Tackling Data Leak Prevention At Forrester’s Security Forum EMEA 2011
For the second year in a row, I have the honor of hosting our Security Forum EMEA in London, March 17th – 18th. This is Forrester's 5th annual Security Forum in Europe, and each year brings a larger, more influential audience and more exciting Forrester and industry keynotes. The theme of this year's event builds on our fall event in Boston – Building The High-Performance Security Organization. It would have been easy to focus the event on one of the myriad threats and challenges facing security and risk (S&R) professionals today — from the emergence of advanced persistent threats to the security and risk implications of cloud services, social technologies, and consumer devices in the workplace — but the real challenge for S&R professionals is not the specific response to today's threats. It's building the oversight and governance capabilities, repeatable processes, and resilient architectures that deal with today's threats but can also reliably predict, analyze, mitigate, and respond to tomorrow's threats and new business demands. Many of us in security are mired in day-to-day operational responsibilities — or, as some of us like to call it, the Hamster Wheel Of Hell.
Let's take data leak prevention as an example. The term "data leak prevention" (including its multiple spellings, capitalizations, acronyms, and other variants) is one of the top search terms on Forrester's Security & Risk research site. However, when you peel back the layers of the onion and dig a little deeper with clients, what we find is that they are not necessarily struggling with the identification, selection, and implementation of DLP technology (although clients do tell us this is frustrating in and of itself) but with the overall strategy for data security and protection. DLP technology implementations will fail or have minimal effect if they are not part of an overarching strategy. What clients struggle with is working with business and IT leaders to understand their risk tolerance levels, define simple information/data classification levels, classify data appropriately, and build a set of data protection capabilities. That set of capabilities draws on a multitude of technologies, from encryption to enterprise rights management to, yes, DLP (both standalone and embedded DLP functionality). It also includes working with your counterparts in enterprise architecture and IT operations to design an IT environment that compartmentalizes the most sensitive data (think virtual desktop infrastructure). This strategy or approach combines governance, process, and technology. It also requires that S&R professionals collaborate with and influence individuals outside of IT – from business leaders to legal professionals to knowledge management professionals to other IT leaders. Collaborating and building influence outside of security is not something S&R professionals are necessarily good at. If you haven't read it, Jinan Budge has a great blog post on security's aversion to communicating and marketing outside its own organization – The “M” Word: Don’t Be Shy.
At this year's Forum, we have two sessions dedicated to data protection. I'm thrilled to have Gianluca D'Antonio, CISO, Information Security & Risk Management Group, FCC relay his own organization's DLP journey in the track session: How To Successfully Implement A Data Leak Prevention & Containment Strategy – Lessons Learned From FCC’s Two Year Journey. I'll also reprise a presentation on Moving To Information Control: Forrester's Maturity Model For Information Control.
I hope you'll join us at this year's Forum; if not, I hope you'll take a moment to share your own thoughts on DLP at your organization.