Government agencies and private companies need to move their focus away from single-point security solutions to more holistic, information-based security, Symantec officials advised.
"Clearly we've moved to a point in time where our customers have to be much more focused on protecting the information itself, as opposed to protecting the PC or protecting the network," John Thompson, Symantec's chairman and CEO, said Thursday at the company's government symposium in Washington, D.C. "While those are necessary components of a protection strategy, they're not the end all. More has to be done."
In recent years, U.S. lawmakers have focused their attention on data breaches and lost laptops, and federal agencies have scrambled to meet requirements for encrypting information on laptops and other mobile devices. On Monday, the U.S. Government Accountability Office released a report saying that only 30 percent of sensitive data on mobile devices at 24 major agencies had been encrypted as of last September.
Encryption can be an important piece of a cybersecurity strategy, but it's just one piece, Thompson and John McCumber, Symantec's strategic programs manager for the federal public sector, said in interviews Thursday.
Encryption isn't "the solution" to data-loss prevention, Thompson said. "Good data-loss policies start with the understanding of, what is the critical data that I have and where is it?" he said. "In many instances, there is some critical and sensitive information on every laptop. But not all information that's on that laptop is critical and sensitive."
McCumber recently had lunch with a member of the U.S. Congress who suggested that better encryption technology would solve the government's data-loss problems. But McCumber told the lawmaker that encryption can't protect data that's being processed.
"If you think cryptography is the solution to this problem, you don't understand the problem and you don't understand cryptography," said McCumber, a former encryption expert at the U.S. National Security Agency.
Instead of focusing on single-point security solutions, Symantec has been encouraging U.S. agencies to look at the information they hold. The security vendor recommends agencies create "thoughtful" data classification and retention policies, Thompson said. Such policies will make it easier to manage and find data in the long term, he said.