It so happens that I will focus on Data Loss Prevention (DLP) this quarter, and it will be added to my coverage areas (which are, as a reminder, SIEM, vulnerability management, denial of service defense and, of course, PCI DSS compliance). While I am not exactly a novice in DLP, I need to dig MUCH deeper in order to create GTP-style research on the subject. For now, let me present a few quotes on DLP from other research that really impressed me (all italics below are mine):
- “Do not implement DLP with all implementation and operational responsibilities solely allocated to IT. If the lines of business do not actively support the project — for example, by assisting in the development of processes and committing to resource requirements to meet their responsibilities — then consider ceasing the project.” (http://www.gartner.com/resId=1925115)
- “Most organizations buy significantly more content-aware DLP than they use, resulting in shelfware at significant costs.” (http://www.gartner.com/resId=1433239)
- “DLP is a nontransparent control, which means it is intentionally visible to an end user with a primary value proposition of changing user behavior. This is very different from transparent controls like firewalls and antivirus programs, which are unseen by end users. Nontransparent controls represent a cultural shift for many organizations” (http://www.gartner.com/resId=1421941)
- “Content-aware DLP should not be considered as a method of managing IT-related risk (that is, fundamentally a technology risk), but rather as a comprehensive, organizationwide means of controlling and mitigating information risk (that is, a business risk).” (http://www.gartner.com/resId=1925115)
So, here is my next call to action:
- Vendors with DLP tools, got anything to say about it? Here is a briefing link … you know what to do.
- Enterprises, got a DLP story – either about DLP deployment or operations – to share? Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).
- DLP-focused consultants, got a DLP story (“inspired by” your recent project) to share? I’d love to hear it as well!
And, yes, watch this space for more questions and comments, as I delve deeper into DLP architecture and operational practices.
Somewhat related posts: