Getting data loss prevention right

When a CISO takes the wrong approach to data loss prevention (DLP), it can quickly compound into a triple loss. First, they lose their organization’s money by investing in an ineffective solution that meets required regulations but does little else. Second, they lose considerably more money when their data is breached. Third, they can lose their jobs.

This predictable chain of events is probably not news for my fellow CISOs. Other professionals may be surprised to learn that DLP is often acquired simply to satisfy government requirements. This may be due to the priorities of the people ultimately signing the checks. Board members care about cybersecurity, but they overwhelmingly view regulatory compliance as the number one business risk. This prioritization understandably shifts C-level conversations on DLP from “Does it work?” to “Will it help us achieve regulatory compliance?”

Unfortunately, when a data breach occurs because DLP does not work, companies lose an average of $4.35M. Like clockwork, a significant number of CISOs then leave the compromised organization.

The many downsides of data protection

Before digging into DLP specifics, consider the deceptive marketing behind data loss prevention “as a service.” The name implies that DLP is just one aspect of maintaining a security posture, when in fact, preventing data loss encompasses almost all of cybersecurity. Authentication and identity access management exist to prevent data from being accessed (lost) to unauthorized users. Encryption exists to prevent data from being accessed (lost) by anyone beyond the intended audience. When DDoS attacks occur, data is lost to those who are seeking reliable access, and so on.

What DLP solutions address is a narrow range of cybersecurity problems. Traditionally, they focus on protecting data at rest, in use and in motion. By focusing on these three functions, DLP has established itself as a go-to solution for protecting sensitive data. Unfortunately, the effectiveness of DLP solutions is often secondary to their performative role of demonstrating businesses have something in place to address privacy concerns.

Why do DLP solutions perform so poorly?

DLP, like any tool, must be wielded by skilled professionals. Governing all the data in an enterprise is no small task. Deployment of DLP solutions is often arduous and operating them can be taxing. An organization must ensure they have the right people, with the right experience, and enough of them to implement DLP properly. Platforms and tools vary widely, so simply having staff familiar with DLP may not be enough. Organizations need professionals whose prior DLP experience aligns with the use cases they are currently trying to address.

DLP is not a plug-and-play solution. There is considerable prep work that must take place before anything is deployed. Reliable processes must exist for identifying data, performing continuous inspections, and verifying results. There must be a clear framework that identifies how data is classified, what gets blocked, and who is responsible for ultimately setting policies.

Historically, many DLPs have relied on data access pattern recognition (REGEX), which offers mediocre insights into how data is used. In other words, even with the right people at the helm, the tools may be lackluster. DLP’s middling capabilities, often wielded by untrained IT departments, have given it a reputation for over-promising and under-delivering. Without a strong ability to apply context to data, many DLPs are glorified string-matching tools that overwhelm analysts with false positives.

I have worked with DLP solutions that have sent dozens of alerts a day, none of them valid. Tinkering with heuristics and changing settings to fine-tune alert triggers did nothing to solve the issue. These false positives inevitably result in organizations wasting resources pursuing dead-end leads, and actual data violations getting lost in the noise or ignored entirely.

DLPs might solve this problem by adopting contextual awareness capabilities like those used by up-and-coming email providers. These innovative companies consider current and previous behaviors when making decisions related to email delivery. They look at relationships between the communicants, expected types of valid emails (e.g., invoices), and user account roles before making delivery decisions. The same contextual consideration applied to data could help DLP solutions achieve stronger results.

Lastly, the business environment is a place of dynamic evolution. I previously mentioned the importance of having the right people and processes when deploying DLP. Likewise, these same experts must help the DLP solution adapt as the business environment shifts to new technologies and procedures. Otherwise, the initial setup effort becomes a sunk cost when the organization grows in ways the DLP does not address.

Can DLP be done right?

Much of DLP’s shortcomings are attributable to untrained staff or poor implementations. Some DLPs are built upon frameworks with functional limitations that may negatively impact their effectiveness. However, the right people armed with robust tools that consider broad context, easily accommodate change, and vastly limit false positives can achieve great things. Certain technologies, such as reading encrypted traffic and ensuring it only flows to authorized parties, is also key.

Organizations are faced with two simple choices when it comes to deciding on DLP. Will they make the considerable investment needed to comply with regulations like the EU’s GDPR and the payment card industry’s PCI-DSS? Or do they simply want to tell government bodies that they “Had something that met regulations in place” after a data breach? Both choices are costly, but I like to believe the right choice is obvious.