Database security: At rest, but not at risk

30.07.2012

For instance, the security team may run vulnerability scans whose results the database admins don't act on, or the database team may start securing the environment without knowing how to do it well. "Getting the two teams together to accept database security as a shared problem is one of the most important keys, far more than any technology out there," Shaul says.

Integrate with other systems: While many organizations begin their database security efforts with vulnerability scanning, they struggle to know what to do with the reports those scans produce, Hortobagyi says. "Scanning is the easy part," he says.

"You need an effective way to track, manage and remediate vulnerabilities over time. How do you manage vulnerabilities that you can't patch right away, or that will be upgraded 'soon'?" The answer is to hook the findings into other enterprise processes and systems, such as trouble-ticket processes, a case-management system or a SIEM system, he says.

Don't boil the ocean: When beginning their database security programs, companies often make the mistake of trying to go from zero straight to 60 mph, Shaul says, resulting in frustration. Instead, they should prioritize a high-impact subset of issues or highly valuable databases and add on from there.

A phased improvement plan begins with database auditing and vulnerability scanning, Hortobagyi says, then moves up to access rights management, and then to activity monitoring, real-time protection and threat correlation.