Is 'Discover, Classify, Protect' Wrong?

Data protection has followed the same paradigm for years: discover, classify and protect. That paradigm exists because years ago, protection solutions were extremely painful to implement. Administrative overhead was high. The end-user impact was high.

The only way organizations would consider implementing protection tools without a riot was to execute protection on a small amount of data. Historically, organizations wanted to discover all the locations of data first. Then they decided which data was essential to protect by classifying the data. This paradigm creates a small, manageable amount of data to protect.

Again, the legacy paradigm exists because protection solutions such as file encryption, information rights management (IRM) and data loss prevention (DLP) were too complicated to deploy, administer and operate. Many data loss guides run into the thousands of pages.

Protection solutions like DLP are too fragile. They rely on classification, which always changes over time. What is critical to protect today is not sensitive tomorrow, and more troubling is that what organizations don't consider important today becomes vital in the future. Classification is also very user-dependent. Users make mistakes, and malicious users are hard to identify.

A new category of data-centric data protection is now available that works in the background, where users see notifications only when they access files they don't have permission for. It's a similar approach to antivirus and malware protection. Users are only interrupted when something needs attention.
