Ironically, that really seems to be the case. Data security truly is the new data security. I've been spending a lot of time with CIO and CISO types over the past several months, and so many of them are starting to realize that their "secure perimeter" has finally shrunk to the data itself. Allow me to explain...
Information security has always been about securing corporate data (hence the name "information security" - clever, huh?). For as long as most of us can remember, we were able to secure wide swaths of corporate data simultaneously by creating a secure perimeter. We secured devices by managing them tightly and installing endpoint security software. We secured corporate data centers and offices by placing security infrastructure between those locations and the bad guys. We even secured our data from ourselves, by walling off segments of our internal networks and controlling access. The point of all of this, of course, was to secure corporate data.
Fast forward to today - in a world of cloud apps and BYOD, we no longer control the underlying infrastructure, so using that infrastructure as a means to secure corporate data is out the window. Microsoft won't allow me to install firewall, IPS, anti-malware and DLP appliances in front of Office 365, and my employees won't allow me to take over control of their personal devices and configure them as I please.
The last remaining thing that the enterprise controls is the data itself. That spreadsheet with next quarter's financial projections. The X-ray containing Protected Health Information. The PPT outlining the company road map.
Today's progressive IT security leaders are becoming aware of this, and are actively seeking ways to solve these problems. Encryption is a start, but it goes beyond encryption - data leakage prevention, data classification, anomalous activity detection, etc - all of these techniques will have a home in the data-centric security approaches that we are forced to take moving forward.
This may sound like a straightforward adaptation of existing technologies to a new deployment model, but it goes so far beyond that. It's a rewiring of our entire approach to security, our policies and procedures, and new skills for already overburdened IT security professionals to learn.
If this sounds like a conclusion you have made or are close to making, take a look at Bitglass.