Tackling Data Leak Prevention At Forrester's Security Forum EMEA 2011

For the second year in a row, I have the honor of hosting our Security Forum EMEA in London, March 17th - 18th. This is Forrester's 5th annual Security Forum in Europe, and each year brings a larger, more influential audience and more exciting Forrester and industry keynotes. The theme of this year's event builds on our fall event in Boston - Building The High-Performance Security Organization. It would have been easy to focus the event on one of the myriad of threats and challenges facing security and risk (S&R) professionals today — from the emergence of advanced persistent threats to the security and risk implications of cloud services, social technologies and consumer devices in the workplace — but the real challenge for S&R professionals is not in the specific response to today's threats. It's building the oversight and governance capabilities, repeatable processes, and resilient architectures that deal with today's threats but can also reliably predict, analyze, mitigate, and respond to tomorrow's threats and new business demands. For many of us in security, we are mired in day-to-day operational responsibilities — or as some of us like to call it, the Hamster Wheel Of Hell. 

Let's take data leak prevention as an example. The term "data leak prevention" (including multiple spellings, capitalizations, acronyms, and other variants) is one of the top search terms on Forrester's Security & Risk research site. However, when you peel back the layers of the onion a bit, when you dig a little deeper with clients, what we find is that clients are not necessarily struggling with the identification, selection, and implementation of DLP technology (although clients do tell us this is also frustrating in and of itself), but the overall strategy for data security and protection. DLP technology implementations will fail or have minimal effect if they are not part of an overarching strategy. What clients struggle with is working with business and IT leaders to understand their risk tolerance levels, define simple information/data classification levels, classify data appropriately and building a set of data protection capabilities. Building a set of capabilities will include the use of a multitude of technologies from encryption to enterprise rights management to yes, DLP (standalone and embedded DLP functionality). It also includes working with your counterparts in enterprise architecture and IT operations to design an IT environment that compartmentalizes the most sensitive data (think virtual desktop infrastructure). This strategy or approach combines governance, process and technology. It also requires that S&R professionals collaborate with and influence individuals outside of IT - from business leaders to legal professionals to knowledge management professionals to other IT leaders. Collaborating and building influence outside of security is not something S&R professionals are necessarily good at. If you haven't read it, Jinan Budge has a great blog post on security's aversion to communicating and marketing outside their own organization – The “M” Word: Don’t Be Shy.

At this year's Forum, we have two sessions dedicated to data protection. I'm thrilled to have Gianluca D'Antonio, CISO, Information Security & Risk Management Group, FCC relay his own organization's DLP journey in the track session: How To Successfully Implement A Data Leak Prevention & Containment Strategy - Lessons Learned From FCC’s Two Year Journey. I'll also reprise a presentation on Moving To Information Control: Forrester's Maturity Model For Information Control.

I hope you'll join us at this year's Forum; if not, I'll hope you'll take a moment to share your own thoughts on DLP at your organization.

Comments

DLP Saga

DLP implementation could definitely add you in the "me too" list of the emerging technology implementation categories unless done right with a sound process & business requirements study and some basic organizational considerations. As rightly pointed out in your post, S&R professionals definitely need to look at existance and enhancemnent of fundamental processes like Data classification and then really understand what needs to be monitored or prevented through DLP with out hindering business operations. Based on my understanding and experience, policy definitions in DLP needs to be debated thoroughly to achieve results which could be sold to Line of Business Managers easily. Coz you suddenly start seeing 'unstructured data' going out prior to DLP implementation; One could easily get lost in the game looking at the instances based on what is defined as confidential. Also it is very critical to 'tie up' initially classified data on to the 'Monitor/Prevent' action scenarios to be able to make the monitoring better, meaningful and less User intrusive. Agree with your input on the business communication of security results/findings in a way Line of business guys could understand and help drive decision support. Most importantly I feel that DLP implementation in itself should not be seen as an S & R group initiative alone, though S&R group may facilitate and drive the implementation. This must essentially be considered as a strategic business security initiative where S&R group gets stakeholders from Legal, HR & IT teams on the table even before preparing the blueprint for implementation! Another aspect which needs to be noted is to look at the data privacy /regulatory issues that may possibly emerge if DLP solutions are rolled out with out consideration to specific Geographies - Be it e-mail or web - as there are geo specific workplace monitoring laws which must not be inadverdently violated by Organizations. One needs to deal with this on a Country wide basis looking at services considered for monitoring. From the maturity perspective one would need to consider tying up (a) the existing enterprise security technology solutions (including SIEM & other monitoring solutions) with DLP from the technology side and (b) Security Incidnet Management process with DLP on the Process side. From the People perspective, User communication indicating the use of a DLP or similar tool in the enterprise is also a good practice in enhancing awareness!

Thanks!

Sreehari

Hi Sreehari, great insight. I

Hi Sreehari, great insight. I particularly like the recommendation that the "implementation in itself should not be seen as an S & R group initiative alone...". In my pior role at Forrester, I covered data backup and IT disaster recovery. I was continuously amazed at how many clients (I would estimate at least 90%) continued to user their backups as archives - even though this quadrupled the cost of backup and exposed the company to all sorts of risk and despite the fact that there are great email, file and database archiving tools on the market. However, the problem (like our DLP example) was not with the technology but with the fact that IT Ops did not engage with legal, finance, enterprise risk and other groups to actually define what appropriate retention policies should be. It seems that across IT, creating and managing multi-functional teams to solve complex business and IT challenges is a skill that is sorely lacking.

I also agree with your recommendation about user awareness. A client recently told me that they had not really invested as much time as they should have on user awareness. As a result, they had a bumpy start after implementation and an internal PR nightmare on their hands to deal with (like S&R needs more bad press internally). Apparently, many users were suddendly concerned about "Big Brother" monitoring everything they were doing.