The DLP struggle is real according to Andrew Bales, Associate Principal Analyst with Gartner. So real in fact that in 2020, Gartner fielded 32% more client inquiries on the topic of DLP than in 2019 and led to the recent release of a new research report titled: Getting DLP Right: 4 Elements of a Successful DLP Program.
Like all research from Gartner, this research published in late August 2021 articulates Andrew’s key findings and recommendations followed by in-depth analysis and evidence. His premise is simple and something we all know: Almost every organization has and continues to struggle with effective data loss prevention (DLP), with many even viewing success as unattainable. This conclusion alone is quite disturbing for DLP customers and vendors alike. A near 15-year-old technology market segment should be far past missing the mark and failing to meet promises and expectations.
Likewise, the report’s key findings as to the lack of success of DLP programs seem to place blame squarely on SecOps, IT, and endpoint security teams. While we all can do better in our day-to-day…be more organized, improve our collaboration and communication, and focus on improvement…to suggest, even if not intended, that it is security risk management (SRM) leaders alone that are at fault for the failures of data loss prevention is seemingly unfair and simply not true.
- For example, two of the report’s four key findings are as follows:
DLP strategies developed independently of business initiatives fail to correctly identify sensitive data, exposing organizations to excessive risk of data loss and noncompliance, and yielding inconsistent DLP policies and initiatives.
- Immature DLP programs are systemically inundated with recurrent violations and repeat offenders, which contribute to wasted time and resources.
The full report, including the other two key findings, recommendations, and analysis, is available for download on our website, but for now, let’s focus on these two.
Data loss prevention (DLP) strategies developed independently of business initiatives fail to correctly identify sensitive data, exposing organizations to excessive risk of data loss and noncompliance, and yielding inconsistent DLP policies and initiatives.
Sure, the SRM leaders in charge of a DLP project have responsibilities to identify sensitive data by working with their business stakeholders but let’s be real, how many business stakeholders can answer all the questions an SRM leader would ask in order to hit data classification out of the park? For example, how many business leaders or IT teams can tell an SRM leader exactly where sensitive data resides on their servers and file stores, how that data is being transferred or used, or when sensitive data should be destroyed? C’mon man! Isn’t this what data-centric DLP tools from Symantec, McAfee, or Digital Guardian list as capabilities? And isn’t this what data classification technologies such as Help Systems, Bolden James, and others are supposed to automate?
Immature DLP programs are systemically inundated with recurrent violations and repeat offenders, which contribute to wasted time and resources.
Yes, 100% true. People are very often the cause of data loss. In fact, the 2021 Verizon Data Breach Report found that 85% of breaches involved human interaction. Eighty-five percent! Why then do traditional DLP tools rely nearly 100% on data-centric rules and policies that ignore human behavior? This not only makes it impossible to understand ‘why’ users are violating policies but even harder to design proper education programs that address these behaviors and teach users how to do it better, safer, and in compliance. Building, administering, and modifying rules and policies that focus on the data is like a dog chasing its tail. The ride will never end.
Gartner and Bales’ report identifies key areas of improvement and ways to improve DLP program effectiveness for sure. But let’s not forget that SRM leaders and the programs they put in place can only be as effective as the technology they are built on, and traditional data-centric DLP solutions have failed miserably. So much so that SRM leaders don’t believe DLP is even attainable.
Good news. DLP is attainable when organizations and their vendors take a ‘people-centric’ approach. Understanding human ‘intent’ directly from the endpoint is the most important element of a Zero Trust Behavioral DLP strategy that will work in today’s, and tomorrow’s, virtual economy driven by a distributed workforce no longer dependent on the network perimeter.
Learn more about Behavioral DLP and DTEX InTERCEPT, and make sure to download our latest eBook: Zero Trust Data Loss Prevention for the Distributed Enterprise.