To be able to do something before it exists,
sense before it becomes active,
and see before it sprouts.
The Book of Balance and Harmony
A medieval Taoist book
Will security vendors, large to small (Symantec, Mcafee, nexTier, ANBsys and others..) succeed in restoring balance and harmony to their customers by relabeling their product suites as unified content security (Websense) or enterprise information protection (Verdasys)?
I don’t think so.
Unfortunately – data security is not an enterprise suite kind of problem like ERP. You don’t have harmony, synergy and control over business process; you have orthogonal attack vectors:
- Human error – cc’ing a supplier by mistake on a classified RFP document
- System vulnerabilities – Production servers with anonymous file transfer protocol (FTP) turned on
- Criminal activity – Break-ins, bribes and double agents (workers who spy for other groups or companies)
- Industrial competition/breach of non-disclosure agreements – the actuary who went to work for the competition
After 5 years of hype, most customers have a high awareness of DLP products but fewer (especially outside the US) are buying DLP technologies and even fewer are succeeding with their DLP implementations. This stems from the customer and vendors’ inability to answer two simple questions:
- Who is the buyer?
- What is her motivation to protect information?
A common question I hear from my clients, is, “Who should ‘own’ data security technology?” Is it the vice president, internal auditor, chief financial officer, CIO or CSO, our security consultants or our IT outsourcing vendor; IBM Global Services?
If there is no clear business need for information protection (the kind that a CEO can enunciate in a sentence) – the company is not going to buy DLP technology.
The business need for data security derives directly from the CEO and his management team. In firms with outsourced IT infrastructure, the need for data security becomes more acute as more people are involved with less allegiance to the firm.
To help qualify an organization’s business need for DLP technology, let’s examine the decision drivers, or what compels companies to buy data security products, and the decision-makers, or those who sign off on the products. Let’s look at seven industries: banking, credit card issuing, insurance, pharmaceuticals, telecommunications, health care and technology.
|INDUSTRY||TYPICAL DATA SECURITY DRIVERS||DECISION – MAKERS|
|BANKING|| A real event, such as theft of confidential customer account information by trusted insiders
Privacy regulations such as the Gramm-Leach-Bliley Act, HIPAA
The Sarbanes-Oxley Act, for transparency and timeliness in reporting of significant events
|CSO or CIO|
|CREDIT CARD ISSUERS|| Ongoing theft of customer transactional information by customer service reps
Data breach threat to credit card numbers that haven’t yet been printed on plastic cards and issued to card holders
Privacy regulations, Sarbanes-Oxley , nondisclosure agreements with business partners
|The security officer or information security officer (many issuers have separate functions for physical and information security)|
|INSURANCE|| A real event, such as theft of customer lists by competitors
Fear of losing actuarial data
Exposure to data leakage of credit card numbers in online systems
|General counsel, VP of internal audit, CFO|
|PHARMACEUTICALS|| Theft of chemistry, manufacturing and control information, product formulation and genome data by trusted insiders
Difficulty in preserving secrecy of sensitive intellectual property prior to patent filings
Sensitivity of company records during due diligence processes
|General counsel, CFO, chief compliance officer|
(Telecom service providers and large online operations such as Yahoo collect and aggregate huge quantities of data, and the higher up the value chain you go with data aggregation, the more valuable and vulnerable the asset.)
| Prepaid code files
Strategic marketing plans
Call detail records (analogous to credit card transaction records, these are extrusions by customer service representatives to private investigators and difficult to detect)
Customer credit card records
|VP of internal audit, VP of technologies|
|HEALTH CARE|| Privacy regulations/HIPAA
Need to protect pricing data of drugs and supplies purchased by the health care organization
|CSO, VP of internal audit|
|TECHNOLOGY COMPANIES||Theft of:
Designs, pictures and plans of proprietary equipment
Strategic marketing plans