Organisations need to move their focus away from single-point security products to more holistic, information-based security according to Symantec.
"Clearly we've moved to a point in time where our customers have to be much more focused on protecting the information itself, as opposed to protecting the PC or protecting the network," said John Thompson, Symantec's chairman and CEO, at a symposium in Washington DC. "While those are necessary components of a protection strategy, they're not the end all. More has to be done."
In recent years, US lawmakers have focused their attention on data breaches and lost laptops, and federal agencies have scrambled to meet requirements for encrypting information on laptops and other mobile devices. On Monday, the US Government Accountability Office released a report saying that only 30 percent of sensitive data on mobile devices at 24 major agencies had been encrypted as of last September.
Encryption can be an important piece of a cybersecurity strategy, but it's just one piece, Thompson and John McCumber, Symantec's strategic programs manager for the federal public sector, said in later interviews.
Encryption isn't "the solution" to data-loss prevention, Thompson said. "Good data-loss policies start with the understanding of, what is the critical data that I have and where is it?" he said. "In many instances, there is some critical and sensitive information on every laptop. But not all information that's on that laptop is critical and sensitive."
Instead of focusing on single-point security solutions, Symantec has been encouraging U.S. agencies to look at the information they hold. The security vendor recommends agencies create "thoughtful" data classification and retention policies, Thompson said. Such policies will make it easier to manage and find data in the long term, he said.
"You've got to look at what value you place on the information," added McCumber. "Nobody wants to pay [US]$500 (£250) to protect a $50 asset."
Agencies looking at cybersecurity from that information-centric perspective may find that adopting industry best practices - what other agencies or private companies are doing - may not work for them, McCumber said. Each organisation needs to look at its own security challenges and risk, and work toward a data protection plan that works best for it, he said