in trying to steal your data.

How do you do this? First, you put yourself in the mindset of your adversary and understand what they want to steal from you. From there, you'll quickly realize that protection must be moved closer to what really matters -- the data itself. Obviously, this means .