But as we discuss in our InformationWeek Analytics Report, "Risk Intolerant: Defense In Depth And The Rise Of Data Loss Prevention," the trick for IT is keeping multiple constituencies happy. Your knowledge workers want access to their data at any time, on the platform of their choice, using their preferred sets of tools and applications. The CEO wants to ensure your organization won't be the next data loss poster child, without impacting productivity. Auditors want proof that sensitive data is accessed only by authorized users. And the CIO wants some aspirin, because it's shaping up to be another trying budget season. The CFO? Just show her the ROI.
Emerging systems for data loss prevention (DLP) can help meet all these mandates.
Technology To The Rescue
In our report, we discuss challenges early DLP adopters face, informed by our ongoing InformationWeek Data Loss Prevention Rolling Review. We also map out a battle plan, complete with tools, technologies, and best practices that can keep information assets from slipping through your fingers.
Perhaps the biggest roadblock right now is gaining funding. DLP products are expensive, but then, so is a data loss incident. Fortunately for security groups, helping ensure regulatory compliance is something DLP vendors are continually focusing on. And as we learned in our InformationWeek Analytics Executive Security Priorities Survey of 326 business technology professionals, when asked about factors that most influence the direction of corporate information security programs, IT directors and executives alike ranked industry and government compliance at No. 1.
Our take: Aggressive growth industries all share one thing in common--a catalyst. Remember when oil hit $140 in the summer of 2008, or when the price of gas shot past the magic $4-per-gallon barrier? The ensuing outrage sparked a renewed call for conservation and alternative-energy development. In the case of DLP, the catalyst is clearly the outrageously complex and ever-changing regulatory environment in which we all participate. Funding follows regs. And it's not just public companies--healthcare providers and retailers that need to worry about strict data privacy regulations. Increasingly, the small pizzeria owner in Boston and the city librarian in San Francisco also need to pay attention to state-driven data privacy laws.
More often than not, according to our survey on data loss prevention, the need to facilitate and prove compliance with data privacy or other industry regulations is a catalyst for purchasing an enterprise DLP package, along with risk avoidance. Just 11% of respondents say the penalties associated with noncompliance don't justify the cost of purchasing DLP, while 14% believe they aren't subject to any regulations.
We want to know where they live.
Once funding is secured, the next challenge enterprises face is matching a broad, and oftentimes vague, set of regulatory requirements to specific DLP features, products, and suites. One pertinent example is the new Massachusetts Data Privacy Law. Known to lawyers as 201 CMR 17.00, this relatively new reg is widely believed to be the most far-reaching state-mandated privacy law in the country.
While the legislation is a victory for consumer-protection advocates, it's an absolute nightmare for IT. Why? The regulations were conceived by legislators who largely have no idea how difficult and costly it is to execute on the myriad vague requirements set forth in the bill--and probably wouldn't care if they did. The enforcement date of CMR 17.00 has been pushed back twice; it's now slated to take effect on Jan. 1, 2010. These delays resulted from push-back from private-sector entities confused about how to approach compliance, and concerned about the cost.
Despite the outcry, we expect more states to adopt similar laws. There's also discussion of a national privacy bill. Legislators are clearly hearing loud and clear from constituents that identity theft and credit card fraud are huge issues that need to be addressed. They're tired of companies that they perceive as playing fast and loose with their personal information.