Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…

Security Thought for Thursday: DLP Should be a Process, not a Product

by Neil MacDonald  |  September 10, 2009

When someone talks about undertaking a “Data Loss Prevention” (DLP) initiative, they are usually talking about deploying a product from one of the DLP vendors such as McAfee, Symantec, EMC/RSA and so on. Much like I talked about in this post on application security, a product cannot solve what is first and foremost a process problem. The same is true of data protection.

Data protection is the process of identifying and understanding where and how sensitive information is created, used, processed, moved, shared, stored and retired and protecting it throughout this lifecycle.

Endpoint DLP is a possible technical control to map against this process. So is endpoint encryption. So is endpoint device control. So are email and web security gateways that support basic DLP functions. Start first with the process, identify and prioritize gaps, then decide where a tool is needed.

Category: Information Security

3 responses so far ↓

  • 1 Security Thought for Thursday: With DLP, Don’t Just Treat the Symptoms, Address the Cause   September 24, 2009 at 8:38 am

    [...] governments) that have banned the use of all USB flash drives as part of a data loss prevention (DLP) strategy. This may indeed be necessary and provides immediate protection of data loss. However, it's a blunt, [...]

  • 2 Mehul Doshi   October 19, 2009 at 10:19 pm

    Neil, While all would agree the process is key to success. However process culture is not an overnight job. Second as organizations change rapidly so the need to have process change rapidly. Rather than waiting for process and looking for product. Why not look at a product which has the flexibility of process workflow and implement the same. We tested all the DLP vendors and found Symantec having such process within the product itself. Whatever be our changing business environment, we find the product would be able to meet the needs either immediately or with minor modification.

  • 3 MIke   December 7, 2009 at 5:07 pm

    I agree that a product cannot solve all problems. Many times proper training would be a better if not equal solution to a proper data protection suite. Still, one complements the other, and I think that one without the other is a mistake.