When, Oh When??
When will everyone at last stop confusing information security with IT security? Information security is not primarily a technology issue - it's about business process management. IT security is just a small part of that. If you're in doubt about this, just take a moment to review the UK Information Commissioner's action reports. A very high percentage of personal data breaches have nothing at all to do with IT - they typically range from sending a steel filing cabinet full of medical records to a scrap merchant, to a barrister leaving their client's file on the bar in a pub, or a member of Parliament dumping constituents' letters in a waste bin in a park. Even a stolen laptop is not primarily a technological security issue - what matters is what information is stored on it.
Until the quality of business process management (whether related to IT or not) is taken seriously, no amount of technology will 'solve' the parlous state of information security, and this was recognised by the Article 29 Working Committee that created GDPR. However, in my experience the majority of businesses have handed GDPR compliance either to the IT department or to their lawyers to create a documentation set for 'nominal compliance', rather than reviewing what they actually do with the relevant information in the course of day-to-day business. Which of course means that in reality they're not compliant at all.
You ultimately get the security you work for, but it's not a good starting point to mis-describe the problem you're trying to fix. IT security is technological. Information security is much wider and includes business process management, and it's still anybody's guess what the blazes 'cyber security' is.