
Measuring Success: Data Loss Protection (DLP) Program Maturity - Part Two
Aaron Smith Information Protection Practice Lead; Director, Symantec Global Consulting | November 30, 2020

In our previous installment on Data Loss Prevention (DLP) maturity, we established a conversational base by defining the critical elements of DLP program maturity; we also built the groundwork for the larger and more complex conversation regarding program maturity of data protection tooling. Since the first article lays the groundwork for all my posts on this topic, I hope you will read it if you haven’t already.

Now that we’ve established the groundwork, it’s time to tackle the first major challenge of assessing data protection maturity—defining the maturity measurement tool.

While it may seem painfully abstract, putting real-world parameters around the numerical system for measuring maturity is always one of the first tasks for any process maturity assessment, and with good reason.

Process maturity is, by its nature, a structurally challenging and logically abstract concept that can be deeply context-dependent, and this example of data protection program maturity is no different. In fact, its abstract nature can be amplified by organizational definitions of purpose, tool functions, and practitioner perspectives.

Without first clearly defining the metrics measurement tool, measuring maturity can devolve into merely capturing an arbitrary number that represents an organization’s “feeling” about its process maturity rather than providing a defendable (and if need be, debatable) metric that has a firm and clear definition.

Program maturity is an inherently subjective topic. Adding obfuscation by introducing unclear definitions can easily damage an assessment’s value and accuracy, turning hard-fought effort into an easily disputed point of contention rather than the valuable and concrete tool for strategic decision making and operational planning that it ought to be.

With that in mind, we have good groundwork from which to begin. The concept of measuring process maturity has been around for some time and has been carefully developed, especially in the last two decades. Experience has shown us that we often need to meticulously adapt and customize measurement ideas and tools and simplify communication of their core concepts so that they can be of real direct value. For our purposes here—measuring Data Loss Prevention (DLP) programs—we will tune a common process measurement base to our needs.

It bears mentioning that this is the design and format that HCL’s Enterprise Studio Information Protection Practice uses to measure DLP program maturity, and it is specifically adapted for our needs. It is meant to be used across multiple industry verticals and organizational designs, and to deliver the greatest flexibility while not sacrificing simplicity of communication. Your enterprise may need to tweak, tune and add to it with unique organizational definitions and/or concepts or adapt it to specific uses.

So now, let’s define our maturity level metrics.

We use CMMI (Capability Maturity Model Integration), which was developed by Carnegie Mellon University and is registered with the US Patent and Trademark Office. One of the most enduring and successful process maturity standards, CMMI is a jumping-off point for establishing a model unique to data protection tooling in general and DLP specifically. We have found CMMI to be too abstract for audiences who do not have process maturity improvement training, so we have altered the design to our needs, as represented here.

The core concept is simple. We measure each of the six critical elements of DLP program maturity and provide them with a rating from 1 to 5, with 1 being the least mature and 5 the most mature, but those ratings leave a lot of room for confusion and disagreement. To have truly meaningful metrics parameters, we need more specific definitions at each maturity level.

So, below we name, define, and provide examples of each maturity level:

Maturity Rating 1: Initial Effort. This lowest maturity level for each critical element represents the initial period of rapid dynamic change typical of implementations. At this level, organizations are still defining stakeholders for each critical element, gathering needs and initial capabilities, and beginning to generate (if not use) metrics data for reporting.

At this level, documentation is either non-existent or in a state of flux as it is being developed. In the specific context of Data Loss Prevention (DLP), the earliest policies are being implemented, and the DLP infrastructure may change as the technology begins to prove itself through early operational use.

At this stage, it is typical for organizations to be at a “monitor only” level of policy enforcement, as policies have yet to be tuned to a level that’s safe for active protection mechanisms to be implemented without damaging business processes and workflows.

Maturity Rating 2: Stable Process. At this stage, processes have gone through initial testing and organizational implementation and have become repeatable. While the processes may not have been tightly tuned or prepared for stress or change adaptability, they produce consistent results in line with expectations. At least an early iteration of process documentation has been completed, and the process can be re-created by others via that documentation.

At this stage, policies often begin having defined measurements for success, and DLP metrics reporting is often making its way to leadership. Expanding the architecture or implementing new channels of detection is a repeatable process, and new policy or exception creation has a defined workflow.

Many organizations become stuck at this stage, especially if they lack strategic direction or defined organizational drivers and needs.

Maturity Rating 3: Structured Progress. This level tends to separate actively maturing DLP programs from those that have hit an organizational roadblock, because it is defined by improvement mechanisms built into the process design: a defined structure that deliberately subjects the process to improvement pressures. It is important to note that at this level, while the process is designed for self-improvement, it is still essentially reactive to input.

In our specific context, Data Loss Prevention policies and exceptions receive a formal and defined periodic review that is robust enough to ensure that necessary changes are implemented in a defined manner. This stage is also typified by:

  • Strategic guidance that adapts to DLP metrics reporting with improved strategic direction and guidance
  • Incident remediation that has a defined process for feeding issues unearthed by the tooling back into the organization
  • A method for measuring the percentage of data flow and process flow that is truly protected by the DLP tools

Maturity Rating 4: Adaptive Refinement. The penultimate maturity level reflects a state of adaptability and persistent refinement. The process is not just repeatable and subject to pressures that improve it but has been tuned and tested across other objectives and can expand and contract naturally across the organization as needed.

That may sound a bit abstract, so picture a deeply documented and refined process that can be easily replicated and immediately add value to another organizational unit, such as a recent acquisition or a new business unit. DLP objectives and measurements are well understood and can be expanded to cover new channels of detection such as new cloud applications or nascent SASE (secure access service edge) strategic change efforts without strain to the organization or its processes. New reporting channels can be easily adapted and, very tellingly, DLP visibility and controls usually feed other organizational security efforts or internal metrics analyses.

Maturity Rating 5: Proactive Evolution. The highest level is defined by proactive innovation with the goal of process improvement. At this level, the process is optimized and efficient and is designed to seek new value to add to its environment.

Some organizations push for this maturity level before the program can actually benefit from its value, leading to stymied efforts and a frustrating separation between effort and added value that can do serious harm to a program’s perceived value. When pushing for this level, it’s important to be certain you have fully achieved Maturity Rating 4.

Programs that have achieved Maturity Rating 5 have strategic guidance that includes time and effort for testing new architectural paradigms and preparing for future adaptation to new strategies such as Zero Trust. It includes remediators trained for evolving data protection threats and analytical capabilities that make corollary pattern recognition a part of new threat discovery. It also includes other organizational units sharing metrics data with the DLP team, which proactively adds data security value to new organizational efforts.

This level requires technical and process expertise, fruitful relationships across enterprise elements and rich strategic guidance.

In my next article, I will discuss how to find indicators via careful examination and best practice analysis that will help you identify and understand maturity levels for each element.

In the meantime, I highly recommend that you and your team review the above maturity levels and how they might need to change to meet your organizational needs. While the levels here are used by many industries on a global basis, you will reap their greatest value by adapting them to your enterprise, your strategic needs, and your evolving challenges.

About Enterprise Studio

Enterprise Studio by HCL Technologies helps organizations make the connections between IT and business that optimize time and multiply value for realizing the full potential of their digital business plans. Our seasoned technologists, coaches, and educators can help you unlock value from existing IT investments to become a stronger, more adaptive organization – in part by leveraging a BizOps approach so that IT outputs are strongly linked to business outcomes.

Whether you’re an established Global 500 company or a new disruptive force in your industry, we can help you navigate the complexities that come with competing in an interconnected digital era. We are a global solution provider and Tier 1 global value-added reseller of Broadcom CA Technologies and Symantec enterprise software.

Many of our experts at Enterprise Studio are from the former professional services units of CA Technologies and Symantec. For decades, our teams have supported and led organizations to innovation with powerful enterprise software solutions and cutting-edge methodologies – from business and agile management to security, DevOps, AIOps, and automation.