It is time to acknowledge that security policies and technology alone, without “buy-in” by staff, and enforcement by management, will not resolve the needs for regulatory compliance, and for the safety of customer, partner and employee information. Security tools will play their role in securing sensitive data from acquisition by the enterprise until its storage and deletion. However, it remains the task of management to make real-world assessments of risks to data, how those risks are best mitigated and how these assessment decisions are promulgated and enforced throughout the enterprise. But ultimately, as I see it, the real challenge is in establishing a genuine “culture of security” where staff and management view their data resources as central to the health and success of their organisation.