What keeps the CISO awake at night?
Part 2 – How can I stop our Data Loss Prevention project from failing?
There is a reason that data loss prevention (DLP) projects are often cited as the most likely to fail of any security transformation initiative: DLP tooling, when not used very carefully, is hugely disruptive. So, if worrying about DLP is keeping you awake at night, read on to find out how to turn a DLP project with a high risk of failure into an effective project which deals with the central business problem of managing data loss.
Asking for failure by making the deployment of DLP an IT project
You may well identify with this client’s DLP case study. A relatively sophisticated firm, with staff for whom new ways of working would be manageable, needed a DLP project. Technology had grown at a separate pace from the needs of the business. People worked long hours and were often travelling. Busy salespeople who wanted to get home to their families were given remote access so that they could work on projects or documentation from home. However, many of these people were often travelling very long distances and were not issued with company laptops they could use on the plane. This led to a practice of ‘sending work home’, whereby salespeople would send documents to their personal email addresses so that they could then work on them through a personal laptop while they travelled.
The extent of this practice became clear when we deployed a tactical email filter, in this case via Mimecast, which flagged certain predefined combinations like ‘PowerPoint to Hotmail’ to a centrally controlled email address. In other words, if staff members sent work home, particularly sensitive commercial documentation, this would be flagged and followed up by the Security team. Initial analysis of the inbox populated by this filter suggested that several thousand sensitive emails per day were being sent to home email addresses.
It is very easy for a Security function to become ‘high and mighty’ about the irresponsible use of personal email addresses. Don’t these people know that this is a violation of our policy? Have they never heard of GDPR? What if their email password has been compromised?
But this siloed approach to managing security improvements is wrong. By seeing them as something that the security function does ‘to’ the business, you are setting yourself up to fail. Business users legitimately ask their IT colleagues, “given that we are not supposed to send work home, wouldn’t it be useful if you provided us with a laptop?”
Supporting success with a business-wide integrated project
The case study above is simply an illustration of the broader principle: security must not be seen as an inhibitor to business activity. On the contrary, doing business in a way that is secure requires integration of secure practices with everyday business activity.
The simplest way to ensure that a DLP deployment is successful, for example, is to frame the exercise as a business project and not an ‘IT security’ project. Security will obviously be involved, as will IT, but, crucially, without champions supporting the effort to make preventing data loss a business objective, the success of any such project is inherently limited.
Here are three ways to improve your chances of success:
- Refer to the project as Managing Data Loss, not ‘Deploying a DLP tool’. This will reinforce the nature of the project as a business project, which is everyone’s responsibility, and not just another widget.
- Ensure that the Accountable Executive is not an IT person. If you have a major data breach, it is likely that the Chief Exec will be the person on TV explaining to customers why their data has been lost. It’s a useful exercise to practice giving that interview before the project kicks off, just to focus minds on success.
- Don’t rush it. Enterprise-grade DLP tooling requires careful allocation of data classification and inventories of prioritised data types before any intervention by the DLP tool is turned on. Further, having a team set up to receive and assess the alerts generated by the tooling is a prerequisite to demonstrating value from the investment. Trying to do this too quickly will inevitably create cynicism among users because of the number of false positives and the noise that most DLP tools generate when they are initially switched on.