How You Can Fight Cybercrime
Online crime is organized and growing, and so is your organization's risk of being attacked. Here's how to mitigate that risk.
He doesn’t think he has a choice because the auditors have become tougher. In the wake of the attack, the bank strengthened its audits that tested for vulnerabilities, both online and off. One of those tests inside branches found that crooks didn’t need the Internet to gain access to data. “We had guys sling monitors over their backs and tell the tellers they needed to fix the computers. They got past our tellers in three branches,” Dougherty sighs. “But I would rather have the auditors find these things than someone else.”
With so much at stake, however, CIOs have to move beyond such traditional defensive strategies. They need a protection strategy for the data too. The threat of security breaches by rogue employees or contractors has always been higher than the threat from criminals outside. But now the outsider threat has increased because of the greater portability of data via mobile devices, says Joe Nackashi, CTO of Fidelity Information Services, which hosts data not just for Fidelity but for other financial services companies as well.
In 2004, Fidelity began encrypting all of its financial data, not just on its internal systems, but on any device that enters or exits the data center, including laptops, thumb drives and magnetic tapes for mainframes. This way, “even if you lose the data, it will be scrambled when someone tries to recover it,” says Nackashi.
But encryption is expensive (because of the effort involved to dress data in extra scrambling code) and complex, requiring processes for deciding what to encrypt when, where, why and by whom. Furthermore, encryption is only as strong as its weakest link. If business partners and contractors don’t follow the same processes and use the same encryption methods, all that scrambling is for naught. These difficulties probably account for why only 16 percent of organizations surveyed by the Ponemon Institute said they had an enterprisewide encryption strategy.
Yet more companies, including those outside of financial services, will need to consider encryption for their most sensitive data. The growth in mobile devices and the ability of employees to install and run their own software give data legs to run around the firewall—what Nackashi calls “data in flight.”
Though Nackashi won’t say how much Fidelity spends on its encryption effort, it is evident in the amount of management time he has devoted to it. “Two years ago, it probably consumed 100 percent of my time because we were planning the strategy,” he says. “Today we’re in implementation mode, so it is probably 30 percent.” This despite the fact that Fidelity has a full-time chief information security officer who is Nackashi’s peer. Overall, Fidelity’s security staff has grown 30 percent over the past two years, he estimates. “This isn’t something you can compromise on from our perspective,” he says. “The nature of the business we operate in leaves us no luxury to play fast follower.”



