Is Technology Enough to Drive a Successful DLP Program?
With today’s headlines about data loss and data regulatory compliance, Data Loss Prevention (DLP) is top-of-mind for an organization’s C-Suite personnel. If you’re not already implementing a DLP program, you should act before a data loss event forces the issue, not after it.
So, where do you start? And how do you build a successful program that beats the Gartner statistic that only one in four DLP initiatives returns business value?
It’s tempting to look for a technology-first solution that automates data classification and protection through policy-driven attributes. Taking this approach, however, runs the risk of DLP becoming an “IT project” that never gets off the ground, or loses momentum because technology alone fails to account for the key drivers of success.
Most DLP programs fail because of one or more of the following:
1. Lack of executive sponsorship
2. No clear accountability or ownership for the data that needs to be protected, and no consensus on what the organization considers sensitive data
3. Lack of employee-focused training and communication
4. No formal plan for ongoing program governance
Overcoming these challenges requires a comprehensive program focused on strategic organizational behavior change to instill a culture of data ownership and protection—one where technology plays a supporting role.
Enable leadership to drive the need and inspire people
The news has shown us that a data loss event can and will impact a company’s reputation, consumer confidence, bottom line and shareholder perception. Unfortunately, many companies don’t establish a DLP program until after they’ve become a victim.
If your C-Suite or board of directors doesn’t already have an interest in a DLP program, use examples from the news to get top-level buy-in and help them understand the financial and stakeholder risks, especially in the context of your company and the industries you serve. The risks vary by company, so walking your C-Suite through relevant scenarios and their potential impact may help build a strong case for a DLP program.
Executive sponsorship can help pave the way and allow you to gain commitments and inspire behavior change throughout the organization.
Establish an accountability structure outside of IT
One of the most challenging parts of developing a DLP program is overcoming the perception that IT owns company data and should therefore be accountable for protecting it. IT should play a strong supporting role, but data ownership belongs in the business or function that produces and works with the data.
Interview company executives to identify what categories of data are the most valuable, or could cause the most harm if lost. Then, ask company leaders to designate the functional/business management leaders who should be accountable for the data; these will become your data owners who should be tasked with driving your DLP program.
Enable data owner success by developing a standard set of guidelines and processes to safeguard the most sensitive data. Provide the data owners with clear DLP goals and objectives, and articulate what support they can expect from a program level.
Change employee behavior through awareness, engagement, and education
Most data loss is caused unknowingly or accidentally by employees, so awareness and education are key. But getting employees to adopt DLP practices won’t happen with a single email communication.
You’ll need to invest in a comprehensive DLP awareness and training campaign that helps employees understand, and care about, their role as custodians of the company’s data.
Partner with your internal communications function, or hire outside support if needed, to develop ongoing, consistent messaging that leverages a range of communications touchpoints. Focus on actionable information and easy-to-understand examples in training and communications to improve adoption of the program. Additionally, consider engaging employees by rewarding “good” security and data protection behavior through visible awards and acts of recognition.
Measuring and planning for success
A DLP program often lives for less than two years before it loses momentum, failing to become ingrained in the culture.
By establishing a single enterprise-wide group to govern your DLP program and set yearly key performance objectives, you can measure program effectiveness and the organization’s cultural change. Ensure data owners know the KPIs and how they will be measured against them. Perform semi-annual or annual reviews with the data owners and identify areas of improvement.
Some KPIs to consider:
• An upward trend in the proportion of files that carry a classification
• Reduction in excessive sharing of sensitive data
• Increased user awareness on data handling procedures
Keep the program fresh and relevant for employees by reinforcing communication and training annually, and remember to integrate training as part of your onboarding process for new hires.
The role of technology in DLP
Technology definitely has a place in a DLP program and can be used as a tool to help users comply with the program and to help monitor for and block against accidental data loss.
Remember that no technology is 100 percent effective or comprehensive, especially as the number of places where your data resides continues to expand. Besides taking months to implement and fine-tune, many DLP technologies are prone to ‘false positives’, since a pattern match on its own says nothing about what the matched data actually is, and each false positive drains resources in investigation and resolution.
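As an added illustration of where false positives come from, here is example code written for this edit, not taken from the article or any DLP product. It runs a pattern-only card-number detector and a validated one over a handful of constructed log lines (the card numbers are the well-known 4111… and 4242… test PANs, which pass the Luhn checksum) and shows how a checksum plus a context keyword cuts the alert count without losing the real hits. The keyword list and confidence grades are assumptions for the demo, not a standard.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines for the demo (not real data). The two card
# numbers are the well-known test PANs 4111... and 4242..., which pass Luhn.
SAMPLE_LINES = [
    "Payment card 4111 1111 1111 1111 exp 12/27 charged",
    "Ticket ref 4111111111111112 opened by agent",
    "Call us at 1234 5678 9012 3456 for support",
    "Shipment tracking 4242424242424242 left the warehouse",
    "Customer SSN on file: 123-45-6789",
    "Invoice total 1999.00 due 2024-06-30",
]

# A run of 13-19 digits, optionally separated by single spaces or hyphens.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumed context words that suggest the digits really are a payment card.
CARD_CONTEXT = re.compile(
    r"\b(card|visa|mastercard|amex|pan|cvv|cvc|exp|expiry)\b", re.I)


def normalize(run: str) -> str:
    """Strip separators so the digits can be validated."""
    return re.sub(r"[ -]", "", run)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) checksum."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def naive_scan(line: str) -> list[str]:
    """Pattern-only detector: every 13-19 digit run is reported as a card."""
    return [normalize(m.group(0)) for m in DIGIT_RUN.finditer(line)]


@dataclass
class Finding:
    digits: str
    confidence: str   # "high" (checksum + context) or "medium" (checksum only)


def refined_scan(line: str) -> list[Finding]:
    """Validated detector: require a Luhn-valid number, then grade by context."""
    findings = []
    for m in DIGIT_RUN.finditer(line):
        digits = normalize(m.group(0))
        if not luhn_valid(digits):
            continue            # ticket ids and phone numbers drop out here
        confidence = "high" if CARD_CONTEXT.search(line) else "medium"
        findings.append(Finding(digits, confidence))
    return findings


def flagged_lines(lines, scanner) -> int:
    """Count how many lines a scanner would raise an alert on."""
    return sum(1 for line in lines if scanner(line))


if __name__ == "__main__":
    print("naive alerts:  ", flagged_lines(SAMPLE_LINES, naive_scan))
    print("refined alerts:", flagged_lines(SAMPLE_LINES, refined_scan))
    for line in SAMPLE_LINES:
        for f in refined_scan(line):
            print(f"  {f.confidence:6} {f.digits}  <- {line}")
```

On the six sample lines the pattern-only scanner alerts on four (the ticket id and the phone number included); the validated scanner alerts on two, and grades the tracking number without any card context as medium so an analyst can triage it last. The trade-off runs the other way too: a validated number that appears without context is still real data, so tightening the rule is a tuning decision rather than a free win, which is the fine-tuning cost the paragraph above refers to.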
Look for technology that helps users classify documents or data as easily as checking a box. Ease of use will increase compliance and, with more documents correctly classified, your tools will be more effective in accurately identifying and preventing data loss.
But until technologies mature to the point where all DLP is automated and self-sustaining (artificial intelligence shows some promise in this space), a program that focuses on instilling a culture of data protection remains a key element of success.