InformationWeek Analytics: Data Loss Prevention

Security pros continue the shift from protecting systems to protecting data, and it's about time. Technologies like data loss prevention purport to help. Here's what you need to know about this emerging discipline.

New communication channels make it ridiculously easy for employees to lose corporate data. Security professionals understand this and realize that a paradigm shift is under way, from endpoint and network protection toward safeguarding information itself.

But as we discuss in our InformationWeek Analytics Report, "Risk Intolerant: Defense In Depth And The Rise Of Data Loss Prevention," the trick for IT is keeping multiple constituencies happy. Your knowledge workers want access to their data at any time, on the platform of their choice, using their preferred sets of tools and applications. The CEO wants to ensure your organization won't be the next data loss poster child, without impacting productivity. Auditors want proof that sensitive data is accessed only by authorized users. And the CIO wants some aspirin, because it's shaping up to be another trying budget season. The CFO? Just show her the ROI.

Emerging systems for data loss prevention (DLP) can help meet all these mandates.

Technology To The Rescue

In our report, we discuss challenges early DLP adopters face, informed by our ongoing InformationWeek Data Loss Prevention Rolling Review. We also map out a battle plan, complete with tools, technologies, and best practices that can keep information assets from slipping through your fingers.

Perhaps the biggest roadblock right now is gaining funding. DLP products are expensive, but then, so is a data loss incident. Fortunately for security groups, helping ensure regulatory compliance is something DLP vendors are continually focusing on. And as we learned in our InformationWeek Analytics Executive Security Priorities Survey of 326 business technology professionals, when asked about factors that most influence the direction of corporate information security programs, IT directors and executives alike ranked industry and government compliance at No. 1.

Our take: Aggressive growth industries all have one thing in common--a catalyst. Remember when oil hit $140 in the summer of 2008, or when the price of gas shot past the magic $4-per-gallon barrier? The ensuing outrage sparked a renewed call for conservation and alternative-energy development. In the case of DLP, the catalyst is clearly the outrageously complex and ever-changing regulatory environment in which we all participate. Funding follows regs. And it's not just public companies, healthcare providers, and retailers that need to worry about strict data privacy regulations. Increasingly, the small pizzeria owner in Boston and the city librarian in San Francisco also need to pay attention to state-driven data privacy laws.

More often than not, according to our survey on data loss prevention, the need to facilitate and prove compliance with data privacy or other industry regulations is a catalyst for purchasing an enterprise DLP package, along with risk avoidance. Just 11% of respondents say the penalties associated with noncompliance don't justify the cost of purchasing DLP, while 14% believe they aren't subject to any regulations.

[Chart: Mandates And Regulations Count: What top factors are driving, or would drive, your interest in data loss prevention?]

Once funding is secured, the next challenge enterprises face is matching a broad, and oftentimes vague, set of regulatory requirements to specific DLP features, products, and suites. One pertinent example is the new Massachusetts Data Privacy Law. Known to lawyers as 201 CMR 17.00, this relatively new reg is widely believed to be the most far-reaching state-mandated privacy law in the country.

While the legislation is a victory for consumer-protection advocates, it's an absolute nightmare for IT. Why? The regulations were conceived by legislators who largely have no idea how difficult and costly it is to execute on the myriad vague requirements set forth in the bill--and probably wouldn't care if they did. The enforcement date of CMR 17.00 has been pushed back twice; it's now slated to take effect on Jan. 1, 2010. These delays resulted from push-back from private-sector entities confused about how to approach compliance, and concerned about the cost.

Despite the outcry, we expect more states to adopt similar laws. There's also discussion of a national privacy bill. Legislators are hearing loud and clear from constituents that identity theft and credit card fraud are huge issues that need to be addressed. They're tired of companies that they perceive as playing fast and loose with their personal information.
