It’s been said innumerable times, and is no surprise to anyone reading this article, that we’re living in unprecedented times. The landscape for business and security practices is changing so rapidly, and so dramatically, that formerly firm budgets are being hastily rewritten, long-defined multi-year plans are being revisited and new technologies and use cases are being implemented at an extraordinary rate, all in an effort to adjust to rapid change.
As workers move further away from shared office spaces (perhaps forever) and processes become more cloud-centric, security practitioners across all industry verticals have worked long hours for months to bake security into the wealth of network changes and application implementations that have unfolded at breakneck speed. At this point, many IT and Security teams have hit the crest of the first big wave of change. They are rightfully taking a moment to look to the horizon, catch their breath and consider ways to improve their architectural and process resilience for the next wave of change.
By necessity, a large part of preparing for that next wave must be self-assessments of internal processes and programs that govern security products in the organizational environment and form our understanding of how those security products interrelate and adapt. Most critically, we need to assess whether the security products fulfill the needs for which they were purchased. Without proper self-knowledge of our security practices, we are blind to the risks, challenges, and strengths that should define our strategic direction as we move toward the future.
Unfortunately, security program design can vary greatly across disciplines, and assessing those programs is often treated as somewhat of a dark art reserved for consultants and advisory services outside of the organization. While we all know that these examinations are necessary, few people tasked with completing them feel confident about performing them. What’s more, practical advice for these practitioners is often woefully lacking.
Hopefully, this series of articles will remedy that issue by specifically and practically addressing DLP program maturity assessment processes and procedures, from beginning to end. We aim to arm our fellow security practitioners with the real practical tools and advice from people who know and use them daily. Our hope is that they can use this knowledge to assess this complex and often misunderstood security program.
In this first article, I will discuss the core foundational elements of a DLP program self-assessment. These are the central categorical pillars of maturity that we will define, investigate, measure, and report on throughout this series. Our goal is to develop a unified lexicon for communicating about and measuring success, maturity, processes, and objectives for DLP programs.
As a practice team that has provided DLP program maturity assessments for some of the largest and most complex security organizations in the world, we have tuned and evolved the assessment process for more than a decade. This allows a unique and very practical approach that I hope can provide you with the tools you need to truly embrace the self-assessment of your enterprise’s DLP program.
Critical Elements of Data Loss Prevention Program Maturity
We begin by defining six specific core elements that encompass our strategic and tactical understanding of a DLP program.
CE1 – Program Governance
For the purposes of this assessment framework and the scope of these articles, we define Program Governance as the series of hierarchies, processes, and policies that provide the enterprise with strategic and tactical decision-making guidance on DLP business uses, implementations, and organizational policies. Program governance is the set of formal structures and processes that solidify an organization’s data security policies, leadership strategies, and enterprise business vision.
CE2 – Enterprise Coverage
Enterprise Coverage, for our use here, is the breadth of DLP protections across the enterprise’s network, user, and data spaces. This encompasses all processes and methodologies of understanding and addressing data egress points, be they hardware, traffic-related, process-based, or end-user defined. While the scope and scale of organizations can vary greatly, the principles of understanding this space and providing a data-driven, and provable, method of understanding protection coverage remain universal.
CE3 – Policy Coverage
Policy Coverage describes the depth of DLP detection and protections across the entire scope of data types relevant in an enterprise. This includes not just the processes we use to understand our data protection needs and data types of concern. It also includes the ways we measure, expose, and understand those data types and provide a data-derived map of risk-to-coverage ratios. This becomes the core of our proof that we are providing risk reduction and addressing security needs across all network, process, and user interactions.
CE4 – Incident Remediation
Incident Remediation maturity encompasses the processes, personnel, training and sub-programs that define our organizational response to user, data, and network actions that violate validated DLP protection policies. Incident remediation is often the first place that DLP tooling interfaces with actual end users and can require significant interaction well beyond the security team for proper maturation and improvement. Whether centralized or distributed, many best practices are universal and can aid our understanding of efficiency of work, efficacy of process and measures of success.
CE5 – Security Awareness
Security Awareness efforts across an enterprise are often tightly collaborative with DLP programmatic protection efforts. Security Awareness, as defined for this category, covers end-user employee awareness of security policies and data security considerations, as well as the security organization’s awareness of DLP tooling, its necessity, its value, and the security-related internal uses of DLP metrics and tools. While this topic often lies outside the DLP security team, it bears significant consideration, as Security Awareness and DLP often interrelate in complex and valuable ways that can create measurable reductions in risk and cost.
CE6 – Metrics and Reporting
As with any technology-derived program, Data Loss Prevention programs need to have trackable and reportable success metrics to ensure a data-driven road to provable ROI and demonstrable security improvement. The maturity of DLP reporting practices can deeply alter the organizational attitude toward DLP processes, uses and integration.
The above definitions of the critical elements of Data Loss Prevention program maturity form the basis for the entire structure of our future conversations regarding DLP maturity assessments. We will reference these definitions consistently as we define them in greater nuance and detail.
Watch this space for the next article, which will define the statistical measurement of maturity, the meaning of those measurements, and how we can find comfort in the complexity of assigning hard metrics to seemingly abstract and subtle processes.
In future articles we will define the processes and capabilities that indicate maturity, and how we define success against these categories. We will also delve much more deeply into the real-world nuance and practical applications of these categories as part of our assessment process.
About Enterprise Studio
Enterprise Studio by HCL Technologies helps organizations make the connections between IT and business that optimize time and multiply value for realizing the full potential of their digital business plans. Our seasoned technologists, coaches, and educators can help you unlock value from existing IT investments to become a stronger, more adaptive organization – in part by leveraging a BizOps approach so that IT outputs are strongly linked to business outcomes.
Whether you’re an established Global 500 company or a new disruptive force in your industry, we can help you navigate complexities that come with competing in an inter-connected digital era. We are a global solution provider and Tier 1 global value-added reseller of Broadcom CA Technologies and Symantec enterprise software.
Many of our experts at Enterprise Studio are from the former professional services units of CA Technologies and Symantec. For decades, our teams have supported and led organizations to innovation with powerful enterprise software solutions and cutting-edge methodologies – from business and agile management to security, DevOps, AIOps, and automation.