"You need to centrally manage and push [changes] out to all types of devices and have a consistent approach because when it comes back to compliance, that's what you need," he said.

The project that Bergen knew would be funded when he found the thumb drive in the boardroom chair covers the first two of these elements. In particular, he said, when a mobile device connects to his company's servers to get the information, the device is first verified and authenticated, then the data is automatically encrypted.

"We encrypt the entire [device] one level below the operating system so if the machine is lost or the disk is stolen, it can't be read," Bergen said. "With, say, a USB drive, the whole device is encrypted, not just a directory or file, and it is usable only by computers in the same encryption domain."

Such tangible steps typically must grow out of broader policies and procedures.

"Firms have to rely on policies and procedures," Gibbons said. "For example, maybe you can't use your cell phone for certain types of communications. Or, you have to use approved network systems."