Information is the most important asset to a business, and today, nearly all corporate information exists in electronic form. This information needs to be readily available and accessible for use, while at the same time secure from loss and misuse. Over more than 30 years, security technology has matured to protect and control access to data. The problem is that businesses need to be able to leverage their key asset, the data, without having to jump through hoops to get at it. Data loss prevention solution vendors must continually enhance and mature their technology to enable businesses to leverage their information effectively without burden to the company and within acceptable levels of risk.
Data Lost and Found
As the number of data loss incidents - and the costs to businesses - continue to increase, the focus companies place on the issue is becoming paramount. As recent headlines reveal, data loss incidents typically result in costly fines and significant reputation damage. The notification and recovery process involved in a data security breach can cost hundreds of millions of dollars. However, financial consequences are not the only reason to implement a data loss prevention solution. Losing confidential information can also compromise regulatory compliance requirements, competitiveness, customer trust and a company's brand and reputation. Furthermore, whether it is a malicious attempt or an inadvertent mistake, data loss can affect a company's position in the marketplace, reduce shareholder value, decrease the efficiency and spirit of the organization, create more work and cause costly fines as well as associated legal fees.
Given the myriad communication and collaboration tools needed to conduct business today - including email, instant message, Web mail and file transfer - there is no doubt data loss and misuse will occur. Even worse, much of the data will go unrestricted and unmonitored on its way to its destinations. As a result, security experts have predicted that we can expect to see significant changes to how companies protect data and deal with data use. With increased awareness and a strong desire to avoid public relations nightmares, most companies are ramping up security technology and investing in security processes and corporate awareness.
DLP: The Vehicle to Your Success
Data loss prevention solutions enable organizations to understand the information that is transmitted throughout the enterprise. Furthermore, DLP solutions can help businesses comprehend the vast amounts of data that reside on their desktops, file shares and portable devices. Because of this, DLP solutions have become the foundation of an information-centric security strategy and are a perfect complement to data encryption capabilities. Initially, DLP solutions were used to reduce the risk of sensitive data leaving the organization. Now, data loss prevention capabilities have evolved into a core enterprise requirement encompassing information protection and control. DLP provides organizations with the ability to discover where their valuable information is located, where it is being moved and the level of risk it represents, all while ensuring that it does not fall into the wrong hands, both inside and outside the organization.
DLP Owners: The History of the Bus Driver
Whose role is it to ensure data loss prevention? In its earliest stages, DLP responsibilities belonged to the IT department. However, these days, organizations - from health care to education to insurance and financial services - must take a more holistic approach. DLP is the responsibility of the entire organization. In order to be effective, management and business unit leaders across all corporate functions, including human resources, the legal department, IT and the executives must be involved in the DLP process.
How to Decide Who Needs to Ride the DLP Bus
After making the commitment to protect their corporate data, organizations must confront the question: who should be on the DLP bus? Many factors go into finding the right answer for an organization's specific needs. First, industry is a major deciding factor in delegating who has to be involved. Industry typically dictates what regulations and standards an organization must follow in order to remain compliant. Another factor is the initial use cases for which an organization wants to deploy data loss prevention technology. For example, if data at rest is the primary focus, getting the records management team involved will help ease the deployment and remediation processes. A third factor is the global impact of an enterprise-wide deployment for organizations that span many nations. Such an organization must consider data ownership as well as compliance personnel that may have unique requirements based on country regulations and codes of conduct.
The Typical DLP Bus Riders
In general, one of three groups usually leads a DLP project: IT security, compliance or the business unit. This list is not all-inclusive, and it is possible that someone outside of these groups might initiate the project. Depending on who leads the project and who has the loudest voice on the bus, DLP projects often take varying paths in terms of the focus on risk and prioritization of control points.
The most common project sponsor is the IT security group. This team often drives the determination of need, definition of scope and implementation of the project. However, the definition of policies rarely comes from this group. The security team needs to engage data owners and business leaders in order to understand what sensitive information needs to be protected and controlled. This is a critical step, because, in the absence of this input, the security team runs the risk of creating policies that may conflict with legitimate business transactions. For example, a restriction on sending source code externally is a common policy found in DLP projects. If implemented, these policies may impede regular business workflow with outsourced vendors and partners.
Another common group that often leads a DLP project is the compliance/corporate risk team. This group may have specific requirements around the regulations to which the organization must adhere. For example, this group may want to control the use of credit card numbers to meet the PCI Data Security Standard. While compliance/risk teams may have a good understanding of what information is sensitive, they might be satisfied with basic monitoring and may not require preventative measures to be deployed.
The last major group that typically will lead a DLP project is a particular business unit or department. This leadership situation typically occurs when the business unit has a clearly defined use case in mind, with specific information to protect. For example, the sales department may want to put data protection policies in place to prevent sales executives from leaving with customer information.
While the three groups above tend to lead most DLP projects, there is a set of common roles required for the success of all DLP projects. An internal project manager is needed to coordinate the overall implementation and participation of client resources. Business and compliance personnel will assist with policy definition and tuning as well as with the design of the incident review workflow process. Technical personnel from IT operations are required to assist with the overall architecture design, hardware sizing, procurement, setup and OS configuration. Along with these typical roles, an organization may also need message system specialists to configure various email components. Database and storage specialists might be required to create, configure, and tune the databases and file stores. Finally, desktop and client specialists should be available to implement and integrate with the endpoint, if that level of protection is in the project scope.
Starting Up the DLP Bus
With all these people on the DLP bus and many other stakeholders interested in the project, it can be difficult to determine a starting point. The first thing the driver of the DLP bus must do is establish and prioritize phases based on the requirements from each invested party. Furthermore, the driver needs to determine if there is a use case that needs to be solved tactically. For example, if there was a data breach, this risk should probably be addressed first. To help with prioritizing requirements, many DLP applications can be run in detection mode. This can help the organization understand where most of the risks are and which types of deployments will provide the most results. This is a good place to start for most organizations. Recently, I consulted with a large retail firm that wanted to address specific issues involving the protection of credit card numbers. Interestingly, after reviewing information usage with them, the organization found that the biggest risk they faced was when internal users sent confidential information to their personal email addresses. This allowed the organization to prioritize and tackle a risk that had far more impact than simple credit card monitoring.
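To make the detection-mode idea concrete, here is an added example (not code from the article or any DLP product) that runs two monitor-only rules over constructed outbound-mail records: a Luhn-checked card-number rule for the PCI use case, and a rule for confidential content sent to a personal webmail address. The personal-domain list, the corporate domain and the "confidential" keyword trigger are assumptions standing in for a real policy.

```python
import re

# Constructed sample of outbound-mail metadata, as a DLP sensor in
# detection (monitor-only) mode would see it: sender, recipient, excerpt.
SAMPLE_MAIL = [
    {"from": "alice@corp.example", "to": "bob@corp.example",
     "body": "Q3 forecast attached, internal only."},
    {"from": "carol@corp.example", "to": "carol.home@gmail.com",
     "body": "CONFIDENTIAL customer list for the weekend, see below."},
    {"from": "dave@corp.example", "to": "partner@vendor.example",
     "body": "Card on file 4111 1111 1111 1111 exp 12/27"},
    {"from": "erin@corp.example", "to": "erin@outlook.com",
     "body": "Ticket 1234567890123456 is not a card number, just a ref."},
]

# Assumed policy values: which destinations count as "personal email".
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
CORP_DOMAIN = "corp.example"
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum separates real-looking PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return candidate card numbers (digits only) that pass Luhn."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found

def classify(msg: dict) -> list:
    """Detection-mode policy hits for one message; nothing is blocked."""
    hits = []
    dest_domain = msg["to"].rsplit("@", 1)[-1].lower()
    if dest_domain in PERSONAL_DOMAINS and "confidential" in msg["body"].lower():
        hits.append("confidential-to-personal-email")
    if dest_domain != CORP_DOMAIN and find_pans(msg["body"]):
        hits.append("pan-leaving-org")
    return hits

def incident_counts(messages: list) -> dict:
    """Tally hits per rule, the view used to prioritize deployment phases."""
    counts = {}
    for m in messages:
        for h in classify(m):
            counts[h] = counts.get(h, 0) + 1
    return counts
```

The tally is what the prioritization step needs: in the sample the personal-email rule and the card-number rule each fire once, while the Luhn check keeps the ticket reference out of the count.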
Driving the Bus
At the end of the day, a DLP project is a mix of data management and security. Most importantly, understanding organizational data is the first critical step for implementing a DLP solution. The bottom line is: when starting a DLP project, it is much less about who is driving the bus than it is about making sure you have the right people on the bus.