Data loss prevention (DLP) strategy and approach is an evergreen topic in the ongoing guidance sessions I have with clients, where I hear: 1) We must have this; we already have it, and we are not happy with what we currently have; 2) We have this, and we don’t want it anymore; or 3) We don’t have this, and we want it (or an auditor told us we need it). People have very strong opinions about DLP.
DLP: The Concept
I still see the scars from firsthand experiences of failed DLP deployments from well over a decade ago. Yet this is not the primary challenge. The issue is DLP itself and what it means to people today. When I hear folks talk about DLP and use the term, DLP means one of the following:
- A reference to DLP technology itself. This holds whether it is a standalone DLP product/solution or DLP capabilities/features within a product or platform.
- Synonymous with data security controls. In this situation, the scope is not limited to DLP technology. There is a world of data-centric security controls such as encryption, rights management, and more that all come into consideration.
- A reference to the desired outcome. The outcome is preventing data loss, which makes this a discussion that spans technology controls, processes, and practices.
- All of the above. When DLP means all of the above, we need to take a step back and examine the big picture. Usually this leads us down a path of discussing the Zero Trust journey, maturity, and architecture. We figure out the current state, identify where data security controls fit in the context of Zero Trust, and then use Forrester’s data security control framework as a guide for key capabilities.
DLP: The Control
This is where it gets fun and infuriating. Security technology vendors also use the term DLP in different ways. You may end up comparing apples with pineapples across different technology offerings. Security leaders get to wade through a changing and growing landscape of technology options because DLP is a:
- Standalone technology product offering. For example, Symantec/Broadcom, Forcepoint, Fortra, Proofpoint, Trellix, and GTB Technologies all offer standalone DLP technologies. Depending on your requirements and where you want to apply DLP capabilities, the lines are increasingly blurring between DLP as a standalone offering and as a feature within a separate data security product or platform.
- Technology capability within another product or platform. For example, Microsoft and Google, as well as providers such as Netskope, Palo Alto Networks, Zscaler, Lookout, Retarus, Mimecast, VIPRE, and many others, include DLP functionality. DLP is like glitter, sprinkled across and embedded everywhere. Some love it, others hate it, and then there are those who tolerate it because it’s there.
- Data-centric security control and alternative approach to DLP all in one. This is when you are looking for DLP as an outcome and assessing a broader range of data controls. These serve as replacements for, or augmentations of, an existing DLP technology deployment. Hot ones I see today: insider threat solutions, secure browsers, and approaches for persistent data controls. In recent months, I’ve also had discussions with clients about rights management, watermarking, and privacy-preserving technology approaches like data masking.
Steps To Move Forward
Different data types, environments, use cases, and organizational factors (such as legacy infrastructure, business stakeholder requirements, and technology consolidation efforts) will dictate the approach and combination of controls. A few questions to ask that start to bring clarity to your approach:
- Why DLP? What does it mean to you?
- What if you did not use the term “DLP”? How else would you describe what you are trying to accomplish or the technology capabilities that you are trying to build? Where do you need these controls, and for what purpose?
What are you doing for DLP today? What questions or considerations are top of mind when determining your path forward? Let me know! I’d love to continue the conversation. Forrester clients: Schedule a guidance session with me on this topic. There’s a lot we can unpack together as we figure out your approach and look across your options. My upcoming report, The State of Data Security, 2023, will also dig into Forrester’s data on how firms prefer to source data security technology capabilities today.