What is a value-based business case?
A value-based business case demonstrates alignment between business priorities and data protection initiatives. There are two different approaches to identifying value.
Two different approaches to identifying value: Quantify & Qualify
Quantifying the value of information security is important because it allows the performance of DLP software to be measured. Executives care about the success of the company’s investments, so getting them on board with the purchase of a DLP solution requires this quantification. It is important to be aware of the benefits of protecting information assets both now and in the future. Consider the market value of your organization’s trade secrets, formulas, proprietary methodologies, and other IP that keep you in business. Don’t stop at the data that produces revenue today. What IP will help drive market share tomorrow? Quantify how a strong data protection regime would affect business growth over the next 3-5 years. Both of these factors lead to positive business outcomes.
The ability to qualify how security aligns with your business is also imperative to creating a strong business case. A value-based approach highlights how security initiatives support or enable key business imperatives or initiatives, which aids strategic discussions and executive visibility. In order to accomplish this, it is essential to use the right language for the right audience and to tie data security to the right top-line goals and timelines. Attack surface reduction, OS X coverage, and technology integrations work well with the CISO, but chances are your CFO is more interested in CapEx reduction, no additional FTEs, and reduced TCO. Similarly, your security team might talk in terms of only a 3-6 month plan, but line-of-business management plans out a full 12 months, while the corporate office gazes at a 3-5 year picture. The ability to qualify and quantify the value of a DLP program while using the right language and timelines increases your chances of persuading executives to integrate security systems into the organization.
DLP vs. Cyber Insurance Coverage
Some organizations choose to invest in cyber insurance rather than security resources, but the reality is that cyber insurance is a less effective and more expensive alternative to solutions like DLP. Insurance does not cover all forms of losses because intellectual property laws are still in their early stages and lines can be blurred. Having cyber insurance does not reduce the likelihood of an incident, whereas DLP software mitigates risk by blocking harmful actions from the start. If cyber insurance does cover data loss, it can only address the financial impact and will not restore the reputation and integrity of a company. Because insurance only allows for reactive measures, it should not be the only form of protection that a company relies on.