Data Loss Prevention Challenge – No. 4 – DLP doesn’t stop at the Tooling Implementation

It’s been interesting when I speak with clients who are looking for help in implementing their Security and DLP Projects, they still to this day surprise me with their view that this is an IT project and we should not need to speak to the business (for some projects that may be true, but when I get the same response for DLP Projects, it does surprise me. Why is the case?

Those organisations who have been through the full cycle of a Data Loss Prevention Project, can fully appreciate the need for Business involvement. In fact in many cases I have to inform the IT sponsor that this is more a Business Project than an IT Project as it’s the Business who needs to define their DLP Policies, it is after all only them who will know their data and can easily identify what data is sensitive and which is not (they will also be able to define the format of the Sensitive Data within the files.

Key to the success of a DLP Project is the Business’ engagement, their ability to classify their data and define the policy on the handling of the files. In many cases there will be a need to hand hold the team through the process.

Key to these activities is training all staff on what is covered under DLP and how the staff can manage their files within a DLP environment. This may include the inclusion of Sensitivity buttons to their normal applications, this will need to be co-ordinated with training schedules. Once the Business has defined their DLP Policy requirements this can be quickly set up, tested and implemented within the DLP tooling by the IT Team.