My organization has led, deployed and managed more DLP technologies longer than anyone else in the world and we are uniquely qualified to share our insights to help guide organizations down the path of protecting their most critical information within their organizations.
So when we recently launched the industry's first survey designed to address key areas inside People Process and Technology for data protection programs, our goal was to help organizations assess their current posture and offer ideas for solutions to identified gaps. The free survey is open to all senior information security and risk professionals, takes just 10-15 minutes and walks you through several questions that score and benchmark your organization's critical data protection best practices and posture against that of your peers.
What's ‘Critical' about the Critical Data Protection benchmark survey is that it's a living survey that over time will amass some of the most important year-to-year benchmark and scoring data for organizations seeking to advance their overall state of critical data protection.
From intellectual property, patents, licenses, customer/patient data, salary and personal employment information, the wealth of critical data within each organization has to be protected.
In the spirit of the survey, I wanted to write an article that addresses the key question: are you really protecting the information that matters most?
In 2017, Gartner indicated that renewed interest in the EU General Data Protection Regulation (GDPR) would drive 65 percent of data loss prevention (DLP) buying decisions through 2018. While DLP is certainly not the only technology that makes up data protection strategies, it is an important one, and the one most specifically focused on data protection so it acts as a good bellwether for the rest of the data protection marketplace.
GDPR and other global regulations related to the protection of personal information, of which there are many, are driving the adoption and utilization of data security technologies as intended. Unfortunately, security programs are still largely being driven in a reactive nature to legislation. There are a few problems with that paradigm. First, the legislative process is rarely described as fast or agile. Generally, today's legislation addresses yesterday's problem. That does not mean the problems the legislation was intended to address do not still exist today, but it does mean that the situation has likely changed significantly.
Second, legislation is public. Therefore, anything prescriptive inside of a piece of legislation is well known to any moderately sophisticated adversary. Therefore, those adversaries will have countermeasures developed for any measure you are mandated to implement. That's why I often tell people security begins where compliance ends.
Compliance is necessary and generally not a bad thing, but true security is about making yourself a hard target and it is graded on a curve. Attackers have finite resources just like defenders do, and they are generally trying to achieve maximum benefit for minimal cost.
As I mentioned in my book about building comprehensive security programs, if you are camping with a friend and a bear attacks you, you don't have to outrun the bear, you just need to outrun your friend. This concept doesn't necessarily apply to organizations protecting critical infrastructure or secrets that affect the security of nations, but it certainly applies to those protecting financial instruments or Personally Identifiable Information.
Finally, regulations aren't enacted by governments to protect companies, they are enacted to protect citizens and national security. Unless your competitive advantage is a significant contributor to your country's Gross Domestic Product (GDP) and all of your competitors are overseas, the regulation isn't designed to protect your business. The information that they mandate you protect probably isn't the most important information to your business, it's likely the most important information to your government and your customers. That doesn't mean you shouldn't comply, you should. You should do your absolute best to comply with the spirit and the letter of every regulation passed to protect information, but it isn't enough.
Compliance generally has easily quantifiable penalties and risks so achieving and maintaining compliance therefore often gets funded as a cost of doing business. That doesn't mean the security program cannot be expanded to include information that is not part of a regulation though. If you were to use compliance for initial funding and budget but then build a governance group or business leadership that could identify the information that is most important to the business, wouldn't you be making better use of the funds you had allocated to your security program?
I encourage you to take the Critical Data Protection benchmark survey and I hope you find it valuable and insightful. Regardless, please ask yourself this question when you reflect on your organization, are you really protecting what matters most to your organization? Is your security program built to defend your business or simply to pass an audit? As the world becomes more connected and grows ever smaller, the answer to that question may have a significant impact on your enterprise value.