February 04, 2008

DLP politics no easy trick

Implementing DLP technology often involves participation from all elements of a company, not just the IT desk, and thus can be thwarted by office politics.

No one in the business world wants to be held responsible for a breach of sensitive corporate information, but gaining the level of support necessary to allow DLP (data leakage prevention) technology to work effectively remains tricky, customers and vendors confirm.

Unlike traditional security technologies that have operated largely within the confines of IT departments and network management teams, DLP projects must include participation from almost every corner of the organizational chart to succeed, according to experts who have worked with the tools.

From the different business units that need access to protected information, to human resources departments tasked with following up on potential violations, to the highest levels of business management, the issue of data leakage is so pervasive that nearly everyone in a company needs to be involved on some level for critical content to stay under wraps.

For DLP technology to have its intended effect, every employee needs to be continually educated about company policies that must be policed aggressively and attached to real consequences for violators, customers said. Simply throwing products at the problem won't work, they claim, because DLP is as much about building policies as it is about embedding IT controls.

"We have HIPAA considerations to uphold, we don't want to be in the newspaper, and we don't want to be embarrassed in today's world for having exposed data accidentally or otherwise -- but it's not an overnight process," said Charles Hibnick, chief systems security architect at AvMed, a large HMO in Florida. "Even though we've been working with compliance regulations for years, embracing DLP is still a cultural change that demands involvement from a lot of people to work."

As part of its effort to roll out its DLP program around technology provided by Palisade Systems, AvMed was forced to create a corporate steering committee that included everyone from C-level executives to its HR and compliance officials and even its external legal counsel.

If a business is attempting to create a system where employees are expected to follow specific data-handling rules and be held accountable to real penalties when they have violations, all of those parties must be involved, Hibnick contends. "We in IT had to hook up with HR and compliance to make sure that our plans specifically included a review of how the DLP product would be used and ensure that they were buying into the process," he said. "Then the HR director had to communicate with our external counsel to make sure that we were within our appropriate boundaries with everything that we wanted to do and then run it all by the board."

Once the plan had been established and the technology's use was approved, one of AvMed's most visible business vice presidents authored a letter to all of the company's employees informing them of the new policies and how they might be punished for multiple infractions, such as sending out sensitive data repeatedly in unencrypted e-mails.

The letter was received by employees with some level of concern over "big brother"-type monitoring of their work, but making its policies and penalties clear has been key to AvMed's success in keeping its data better protected, Hibnick maintains.

©1994-2009 Infoworld, Inc.