Building a business case for DLP

At a meeting with one of our clients last week – the question of business case for data loss prevention came up quite strongly.   It started with the client saying that they were hearing that while vendors like Symantec and Websense were getting a lot of customers to buy their DLP products – many of these customers were failing at their attempt to implement DLP.

The detailed reasons why people fail at DLP implementations merits a separate post –  but it’s a lot like why over 50% of the content management implementation from vendors like Vignette never made it to production in the 90s – the root cause was that there was no real business case for the technology.

I want to talk about why  building a business case for Data security is critical to the success of your data security/data loss prevention/fraud prevention project.

If you run a business or business unit – you must ask yourself two questions

Is data security a major operational risk for your business?

Could be.

Unlike a computer virus – internally launched attacks on data  that result in data leaks, breach of  integrity, loss of data availability and non-compliance are your problem, not someone elses.

Unlike business processes – data risk cannot be outsourced.

Unlike balance sheet assets – companies don’t know their current financial exposure to data security threats.

The next question is should you invest in DLP technologies? Any one with only a nickel in their pocket (and in this market – that’s a lot of companies…) will say “Why should we when we don’t know the return on investment?  In order to answer your questions, you must measure your value at risk using a data security based risk assessment This is a simple, almost obvious notion – you measure risk of asbestos poisoning by checking your building insulation and you measure risk of fire damage by checking the building itself and various policies, procedures and equipment related to fire prevention.

Think about smoke detectors. You can’t put up an office building without smoke detectors (in Israel – the regulator has set a minimum density per square meter and the prices are low enough that the contractors will basically put in as many as you want). Why would you think of managing your data without the comparable data breach security monitoring equipment?

Data security based risk assessment uses DLP technology (the test equipment) and a best practices analytical risk model to measure the value of your data and your value at risk. Within a couple weeks, you should be able to get a picture of your current data security events, know your data value at risk in Euro and build a prioritized program for cost-effective data security controls in the people, process and technology planes. What you do then – is up to you.

Most companies I know in Europe and Israel are not at a sufficient level of security maturity to do this kind of thing themselves – and will need an independent consultant – one with specific domain expertise in their industry vertical,  specific data security expertise and ability to do analytical threat modeling – installing Checkpoint firewalls doesn’t count and you really want someone who is vendor neutral.