"You'll always get feedback from users, but when you have senior executives including the CIO saying this work needs to get done, you're not going to get a lot of kickback," he said. "I'd say the two most important pieces of doing this right are aligning the right team to drive it from the top down and making sure that everyone reads that letter and understands the role they play in helping us protect the data."
DLP's cooperation requirement in the real world
Since getting its system up and running and ensuring that employees knew what was happening more than one year ago, the company has experienced only a dozen or so incidents that forced it to warn individual users or send reports to those workers' department heads, the IT leader said.
Even vendor representatives, such as Palisade chief executive Kurt Shedenhelm, concede that the challenging politics of a DLP project often outweigh the technical issues that come into play when working out all the complex data-handling rules that his company's systems are employed to enforce.
Some companies struggle to achieve the right level of executive buy-in to force business unit leaders to play ball, while others don't go to great enough lengths to ensure that workers have been sufficiently retrained to understand new policies, he said. "This issue of internal politics, of who is responsible for protecting the data, who is responsible for educating the end-user, and who is ultimately responsible for enforcement, that's actually the hard part," Shedenhelm said. "In a lot of companies, I think you might find that it's hard to get the business units, HR, and IT people that need to be involved on the same page, but you can't really do DLP without that."
In some companies, especially large enterprises, multiple DLP projects may only be put under the domain of IT security and compliance teams, making it harder for those groups to keep their efforts in step without overwhelming end-users.
From the issues relating to which business units ultimately maintain responsibility for specific sets of data and who is tasked with enforcing policies, things can get too complex very quickly, he said. "In larger enterprises, where you often have multiple projects looking at DLP from perspectives of intellectual property, compliance, and customer data and information spanning multiple business units, that's where you run into problems," said Shedenhelm. "One of the biggest issues we see is with trouble discerning who is ultimately responsible for handling violations; sadly, in some cases, people clearly don't want to know if violations are occurring on the business side because then they will be forced to respond."
Other experts agreed that the size of an organization often plays directly into its ability to make DLP work with issues of enforcement standing as central disputes.