Data Loss Prevention (DLP) protects critical information from being stolen or lost. Yet, without business input and ownership, organisations don't realise DLP's value.
Performanta has successfully deployed hundreds of DLP projects. We often find that organisations use DLP for little more than data leakage monitoring. There is scant prevention. They don't create any real DLP policy, balance DLP against business risks, or involve business stakeholders. The result is an expensive investment that underperforms and risks being of no real use at all.
We can blame poorly-conceived processes and policies. Companies fall into the trap of purchasing a technology and expecting it will do the job without the organisation's input. Business people don't buy into the overall DLP philosophy yet think their issues are under control and well handled.
Consequently, DLP falls far short in value, security effectiveness, and risk mitigation. Companies spend millions without being able to justify the expense.
Yet a good DLP operational framework increases visibility and control, allowing people to do what they should be doing and stop what they shouldn't. DLP is fundamentally about compliance and incident risk management: understanding the risks through trending and reporting, and involving all relevant stakeholders—especially on the business side, particularly senior executives.
DLP can provide context for business risks; it can avoid false positives and false negatives.
False positives are false alerts of violations. Companies reactively throw more people at the problem to manage the high number of incidents, resulting in higher costs and more management complexity. False negatives are genuine violations mistaken for non-violations. Miscategorising such violations creates serious business risks.
Organisations should take the following steps to reduce these risks, highlight other issues, and ultimately get the most DLP value:
Identify DLP's stakeholders, focusing first on those who most feel the relevant risks or know about them. Use data discovery, data-in-motion risk assessment, and stakeholder interviews.
Create a heat map of each department's risk, compiled through interviews, best practices, and assessments.
Create DLP policies and standards that reflect business needs and risks. Develop bespoke ones for stakeholders with buy-in and generic ones for the rest. Focus on quality and quantity.
Propose a Target Operating Model to ensure business and IT work together. Educate where needed and address disciplinary matters if required.
The right DLP approach will generate clear business value. Performanta's DLP policy creation experience guides customers through this process. We have helped hundreds of companies establish effective and value-generating DLP systems. In a recent webinar, we unpack these challenges and our approach to dealing with them, going into much more detail about the above steps.
Treat DLP as a business tool. Understand why you need it, support it with policies, and involve the people who face those data risks the most. That's how you create lasting value from DLP investments.