The last couple of weeks since getting back to travel has been a complete whirlwind. The inspiration for today’s post has been due to the underlying theme that nobody really has data protection completely figured out yet. As such, I wanted to share some thoughts I have had in conversations with several CISOs over the last few months.
Forcepoint DLP Risk-Adaptive Protection
I'm hearing common questions such as:
- "Do I need to discover my data first to understand it?”
- “Do I need to classify my data first to begin protecting it?”
- “How do I protect all channels, quickly and effectively with the least amount of friction to the business?”
Surprisingly, the answer to these questions is a resounding “no.” When I hear these questions, I usually reply with questions in return, like: “What is the problem we are trying to solve for?” or “What is your expectation or intended result?”
In my experience, there are 3 “typical” drivers of a data protection effort:
- Regulatory requirements
- Potential brand reputation impact
- Unauthorized/inappropriate access or breach “the big bad, B word”
For larger organizations, it may be a combination of all three! Knowing this, I like to understand the business landscape. Depending on the organization, that can lead to other common questions:
- “What systems are in place today to detect it?”
Answers: Email, Web, Endpoint, existing DLP or CASB
- “What corporate policies do we have to drive this program to success?”
Answers: Secure data handling practices, inappropriate/excessive use, user education on privileged access
- “What processes are in place to scale/automate the Data Protection framework?”
Answers: DLP is part of an organic program, not just a standalone tool and it needs to be able to change with the shifts in business requirements and the policies and procedures need to support it
In preparation for your next data security strategy meeting, I recommend keeping the following items in mind:
The need to discover and comb through terabytes, if not petabytes of data is only going to overwhelm you in logs and noise. As an organization, you need to come to terms on what is critical, and needs to be protected first. Let’s face it, nobody knows the organization’s data better than your employees. It may be customer data, source code, employee PII, etc. Scoping potential data types upfront, can be the initial spearhead to make change and figure out “where does it hurt?”
Next, the need to classify or tag your data is not a guarantee to protecting it, but it is going to help your users understand data hygiene better. Most organizations I see that implement classification first, end up reworking or republishing their labels 4 or 5 times before “getting it right”, and use DLP tools to validate it. They are completely complementary solutions for a reason, use DLP to inspect, validate, enforce while using classification to help manage, educate, and simplify the user experience.
Lastly, the need to protect everything at once while being frictionless is a never-ending cat and mouse game. Some organizations for example have a matured USB or printing policy. As a result, they enforce those channels first. There is a smaller percentage in risk and a simple path to block. Many times, this is a path of least resistance for organizations.
But in my view, this approach isn’t the best. I encourage most organizations to focus efforts on email, web, or even cloud application channels as the highest priority. The potential risk associated with those channels is significantly higher and more prone to data leakage or misconfiguration. I understand this is easier said than done, as it is the most difficult area to implement compensating controls or block effectively.
If your data security program is currently a “work in progress,” I would discuss the roadmap to protect those higher-risk channels. if you can get your organization on board with enforcement, training, and education on these threat vectors early on, your program will be that much more effective, and the remaining “easy wins” cascade more smoothly.
Thanks for reading.
If you are having issues struggling through your data protection journey, and need help identifying those areas of sensitive data and the need to protect it, I know of some ways how Forcepoint can help: