SAN FRANCISCO -- Financial firms can't effectively protect critical data until security and business managers "get" that it's about fixing broken business practices rather than bolting on data loss prevention (DLP) products, three of the industry's top security officers said during a panel discussion at RSA Conference 2008 Wednesday.
"The day they put a browser on my desktop was the day I knew we needed data loss prevention. The need for DLP predates DLP tools," said Lincoln Financial Group CISO Pat Lefemine. "Knowing human behavior was such that we knew we had to control it, monitor it and prevent it."
Rather than solve the problem, DLP products help identify those business issues, show business managers what processes are broken and why it's in their interest to get them fixed.
"At the end of the day, this is a business decision, not just a security decision," said Rhonda MacLean, global information security officer at Barclays. "Do we have the facts and data around business issues?"
Tony Spinelli, senior vice president of information security at Equifax says his organization identified several challenges to executing a successful DLP program, an environment with 300 million consumer records and 110 million business records. Addressing the challenges meant doing several things:
- Making sure the company adopted a blocking and prevention system as fast as possible.
- Eliminating false positives and false negatives so legitimate business wasn't impeded.
- Building strong business processes in collaboration with business.
- Learning strong lessons and applying them to make significant change.
- Communicating that there is a policy, a tool to enforce the policy and follow-up procedures. "With all three of those different communications, we found we had a 97% reduction in incidents," he said.
The panelists stressed that piloting DLP technology is critical not just to prove its mettle but to win over business managers by demonstrating that there are indeed problems. Enthusiastic business support is essential to help secure funding and ensure a successful program.
"The way I sold DLP to senior management was I scared the hell out of them," said Lefemine. He said the pilot program found alarming violations and proved the numbers he expected.
"Funding came easily once we proved the pilot. And, I got a lot of credibility for other projects," he said.
MacLean said business managers may be defensive or hostile at first, but producing hard information takes the emotional aspects out of the discussion.
"I'm big on using dashboards. A line of business execs say 'show me where the threat is happening,'" she said. "It's really important to have the technology and tools to focus on facts; then it's a business decision around facts."
There's more to DLP than security and compliance, though reputation risk and regulatory pressure are powerful drivers. CISOs can become business champions by helping management understand how information is being handled, and as a result, reduce inefficiency, cut costs and even open up new opportunities.
"At Barclays, we use DLP to understand business processes," said MacLean. "There are also revenue opportunities we hadn't thought about it because we had bad control over our information. It's a good opportunity for dynamic change."