Anyone can be breached. Risk of breach and data loss is an increasingly significant issue, but not just a technology issue, and technology alone regardless of spend will not fix it. Mitigating the risk of data breach demands recognition of a flaw in the data protection strategies of too many very large and competent organizations that have emphasized the reliance on technology to broadly target enterprise vulnerabilities over the implementation of effective administrative controls and operational hygiene. Monitoring tools and mitigating technologies are critical to awareness of compromise and effective defense, but without the more mundane attention to operational cleanliness and prudent controls are less effective and offer diminishing returns relative to the increasing threat environment. Like all risk, breach and data loss needs to be managed, and prioritized, and in fact it can be managed and consequences limited. Of course vulnerabilities overall need to be managed, there are threats other than data theft to be addressed, but managing risk of data loss requires more than addressing vulnerabilities. Effective management requires a better understanding of the consequence of loss for different classes of data to better target breach mitigating investments. This requires greater visibility and a clear understanding of what we have, where we have it, how we use it, how long we retain it and how we protect it. This even more so for regulated data and for companies operating overseas.