Last month we featured Gartner research director Brian Reed in a webinar on the 2016 Magic Quadrant for Enterprise Data Loss Prevention. After his presentation Brian answered five questions from the audience on DLP’s role in enterprise security, how to position DLP programs for success, and some common DLP pitfalls to avoid. See what Brian had to say in the interview below.
1. What are the biggest mistakes that you see companies making when it comes to DLP?
Brian Reed: Probably the single most common mistake that I have seen from Gartner clients, particularly in the last 12 months, with deploying data loss prevention is not moving the responsibility outside of IT. Seldom is IT the only or primary resource in your organization that is creating data. The IT security people need to work with the data security or with the data owners themselves, and better understand what proper business rules are for securing data. The IT security folks are really the ones that are responsible for being the gatekeepers and for implementing proper controls on data. But, they have got to take the lead from people that are actually responsible for creating, maintaining and using that data in a business sense. I would really tie back the common mistake being lack of communication between the data owners themselves and the people responsible for implementing data security or data loss prevention.
2. If I am looking to get backing for a DLP initiative, how do you recommend I position it with company leadership?
BR: Some great advice for being able to help explain the value of any data security tool, particularly data loss prevention, to senior management or the board of directors: I wouldn't go in and sell them on the idea of fear, uncertainty and doubt. I think you have to go in and learn to speak in business terms.
One of the key points of success is being able to find that champion for your DLP project. Typically it is going to be a board member or a senior management person that is outside of IT or IT security. So not just simply the CIO or the CISO. But the CIO or the CISO should be working directly with this person whether it is the general counsel, or the chief financial officer or the chief data officer or someone who is on the board of directors that has an oversight or advisory role to the organization. The idea here is that you have got to be able to bridge the gap. Just like the most common mistakes that we see in deploying DLP are not speaking in business terms, the biggest way to help senior management is to bridge the gap between technical people and business people working together to understand what security is, where the risks to my data are, and how I go about securing it with something like a data loss prevention solution.
3. We have so many security concerns to focus on, so where should clients place DLP on their priority list?
BR: This is an interesting question. Again, if you tie back to the three use cases of regulatory compliance, intellectual property protection, and data visibility and monitoring, DLP as a priority for clients comes up in many different ways.
For people that are simply looking to check a box and solve the regulatory compliance problem, dust off their hands and walk away, it can come up at any time. It can come up due to something like a failed audit or missed technology that some auditor may perceive. However, the real times we see DLP are really focused more on the intellectual property protection angle. Organizations have a lot of IP protection needs. They are worried about either data exfiltration purposefully or accidental loss of critical information that is key to their business. The data visibility and monitoring angle as well is huge. In light of all of the recent breaches we have seen in the past few years, DLP is simply another arrow in the quiver of being able to identify and have the potential to see when and where and how content is moving into and out of your organization.
We did a survey for the upcoming Gartner U.S. security summit (taking place in June 2016) and data loss prevention was identified as one of the top five solutions that organizations wanted to hear more about at that conference. I think the reason for that is those three use cases again. Data loss prevention is not meant to be the silver bullet to stop everything, it is meant to be a very useful utility in working together with the three use cases of regulatory compliance, intellectual property protection, and data visibility and monitoring.
4. How is DLP suited for small and mid-market enterprises?
BR: DLP is a technology that is really suited for any size of market. It is not constrained by the number of users. One of the reasons for that is even small organizations have the same data security needs that large organizations do. They may have sensitive data that is intellectual property that is key to the firm. They may have regulatory compliance concerns and requirements. They certainly have data moving around their environment that is unstructured, user-created content.
DLP is a technology that has historically gotten a bad rap, particularly for being something that you can only deploy with a large number of full-time employees and a large amount of resources and dollars. DLP managed services that we mentioned earlier (in the webinar) have really helped to level the playing field, not just in the initial instance of getting DLP up and running and getting it implemented, but having it operational on an ongoing basis. The knock has been that DLP has typically been positioned as an enterprise-only solution, however, there are a lot of smaller examples of compliance.
Again, smaller organizations have the exact same concerns as larger organizations. Financial institutions are a key example. We deal with a lot of hedge funds and venture capital firms. They may only have 100, 200 or 300 employees at the most, however, they are dealing with 9 to 10 figures’ worth of assets in their portfolio. So per-employee value is exactly where somebody who is in a large financial institution is at, as far as the cost per employee and revenue per employee. If you look at the portfolios being managed in the case of hedge funds, VC firms, or small boutique financial services, there are a lot of other examples of small and mid-sized corporations, particularly ones in manufacturing support services, that have critical data that requires data loss prevention. So it is not just a solution that is geared towards enterprise only. It is for people that have data concerns.
5. Do DLP vendors provide feature and functionality parity for the operating environments they support?
BR: This is a good question and something you should certainly consult with vendors on while you are evaluating data loss prevention solutions. In the DLP Magic Quadrant (entitled Magic Quadrant for Enterprise Data Loss Prevention, Brian Reed and Neil Wynne, January 28, 2016), we identified where clients could see some of the shortcomings of some of the other vendors with operating system support. We are seeing a huge rise in Mac OS X, particularly in enterprise environments but also in small and mid-sized organizations, due to the rise of bring your own device and other technologies that are decentralizing the common desktop environment. Also the rise in Linux, not just on the server level but also on the desktop and the client level, is another area where the non-Windows operating system world in organizations is certainly starting to grow. It is something that data loss prevention vendors are going to have to account for. It is something that you are going to want to consult on the different levels of support.
Different DLP vendors have different levels of support for non-Windows operating systems. For instance, some of them support Mac OS X, but may only support it from a device-control-only approach, where it can detect when you plug a USB device into that Mac desktop or laptop. Or, they may only do data-at-rest scanning of certain shares or certain directories on that Mac OS X system, and not do full data-in-use content inspection DLP capabilities. So you really need to consult with each and every vendor that you are evaluating and look at what their functionality is for their endpoint DLP.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Source: Gartner, Inc., Magic Quadrant for Enterprise Data Loss Prevention, Brian Reed and Neil Wynne, January 28, 2016.