The cybersecurity landscape is littered with failed data loss prevention (DLP) initiatives. Perhaps surprising to many, most of these failures are the result of positioning DLP as a tool. Let’s be clear: an effective DLP is not a feature. It’s not a product. It’s not a tool. Rather, it is an ecosystem, or a mindset around the many people, processes and technologies that must be bound together to work well. In a best-case scenario, DLP is a program built on critical security thinking, frameworks and effective stakeholder alignment.
Certainly, the rise of privacy legislation and standards has led to an explosion of tools and technologies that are sold with “Now with DLP” stickers. This market saturation is the primary culprit for the prevailing attitude towards DLP as a tool. In this post, we position a more holistic approach to DLP, framing our point of view in two categories: Program Level (less technical, strategic considerations) and Tactical Level (focused on the technical solutions).
Protecting data is a complex undertaking. We often find clients who are overwhelmed by the decisions to be made in order to get a successful DLP program up and running. We understand DLP tools and features may be enticing because they offer a quick fix. But we have learned that a comprehensive view of how the organization tracks, stores and moves its data is essential to selecting the right solutions when developing a DLP plan. Let’s have a look at the types of approaches we recommend.
A Program Level Approach
As the name suggests, a program level approach to developing a DLP is less focused on the technical factors and more aligned with the strategic considerations an organization should weigh to be successful in the long term.
Successful DLP initiatives should include:
- Requirements management
- Data discovery
- Establishment of ownership and governance
- Metrics and milestone planning
Organizations need to spend time understanding policy, regulatory, commercial and contractual requirements at the very start of the initiative. The requirements phase should also help set clear goals for the DLP strategy. Requirements management should additionally include a data classification exercise. Not all data needs the same level of protection, so we suggest an organization take a risk-based approach to DLP to avoid the unmanageable task of trying to secure all of its data, all of the time. Likewise, organizations should invest time in an exhaustive data discovery exercise to understand how sensitive information flows through the enterprise, including third parties.
Establishing ownership and governance is important for the long-term. Consider adding (or enhancing) a Data Protection Officer (DPO) role, who serves as a data privacy ombudsman for the organization. While this function can be performed by a steering committee, as we’ve seen in some organizations, keep in mind that mileage may vary with the effectiveness of this type of group.
Measure, measure, measure. Metrics and milestone planning involve establishing implementation metrics that communicate the effectiveness of the program across the organization. This will become critically important to the cultural change that must take place within the organization to ensure everyone is committed to data protection. An organization’s people are the ones closest to the data – so training and awareness will be essential.
Additionally, establishing a maturity roadmap that indicates which capabilities will be developed at each phase is a key success factor.
A Tactical Level Approach
In a tactical level approach, the focus is on the technology. It should be noted up front that there is no single technical solution that can adequately address your DLP strategy. That is why we suggest DLP be looked at as an ecosystem of solutions that need to be stitched together using an architecture methodology (e.g. defense-in-depth, zero trust, etc.). Some of the capabilities, processes and technologies that should be considered in this ecosystem include, but are not limited to:
- Activity/user behavior monitoring to identify and trigger activity-based actions
- Asset management integration to identify enterprise and non-enterprise devices
- Data discovery and mapping to organizationally defined risk levels
- Encryption and key management to monitor encrypted traffic and to encrypt data based on access telemetry
- Security incident management (including breach notification) for a holistic picture and integration with breach or incident response
- Endpoint detection and response integration to sandbox malware or identify non-enterprise devices
Test For Success
Here’s where the best components of Program and Tactical Level programs are put to the test. Before launching a DLP program, we suggest that organizations develop and execute a comprehensive playbook that details data management policies, response plans and more. This exercise is a good way for people involved in the program to practice their roles and responsibilities. In addition, the organization can use this opportunity to test its underlying data protection principles, for example whether its policy around data remaining in a specific geographic area is effective, or whether the restrictions being placed on data access are too prohibitive to business operations.
A DLP playbook should include details on how to:
- Establish and maintain compliance with the regulations and the organization’s policies
- Load test files that simulate a DLP break
- Implement an incident management process that analyzes, contains, eradicates and recovers from a data breach (including a postmortem)
- Remediate any issues uncovered during testing
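As an added illustration of the "load test files that simulate a DLP break" step above, combined with the earlier points on mapping data to organizationally defined risk levels and tracking program metrics (example code written for this post, not a tool from the original), the Python harness below runs a small content classifier over constructed test files, maps each finding to an assumed three-tier risk level, and reports a detection rate together with the files the detectors missed. The detector patterns, risk tiers and file contents are all assumptions for this example.

```python
import re

# Constructed test corpus for the playbook exercise: path -> (content, expected risk tier).
# All values are synthetic; the card number is the well-known public 4111... test value.
TEST_FILES = {
    "hr/payroll_export.csv": ("name,ssn\nA. Example,123-45-6789\n", "high"),
    "hr/onboarding_note.txt": ("SSN 123456789 on file, no dashes", "high"),
    "finance/refund.txt": ("Refund to card 4111 1111 1111 1111 approved", "high"),
    "finance/invoice_id.txt": ("Invoice 1234567890123 due Friday", "low"),
    "legal/contract_draft.txt": ("CONFIDENTIAL: draft terms of the MSA", "medium"),
    "marketing/newsletter.md": ("Our Q3 newsletter goes out Monday.", "low"),
}

# Detectors mapped to assumed organizational risk tiers (low < medium < high).
DETECTORS = [
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "high"),
    ("payment_card", re.compile(r"\b(?:\d[ -]?){13,16}\b"), "high"),
    ("confidential_marker", re.compile(r"\bCONFIDENTIAL\b"), "medium"),
]
RANK = {"low": 0, "medium": 1, "high": 2}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters invoice-style digit runs that merely look like card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str):
    """Return (highest risk tier triggered, names of the detectors that fired)."""
    level, hits = "low", []
    for name, pattern, risk in DETECTORS:
        for m in pattern.finditer(content):
            if name == "payment_card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # digit run is not a valid card number; keep scanning
            hits.append(name)
            level = risk if RANK[risk] > RANK[level] else level
            break  # one hit per detector is enough to set the tier
    return level, hits


def run_playbook_test(files=TEST_FILES) -> dict:
    """Simulate a DLP break: classify each test file and report the metrics the program tracks."""
    results = {path: classify(content) for path, (content, _) in files.items()}
    missed = sorted(p for p, (lvl, _) in results.items() if RANK[lvl] < RANK[files[p][1]])
    correct = sum(1 for p, (lvl, _) in results.items() if lvl == files[p][1])
    return {"results": results, "missed": missed, "detection_rate": correct / len(files)}
```

The undashed SSN file is missed on purpose: the "missed" list is exactly the remediation input the last playbook step calls for, and the detection rate is a metric the program can report across milestones.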
There’s too much at stake not to have a robust DLP initiative in place. Don’t be fooled by the trend to consider DLP as simply a tool. A holistic approach is imperative. Craft a comprehensive strategy, select tools that support the strategy’s objectives and test before implementing. These three simple steps set a clear path for data security.