Monday, March 30, 2009

Devolution, job responsibilities and data-centric security

It seems the data/information-centric approach to data protection is gathering more steam. An interesting article in CSO Magazine by Forrester analyst Andrew Jaquith talks about giving up control to gain control, using a data-centric security approach. Very interesting.

It talks about forgoing an infrastructure-control perspective in favor of being more data-centric, and giving up responsibility to those who use the data.

Here is a short excerpt:

"Instead of beating your head against the wall, devolve responsibility to the business, keeping controls closest to the people who use the data. IT security should be primarily responsible only for deploying data protection technologies that require minimal or no customization."

Another excerpt I agree with:

"Confronted with these three challenges, some nervous CIOs and CSOs choose to throw the proverbial kitchen sink at the problem: DLP, encryption-everywhere, enterprise key management, NAC, and employee education. However, this approach will fail because at its roots, the problem of data security stems from four sources: digital information was meant to move; information classification isn't ingrained into work processes; technical solutions aren't standardized; and accountable parties are too far from the controls."

The main one being (highlight above is my emphasis) - data is meant to move, distribute and gain in value! You cannot stop data from moving and be a friend of the business!
