DLP politics no easy trick

Implementing DLP technology often involves participation from all elements of a company, not just the IT desk, and thus can be thwarted by office politics

No one in the business world wants to be held responsible for a breach of sensitive corporate information, but gaining the level of support necessary to allow DLP (data leakage prevention) technology to work effectively remains tricky, customers and vendors confirm.

Unlike traditional security technologies that have operated largely within the confines of IT departments and network management teams, DLP projects must include participation from almost every corner of the organizational chart to succeed, according to experts who have worked with the tools.

From all the different business units that need access to protected information to human resources departments tasked with following up on potential violations to the highest levels of business management, the issue of data leakage is so pervasive that nearly everyone in a company needs to be involved on some level for critical content to stay under wraps.

For DLP technology to have its intended effect, every employee needs to be continually educated about company policies that must be policed aggressively and attached to real consequences for violators, customers said. Simply throwing products at the problem won't work, they claim, because DLP is as much about building policies as it is about embedding IT controls.

"We have HIPPA considerations to uphold, we don't want to be in the newspaper, and we don't want to be embarrassed in today's world for having exposed data accidentally or otherwise -- but it's not an overnight process," said Charles Hibnick, chief systems security architect at AvMed, a large HMO in Florida. "Even though we've been working with compliance regulations for years, embracing DLP is still a cultural change that demands involvement from a lot of people to work."

As part of its effort to roll out its DLP program around technology provided by Palisade Systems, AvMed was forced to create a corporate steering committee that included everyone from C-level executives to its HR and compliance officials and even its external legal counsel.

If a business is attempting to create a system where employees are expected to follow specific data-handling rules and be held accountable to real penalties when they have violations, all of those parties must be involved, Hibnick contends. "We in IT had to hook up with HR and compliance to make sure that our plans specifically included a review of how the DLP product would be used and ensure that they were buying into the process," he said. "Then the HR director had to communicate with our external counsel to make sure that we were within our appropriate boundaries with everything that we wanted to do and then run it all by the board."

Once the plan had been established and the technology's use was approved, one of AvMed's most visible business vice presidents authored a letter to all of the company's employees informing them of the new policies and how they might be punished for multiple infractions, such as sending out sensitive data repeatedly in unencrypted e-mails.

The letter was received by employees with some level of concern over "big brother"-type monitoring of their work, but making its policies and penalties clear has been key to AvMed's success in keeping its data better protected, Hibnick maintains.

"You'll always get feedback from users, but when you have senior executives including the CIO saying this work needs to get done, you're not going to get a lot of kickback," he said. "I'd say the two most important pieces of doing this right are aligning the right team to drive it from the top down and making sure that everyone reads that letter and understands the role they play in helping us protect the data."

DLP's cooperation requirement in the real world
Since getting its system up and running and ensuring that employees knew what was happening more than one year ago, the company has experienced only a dozen or so incidents that forced it to warn individual users or send reports to those workers' department heads, the IT leader said.

Even vendor representatives, such as Palisade chief executive Kurt Shedenhelm, concede that the challenging politics of a DLP project often outweigh the technical issues that come into play when working out all the complex data-handling rules that his company's systems are employed to enforce.

Some companies struggle to achieve the right level of executive buy-in to force business unit leaders to play ball, while others don't go to great enough lengths to ensure that workers have been sufficiently retrained to understand new policies, he said. "This issue of internal politics, of who is responsible for protecting the data, who is responsible for educating the end-user, and who is ultimately responsible for enforcement, that's actually the hard part," Shedenhelm said. "In a lot of companies, I think you might find that it's hard to get the business units, HR, and IT people that need to be involved on the same page, but you can't really do DLP without that."

In some companies, especially large enterprises, multiple DLP projects may only be put under the domain of IT security and compliance teams, making it harder for those groups to keep their efforts in step without overwhelming end-users.

From the issues relating to which business units ultimately maintain responsibility for specific sets of data and who is tasked with enforcing policies, things can get too complex very quickly, he said. "In larger enterprises, where you often have multiple projects looking at DLP from perspectives of intellectual property, compliance, and customer data and information spanning multiple business units, that's where you run into problems," said Shedenhelm. "One of the biggest issues we see is with trouble discerning who is ultimately responsible for handling violations; sadly, in some cases, people clearly don't want to know if violations are occurring on the business side because then they will be forced to respond."

Other experts agreed that the size of an organization often plays directly into its ability to make DLP work with issues of enforcement standing as central disputes.

A tug-of-war can break out between security teams tasked with enforcing DLP and the business units that want unfettered access to data to help do their jobs, according to some industry players. "That's one of the big problems with DLP in general -- organizations are often quite hesitant in enforcing policies, especially when it comes to any notion of blocking secure content and getting in the way of the business," said Uzi Yair, CEO of DLP vendor GTB Technologies. "Businesses want people to be able do their work and don't want interference, but on the other hand, they know they need to weigh that against any loss, which could cost an organization a lot of money these days," he said. "I think it's always going to be about this trade-off, enforcement versus the fear of slowing down business opportunities, but people need to understand that they all play a certain role."

Copyright © 2008 IDG Communications, Inc.

How to choose a low-code development platform