Secure Data, Not Just Devices
Eric Lundquist's "Security Shifts to Data" is a good summary of some emerging themes in information security. We've understood for a while that perimeter defenses are not sufficient. In fact, the whole concept of a network perimeter is losing meaning as business partners and customers reach deeper into enterprise applications. We need to protect what's valuable, and that's the data. TJX's problem isn't that attackers stole servers or used their devices as bots; the problem is stolen data.
Data loss prevention requires locking down devices, but it also requires steps to protect data directly, beginning with encryption. And it's not just about technology. To rephrase James Carville, "It's the policy, stupid," or as Lundquist put it:
Protecting data requires developing and deploying an overall company process. Before you try to fix data leakage, you have a lot of work to do. You need to figure out where all your data resides and set levels of protection depending on the degree of data importance. If you decide to encrypt data, you need to figure out how to handle encryption and decryption keys. Who should issue the keys, how long they should exist, ....
There is also the problem of mobile devices, which are still working out fundamental security issues; see an earlier post on the J2ME platform for examples. Lundquist also sees this as a key issue:
The move to protecting data instead of devices comes at a crucial time for companies. The power of mobile devices is rapidly increasing to the point where your laptop will appear underpowered compared with the handheld combination phone/e-mail/personal data device.
The development of those mobile devices also means that more confidential corporate data will be moving over more networks.
We need to secure devices to maintain availability and to keep them from being used by others (e.g., as bots), but we need to keep data secure because that's the valuable stuff. Data is not tied to a single point in time and space: it moves around, it gets copied, and if it's accessible to a search engine crawler, it might even get indexed.



