The Definitive Guide to Data Loss Prevention

Hybrid Work Edition

Top Two Reasons to Consider a DLP Solution


Approach Compliance with Confidence 

Organizations are handling more sensitive data than they ever have before, and as a result, data privacy is taking center stage. Gartner predicted that by the end of 2024, 75% of the world’s population would have their personal data covered under modern privacy regulations. And according to IBM’s 2022 Cost of a Data Breach Report, compliance failures were one of three factors associated with the highest net increase in the average cost of a breach. 

With pressure mounting to comply with these regulations, it’s important that organizations find and implement a modern DLP solution that will provide immediate value and can adapt to changing regulations. And if your organization spans multiple countries, a modern DLP solution can help employees handle data properly in an uneven regulatory landscape. 

Begin to Combat Costly Data Breaches 

If your organization is looking to mature its data protection journey, implementing a DLP solution (or replacing one you’ve outgrown) is a wise step. Modern solutions do not depend on a policy-driven approach to get started. Rather, context-aware DLP enables you to automatically collect information on data usage and movement in and out of the extended enterprise, giving your organization valuable insight and visibility over its data and preventing costly breaches.

Today’s SaaS DLP solutions can also be turned on quickly, are modular, and allow for iterative deployment as part of a continuously evolving, ongoing data protection program that integrates other data protection solutions.

Key Steps Before You Talk to Any DLP Vendors

Process First, Technology Second

Getting your process in order first helps you focus on what matters most – what you and your business need—not what a vendor has to offer.

  • Due to the pandemic, 33% of buyers spent more time researching products before making a purchase this year.
  • 49% of buyers spent time doing extra research because of data security concerns.
  • Almost 9 out of 10 buyers want to self-serve part or all of their buying journey.
  • 30% of organizations deploy more than 50 cybersecurity-related tools on their networks, and nearly a quarter of those organizations deploy more than 100 tools.

"Mature security teams are investing heavily in a couple key categories. So as an organization, I would ask, “Where am I not investing, and why?” Understand your points of weakness and your risk in those areas, and get a strategic plan around trying to solve those gaps."

Cary Hudgins, Director of Product Management, Fortra’s PhishLabs 

CISO Perspectives: Data Security Survey 2022

  • Deploying more solutions does not always lead to greater cyber resiliency, however, as 37% of organizations believe they have too many security solutions in place.
  • Meanwhile, 33% of organizations believe they don’t have enough security solutions in place, while only 30% believe they have the right number of solutions to achieve cyber resiliency.
  • Rather than fixating on the number of security solutions your organization deploys, focus your organization's efforts on the decision-making process instead.

Source: IBM Cyber Resilient Organization Study 2021

What to Do Before You Contact Any Vendors

The list of things to do before contacting a vendor can seem daunting, but it will prove beneficial and prevent the “changing the tire while driving” scenario that leads nowhere good.

  1. Define the problem you are trying to solve and the criteria you intend to use to judge the solution
  2. Establish what matters to the various stakeholders – what the CISO cares about and what the VP of Sales cares about may be very different, but you need a common language to evaluate
  3. Create a scoring system on functionality that allows people to adjust weightings
  4. Set milestones for the internal process and the external process
  5. Create a cross-functional project team
  6. Seek guidance from peers. Look to similar and dissimilar roles/industries
  7. Look to online reviews
  8. Seek industry analyst guidance, many of whom are regularly briefed by vendors
  9. Make a short list of vendors you’re interested in
  10. Develop an RFP (Request for Proposal) document

How to Improve Your DLP RFP Process


Structure Your RFP for Success


Project Planning 

 

  1. Requirements scope - Start by examining the features of the existing software that are actually used and rewriting them into requirements. Look to the broad base of people within the business to ensure you get the full picture; from the admins to the end users, each has a role to play in defining the scope. It is easy to be distracted by something new and exciting in a potential replacement platform, so reverse engineering requirements from the existing features is critical to ensuring you don't regress in functionality and ignore what you use today.
  2. Alignment with business strategy – How does your business operate today? What are the things that make it unique? Are you a highly seasonal retail business where even a few minutes of downtime during the holiday shopping crunch can mean millions? Align the project with the business goals, calendar, and future plans. Are there any major shifts planned? Be aligned with the leadership team and use a new security solution as a growth accelerator!
  3. Budget – You never have enough time or money, but knowing how much you have sets the guardrails on the project. Don't evaluate a $100M solution when you have a $100K budget. It wastes your time and creates unrealistic expectations. Understand how that money can be spent, too. Opex vs. Capex can drastically change budgeting.
  4. Timeline – What compelling event, if any, is driving the evaluation, and how can you respond as quickly as needed to address it? If you’ve been breached, the timeline may be accelerated; if a business peer has been breached, there may be even higher urgency. Transparency throughout the business will avoid nasty surprises. Timelines should be set up front, but be realistic about them and allow for slippage when the inevitable happens.
  5. Stakeholders and review panel - Who is going to be part of the evaluation process and the decision process? More input is good, to a point. You need technical and non-technical people involved. Each party should know what their level of involvement is and how the final decision will be made. The RACI model can help organize the roles and maintain order. Get them on board and involved early.
  6. Scoring criteria and review process – How will the points be assigned, and how will the weighting work? Who wants what, and how important is that to them? Does anyone have override authority? Who breaks the tie if it happens? How will you document the procedure so that when the time comes, everyone understands what to do and sticks to a consistent process? A blend of quantitative/yes/no and qualitative questions allows for objective and subjective data and will give you a more complete picture of capabilities.

 

Drafting the RFP

Set the stage for the RFP with the details that you and the team have already agreed upon, but that the potential vendors have no insights into, yet. The more thorough you are here, the better-tailored the responses will be. You’ll also eliminate vendors that can’t compete. 

  • Who is the lead, and who else is involved
  • Why is this happening and why now?
  • What’s important for the vendors to know?
  • How do you box in the project? 

The nuts and bolts of an RFP, such as schedule, T's & C's, and other requirements, are a great filter. The last thing you want is to invest time with a vendor, award them the business, and have them tell you that their delivery timelines are well outside your window. After taking all of this into consideration, when it comes time to draft your RFP, it should include all of the following (roughly in this order):

  1. Introduction
  2. Statement of purpose
  3. Background information
  4. Scope of Work
  5. Project Schedule
  6. Contract Terms and Conditions
  7. RFP Timeline and Review Process
  8. Requirements for Proposal

 

Issuing the RFP

After the RFP is drafted, issuing it should look something like this five-step process:

  1. Creating the Shortlist of Vendors
  2. Distribution to Networks
  3. Take 60 Seconds for Yourself
  4. Coordinate Responses and Answer Questions
  5. Receive Submissions

Getting a proper response means delivering the RFP to the right selection of vendors. You need to make the list manageable, but comprehensive enough to get a feel for the breadth of capabilities. Be sure to give a reasonable and equitable time to respond. Once it’s out there, you can take a breath for a minute before the questions come back from the vendors and the responses come in.

 

Don't Get Stuck in Analysis Paralysis

The reason you invested time up front in the RFP process was to have a plan ready to go when the responses came in. Now you can execute (and refine if needed) on that plan. Even if you need to make modifications, you have something to start with and can feel safe in the knowledge that the other stakeholders willingly provided input and bought into it early in the process.


 

Reviewing Proposals & Award Contracts

  1. RFPs Scored
  2. Finalists Selected
  3. Interviews & Reference Checks
  4. Best and Final Offers Submitted
  5. Contracts Awarded
  6. Final Legal Clarifications Complete
  7. Other Bidders Notified

Refer to the scoring matrix you created early on and begin the process of scoring and ranking each of the vendors based on their submitted answers. How do the vendors rank relative to what’s most important to your business needs? If you want to eliminate some bias, you can have a neutral party in your business receive and anonymize the responses. Any questions back to the vendors should be aggregated and then submitted together. 

Once you’re happy with the scoring, you rank them and select the finalist(s). Depending on the scope of the project, reference checks, interviews, price negotiations, etc, encompass the final stage before awarding the winner. The vendor’s provided references are good, but use your own network to find unofficial references to boost comfort level.

Once you and the selection committee are satisfied with all the responses and have decided on the winner, you get to make one of the teams happy. Depending on the breadth of the contract, some final legal work may be needed, but given the time invested thus far, both sides should be eager to come to an agreement on any issues and get down to business. 

Alas, as with any competitive situation, other vendors won't win the bid. Common courtesy suggests you notify them all in a timely manner. Some may request a feedback call with you to inquire about areas where they fell short. The decision about that rests with the team, though it does help the vendor learn what gaps they have and if they can even address them.

Integrated vs. Enterprise DLP

When a vendor embeds a feature or functionality to address a specific channel of data loss, this is referred to as Integrated DLP. For example, many secure email gateway providers now add functionality that protects against leaks of data via email. Enterprise DLP, on the other hand, is a dedicated, unified platform that protects against data loss across all channels and offers more robust data detection and control capabilities. 

There are advantages and disadvantages to both Integrated and Enterprise DLP. The right choice depends on the nature of your company’s data and risk tolerance.

Integrated DLP

Upsides

  • Allows you to leverage your existing security investments
  • Gives you high-fidelity alerts for a specific channel, such as email, and can be effective for whichever channel your organization selects

Downsides

  • Compared to Enterprise DLP, it has less sophisticated capabilities to detect sensitive data
  • Usually siloed by channel, with no integration and no consistent policy across integrated products
  • Harder to coordinate for incident investigation and response because you need a console for each integrated product. This can lead to coverage gaps as your DLP will only cover specific egress vectors

When It Makes the Most Sense

  • If your existing security tools have DLP for specific channels built in, then integrated DLP can be a cost and resource-effective interim solution for companies that aren’t in heavily regulated industries, don’t have lots of valuable IP to protect, and/or have a higher risk tolerance.

Enterprise DLP

Upsides

  • Much greater depth and breadth of sensitive data detection methodologies, which translates into meaningful increases in DLP effectiveness
  • A central management console that eliminates the need for multiple management interfaces and significantly reduces the management overhead of a comprehensive DLP program
  • In combination with CASB, it can provide coverage across the complete spectrum of data leakage vectors

Downsides

  • Considerably more resource-intensive to deploy and manage. DLP as a managed service has grown dramatically in the past few years in response to this challenge.

When It Makes the Most Sense

  • Although Enterprise DLP is more resource-intensive, it provides the level of data protection that regulated, IP-intensive organizations need. Done right, it can drive changes in business processes that reduce risks to your organization’s most sensitive data. For resource-challenged companies, Enterprise DLP as a service is an increasingly popular option.

Managed Security Services Evaluation Checklist

Functionality or deployment options: where do you start the evaluation? If you know you need a fully managed offering, understand what is included in the service before the technical evaluation begins and your team falls in love with something you ultimately can't have.

1. Does the MSP have any of the following security certifications, and if so, which ones? Asking about all of these, not only about the standards and regulations of your industry, is one way to demonstrate the vendor’s depth and breadth of DLP knowledge:

 Statement on Standards for Attestation Engagements (SSAE) 16 (SOC 1), since superseded by SSAE 18; ask for current SOC 1 and SOC 2 reports
 Audited Cloud Security Alliance Cloud Controls Matrix (CCM)
 Information Technology Infrastructure Library (ITIL) v3, a service management framework rather than a security certification
 Payment Card Industry Data Security Standard (PCI DSS)
 Department of Defense Information Assurance Certification and Accreditation Process (DIACAP), since replaced by the DoD Risk Management Framework (RMF)
 Federal Information Security Management Act (FISMA)
 Health Insurance Portability and Accountability Act (HIPAA)
 Health Information Technology for Economic and Clinical Health (HITECH)
 Security Clearance Level (U.S. Federal Government)

2. What steps does the MSP take in cloud DLP delivery to ensure that your sensitive data is protected? 

 Data collection and dissemination
 Metadata collection and dissemination
 Data residency
 Tamper-proof agents
 Secure communication protocols

Related resource: What are Managed Security Services (MSSPs)? - Digital Guardian Blog

Making the Business Case for DLP


How To Make a Value-Based Business Case

Data protection makes sense to you, but how do you pitch that idea internally to get the financial and political support you need?

A value-based business case demonstrates alignment between business priorities and data protection initiatives. There are two different approaches to identifying value:

  • Qualify how security aligns with the business.
  • Understand the value of information security.

 

What Makes a Value-Based Business Case

  • Demonstrating alignment with business priorities
  • Showing how security contributes to growth and revenue


Understand the Value of Information Security 

 

What's the true cost of a breach?

In short, it depends. Multiple studies have attempted to quantify the cost of a breach down to a cost per record (for lost PII, for example), but the cost varies widely from one incident to the next. For your organization, those figures may not be accurate or relevant enough to support business decisions such as how much cyber insurance to buy. Furthermore, many studies leave IP theft out of their analysis, which further limits how well their estimates apply.

Below are some questions to consider to help create a more accurate estimate based on the specifics of your organization:

Are you most concerned with losing PII, payment card data covered by PCI DSS, PHI, or GDPR-regulated personal data? 

In hospitals, retail banks, retailers, and hospitality organizations, customer records and the information associated with them are the crown jewels. If you fail to protect them, you risk fines and customer churn. 

  • Fines: The maximum fine for GDPR non-compliance is 4% of an organization's global revenue or 20 million Euros—whichever is higher. What is your global revenue, and how would a fine of that magnitude impact your annual earnings?
  • Churn: What is your average customer acquisition cost? What would the impact on your organization be if, post-breach, your churn rate went up 5%, 10%?

Are you most concerned with losing intellectual property? 

Intellectual property is a staple in several industries, from manufacturing to pharmaceuticals and beyond, but it lives in virtually every organization. Its value is often hard to pin down until it is monetized or lost, and factors like the finite term of patent protection give it a limited shelf life.

  • Patents: What is the R&D budgeted for patent development? How many patents per year are you awarded? What is the expected revenue from that patent? What would the impact be if one of those patents were stolen?
  • Algorithms: In the Financial Services industry, complex trading and pricing models are closely guarded as each firm seeks to outperform the market. What would be the impact on your organization if your models leaked?

 

Align DLP With Company Growth and Innovation Initiatives

 

Data security and privacy are a source of growth and differentiation.

Data is the new currency! It may sound cliché, but data is what fuels modern businesses and is one of the biggest sources of sustainable competitive advantage. According to Forrester, data protection can benefit your business growth and innovation initiatives in the following ways:

Build trusted customer relationships that drive loyalty and retention. Firms must give customers assurance and additional reasons to do business — and continue to do business — with them. 

Elevate data security and privacy as a corporate social responsibility. Behind every compromised customer record is a person who must deal with the consequences, and this makes data protection an ethical and moral imperative. 

Capitalize on risk. Workforce mobility, internet of things, big data analytics, artificial intelligence, automation, and more all give firms plenty of ways to carve out new opportunities to drive growth. All come with varying levels of security, privacy, and ethical risks that you must address, including data collection, appropriate use, and data access. Security and privacy pros must help manage and mitigate the risks. 

Protect future revenue streams. Research and development efforts, corporate secrets, and intellectual property can hold the key to a company’s future growth and direction. Safeguard this data against cyberespionage, theft, and careless compromise. 

Thrive in a post-EU General Data Protection Regulation (GDPR) world. With GDPR readiness out of the way, security and risk (S&R) and privacy professionals must focus on sustaining compliance over time. From managing third-party risk to reporting data breaches in a timely manner and addressing privacy by design, GDPR requires ongoing compliance.

Growth opportunity exercise

Using the growth and innovation opportunities listed above, determine which ones you can tie your DLP project to in order to make a growth-oriented business case. For each growth opportunity, describe how your DLP project can support it (if applicable):

  • Build trusted customer relationships that drive loyalty and retention
  • Elevate data security and privacy as a corporate social responsibility
  • Capitalize on risk
  • Protect future revenue streams
  • Thrive in a post-GDPR world

 

A Word About Cyber Insurance Coverage

A KPMG study estimated the cyber insurance market will grow between 20 and 25% annually and reach $20 billion in premiums by this year, up from $2.5 billion in 2015. Despite this growth, in insurance terms, the industry is still in its infancy, with only ~40% of the Fortune 500 carrying cyber insurance coverage. The industry is learning—both the insured and the carriers—and sometimes it can cause tension. 

For example, Mondelez International, a multinational food company, filed a $100 million claim in 2017 for damage from the NotPetya cyberattack. Its carrier, Zurich Insurance, invoked the policy's war exclusion, characterizing the attack as a "hostile or warlike action," and denied coverage. Mondelez then sued, claiming that Zurich had breached its promise to make an "unconditional partial payment" of $10 million. Nearly five years later, the two parties settled out of court.

 

Positioning DLP to the Business

DLP is not just a security team's decision—more titles within the organization, particularly at the C-suite level, are involved in data protection projects. Ultimately, business unit executives are data owners, while users create and consume data. Engage with them on their key business processes and routine data flows. Identify how they would be impacted by a data breach, and consider some of their pain points in your efforts to encourage DLP adoption:

CEO 

Pain Points

  • Business growth
  • Market perception
  • Future prospects 

How Data Protection Addresses Pain Points 

  • Flexibility to expand organization globally, seek new business partners, securely outsource
  • Proactive stance on security shows position as industry leader and advanced cybersecurity 

CISO 

Pain Points

  • Securely enabling the business to grow
  • Scalable solutions that don’t overly burden the team 

How Data Protection Addresses Pain Points 

  • Managed DLP offerings allow rapid deployment and limit ongoing internal resources
  • Event-based solutions don’t require lengthy policy creation projects
  • Accuracy enables team to resolve the high-risk threats first 

CFO 

Pain Points

  • Profitable growth
  • Efficient use of assets 

How Data Protection Addresses Pain Points 

  • Managed offerings eliminate need for additional staff, CapEx to deploy and maintain
  • Managed offerings deliver predictable expenses
  • SaaS DLP deployments reduce need for on-site infrastructure and reduce staffing needs 

CRO/CCO 

Pain Points

  • Support and document compliance stance against evolving regulations 

How Data Protection Addresses Pain Points 

  • Managed DLP delivers compliance reporting without needing additional staff
  • Discovery and classification locate and tag sensitive data 

DIRECTOR OF INFOSEC 

Pain Points 

  • Business process security
  • Efficient use of resources
  • Advance cybersecurity maturity 

How Data Protection Addresses Pain Points 

  • Data-centric security protects the targeted assets – data!
  • Managed offerings eliminate need for additional staff
  • Integrations with third-party security and analytics partners increase visibility and speed incident response 

BUSINESS UNIT LEAD 

Pain Points

  • Outpacing the market for my business unit
  • Collaborating enterprise-wide to drive company growth
  • Upward career mobility

How Data Protection Addresses Pain Points 

  • Pursue creative business growth initiatives, securely
  • Share data across company, securely
  • Use security as a competitive advantage to gain new business 

CMO 

Pain Points

  • Drive customer experience, satisfaction, and growth
  • Outpace the market
  • Customer churn, customer acquisition cost 

How Data Protection Addresses Pain Points 

  • Protect the brand by reducing likelihood of customer data breaches
  • Effectively share strategic growth plans across enterprise securely 

USERS 

Pain Points 

  • Doing job effectively, without unnecessary burdens
  • Protecting me from unintentional mistakes and liability

How Data Protection Addresses Pain Points 

  • Solutions only intervene when risky behavior is identified, otherwise invisible to the user
  • Real-time user education and prompts help users do the right thing

A Proven Roadmap to DLP Success


A Phased Approach for DLP Success 

Once you’ve gone through your internal review, external evaluation, and selection, the deployment process begins. Here is where you need to have a well-documented plan. Fortra Data Loss Prevention has implemented DLP programs for hundreds of organizations, and the one thing they have in common is a need to protect sensitive data without a drawn-out deployment. 

Our proven, 5-phase approach delivers the Enterprise DLP you need.

 


 

Stage 1: Insight

 


During the initial "Insight" phase, focus on the types of data you will need to protect and how that data moves: both the intended, approved flows and the workarounds that will inevitably occur, across data in use, data in motion, and data at rest.

Beyond data types and how the data is being manipulated, the location of the data should be considered. You need to see, understand, and protect it across the entire extended enterprise from the endpoint to the cloud. 

(Figure: known data types, actions, locations, flows, and users)

Stage 2: Baseline

 


 

Once you have a DLP solution deployed, do you need policies before you can see anything? Not with a solution that can run in a policy-free mode: it simply collects data on the events that happen in the course of normal business processes. From this data you can establish a baseline of what normal looks like, then build better policies (or a targeted cybersecurity training program). 

A tremendous amount of insights will be gained into the business by way of unbiased data collection, including: 

  • Normal data flows throughout the business
  • Marketing users accessing the legal and finance server during off-hours
  • Sales reps encrypting, compressing, and/or renaming Excel files to look like different file types
  • Finance users accessing and downloading customer data at unusual hours
  • Users attempting to access multiple inactive accounts
  • Applications spawning other applications and making registry changes 

With a baseline established, look for anomalies or deviations from expected, investigate, and make an informed decision about the risk to the business. 

How well can you see “rare processes” in your environment? In a normal day, one would expect Email apps, MS Office apps, or for those in manufacturing, CAD apps to launch. But what about unusual events like members of the HR team launching PowerShell or developer tools? Sorting these rare processes by user can give greater detail or highlight data loss risks.
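The baseline-then-deviation approach described in this stage, as an added example that is not part of the original guide or Fortra's product: it builds a per-department baseline of process launches from policy-free event collection and then surfaces three of the deviations listed above (rare processes by user, off-hours access to a sensitive share, and files renamed to disguise their real type by comparing leading bytes with the extension). The telemetry, the server name fin-legal-01, the business-hours window and the 5% rarity threshold are all constructed assumptions.

```python
"""Baseline-first anomaly triage over endpoint DLP telemetry (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

BUSINESS_HOURS = range(8, 18)          # assumption: 08:00-17:59 local time
SENSITIVE_SERVERS = {"fin-legal-01"}  # assumption: the legal/finance file server

# Leading bytes ("magic") of common formats and the extensions they legitimately carry.
SIGNATURES = {
    b"PK\x03\x04": ("zip-container (xlsx/docx/pptx/zip)", {"xlsx", "docx", "pptx", "zip"}),
    b"%PDF": ("pdf", {"pdf"}),
    b"\xff\xd8\xff": ("jpeg", {"jpg", "jpeg"}),
    b"\x89PNG": ("png", {"png"}),
}


def _ev(user, dept, proc, path, ts, magic=b"", server=None):
    """One agent event: who ran which process on which file, when, and where."""
    return {"user": user, "dept": dept, "proc": proc, "path": path,
            "ts": ts, "magic": magic, "server": server}


# Constructed sample telemetry: a day of routine office work per department ...
EVENTS = []
for i in range(12):
    hour = f"{9 + i % 8:02d}"
    EVENTS += [
        _ev("alice", "HR", "outlook.exe", f"C:\\Users\\alice\\mail{i}.msg", f"2024-03-04T{hour}:00:00"),
        _ev("bob", "HR", "winword.exe", f"C:\\Users\\bob\\offer{i}.docx", f"2024-03-04T{hour}:30:00", b"PK\x03\x04"),
        _ev("carol", "Marketing", "powerpnt.exe", f"C:\\Users\\carol\\deck{i}.pptx", f"2024-03-05T{hour}:15:00", b"PK\x03\x04"),
        _ev("dave", "Sales", "excel.exe", f"C:\\Users\\dave\\pipeline{i}.xlsx", f"2024-03-05T{hour}:45:00", b"PK\x03\x04"),
    ]
# ... plus three deviations of the kinds the text lists (also constructed).
EVENTS += [
    _ev("bob", "HR", "powershell.exe", "C:\\Windows\\Temp\\export.ps1", "2024-03-04T14:02:00"),
    _ev("carol", "Marketing", "explorer.exe", "\\\\fin-legal-01\\contracts\\msa.pdf",
        "2024-03-05T23:41:00", b"%PDF", server="fin-legal-01"),
    _ev("dave", "Sales", "explorer.exe", "E:\\Q3_customers.jpg", "2024-03-05T16:10:00", b"PK\x03\x04"),
]


def build_baseline(events):
    """Process launch counts per department: what 'normal' looks like."""
    baseline = defaultdict(Counter)
    for e in events:
        baseline[e["dept"]][e["proc"]] += 1
    return baseline


def rare_processes(events, baseline, max_share=0.05):
    """Processes that make up at most max_share of a department's launches, grouped by user."""
    flagged = defaultdict(set)
    for e in events:
        dept = baseline[e["dept"]]
        if dept[e["proc"]] / sum(dept.values()) <= max_share:
            flagged[e["user"]].add(e["proc"])
    return {user: sorted(procs) for user, procs in flagged.items()}


def off_hours_access(events):
    """Access to a sensitive server outside business hours."""
    hits = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        if e["server"] in SENSITIVE_SERVERS and hour not in BUSINESS_HOURS:
            hits.append({"user": e["user"], "dept": e["dept"], "server": e["server"], "ts": e["ts"]})
    return hits


def disguised_files(events):
    """Files whose leading bytes contradict their extension (renamed to slip past filters)."""
    hits = []
    for e in events:
        if not e["magic"] or "." not in e["path"]:
            continue
        ext = e["path"].rsplit(".", 1)[1].lower()
        for sig, (label, allowed) in SIGNATURES.items():
            if e["magic"].startswith(sig) and ext not in allowed:
                hits.append({"user": e["user"], "path": e["path"], "claimed": ext, "actual": label})
    return hits


def triage(events):
    """Run all three checks against a baseline built from the same collection window."""
    baseline = build_baseline(events)
    return {"rare_processes": rare_processes(events, baseline),
            "off_hours": off_hours_access(events),
            "disguised": disguised_files(events)}


if __name__ == "__main__":
    for kind, findings in triage(EVENTS).items():
        print(kind, findings)
```

With this sample, the only rare process is bob's PowerShell launch in HR (1 of 25 HR launches), carol's late-night read of the finance/legal share is the only off-hours hit, and dave's "Q3_customers.jpg" is flagged because it starts with a ZIP container signature, i.e. it is a renamed Office file. The rarity threshold is relative to the department's own activity, which is what keeps a developer's PowerShell use from being flagged while an HR user's is.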

 

Stage 3: Educate

 


 

Information about data risks that lives only within the information security department often doesn’t deliver the full benefits it could. The end users need guidance on how to act and what behaviors could be deemed too risky by the business. Because these actions can change as the business and its security solutions evolve, it’s important to provide regular feedback and education to the entire organization.

User prompting can encourage better data use decisions. By educating users about how their actions could put patient data at risk, one healthcare organization saw an 85% reduction in unauthorized PHI data transfers.

(Chart: Unauthorized Transmission of PHI Data, 85% Improvement)

 

Stage 4: Act

 


 

Even with the gained insights, baseline, and user education, there are still times when information security solutions like DLP need to take automated actions. Whether the user is ignoring the prompts or an active user has turned malicious, security automation can stop data loss before it happens and give the security team the knowledge to further respond to the incident. The question is, what is the right level of action to take? That depends upon the risk profile of the business, but security teams need broad and flexible automation options.

To determine the best course of action, security teams should categorize events using standardized terms, then assign a severity to each combination. From that list, the team can decide the level of automated response that balances information security benefits against business process interruption. Unauthorized access by an insider might only be a moderate-level event that requires a justification to proceed, while improper usage by an outsider may be critical and require blocking.

Category

  • Unauthorized Access
  • Potential Malware
  • Improper Usage
  • Unsuccessful Attempt
  • Explained Anomaly

Type

  • Insider Threat
  • Opportunistic
  • Outsider
  • Broken Business Practice

Severity

  • Critical Impact
  • High Impact
  • Moderate Impact
  • Low Impact
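The category / type / severity vocabulary above turned into a response decision, as an added example that is not part of the original guide or Fortra's product. The base severity per category, the per-actor-type adjustment, the severity-to-action mapping and the "three ignored prompts" escalation rule are all assumptions standing in for the risk profile a real program would tune; the point is the shape of the engine, not the specific numbers.

```python
"""Graduated automated response for the Act stage (added example)."""
from collections import Counter

SEVERITIES = ["Low Impact", "Moderate Impact", "High Impact", "Critical Impact"]

# Assumed base severity index per event category (0 = Low ... 3 = Critical).
BASE_SEVERITY = {
    "Explained Anomaly": 0,
    "Unsuccessful Attempt": 0,
    "Unauthorized Access": 1,
    "Improper Usage": 2,
    "Potential Malware": 2,
}

# Assumed adjustment per actor type: outsiders escalate, broken processes de-escalate.
TYPE_ADJUST = {
    "Broken Business Practice": -1,
    "Opportunistic": 0,
    "Insider Threat": 0,
    "Outsider": 1,
}

# Least disruptive automated response that still contains each severity level.
RESPONSE = {
    "Low Impact": "log",                   # record only, no user interruption
    "Moderate Impact": "justify",          # user must state a business reason to proceed
    "High Impact": "block",                # stop the transfer and tell the user why
    "Critical Impact": "block_and_alert",  # stop it and page the security team
}


class ResponseEngine:
    def __init__(self, risk_appetite="medium", dismissal_limit=3):
        # A "low" appetite (regulated, IP-heavy business) bumps every event up one
        # level; a "high" appetite bumps it down. Both values are assumptions.
        self.shift = {"low": 1, "medium": 0, "high": -1}[risk_appetite]
        self.dismissal_limit = dismissal_limit
        self.dismissals = Counter()  # user -> prompts/justifications ignored this window

    def record_dismissal(self, user):
        """Call when a user dismisses a prompt or proceeds without a real justification."""
        self.dismissals[user] += 1

    def severity_of(self, category, actor_type, user):
        idx = BASE_SEVERITY[category] + TYPE_ADJUST[actor_type] + self.shift
        if self.dismissals[user] >= self.dismissal_limit:
            idx += 1  # education alone is not working for this user; tighten the response
        return SEVERITIES[max(0, min(idx, len(SEVERITIES) - 1))]

    def decide(self, category, actor_type, user):
        """Return the severity label, the automated action, and an audit-friendly reason."""
        severity = self.severity_of(category, actor_type, user)
        return {"severity": severity, "action": RESPONSE[severity],
                "reason": f"{category} / {actor_type} by {user}"}


if __name__ == "__main__":
    engine = ResponseEngine()
    print(engine.decide("Unauthorized Access", "Insider Threat", "bob"))   # justify
    print(engine.decide("Improper Usage", "Outsider", "unknown"))          # block_and_alert
    for _ in range(3):
        engine.record_dismissal("bob")
    print(engine.decide("Unauthorized Access", "Insider Threat", "bob"))   # now block
```

The two examples from the text fall out directly: unauthorized access by an insider lands at Moderate Impact and asks for a justification, improper usage by an outsider lands at Critical Impact and is blocked with an alert. The dismissal counter is what connects Stage 3 to Stage 4: a user who keeps clicking through prompts moves from education to enforcement without anyone rewriting policy.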

Stage 5: Assess

 


 

Just as no business is static, no information security policy should be static. New target markets, new delivery options, and new risks all require a consistent review of the DLP program to ensure it still meets the intended data protection goals without impeding business growth. Over the previous six months, how easily can you show any changes to data egress? Are there new channels? Has a traditional data egress channel suddenly dropped? While that could mean people are moving less data (unlikely given the data explosion), it’s more likely they’ve found a new method that the security team needs to understand and evaluate.
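The six-month egress comparison this stage asks for, as an added example that is not part of the original guide or Fortra's product. It takes per-channel egress event counts from two review periods (the counts and channel names are constructed), flags channels that are new or have collapsed, and then checks whether what disappeared from known channels roughly reappeared in new ones, which is the "they found another method" case the text describes. The 50% drop ratio and the 20-event minimum are assumed thresholds.

```python
"""Egress channel drift check for the Assess stage (added example)."""


def egress_drift(before, after, drop_ratio=0.5, min_volume=20):
    """Compare two channel -> event count maps and explain any shift.

    A channel is 'new' if it had no events before and at least min_volume now;
    'dropped' if it had at least min_volume before and fell by more than drop_ratio.
    """
    findings = []
    for channel in sorted(set(before) | set(after)):
        b, a = before.get(channel, 0), after.get(channel, 0)
        if b == 0 and a >= min_volume:
            findings.append({"channel": channel, "kind": "new", "before": b, "after": a})
        elif b >= min_volume and a < b * (1 - drop_ratio):
            findings.append({"channel": channel, "kind": "dropped", "before": b, "after": a})

    lost = sum(f["before"] - f["after"] for f in findings if f["kind"] == "dropped")
    gained = sum(f["after"] - f["before"] for f in findings if f["kind"] == "new")
    # If at least half of what vanished from known channels shows up in new ones,
    # users have most likely changed route rather than stopped moving data.
    displaced = lost > 0 and gained >= 0.5 * lost
    return {"findings": findings, "lost": lost, "gained": gained, "likely_displaced": displaced}


# Constructed counts for two consecutive six-month windows (not real measurements).
LAST_PERIOD = {"usb": 400, "corporate_email": 900, "onedrive": 300}
THIS_PERIOD = {"usb": 60, "corporate_email": 880, "onedrive": 310, "personal_webmail": 310}

if __name__ == "__main__":
    result = egress_drift(LAST_PERIOD, THIS_PERIOD)
    for f in result["findings"]:
        print(f"{f['kind']:8} {f['channel']:18} {f['before']:4} -> {f['after']:4}")
    print("likely displaced:", result["likely_displaced"])
```

In the sample, USB copies fall from 400 to 60 while a previously unseen personal webmail channel appears with 310 events; the check reports the USB drop as likely displacement, not reduced data movement, which is the prompt for the security team to bring that channel under coverage before celebrating the USB number.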

Why Fortra Data Loss Prevention


No-Compromise Data Protection That Stops Data Loss

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls
  • Deepest Visibility
  • No Policy, No Problem
  • Comprehensive Classification

The Only Cloud-Delivered Data Protection Platform

Data protection is at the core of Fortra's mission. The DG Data Protection Platform detects threats and stops data exfiltration from both well-meaning and malicious insiders as well as external adversaries.

  • Data Loss Prevention
  • Managed Detection & Response
  • Data Discovery
  • Data Classification
  • Analytics
  • Reporting
  • System Management

Proven 5-Step Methodology: Speeds Migration and Eliminates Data Protection Gaps

 


 

Your Fortra DLP team is with you throughout the entire process. From the initial planning stages, through build-out & testing, and ultimately production deployment, we’ll combine our team’s data protection experience with your business knowledge to get you operational quickly.

 

Case Studies

Jabil's Quick Win

Situation

Jabil is a Fortune 100 contract manufacturer. The company was at risk of large financial penalties if customer NDAs were violated due to a security incident. 


Solution

Within 30 days of DLP deployment, Jabil’s security team gained visibility into all data access and usage across 52,000 workstations. They immediately realized that users copying large data files to USB drives was far more common than anyone expected. Fortra DLP’s detailed egress reporting on the data leakage from USBs enabled Jabil’s security team to have more productive conversations with business unit leaders. These exchanges focused not on defining what data was considered sensitive, but rather on how data from specific servers was being used (in this case, copied to USBs) by users.

Results

By providing business leaders real-world information on how data was being used (or misused), Jabil was able to identify and classify its most sensitive data faster and more efficiently. This was a dramatic improvement over a more traditional discovery and classification approach.


Enabling Employees to Protect Sensitive Client Information

Situation

This company collects and maintains confidential information on candidates and salaries, including Personally Identifiable Information (PII) subject to regulatory requirements. Protecting this information from attackers and from inadvertent disclosure required a comprehensive but flexible security solution. The task was complicated by separate IT infrastructure and differing privacy requirements in each of 1,000+ offices. In addition, the company operated with a lean IT team and capital budget, and therefore could not take on the workload of deploying and managing new tools.

Solution

Fortra DLP’s Managed Security Program (MSP) provided the full-service deployment and support the company’s staff required, along with automated classification and enforcement options. Fortra DLP worked to understand appropriate policies for different data classifications and transform those into rules that could be enforced automatically or provide reminders to users of policies. Fortra DLP automatically classified data based on the source (HR systems) and the content (social security numbers and other PII). 
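The classification rule described above combines two signals: where the data came from (HR systems) and what it contains (social security numbers and other PII). The following is an added example, not Fortra's classifier or policy language. It shows the shape of such a rule, including the structural checks that keep a bare SSN regex from firing on order numbers and similar look-alikes, and a hypothetical enforcement table mapping a classification plus an action to block, prompt or allow. The source names, labels, policy entries and sample records are all assumptions.

```python
"""Source- and content-based classification with a validated SSN detector and
a small enforcement table. Added example, not Fortra's classifier or policy
language; source names, labels and the policy table are assumed."""
import re

# Formatted SSN: three groups of digits, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Assumed set of sources whose output is treated as PII regardless of content.
HR_SOURCES = {"hr-db-01", "workday-export"}

# Hypothetical policy: (classification, action) -> decision. Anything not
# listed is allowed, which keeps a monitoring-first posture.
POLICY = {
    ("Confidential-PII", "usb_copy"): "block",
    ("Confidential-PII", "email_external"): "prompt",
    ("Confidential-PII", "web_upload"): "prompt",
}


def is_plausible_ssn(area, group, serial):
    """Apply SSA structural rules to cut false positives: the area cannot be
    000, 666 or 900-999; the group cannot be 00; the serial cannot be 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text):
    """Return formatted SSNs in text that pass the structural check."""
    return [f"{a}-{g}-{s}" for a, g, s in SSN_RE.findall(text)
            if is_plausible_ssn(a, g, s)]


def classify(record):
    """record: {'source': str, 'content': str}. Returns (label, reasons)."""
    reasons = []
    if record["source"] in HR_SOURCES:
        reasons.append("source:hr")
    ssns = find_ssns(record["content"])
    if ssns:
        reasons.append(f"content:ssn x{len(ssns)}")
    return ("Confidential-PII" if reasons else "Internal"), reasons


def enforce(label, action):
    """Decide what the agent does with an action on data carrying a label."""
    return POLICY.get((label, action), "allow")


if __name__ == "__main__":
    # Constructed sample records, not real data.
    samples = [
        {"source": "hr-db-01", "content": "Quarterly headcount by region"},
        {"source": "sharepoint", "content": "Employee 123-45-6789 onboarding packet"},
        {"source": "sharepoint", "content": "Order 000-12-3456, part 666-00-1234, lot 987-65-4321"},
        {"source": "sharepoint", "content": "Ticket 1234-56-7890"},
    ]
    for rec in samples:
        label, why = classify(rec)
        print(f"{label:<17} {why} -> usb_copy: {enforce(label, 'usb_copy')}")
```

Note that the source rule fires even when the content carries no detectable identifier, which is why the text pairs the two signals: a headcount export from an HR system is PII-bearing whether or not an SSN appears in it. The lookaround assertions and the SSA range checks are what keep the content rule from flagging part numbers and ticket IDs, the false positives that erode user trust in prompts.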

Results 

Starting with deployment in a single office, Fortra DLP’s MSP team monitored the company’s activities to identify those that violated policies. Fortra DLP allowed the company to identify and deter activity not in alignment with acceptable use policies, while treating individuals as the valued employees they were.


The Power of Real-Time User Education

Situation

The company is one of the largest managed healthcare providers in North America. Despite spending more than $1M annually on HIPAA compliance training, an internal audit identified a significant risk of non-compliance. The training had failed because it was an isolated event and was not reinforced through ongoing processes. Users were not diligent about using the company’s VPN, where data protection controls were enforced. Remote users routinely traveled with the sensitive data they needed to do their jobs. 

Solution

The company’s auditors recommended stricter controls, both on and off the corporate network. The company needed to change user behavior when interacting with sensitive data, reinforce existing policies at the moment data was used, and create a culture that held users accountable for their actions. Fortra DLP helped by enforcing connections through the company’s VPN, applying policies in real time based on network awareness, and prompting users who violated data use policies. Users were presented with a prompt screen that required them to acknowledge the relevant company policy and provide a justification before continuing.

Results

Within six months, the healthcare provider reported an 85% decrease in prompts to users, indicating a significant increase in both policy awareness and secure employee behavior.


Protecting Industrial Automation IP

Situation

Research and development are the lifeblood of the industrial automation market. This company’s Chief Information Security Officer began looking for a solution to protect their critical IP after becoming increasingly concerned about industrial espionage from both domestic and foreign sources. 

Solution

After an extensive selection process, the company determined that Fortra DLP provided the best mix of visibility to IP, control over information movement, and low impact on the endpoints and users.

Results

Fortra DLP was deployed across 5,000 endpoints. The CISO gained visibility into the risks to the company’s IP and applied controls to policies that had previously been unenforceable. Fortra DLP’s MSP provided the support the company desired without the overhead of additional IT staff.


IP Protection at a Global Investment Bank

Situation

A global investment firm needed to protect the proprietary source code that powers their financial platform. 

Solution

Using Fortra DLP, the firm could monitor users as they checked out code, made changes on a local machine, and checked it back in again. The solution tracks every data event, including when, where, and how source code is used and how it is changed. Combined with policy controls, this visibility lets the firm block users from copying all or part of the source code to removable devices or uploading it to the web. All events are logged and auditable, which streamlines compliance, forensics, and incident response.

Results

Fortra DLP allowed the organization to maintain its culture of “open access,” while improving security over critical intellectual property. Once the value of Fortra DLP was established in the Investment Banking business, the organization then expanded its use of Fortra DLP into other business units.


Ready for a Hands-on Experience?

Fortra DLP delivers the comprehensive capabilities needed for maximum visibility and data protection while keeping users productive, and we have the success stories to back it up. Schedule a time to chat with one of our experts for an in-depth demo today.
