It may be impossible to secure enterprise data completely, but as the threat landscape changes, enterprise security has been slow to catch up. For some, new standards such as the credit card industry's PCI-DSS served as a wakeup call. Yet many companies that have gone through the process of complying with new security standards still remain far from securing themselves.
While I think Mr. Sarel's point that many companies are still not secure is basically accurate, I was surprised about his characterization of companies that have gone through the process of complying with the new security standards as "far from securing themselves." Actually complying with the relevant standards can have a significant impact on an organization's security. Case in point: TJX. According to publicly available data, that company's breach was made much worse than it had to have been because TJX had basically no idea what was going on - even to the point that hackers passed encrypted messages to each other over TJX's network. That type of use of a compromised network would have been detected if TJX had been following the 10th requirement of the PCI DSS: track and monitor all access to network resources and cardholder data. Rather than leaving a company far from securing itself, compliance with the applicable regulations (e.g., GLBA, HIPAA, PCI DSS) actually leads to better security. This is something that Mr. Sarel glosses over when lumping compliant and non-compliant entities together, and, in my opinion, is something that weakened his article overall.