Do you have a business need for DLP?

To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.


The Book of Balance and Harmony

(Chung-ho chi).
A medieval Taoist book

Will security vendors, large to small  (Symantec, McafeenexTierANBsys and others..) succeed in restoring balance and harmony to their customers by relabeling their product suites as unified content security (Websense) or enterprise information protection (Verdasys)?

I don’t think so.

Unfortunately – data security is not an enterprise suite kind of problem like ERP. You don’t have harmony, synergy and control over business process; you have orthogonal attack vectors:

  • Human error – cc’ing a supplier by mistake on a classified RFP document
  • System vulnerabilities – Production servers with anonymous file transfer protocol (FTP) turned on
  • Criminal activity – Break-ins, bribes and double agents (workers who spy for other groups or companies)
  • Industrial competition/breach of non-disclosure agreements – the actuary who went to work for the competition

After 5 years of hype, most  customers have a high awareness of DLP products but fewer (especially outside the US) are buying DLP technologies  and even fewer are succeeding with their DLP implementations. This stems from the customer and vendors’ inability to answer two simple questions:

  1. Who is the buyer?
  2. What is her motivation to protect information?

A common question I hear from my clients, is, “Who should ‘own’ data security technology?” Is it the vice president, internal auditor, chief financial officer, CIO or CSO, our security consultants or our IT outsourcing vendor; IBM Global Services?

If there is no clear business need for information protection (the kind that a CEO can enunciate in a  sentence) – the company is not going to buy DLP technology.

The business need for data security derives directly from  the CEO and his management team. In firms with outsourced IT infrastructure, the need for data security becomes more acute as more people are involved with less allegiance to the firm.

To help qualify an organization’s business need for DLP technology, let’s examine the decision drivers, or what compels companies to buy data security products, and the decision-makers, or those who sign off on the products. Let’s look at seven industries: banking, credit card issuing, insurance, pharmaceuticals, telecommunications, health care and technology.

INDUSTRY TYPICAL DATA SECURITY DRIVERS DECISION – MAKERS
BANKING A real event, such as theft of confidential customer account information by trusted insiders

Privacy regulations such as the Gramm-Leach-Bliley Act, HIPAA

The Sarbanes-Oxley Act, for transparency and timeliness in reporting of significant events

CSO or CIO
CREDIT CARD ISSUERS Ongoing theft of customer transactional information by customer service reps

Data breach threat to credit card numbers that haven’t yet been printed on plastic cards and issued to card holders

Privacy regulations, Sarbanes-Oxley , nondisclosure agreements with business partners

The security officer or information security officer (many issuers have separate functions for physical and information security)
INSURANCE A real event, such as theft of customer lists by competitors

Fear of losing actuarial data

Exposure to data leakage of credit card numbers in online systems

General counsel, VP of internal audit, CFO
PHARMACEUTICALS Theft of chemistry, manufacturing and control information, product formulation and genome data by trusted insiders

Difficulty in preserving secrecy of sensitive intellectual property prior to patent filings

Sensitivity of company records during due diligence processes

General counsel, CFO, chief compliance officer
TELECOM/ONLINE BUSINESS
(Telecom service providers and large online operations such as Yahoo collect and aggregate huge quantities of data, and the higher up the value chain you go with data aggregation, the more valuable and vulnerable the asset.)
Prepaid code files

Pricing data

Strategic marketing plans

Call detail records (analogous to credit card transaction records, these are extrusions by customer service representatives to private investigators and difficult to detect)

Customer credit card records

VP of internal audit, VP of technologies
HEALTH CARE Privacy regulations/HIPAA

Need to protect pricing data of drugs and supplies purchased by the health care organization

CSO, VP of internal audit
TECHNOLOGY COMPANIES Theft of:

Source code

Designs, pictures and plans of proprietary equipment

Strategic marketing plans

CEO, CTO
Related Posts Plugin for WordPress, Blogger...
Tell your friends and colleagues about us. Thanks!
Share this

3 thoughts on “Do you have a business need for DLP?

  1. Nice article! These are excellent decision points. One Israeli company, PineApp, has run into a lot of these points, and combats most of them with their Mail SeCure and Archive SeCure.

Leave a Reply

Your email address will not be published. Required fields are marked *