There are many reasons why a data security strategy could self-destruct, not the least of which is a new breed of highly motivated data thieves who stand to make a considerable profit on customer and other sensitive information in data centers. We're often so mired with putting out data security and compliance fires that we don't have time to step back and look at the high-level issues that could have prevented many of those fires from igniting in the first place. Let's review four of the critical reasons why the security strategies of many companies are unintentionally opening them up to increased risk.

1. The Déjà vu Strategy: Doing more of what they have already done. I see this all the time. Companies beef up existing security hoping that it will address new security threats. I call it "outside-in versus inside-out security" because often the company will add more perimeter security rather than covering additional critical bases like core databases and edge data leaks.
2. The Rules Are the Rules Strategy: Relying on policies, like access control, without properly monitoring what is actually happening in the environment. This is especially ineffective against the insider threat. Improved password management, authentication, and better access termination policies are all noble causes, but until a company can actually see what is going on with data, who is really accessing it, and what they are doing with it, they will leave data open to risk.
3. The One Bite at a Time Strategy: Thinking about security in pieces rather than viewing it as a whole. For example, I have a laptop problem, an email problem or a database problem rather than a data security problem. One prime example is adding edge security like DLP (data loss prevention) and ignoring core security like DAM (database activity monitoring).
4. The What's Hot Security Strategy: Approaching security from a perceived-value perspective, based on what seems to be the must-have technology at the moment, rather than a risk-management model. Many companies do not evaluate technologies by the risk they mitigate versus the cost to do so. Encryption is a good example. Some kinds of encryption can cost a great deal yet eliminate only a small amount of risk. There are other technologies that eliminate a great amount of data risk with a relatively small investment.

Data security is a complicated problem, but security strategies often fail for simple reasons. Stepping back and seeing the problem as a whole is difficult for administrators and managers on the front lines because their jobs require them to be in a reactive mode much of the time. It's up to the people who chart strategic direction to maintain a high-level view and avoid shortsightedness when creating security strategies. Losing perspective based on maintaining an outdated direction, lacking an ongoing security program assessment, ignoring the big picture when it comes to data risk, or leaning toward solutions with the most marketing dollars could mean that when it comes to increased data risk for your company, it will be déjà vu all over again.