Security breaches continue to rock the enterprise, leaving organizations scrambling to safeguard their data from unauthorized disclosure. More CISOs are resorting to data loss prevention to manage electronic communication pertaining to their organization and to offset insider threats.
But an effective DLP implementation calls for organization-wide awareness and engagement, while making sure that the program doesn’t impede the business in any way. That’s according to panelists discussing DLP implementation best practices at the recent Argyle CISO Leadership Forum in New York.
“With DLP, where it does have the capability to block or change the way that people are conducting their business, you want to make sure that you have that [business] buy-in first and make sure that you implement it in a way that actually supports the business,” said Matt Hughes, vice president of professional and platform services at InteliSecure.
Hughes sees data loss prevention as a business enabler, and getting company-wide support at the very inception of the program will keep security teams from running into obstructions during DLP implementation, he said.
According to Mohammed Lazhar, head of global security and compliance at Wolters Kluwer and a co-panelist, a DLP partnership with the business and the need to educate employees are both critical. It has become imperative for organizations to share and transfer data both internally and externally, so educating the business, sales, HR and legal departments about the value and importance of that exchange is important, he said.
A DLP implementation can also help businesses set guidelines and apply processes to ensure safe transfer of sensitive data like personally identifiable information, he said.
“[In our organization], we put more on discovery mode and use DLP more as an engagement and awareness tool, and then we are going to apply more controls so we are not appearing as blocking the business, or preventing the business, which then enables the adoption,” Lazhar said.
For co-panelist Nashira Layade, CISO and senior vice president at Realogy Corporation, DLP has never been strictly an infosec or IT tool. She sees it as being more beneficial to compliance and for educational purposes.
During DLP implementation, the first step is to define what the organization is trying to achieve, and the second is to identify the partners it will work with, she said. A DLP program requires organizations to work very closely with the business and legal units to determine how they want to implement it, she stressed.
When it comes to DLP implementation, it is really about putting the accountability on the business leader, she added.
“That’s how I personally work with the business in the DLP space,” Layade said.
Identify ‘crown jewels’ for DLP implementation
The DLP implementation process also involves identifying the data assets that are most critical to the organization's business in terms of revenue and reputation, Hughes said.
Once the crown jewels are identified, a risk assessment and a business process impact assessment are conducted for each of those crown jewels, Layade said when describing the procedures that her organization follows. The risk assessment is designed to figure out the technical parameters that are required to protect the data assets, she explained.
“The business processes impact assessment is more about what are the outfalls of that data from a non-systemic perspective,” she explained. “Oftentimes when we think about data protection, we limit it to the system and not to other areas where things can be printed, where it can be shared and exchanged in other areas, like the cloud.”
Therefore, having some sort of governance mechanism in place that spans across all business units will help organizations prioritize those critical assets. This will also prevent the company from wasting resources trying to protect every single piece of data the organization generates, Hughes said.
“They can prioritize the assets based on revenue impact, reputational impact, public-facing assets, and make sure they’re properly handled. Once you have that understanding, then you can launch the next steps, whether it’s discover, or monitor, or block, or whatever is appropriate for the business.”