5 dlp tips from security execs

8/9/2019 5 DLP Tips From Security Execs

1/4

Executive SummaryWith the rapid rise in data breaches, advancedthreats and mobility, data loss prevention (DLP)has quickly evolved from a security issue to abusiness imperative. Once considered the con-cern solely of regulated nancial services andhealthcare organizations, companies across allindustries are focusing on managing their dataloss risk. As a result, C-level executives are turn-ing to IT security to protect condential data suchas intellectual property (IP) and personally identi-able information (PII). DLP programs are emerging

as the most effective solution. Security executiveswho use DLP as the cornerstone of their infor-mation security strategy are reaping signicanttangible and intangible benets; not only are theykeeping their company out of the headlines, butthey are also getting a seat at the table with theirbusiness peers.

This research paper examines the ndings froma new study on DLP by Symantec . The goal of

the study is to understand how DLP programsimpact the effectiveness of security executives,while also protecting corporate data. Symantecsurveyed more than 130 CISOs, VPs, directorsand managers responsible for the evaluation,selection, deployment and governance of theirorganization’s DLP solution. The study reveals thatnearly half of the respondents believe they haveimproved their credibility with peers in other busi-ness units by implementing DLP. Key ndings:

» Improved boardroom credibility— Forty-ve

percent of survey respondents say that DLPprograms improved their credibility with peersin other business units, leading to more effectivebusiness leaders.

» Increased executive visibility— Eighty-ninepercent of respondents say that their organiza-tion’s DLP initiative originated from the top, eitherto demonstrate compliance or because manage-ment requested it.

1 » Five DLP Tips from Security Executives

Five DLPTips fromSecurityExecutivesDATA LOSS PREVENTION: WHAT YOUR COLLEAGUES ARESAYING ABOUT IT AND HOW THEY TAKE ACTION


2/4


» Increased awareness of data loss risk—Fifty-two percent of respondents’ companieslaunched a data protection plan because they hadeither experienced data loss or felt such an eventwas imminent.

The Priority: Protect Business DataSome of the top IT security issues troubling enter-prises today have also become pressing businessconcerns. As industries grow more competitiveand markets expand across the globe, C-levelexecutives worry that intellectual property (IP),trade secrets and other strategic information ismore likely to suffer unauthorized access or eventheft, blunting an organization’s ability to inno-vate and maintain a competitive edge. Businessleaders are also plagued by the fear that when adata breach happens to a partner or competitor,the same thing could happen to them, completewith the negative publicity and high cost thatstems from dealing with such an incident. Mean-while, regulatory pressure from governmentsand industries continues to mount as enterprisesare mandated to strictly guard customer andemployee privacy, keeping data protection top ofmind in the C-suite.

However, while the threat of a data breach is aserious concern for enterprises today, the need toprotect data also presents an opportunity for CISOsto be viewed as more strategic contributors to thebusiness rather than technical advisers (how theyare traditionally viewed). However, since protect-ing data involves safeguarding both a company’scrucial corporate assets and its reputation, CISOshave a chance to work with business users todevelop strategies that protect data while lendingcredibility to their roles as strategic partners.

In fact, the survey conducted by Symantec showsthat of the 130 respondents, 45 percent say theirDLP program increased their credibility with peers

in other business units.

“Data loss is a very real and very serious issue,”says Tim Matthews, senior director, Data LossPrevention, Symantec. “And DLP is the safestinvestment you could make.”

The High Cost of Doing Nothing toProtect Your DataBusiness leaders have opened their eyes to theneed to protect data at a time when risks arehigher than ever. This is in part due to the preva-

lence of advanced threats that are increasingly dif-cult to detect and thwart. Users are more mobilethan ever, leveraging consumer devices that aren’towned or managed by the company to access cor-porate data. Greater access from more endpointsmeans employees create additional vectors forthreats to inltrate the corporate network and forcrucial data to be stolen. In addition, attackers aregrowing more mature and patient, planting moresophisticated malware inside organizations.

The risk of data theft is also increasing because

of changes in the way employees do their jobstoday. In the race to be as productive as possible,users often don’t stop to consider whether theyare working with condential data, or whetherthey are treating condential data with the cor-rect level of protection. Patient records are savedto a thumb drive; customer data is transferred toa laptop so an employee can work from home;unreleased product plans are emailed to personalwebmail. While these actions may be uninten-tional, they still can expose sensitive informationto unauthorized access. In fact, well-mean-ing insiders continue to cause the majority ofbreaches; the latest Cost of a Data Breach studynds that negligence was responsible for 39percent of all data-loss incidents, with systemglitches accounting for another 24 percent. Addto these threats the ongoing risk of maliciousinsiders stealing data, and it becomes clear thatdoing nothing isn’t a strategy.

Not only does unprotected data expose a com-pany to a possible breach, the fallout from suchan event can threaten the viability of a business.According to the Cost of a Data Breach study,the average cost of a breach hit $5.5 million in2011. These costs involve responding to breachnotication laws, which are pervasive and man-date a rapid response, as well as lost businessopportunities. What’s more, customer condenceand the overall reputation of a company can takea serious hit once a breach is publicized. Havingto bounce back from a data breach event is astruggle best avoided.

“Data loss isa very realand veryseriousissue. AndDLP isthe safestinvestment

you couldmake.”

— TIM MATTHEWS,SENIOR DIRECTOR,

DATA LOSS PREVENTION,SYMANTEC


3/4


DLP as a Strategic Business InitiativeResults from the Symantec survey show that dataprotection is indeed growing in strategic impor-

tance, as the vast majority of respondents (89percent) say that their company’s data protectionplan originated from the top; either to demonstratecompliance or because management requested it.And data theft is not an idle threat—more than half(52 percent) of respondents’ companies launcheda data protection plan because they had eitherexperienced data loss or felt such an event wasimminent. Of those survey respondents at compa-nies that performed a risk assessment or proof ofconcept before installing a data protection solution,82 percent found at least some sensitive data was

at risk of unauthorized access or breach.

DLP solutions are increasingly being used toprotect the crown jewels—IP, product blueprints,source code, nancial documents, trade secrets,quarterly projections and so on. An organization’sability to compete in the marketplace and remaininnovative is often dependent upon safeguardingsuch information, and thus doing so is a strategicimperative. DLP is also an effective way to protectregulated data and reduce business risk.

Five DLP Tips from Your ColleaguesDLP is more than just a security tool, it’s a businessprocess for managing risk, which affects everydepartment in your company that touches conden-tial data.” Therefore, DLP strategies require consul-tative input from CISOs to ensure the correctsolutions are put in place and best practices arefollowed. In fact, DLP solutions are most effectivewhen CISOs work with business users to identifyand prioritize sensitive or condential data, andapply policies to how it should be treated.

Symantec’s survey respondents, who all haveexperience evaluating and deploying DLP solu-tions, recommend the following best practices fora successful DLP implementation:

1 » Clearly dene your DLP requirements.It’s important to understand how a DLP solu-tion will integrate with your unique environ-ment (cloud, mobile, endpoints, network andstorage). Don’t rely solely on paper evaluations

and lab demos. Put DLP solutions through thepaces in a production environment.

2 » Build a business case for your DLP pro-gram. DLP vendors can perform risk assess-ment to identify which critical data is leaving

your network and thus is vulnerable to theft.The results, for example, quantied data lossrisk, will arm you with a compelling businesscase to gain funding and support from keybusiness stakeholders.

“Run the risk assessment and use theresults to craft a strategy; don’t [attemptto] boil the ocean with the tool,” one surveyrespondent says. “The technology is great,but it’s the processes built around it that areessential to success.”

3 » Understand the total cost of ownershipof DLP solutions. One survey respondentadvises: “You evaluate all vendors and don’tpick one that is the least costly.” In addition toup-front software license costs, it’s important tofactor in hardware, maintenance, installation andstafng. Ninety percent of the effort of runninga DLP program is reviewing and remediatingdata loss incidents.

Among survey respondents, 50 percentsay that their DLP deployment costs are in linewith the amount budgeted, and the majorityof respondent companies dedicate one or lessemployee to DLP once the solution is up andrunning.

4 » Deploy DLP in waves to get quick wins.Attempting to deploy DLP across all of yourusers and systems simultaneously can beoverwhelming and potentially disruptive to

your business. Survey respondents recom-mend deploying DLP in stages: Develop a

roadmap that starts with your highest-riskareas rst and get some quick wins under

your belt.“Start out slow with a small number of key

compliance policies enabled rst, and do notattempt to block content from leaving yourcompany until you are sure that the policieshave been tuned to eliminate false positives,”one respondent advises.

“The technol-ogy is great,but it’s theprocessesbuilt aroundit that areessential tosuccess.”— SURVEY RESPONDENT


4/4


Questions to Ask Before You Deploy DLP

To set yourself up for success, CISOs say it’s important to understand what data is condential to your business, how data owners want to respond to incidents and the overall corporate culture.Here are ve questions to ask before you deploy DLP:

n What data do you need to protect? Companies store hundreds of terabytes, even petabytes, of data. Understand what is condentialto your business and prioritize the most critical data rst. Don’t try to boil the ocean—that’s asurere way to kill your DLP project before it even starts.

n What is your corporate culture? It’s critical to understand your organization and tailor your DLP program to t within the corpo-rate culture. You want to be seen as “caring mother” not “big brother.”

n Do you have buy-in from business stakeholders? Data loss is not just a security issue, it’s a business process that touches everyone from HR andlegal to engineering and sales. Getting business-data owners involved early on will help you gain

their support when it comes time to deploy and manage your DLP program.

n How are you going to roll out DLP? CISOs recommend starting “slow and steady.” First, monitor where data is stored and how it’sbeing used. Once you’ve identied broken business processes and high-risk users, then you canstart remediating data loss incidents. Next, turn on automated notications to educate usersabout security policies—this dramatically cuts down repeat offenses. And prevent users fromaccidentally or maliciously leaking information by quarantining, encrypting and blockingoutbound communications.

5 » Prepare for broken business policies.Before deploying DLP, enterprises are advisedto determine how best to deal with bro-ken policies, what methods will be used toprioritize and remediate them and how to

keep those policies current as the businesschanges.

Other DLP best practices mentioned bysurvey respondents include using DLP to edu-cate business units on the risks that exist andgetting buy-in from business units and supportfrom top executives before deploying.

ConclusionIncreased mobility and greater access to dataare removing hurdles for employees to be asproductive as possible and drive the businessforward, but those trends also present a number

of data protection challenges. Whether the goalis to comply with privacy regulations or protectcondential data, understanding how best toprevent data from falling into the wrong hands isa business imperative.

Recognizing the challenges and developing along-term, sustainable data protection strat-egy that has the support of top executives andbusiness units as well as the IT department is thebest way to maximize risk reduction in a mannerthat’s quick and doesn’t tax resources. Choosingthe right DLP solution helps enterprises developand enforce better business practices regardinghow to treat sensitive data as an integral part ofa comprehensive security program. DLP solutionsalso help drive change across the organizationand elevate the CISO’s role to become a strategicpartner to the business.

Under-standinghow bestto preventdata fromfalling intothe wronghands is abusinessimperative.

5 dlp tips from security execs

Documents