How can we convince our VP that a network-based DLP makes sense?


Flask Data provides a one-stop cloud subscription for EDC, data management and statistics.

My colleague, Michel Godet – sent me a link to an article that Mike Rothman recently wrote.

Michel  (rightly) thinks that it supports the approach that we have been pushing in Europe for over a year now, to justify data security technology investments by using Value at Risk calculations.

Mike’s article – building a business case for security is good. I agree with most of what he writes (I would have commented but searchsecurity doesn’t allow commenting on their Ask The Security Expert: Questions & Answers articles.

So – I will use my own blog to post a couple of my comments (I should probably ping Mogull on this too but I lost  his email)

1) I agree that if you can’t get past the first energy barrier of concern with information protection than you are a non-starter for DLP ( or any data security technology for that matter – it must fit the business needs – otherwise it’s like trying to sell a trombone to a violinist.  Total waste of time

However – once you get past the first road block, the business problem for security investment is:

What is your value at risk, what are the right security countermeasures and are they cost-effective.? Not – what are the vendors selling this quarter.

There is no reason in the world why data security should be any different than any other IT investment.

2) I totally disagree that looking only at a network-based DLP product is inherently limiting. Just because a few vendors like Websense and Symantec, have integrated end point and gateway products doesn’t  makes them cost-effective data security countermeasures, ensure success of the project or prevent the next data breach.

Let me submit  two counter-examples:

A) Suppose all your sensitive data is in the cloud – then maybe network DLP is a good fit

B) Suppose all your endpoints are in the cloud – then maybe endpoint DLP is a good fit

C) Suppose all your sensitive data is on notebooks – then maybe encryption is the right countermeasure to data loss.

The answer is that you have to measure stuff – measure your people, process and system vulnerabilities and where your assets are headed. After that you need to estimate your  VaR and only THEN start thinking about the people, process and technology countermeasures

BTW – I’ve been saying this for years

October 28, 2004 –  A guide to buying extrusion prevention products

March 17, 2005 – How to justify Information security spending

Now if only we could find a way to monetize being right.

Related Posts Plugin for WordPress, Blogger...

Flask Data is a technology company with a strong people focus. We are a diverse group of computer scientists and clinical operations specialists based in Israel, the US and India. We are accomplished at providing our customers with the most effective way to achieve high quality clinical data and assure patient safety. There is no single solution that works for every clinical trial. We work hard to understand your unique situation. We work with your team to develop the best solution to achieve high quality clinical data and assure patient safety the same day you engage with patients.

Flask Data – same data data and safety solutions for clinical trials.

Contact us to learn more

Tell your friends and colleagues about us. Thanks!
Share this

Leave a Reply