Gartner Blog Network


DLP: Education and/or Automation?

by Anton Chuvakin  |  January 4, 2013  |  2 Comments

Is DLP an education tool or an automation tool? Huh? Why does it have to be an “or” question? Can it be both? Why so many questions? :)

In any case, during my DLP research I have come across a set of peculiar attitudes about content-aware DLP:

  1. Since DLP is a non-transparent control, behavior change is its primary mission. The tools can block and encrypt, but ultimately MUST change behavior to reduce data risks.
  2. DLP tools can interact with users, but users are incorrigible. Unless we can automate the protection of data, we will fail to reduce the data risks.

Notice something interesting here? There is a philosophical disagreement among DLP users about its primary mission. 

Those in camp #1 will focus on educating the users and using DLP as a “behavioral change amplifier.” They will rely heavily on warning messages, notify/justify prompts and “real-time education” features (“please don’t email SSNs – here is a link to our approved secure data transfer facility”). Of course, they will block the most blatant data violations, but they will use the act of blocking as an educational opportunity as well. These people celebrate when they see fewer attempts by users to send the data, rather than when they see more blocked attempts. Finally, they are well aware of the limits of automation, especially when complex and potentially ambiguous pieces of information need to be protected.

Those in camp #2 will focus on tuning the policies for more reliable automated blocking and low “false positive” rates, and will seek out ways of triggering various automated actions (such as encryption, access right changes, etc.). Of course, they will grudgingly accept that a DLP tool will occasionally become visible to users, but they treat this as a “failure of automation.” They talk a lot about how “users are a security problem” and how “policies are there since we cannot trust the users.” Moreover, they only accept security features that work “despite the user” and “take the decision away from them.” (All quotes fictitious, of course.)
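As an added illustration (not from the post, and not any vendor's product logic), here is a small Python policy sketch that blends the two camps: the regex is tuned to drop values that cannot be real SSNs (camp #2), a blatant bulk export is blocked with an explanation, and an ambiguous low-volume case gets a notify/justify prompt instead of a silent block (camp #1). The threshold, the domain names and the policy URL are assumptions, and the sample messages are constructed.

```python
import re
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    NOTIFY_JUSTIFY = "notify/justify"  # camp #1: prompt, teach, let the user proceed with a reason
    BLOCK_EDUCATE = "block+educate"    # blatant case: block, and use the block itself as the lesson

# SSN in 3-2-4 form with a separator. The lookaheads drop values the SSA never issues
# (area 000/666/9xx, group 00, serial 0000): the camp #2 "tune out false positives" step.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}\b")

BLATANT_THRESHOLD = 5  # assumption: five or more SSNs in one message is an export, not a slip
POLICY_URL = "https://intranet.example/secure-transfer"  # constructed placeholder link

@dataclass
class Decision:
    action: Action
    ssn_count: int
    user_message: str

def evaluate(body: str, recipient_domain: str, internal_domain: str = "example.com") -> Decision:
    """Decide how one outbound message is handled and what the sender is told."""
    count = len(SSN_RE.findall(body))
    if count == 0 or recipient_domain.lower() == internal_domain:
        return Decision(Action.ALLOW, count, "")
    if count >= BLATANT_THRESHOLD:
        return Decision(Action.BLOCK_EDUCATE, count,
                        f"Blocked: {count} SSNs addressed to {recipient_domain}. "
                        f"Bulk personal data must go through {POLICY_URL}.")
    # Low-volume, possibly legitimate: the tool becomes visible on purpose and asks for a reason.
    return Decision(Action.NOTIFY_JUSTIFY, count,
                    f"This message contains an SSN. Please don't email SSNs; use {POLICY_URL}, "
                    "or enter a business justification to send anyway (your reason is logged).")

def scorecard(decisions):
    """Camp #1 wants risky_attempts to fall over time; camp #2 wants blocked to track them."""
    attempts = sum(1 for d in decisions if d.action is not Action.ALLOW)
    blocked = sum(1 for d in decisions if d.action is Action.BLOCK_EDUCATE)
    return {"risky_attempts": attempts, "blocked": blocked}

if __name__ == "__main__":
    # Constructed sample traffic: one slip to a partner, one bulk export, one internal mail.
    samples = [("Bob, the customer's SSN is 123-45-6789, please fix the account.", "partner.example"),
               ("\n".join(f"Employee {i}: 12{i}-45-678{i}" for i in range(5)), "webmail.example"),
               ("Payroll file attached, SSN 123-45-6789 included.", "example.com")]
    results = [evaluate(body, to) for body, to in samples]
    for d in results: print(d.action.value, d.ssn_count, d.user_message)
    print(scorecard(results))
```

The same event stream feeds both scorecards: a camp #1 shop watches `risky_attempts` trend down as users learn, while a camp #2 shop watches how closely `blocked` tracks those attempts.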

So, what do you think? Do you block since you cannot educate, or do you educate since you cannot reliably block? Do you prefer to FORCE the users or to CHANGE them? Or do you simply think that these two must form a balance?

BTW, DLP Magic Quadrant 2012 is out.




Thoughts on DLP: Education and/or Automation?


  1. Ray says:

    D. All of the above.

    We block to protect the company, its customers and employees from harm. If data loss did not have an associated high cost in dollars, lost time, and increased stress, we would focus our efforts elsewhere.

    We block with informative notifications and with links to the policies about why. Some employees may not read them or care but plausible deniability has been reduced. And most employees will read and follow them because they don’t like controls getting in the way of them doing their job efficiently. It wastes their time.

    We block on all violations because policies without technical controls are like locks on a door: they keep the honest people honest. If you’ve been hacked, the criminals aren’t going to care about your policies. No one wants to come in on Monday morning to an alert that 100,000 credit card numbers were successfully uploaded or emailed, one at a time, to another country over the weekend.

    And most importantly, we block because no one screws up on purpose, yet everyone makes mistakes.

    Practicing IT security is like bumper bowling. Our job is to keep people from going in the gutter and to gently nudge them back onto the correct path without consequences. And if they throw their ball into another lane, well, we’ll just let the proprietor handle it. 🙂

  2. Ray, thanks a lot for your insightful comment. I figured that “all of the above + more” is going to be the answer of the enlightened type 🙂

    Also, “block with informative notifications and with links” is the one I hear working great for many organizations.

    It does seem that the blend of “educate+automate” is indeed the winning combo with DLP, and neither of the two alone can ever work.


