DLP Revisited

I’ve been a little remiss in keeping my blog up-to-date. Apologies to my editors who have been hounding me to get this posted…thanks Bill.

I wanted to give a quick update on the CSO Executive Seminar on Data Loss Prevention that we held in NYC a few weeks back. It was one of the best events we have held in quite some time. The speakers and content were fascinating and "right on point", keeping the audience of security and technology execs engaged throughout the six-hour program.

Our kick-off speaker was Dr. Larry Ponemon of the Ponemon Institute, who took us through some great research with insights on how data loss can happen right under your nose. He discussed the cost of a data breach and its business impact, and took us through some of the Institute's research on lost laptops and airport security. He then previewed the findings from his new research on the mega trends in data security, which include:

  1. Cloud Computing
  2. Virtualization
  3. Mobility
  4. The external threat of organized cyber criminal syndicates
  5. Outsourcing to third parties
  6. Data breaches involving personal information (they're increasing)
  7. Peer to peer file sharing
  8. Web 2.0

It’s always a pleasurable and enlightening experience to hear Larry speak.

We then heard from Victor Lee of Trend Micro and Lucia Johnson of Associated Fuel Pump Systems Corp. who took us through their case study on addressing security and preventing leaks. We also heard from Dan Greenberg of FujiFilm who talked about the risks of lost data backup tapes and how FujiFilm has partnered with LoJack to add surveillance technology to follow your backup tapes between your office and your off-site storage facility. I love this technology and it’s great to see supply chain best practices being applied to this challenge.

I then had the pleasure of moderating a panel of financial industry security execs exploring how they address DLP in the financial marketplace. Alex Abramov of JPMorgan, Joel Tietz of AXA Equitable, and Warren Axelrod, formerly of USTrust, all shared their best practices for addressing data leakage and how they sell the value of data protection to their bosses. We also learned their recommendations for tuning your DLP solution for maximum effectiveness.

Tom Corn of RSA then presented on the subject of information risk management. This was one of the best presentations of the day. Basically, Tom's premise is that there are a lot of ways to manage data loss risk, but that one of DLP's greatest values is the visibility it gives you into what's actually happening in your organization. Tom also shared his best practices:

  1. Don’t boil the ocean – start with your top 1-3 most pressing policies and see what develops
  2. Assess your broken business processes: discover your internal risks and monitor the egress points through which your data may leak
  3. Leverage DLP to educate employees about corporate policies
  4. Automate remediation where possible, using technologies like encryption and DRM
  5. Governance reporting: help management understand the value of your solution and the resulting risk reduction

My experience with DLP has convinced me that one of the most difficult aspects of a successful DLP deployment is tuning the system to appropriately find those vectors of leakage that are most important to your business. So it was perfect that at lunch Rich Pierpont of Symantec hosted a roundtable discussion exploring best practices in data loss prevention.

With all the great content that had been presented to this point, the presentations that followed that afternoon were equally great. Benita Kahn, an attorney with Vorys, Sater, Seymour and Pease LLP, explained the legal ramifications of DLP practices deemed "not reasonable". I always love these legal sessions, probably because security aligns so nicely with legal justifications and because most security spending is driven by regulatory compliance. Her presentation was great as she reviewed the various data privacy laws and the legal liability associated with failure to comply. For many businesses that's what I call the invisible big stick: it's invisible to senior management until it hits them in the head.

We then wrapped up with a presentation on the "Do's and Don'ts of DLP" by Dr. Arthur Lessard, the former VP of Worldwide Security for Technicolor. His presentation was also right "on point", and while I'm sure he didn't intend this to be his primary "take-away", I was struck by how he described that even a powerful technology like DLP can't catch everything. For example, if you are trying to prevent the leakage of SSNs, DLP is great for that, because an SSN has a recognizable structure that content inspection can match. But if, like Technicolor (which sells a variety of digital cinema technologies and services), your primary concern is leaking movie clips from films in production, DLP can't really help with that…yet. That being said, Dr. Lessard's key pieces of advice were:
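To make the two points above concrete (the tuning problem I mentioned earlier, and Dr. Lessard's observation that DLP is strong on structured identifiers like SSNs but blind to unstructured media), here is a small content-inspection check I wrote for this post. It is my own illustration, not code from the seminar or from any vendor's DLP product, and the three outbound payloads it scans are constructed samples. It matches the 3-2-4 digit shape of an SSN, then optionally applies the Social Security Administration's allocation rules (area never 000, 666 or 900-999; group never 00; serial never 0000) to suppress false positives, and it shows that a binary payload such as a video clip yields no findings at all because there is simply nothing for a pattern to match.

```python
import re
from typing import Dict, List

# The 3-2-4 digit shape of a US SSN, bounded so it is not matched inside longer numbers.
SSN_SHAPE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural validation per SSA allocation rules.

    Area numbers 000, 666 and 900-999 are never issued; group 00 and
    serial 0000 are never issued. Rejecting these removes a large share of
    the false positives that a bare regex produces on part numbers and the like.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str, validate: bool = True) -> List[str]:
    """Return every SSN-shaped token in `text`; with validate=True, only plausible ones."""
    hits = []
    for m in SSN_SHAPE.finditer(text):
        if validate and not is_plausible_ssn(*m.groups()):
            continue
        hits.append(m.group(0))
    return hits


def looks_like_text(payload: bytes) -> bool:
    """Cheap heuristic: text payloads decode as UTF-8 and contain no NUL bytes."""
    if b"\x00" in payload:
        return False
    try:
        payload.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def scan_outbound(payloads: Dict[str, bytes], validate: bool = True) -> Dict[str, List[str]]:
    """Scan each outbound payload and report the SSNs found in it.

    Binary payloads (a movie clip, for example) get an empty result: this is
    the gap Dr. Lessard described, since pattern-based inspection has nothing
    to match in unstructured media.
    """
    findings: Dict[str, List[str]] = {}
    for name, payload in payloads.items():
        if not looks_like_text(payload):
            findings[name] = []
            continue
        findings[name] = find_ssns(payload.decode("utf-8"), validate)
    return findings


# Constructed sample outbound payloads (not real people, not real files).
SAMPLE_OUTBOUND: Dict[str, bytes] = {
    # Genuine structured PII that DLP is good at catching.
    "hr_email.txt": b"Please update payroll for J. Doe, SSN 123-45-6789, start date 2008-11-03.",
    # SSN-shaped catalogue references: a bare regex flags both, the validated rule flags neither.
    "parts_order.txt": b"Reorder bracket 000-12-3456 and 999-99-9999 (catalogue refs, not people).",
    # First bytes of an MP4 'ftyp' box followed by arbitrary binary: nothing to pattern-match.
    "trailer_clip.mp4": bytes([0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70]) + bytes(range(256)),
}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"validate={mode}: {scan_outbound(SAMPLE_OUTBOUND, validate=mode)}")
```

Run the file and compare the two result lines: with the allocation rules switched off, the parts order produces two false positives that an analyst would have to triage; with them on, only the HR email is flagged. That is what "tuning" means in practice: choosing validators and thresholds so the alerts you get correspond to the leakage vectors that matter to your business. The video clip comes back empty in both modes, which is exactly the limitation to plan around when your crown jewels are unstructured.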

  1. Create a DLP review team; include business representatives
  2. Start from the premise that there are a limited number of ways to move your data outside of your control
  3. Ensure you think “outside the box”; challenge assumptions about how your data can be accessed (e.g. do you really know all connections/paths into your network?)
  4. Identify methodologies/risks associated with each access
  5. Create gap analysis of needed remediations vs. current protections
  6. Recognize your limitations: prioritize

All in all a great event. If you didn’t have a chance to join us in NYC, we’ll be holding this event again on March 26, 2009 in Chicago.

Copyright © 2008 IDG Communications, Inc.
