I have had the privilege of working in IT Risk for over 20 years. I have, on many occasions, wondered how we felt comfortable communicating to our clients their true risk of data loss when we never took an accurate inventory of what data was held and where it was stored. As a good friend of mine said, “you can’t protect the President if you don’t know where the President is.” We did so because we used the best tools we had at the time. We knew everything we could reasonably know. Today, we repeatedly see this is not enough.