It so happens that I will focus on Data Loss Prevention (DLP) this quarter, and it will be added to my coverage areas (which are, as a reminder, SIEM, vulnerability management, denial of service defense and, of course, PCI DSS compliance). While I am not exactly a novice in DLP, I need to dig MUCH deeper in order to create GTP-style research on the subject. For now, let me present a few quotes on DLP from other research that really impressed me (all italics below are mine):
- “Do not implement DLP with all implementation and operational responsibilities solely allocated to IT. If the lines of business do not actively support the project — for example, by assisting in the development of processes and committing to resource requirements to meet their responsibilities — then consider ceasing the project.” (http://www.gartner.com/resId=1925115)
- “Most organizations buy significantly more content-aware DLP than they use, resulting in shelfware at significant costs.” (http://www.gartner.com/resId=1433239)
- “DLP is a nontransparent control, which means it is intentionally visible to an end user with a primary value proposition of changing user behavior. This is very different from transparent controls like firewalls and antivirus programs, which are unseen by end users. Nontransparent controls represent a cultural shift for many organizations” (http://www.gartner.com/resId=1421941)
- “Content-aware DLP should not be considered as a method of managing IT-related risk (that is, fundamentally a technology risk), but rather as a comprehensive, organizationwide means of controlling and mitigating information risk (that is, a business risk).” (http://www.gartner.com/resId=1925115)
So, here is my next call to action:
- Vendors with DLP tools, got anything to say about it? Here is a briefing link … you know what to do.
- Enterprises, got a DLP story – either about DLP deployment or operations – to share? Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).
- DLP-focused consultants, got a DLP story (“inspired by” your recent project) to share? I’d love to hear it as well!
And, yes, watch this space for more questions and comments, as I delve deeper into DLP architecture and operational practices.
Somewhat related posts:
Read Complimentary Relevant Research
Five Golden Rules for Creating Effective Security Policy
Policy writing is a risk communication exercise that is frequently performed by people who lack the skills needed to create good security...
View Relevant Webinars
What Matters When Securing IoT?
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.