External data breaches (think: Anonymous) and internal data leaks (think: Edward Snowden) have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are their security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly?
Many of the questions and much of the confusion has to do with executives not understanding where their critical assets are and how to protect them. Their sense of security is skewed because they passed their compliance requirements, causing them to think they are safe. Most companies, if they were truly targeted by a sophisticated and determined attacker, would fail miserably.