Is DLP an education tool or an automation tool? Huh? Why does it have to be an “or” question? Can it be both? Why so many questions?
In any case, during my DLP research I have come across a set of peculiar attitudes about content-aware DLP:
- Since DLP is a non-transparent control, behavior change is its primary mission. The tools can block and encrypt, but ultimately MUST change behavior to reduce data risks.
- DLP tools can interact with users, but users are incorrigible. Unless we can automate the protection of data, we will fail to reduce the data risks.
Notice something interesting here? There is a philosophical disagreement among DLP users about its primary mission.
Those in camp #1 will focus on educating the users and using DLP as a “behavioral change amplifier.” They will heavily rely on warning messages, notify/justify prompts and “real-time education” features (“please don’t email SSNs – here is a link to our approved secure data transfer facility”). Of course, they will block the most blatant data violations, but will use the act of blocking as an educational opportunity as well. These people would celebrate when they see fewer attempts by users to send the data rather than when they see more blocked attempts. Finally, they are well aware of the limits of automation, especially when complex and potentially ambiguous pieces of information need to be protected.
Those in camp #2 will focus on tuning the policies for more reliable automated blocking and low “false positive” rates, and will seek out ways of triggering various automated actions (such as encryption, access right changes, etc.). Of course, they will grudgingly accept that a DLP tool will occasionally become visible to users, but they would treat this as a “failure of automation.” They talk a lot about how “users are a security problem” and how “policies are there since we cannot trust the users.” Moreover, they only accept security features that work “despite the user” and “take the decision away from them.” (All quotes are fictitious, of course.)
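To make the two camps concrete, here is a small Python policy evaluator added as an illustration; it is not code from the original post or from any DLP product. It runs one content-aware detector (SSNs in outbound mail) and maps the same finding onto each camp's preferred action: the education mode answers with a notify/justify prompt and a link to the approved transfer facility, the automation mode silently encrypts or blocks, and a blended mode blocks but still explains why (the “block with informative notifications and links” approach that comes up in the comments). The policy URL, the bulk threshold and the sample messages are constructed placeholders; the SSN plausibility check is the kind of tuning camp #2 does to drive false positives down, and the summary shows why the two camps read the same log differently.

```python
import re
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    EDUCATE = "educate"    # camp #1: change behaviour, make the control visible
    AUTOMATE = "automate"  # camp #2: protect the data, keep the control invisible
    BLENDED = "blended"    # block, but explain why and link to the policy


class Action(Enum):
    ALLOW = "allow"
    JUSTIFY = "justify"    # hold the message until the user supplies a justification
    ENCRYPT = "encrypt"    # deliver through an encrypting gateway, user never notices
    BLOCK = "block"


@dataclass
class Verdict:
    action: Action
    matches: list
    user_message: str = ""  # empty when the control stays invisible to the user


# Constructed placeholders: a real deployment would point at its own policy page
# and tune the threshold to its own data.
POLICY_URL = "https://intranet.example/policies/secure-transfer"
BULK_THRESHOLD = 10  # at or above this many SSNs every camp treats it as blatant

# Dashed 3-2-4 form only; a real detector would also cover undashed and spaced forms.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject ranges the SSA never issues so ticket numbers and the like do not fire."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list:
    """Return the plausible SSNs found in the text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text) if is_plausible_ssn(*m.groups())]


def evaluate(message_text: str, mode: Mode, recipient_is_external: bool = True) -> Verdict:
    """Decide what the DLP control does with one outbound message under the given mode."""
    matches = find_ssns(message_text)
    n = len(matches)
    if n == 0 or not recipient_is_external:
        return Verdict(Action.ALLOW, matches)

    education = (f"This message contains {n} SSN(s). Please do not email SSNs; "
                 f"use the approved secure transfer facility: {POLICY_URL}")

    if n >= BULK_THRESHOLD:
        # Blatant violation: everyone blocks. Camp #1 turns it into a lesson,
        # camp #2 says only what it must.
        notice = education if mode is not Mode.AUTOMATE else "Message blocked by data protection policy."
        return Verdict(Action.BLOCK, matches, notice)

    if mode is Mode.EDUCATE:
        return Verdict(Action.JUSTIFY, matches,
                       education + " Enter a business justification to send anyway.")
    if mode is Mode.AUTOMATE:
        return Verdict(Action.ENCRYPT, matches)  # silent: the user never sees the control
    return Verdict(Action.BLOCK, matches, education)  # blended


def summarize(verdicts: list) -> dict:
    """Camp #1 wants 'attempts' to fall over time; camp #2 wants 'blocked' to rise."""
    return {
        "attempts": sum(1 for v in verdicts if v.matches),
        "blocked": sum(1 for v in verdicts if v.action is Action.BLOCK),
        "user_facing": sum(1 for v in verdicts if v.user_message),
    }


# Constructed sample messages.
ONE_SSN = "Hi, my SSN is 123-45-6789, can you update my record?"
NO_SSN = "Ticket ref 000-12-3456, build 999-99-9999, test id 666-12-3456"
BULK = "Export attached: " + " ".join(f"{100 + i:03d}-{10 + i:02d}-{1000 + i:04d}" for i in range(12))

if __name__ == "__main__":
    for mode in Mode:
        verdicts = [evaluate(m, mode) for m in (ONE_SSN, NO_SSN, BULK)]
        print(mode.value, [v.action.value for v in verdicts], summarize(verdicts))
```

Running the script prints one line per mode; the point to notice is that the same three messages produce the same number of "attempts" everywhere, while "blocked" and "user_facing" swing with the camp you choose, which is exactly why the two camps argue about which metric proves the program is working.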
So, what do you think? Do you block since you cannot educate or do you educate since you cannot reliably block? Do you prefer to FORCE the users or to CHANGE them? Or do you simply think that these two must form a balance?
BTW, DLP Magic Quadrant 2012 is out.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
2 Comments
D. All of the above.
We block to protect the company, its customers and employees from harm. If data loss did not have an associated high cost in dollars, lost time, and increased stress, we would focus our efforts elsewhere.
We block with informative notifications and with links to the policies about why. Some employees may not read them or care but plausible deniability has been reduced. And most employees will read and follow them because they don’t like controls getting in the way of them doing their job efficiently. It wastes their time.
We block on all violations because policies without technical controls are like locks on a door: they keep the honest people honest. If you’ve been hacked, the criminals aren’t going to care about your policies. No one wants to come in on Monday morning to an alert that 100,000 credit card numbers were successfully uploaded or emailed, one at a time, to another country over the weekend.
And most importantly, we block because no one screws up on purpose, yet everyone makes mistakes.
Practicing IT security is like bumper bowling. Our job is to keep people from going in the gutter and to gently nudge them back on to the correct path without consequences. And if they throw their ball into another lane, well, we’ll just let the proprietor handle it. 🙂
Ray, thanks a lot for your insightful comment. I figured that “all of the above + more” is going to be the answer of the enlightened type 🙂
Also, “block with informative notifications and with links” is the one I hear working great for many organizations.
It does seem that the blend of “educate+automate” is indeed the winning combo with DLP, and neither of the two can ever work on its own.