To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.
The Book of Balance and Harmony
(Chung-ho chi).
A medieval Taoist book
Will security vendors, large to small (Symantec, Mcafee, nexTier, ANBsys and others..) succeed in restoring balance and harmony to their customers by relabeling their product suites as unified content security (Websense) or enterprise information protection (Verdasys)?
I don’t think so.
Unfortunately – data security is not an enterprise suite kind of problem like ERP. You don’t have harmony, synergy and control over business process; you have orthogonal attack vectors:
- Human error – cc’ing a supplier by mistake on a classified RFP document
- System vulnerabilities – Production servers with anonymous file transfer protocol (FTP) turned on
- Criminal activity – Break-ins, bribes and double agents (workers who spy for other groups or companies)
- Industrial competition/breach of non-disclosure agreements – the actuary who went to work for the competition
After 5 years of hype, most customers have a high awareness of DLP products but fewer (especially outside the US) are buying DLP technologies and even fewer are succeeding with their DLP implementations. This stems from the customer and vendors’ inability to answer two simple questions:
- Who is the buyer?
- What is her motivation to protect information?
A common question I hear from my clients, is, “Who should ‘own’ data security technology?” Is it the vice president, internal auditor, chief financial officer, CIO or CSO, our security consultants or our IT outsourcing vendor; IBM Global Services?
If there is no clear business need for information protection (the kind that a CEO can enunciate in a sentence) – the company is not going to buy DLP technology.
The business need for data security derives directly from the CEO and his management team. In firms with outsourced IT infrastructure, the need for data security becomes more acute as more people are involved with less allegiance to the firm.
To help qualify an organization’s business need for DLP technology, let’s examine the decision drivers, or what compels companies to buy data security products, and the decision-makers, or those who sign off on the products. Let’s look at seven industries: banking, credit card issuing, insurance, pharmaceuticals, telecommunications, health care and technology.
| INDUSTRY | TYPICAL DATA SECURITY DRIVERS | DECISION – MAKERS |
| BANKING |  A real event, such as theft of confidential customer account information by trusted insiders
|
CSO or CIO |
| CREDIT CARD ISSUERS | Ongoing theft of customer transactional information by customer service reps
|
The security officer or information security officer (many issuers have separate functions for physical and information security) |
| INSURANCE | A real event, such as theft of customer lists by competitors
|
General counsel, VP of internal audit, CFO |
| PHARMACEUTICALS | Theft of chemistry, manufacturing and control information, product formulation and genome data by trusted insiders
|
General counsel, CFO, chief compliance officer |
| TELECOM/ONLINE BUSINESS (Telecom service providers and large online operations such as Yahoo collect and aggregate huge quantities of data, and the higher up the value chain you go with data aggregation, the more valuable and vulnerable the asset.) |
Prepaid code files
|
VP of internal audit, VP of technologies |
| HEALTH CARE | Privacy regulations/HIPAA
|
CSO, VP of internal audit |
| TECHNOLOGY COMPANIES | Theft of:
|
CEO, CTO |
[...] More: Do you have a business need for DLP? | Israeli Software [...]
[...] Do you have a business need for DLP? | Israeli Software [...]
Nice article! These are excellent decision points. One Israeli company, PineApp, has run into a lot of these points, and combats most of them with their Mail SeCure and Archive SeCure.