In the information security world we face two major types of threats: “noisy” threats which directly interfere with our ability to do business and “quiet” threats which cause real damage, but don’t necessarily prevent people from doing their jobs.
Noisy threats such as viruses, worms, and spam attack both networks and systems and visibly disrupt productivity and business operations. Because these attacks are highly visible (and often very annoying), it is easy to justify investing in defenses against them.
Quiet threats, such as data theft, are far more insidious: they can go undetected for years. When a breach is eventually discovered, you may not even be able to calculate the material damage it has caused. In many cases, such as the theft of credit card data, the loss falls on someone else entirely. That is why security investments against quiet threats are often forced upon us by regulation or contractual obligation rather than chosen on their own merits.
In a parallel evolution, the risks themselves have changed: attackers have realized it is both easier and more profitable to target our data directly. The deficiency lies in how security resources are distributed, since they remain concentrated on the perimeter while the attacks have moved inward. Now that the organizationally simple protections (such as firewalls) are well understood and broadly implemented, the battle has shifted to more subtle and involved problems.
The threats against our perimeter security are still very real, but newer threats against information assets require much different security controls.
The answer is a change of mentality: move to "information-centric security" and use products that monitor all activity in business applications and databases, identify and audit both users and content, and, driven by central policies, protect data based on its content, its context, and/or the activity being performed on it.