Strategies usually get a short discussion window for executive approval, and it is the CISO's job to get complex security messages across to the board in that window. Boards typically understand risk and finance; only rarely is there a technical board member who understands IT. Security is an awkward combination of all three, focused on protecting the most valuable asset a company has: its information.
A CISO connection of mine emailed me recently, saying:
“We’re looking to buy a DLP solution, I’ve been asked to make the final choice, but I have a few concerns that they have taken the ‘silver bullet’ approach, going out and buying a whole load of tooling, spending loads of money to magically fix our issues…
Yes, of course we need a DLP solution, not least for the compliance and data protection elements (which sit outside of CISO), but we don’t appear to be looking at things from that angle.”
A quick check of the security strategy showed that little else was planned. The vendor had extended the DLP product with CASB functionality, an entire business team had been planned around the combined tooling, and yet the data itself was to remain unclassified, unencrypted and, in places, not monitored by either tool. The resulting business case read like a vendor sales pitch rather than a considered solution architecture.
I asked to see the risks the purchase was intended to address, how they planned to address them, and the business requirements that followed. As we unpacked the risks, we built additional requirements around the DLP platform: asset and data discovery, data classification, file encryption, whole-disk encryption (for mobile devices), disabling removable-media ports on desktops, and a whole raft of OS hardening basics.
By the time we had drawn up the full set of requirements, DLP, including its cloud functionality (which not every vendor calls CASB, we noted), was still a core element of a data-centric strategy. I was therefore able to send my friend back to his board with a positive message about their investigations so far, but with more added to the mix. We took the focus off DLP as the tool that fixes everything, which lets DLP shine at what it actually does, and placed it instead on a strategy for preventing data loss (PDL!).
The DLP solution would now properly monitor for structured data leaving the organisation via email, network gateways and desktops (via USB or CD, for example). It even prompts email users to think about what they are sending and to encrypt it if it is sensitive and permitted to leave. These controls can still be breached: content inspection only sees data it can recognise, so data that is encoded, encrypted by the sender, or sent over a channel the tool does not cover is invisible to it. DLP keeps good people honest and supports business process, but for the minority working outside of that process the strategy needed broadening. As a monitoring tool, DLP will tell you when data is leaving the organisation, but it needs to be part of an overarching strategy that acts on that information. Do not confuse DLP technology with a DLP strategy.
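To make the "keeps good people honest" point concrete, here is a small content-inspection rule of the kind a DLP gateway applies to outbound email. It is an added illustration, not code from the original post or from any vendor's product. It looks for structured data (payment card numbers, validated with the Luhn checksum so that arbitrary 16-digit references do not raise alerts), and then runs the same rule over a constructed outbound mail queue. The queue, the recipient addresses and the `inspect_outbound` policy are all assumptions made for the example; the card number is the widely used Visa test PAN, not a real account. The third message shows the limit of the technique: the same number, base64-encoded, passes straight through.

```python
"""
Added example: a minimal DLP content-inspection rule for outbound email.
Sample messages are constructed for illustration and are not real traffic.
"""
import base64
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Widely published Visa test number (Luhn-valid, not a real account).
TEST_PAN = "4111 1111 1111 1111"


def luhn_ok(digits):
    """Return True if a string of digits passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return normalised card numbers in text that pass the Luhn check."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_outbound(message):
    """Apply the rule to one outbound message and return the decision.

    Hypothetical policy for the example: block any message whose body
    carries a Luhn-valid card number, otherwise allow it.
    """
    pans = find_pans(message["body"])
    if pans:
        return {"action": "BLOCK",
                "reason": "%d card number(s) found in body" % len(pans),
                "to": message["to"]}
    return {"action": "ALLOW", "reason": "", "to": message["to"]}


# Constructed outbound mail queue (example data only).
SAMPLE_MESSAGES = [
    # 16 digits that fail Luhn: an invoice reference, not a card. Allowed.
    {"to": "supplier@example.net",
     "body": "Invoice ref 1234567890123456 attached."},
    # Plaintext card number to a personal address. Blocked.
    {"to": "personal@example.org",
     "body": "Card for the booking: " + TEST_PAN},
    # Same card number, base64-encoded. The rule cannot see it. Allowed.
    {"to": "personal@example.org",
     "body": "Details: " + base64.b64encode(TEST_PAN.encode()).decode()},
]


def run_queue(messages=SAMPLE_MESSAGES):
    """Return the decision for each message in the queue, in order."""
    return [inspect_outbound(m)["action"] for m in messages]


if __name__ == "__main__":
    for m, action in zip(SAMPLE_MESSAGES, run_queue()):
        print(action, m["to"], m["body"][:45])
```

The Luhn check is what keeps alerts worth acting on: without it, every order number and phone number of the right length becomes a false positive and the queue of alerts stops being read. The encoded third message is the reason the rest of the strategy (classification, encryption at rest, hardened endpoints, discovery of where the data actually lives) has to exist alongside the tool.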
We emphasised the data-centric nature of the strategy, put some basics in place, and made sure every requirement was tied back to a risk. It is not rocket science, but it is surprising how rarely it is done in practice.
If you know where your data is, what your data is, the possible routes out of the organisation and who has permission to move it, DLP can watch, safe in the knowledge that anything it raises as an alert is worth acting on. How, and how fast, you react to those alerts is a story for another time. As things stand today, the time to detect a breach is typically far longer than the time it takes to steal the data, so a strategy for preventing data loss must include proactive measures in addition to the reactive capabilities of a DLP tool.