In this article I will argue that DLP technology such as Fidelis XPS, McAfee DLP, Verdasys Digital Guardian, Websense Data Security Suite and Symantec Data Loss Prevention 9 is a necessary but not sufficient condition for effective data security. I submit that effective data security is a three-legged stool of:
- Monitoring – using DLP technology
- Training – strengthening of ethical values with training and personal example at all levels of management
- Accountability – paying the price when a data loss event happens
The role of data security in IT
Why data security and not information security?
For the sake of convenience, I will define data security as a sub-discipline of information security that focuses on protecting the confidentiality, integrity and availability of data, regardless of the storage, communications and transaction processing systems that handle it. It is about protecting the good stuff rather than stopping the bad guys. You can have updated, patched systems, encrypted communications, strong passwords, digital rights management, separation of duties and least-privilege access for users, and still have a major data loss event. Why? Because a trusted insider with appropriate rights, who is familiar with the transaction systems, can steal or manipulate the data without triggering any of those controls.
The role of culture in data security
It seems to me that there is a fundamental difference in culture between American and European approaches to data security.
According to Wikipedia, culture is the set of shared attitudes, values, goals, and practices that characterizes an institution, organization or group. Is data security part of your company's shared values, goals and practices, or is it a CSO project?
Most Americans prefer technology solutions and most Europeans prefer cultural solutions. For what it's worth, like in many other things, Israelis tend to follow American trends, and discipline is not a strong point of most Israeli corporations, just as it is not a strong point of most Israeli drivers.
Examples
Case # 1 – Technology without culture
The American supermarket chain Hannaford Brothers was, and still is, PCI DSS compliant. They perform PCI DSS audits, buy servers from IBM and check off payment card compliance as mission accomplished. They were compliant but still had a major data loss event, in which over 4 million card numbers were exposed. US customers who install DLP systems from companies like IBM, McAfee, Fidelis Security, Verdasys, Websense or Symantec often see them as essential to their privacy compliance program, but do not use the DLP monitoring capability as a tool in an overall cultural effort to protect company data assets from being stolen or manipulated by employees and business partners.
Case # 2 – Culture without technology
A European firm might see data security as an ethical and regulatory issue, and decide not to invest in DLP technology on grounds of cost. However, without data loss monitoring the organization will never know what is really going on, will be unable to prevent a major data loss event, and will certainly not have the monitoring capability that is required for reinforcing the culture.
Case # 3 – Culture and technology without enforcement
I recently told a client (who uses a Fidelis XPS network DLP system) that about 30% of their outbound traffic was Gmail, compared to 35% of outbound traffic on Microsoft Exchange. The client had trouble believing this until confronted with the data. Even then, the attitude was "ok, so what can we do?" My suggestion was to take a cultural approach to reducing the use of Gmail, with awareness training at the group leader and department manager levels, in order to drive home the message that company digital assets need to stay inside the company and not make a side trip to Mountain View, California. They never did the awareness training, and 6 months later they had a major data loss event of proprietary company intellectual property over Gmail. The point is that increased webmail traffic is an indicator of a bigger attack surface. Make the attack surface smaller and you become more robust to a data loss event (a smaller attack surface means a smaller target that is easier to defend). After the data loss event, the VP Global IT wrote a memo to all the employees and stopped there. The volume of Gmail traffic and the overall level of data security violations has not changed significantly.
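The "30% Gmail versus 35% Exchange" figure is the kind of number a network DLP sensor at the perimeter gives you, and it is worth seeing how it is derived, because the ratio (and the users behind it) is what you take into the awareness training. The following is an added example written for this article, not code from the client's Fidelis XPS deployment or from any DLP vendor. It runs over a handful of constructed egress flow records and assumes that the corporate Exchange edge server is 10.1.2.10 and that webmail is identified by destination host; both are assumptions for illustration.

```python
from collections import defaultdict

# Constructed egress flow records (the sort of thing a perimeter sensor logs).
# Fields: timestamp, src_ip, user, dst_host, dst_port, bytes_out. Not real traffic.
FLOWS = [
    ("2010-02-15T08:01:10", "10.1.4.22", "jdoe",   "mail.google.com",    443, 5_200_000),
    ("2010-02-15T08:03:41", "10.1.4.31", "asmith", "mail.google.com",    443, 1_800_000),
    ("2010-02-15T08:05:02", "10.1.2.10", "-",      "mx.partner.example",  25, 6_500_000),
    ("2010-02-15T08:07:19", "10.1.2.10", "-",      "mx.client.example",   25, 1_500_000),
    ("2010-02-15T08:09:55", "10.1.5.7",  "bwong",  "www.example.com",    443, 4_000_000),
    ("2010-02-15T08:12:30", "10.1.4.40", "rlee",   "cdn.example.net",     80, 3_000_000),
]

# Assumed for this example: the Exchange edge that sends corporate mail on port 25,
# and the webmail front ends we want to measure.
EXCHANGE_SERVERS = {"10.1.2.10"}
WEBMAIL_HOSTS = {"mail.google.com", "mail.yahoo.com", "mail.live.com"}


def classify(flow):
    """Bucket a flow as corporate mail, webmail, or everything else."""
    _, src_ip, _, dst_host, dst_port, _ = flow
    if dst_host in WEBMAIL_HOSTS:
        return "webmail"
    if src_ip in EXCHANGE_SERVERS and dst_port == 25:
        return "exchange"
    return "other"


def channel_shares(flows):
    """Fraction of outbound bytes per channel, e.g. {'webmail': 0.32, ...}."""
    totals = defaultdict(int)
    for f in flows:
        totals[classify(f)] += f[5]
    grand = sum(totals.values())
    return {k: v / grand for k, v in totals.items()} if grand else {}


def top_webmail_users(flows, n=5):
    """Who is actually pushing data to webmail: the list for the manager-level training."""
    by_user = defaultdict(int)
    for f in flows:
        if classify(f) == "webmail":
            by_user[f[2]] += f[5]
    return sorted(by_user.items(), key=lambda kv: kv[1], reverse=True)[:n]


def webmail_exceeds(flows, threshold=0.10):
    """Policy check: is the webmail share of egress above an (assumed) 10% ceiling?"""
    return channel_shares(flows).get("webmail", 0.0) > threshold


if __name__ == "__main__":
    for channel, share in sorted(channel_shares(FLOWS).items()):
        print(f"{channel:9s} {share:6.1%}")
    print("top webmail senders:", top_webmail_users(FLOWS))
    print("webmail above threshold:", webmail_exceeds(FLOWS))
```

On the constructed records the webmail share comes out at roughly 32% against 36% for Exchange, close to the client's numbers. The useful output is not the percentage itself but the per-user breakdown, which is what turns an abstract "attack surface" into a conversation with a specific department manager.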
The role of user accountability and training in data security
As we can see from the above cases – DLP technology is a necessary but not sufficient condition for effective data security. I submit that effective data security is a three-legged stool of:
1. Monitoring – using DLP technology
2. Training – strengthening of ethical values with training and personal example at all levels of management
3. Accountability – paying the price when a data loss event happens
Accountability
Ensuring employee loyalty and reliability starts with HR, which is responsible for hiring and for guiding the management of employees. High-security organizations such as defense contractors, diamond traders or securities traders add screening such as polygraphs and background checks to the hiring process. Over time, organizations should try to sense personality changes, domestic problems or financial distress that indicate increased data loss risk for employees in sensitive jobs. Even though it is hard to quantify the financial damage of a data loss event, at a very basic level data loss damages the corporate brand.
Therefore, make the HR group and the direct managers of any employee or contractor involved in a data loss event personally accountable for the corporate brand, and ensure that they pay a price when trusted employees and contractors steal data.
Training
Although it will not help you sell more widgets, digital asset protection is part of an overall company training process that helps an organization achieve its objectives in the areas of:
- Operational effectiveness – if you don’t lose your new price list to the competition, you won’t have to create a new one…
- Reliability of financial reporting – data security is not only data loss, it’s also data integrity and data availability
- Compliance with applicable laws and regulations – privacy and payment card security
Use a professional trainer to develop train-the-trainer programs and make it the job of the managers at all levels to train their employees on data security.
Monitoring
The best way I can explain data security monitoring with DLP technology is to use a physical security paradigm.
Physical security starts at the parking lot and continues into the office, with tags and access control. Office buildings can program the gates so that every tag leaving the building is one that also entered it (the anti-passback rule).
Data security starts with network DLP (like a Fidelis Security Systems XPS extrusion prevention system or Symantec Data Loss Prevention) at the network perimeter of the organization and continues into the office with agent DLP (like Verdasys Digital Guardian or McAfee DLP) at the endpoints. Centralized organizations might rely on network DLP only, and very dispersed operations might rely on agent DLP only. Very large, geographically dispersed organizations might use network DLP to provide wide data security coverage and agent DLP to provide a fine level of control at the point of use.
Whatever DLP products you buy (Verdasys Digital Guardian, Fidelis Security XPS, McAfee DLP, Websense Data Security Suite or Symantec Data Loss Prevention), monitoring is the leg of our three-legged stool that works like a data security AWACS/NORAD early warning system: violations of company data security policy are detected in real time. A security team staffer sees the event on a management console, pulls up the IP address and the user involved in the violation, gets the forensics, and goes over to the employee for a little chat. No more than 10 minutes should elapse from the time the data security event is detected until a security staffer is sitting in the employee's cubicle or talking to them on the phone about the incident.
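To make the monitoring loop concrete, here is a small content rule of the kind a network or agent DLP applies to outbound traffic, together with the enrichment the staffer needs for the "little chat" and the 10-minute response check. This is an added example for this article, not the rule engine of any of the products named above. The rule looks for payment card numbers (the Hannaford case above), and validates candidates with the Luhn checksum so that order numbers and phone numbers do not page the security team. The events, users and addresses are constructed; the rule name "PCI-PAN" and the 10-minute SLA are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta
from typing import List

# Constructed outbound events, shaped roughly as a perimeter sensor would hand them
# to the management console. Card numbers are published test numbers, not real cards.
EVENTS = [
    {"ts": "2010-03-01T09:12:05", "user": "jdoe", "src_ip": "10.1.4.22", "channel": "gmail",
     "body": "Hi, the card for the booking is 4111 1111 1111 1111, exp 12/12"},
    {"ts": "2010-03-01T09:15:40", "user": "asmith", "src_ip": "10.1.4.31", "channel": "exchange",
     "body": "Order ref 4111111111111112 shipped this morning"},      # 16 digits, fails Luhn
    {"ts": "2010-03-01T09:20:00", "user": "bwong", "src_ip": "10.1.5.7", "channel": "exchange",
     "body": "Call me on 555-123-4567 about the Q2 numbers"},          # too short to be a PAN
]

# A run of 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum digits, mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep first six and last four digits so the alert itself is not a PCI leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_events(events):
    """Apply the rule to each event; alerts carry user and source IP for follow-up."""
    alerts = []
    for ev in events:
        pans = find_pans(ev["body"])
        if pans:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "src_ip": ev["src_ip"],
                           "channel": ev["channel"], "rule": "PCI-PAN",
                           "matches": [mask(p) for p in pans]})
    return alerts


def response_within_sla(detected_at: str, responded_at: str, limit_minutes: int = 10) -> bool:
    """True if the staffer reached the employee within the (assumed) 10-minute window."""
    d = datetime.fromisoformat(detected_at)
    r = datetime.fromisoformat(responded_at)
    return timedelta(0) <= r - d <= timedelta(minutes=limit_minutes)


if __name__ == "__main__":
    for alert in scan_events(EVENTS):
        print(alert)
    print("SLA met:", response_within_sla("2010-03-01T09:12:05", "2010-03-01T09:20:00"))
```

Only the first event produces an alert: the second carries a 16-digit number that fails the checksum, and the third is a phone number. That is the practical point of the Luhn step; a rule that fires on every 16-digit string trains the security team to ignore the console, and an ignored console is monitoring without accountability.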
Summary
The objective of cost-effective data security is to make the organization more robust to Black Swan events: a major, unpredictable data loss event that can maim or destroy your business.
Since it is impossible to predict when or how a high-impact data loss event will happen, it is also highly unlikely that you will be able to prevent it.
Real-time monitoring with DLP is an excellent way of reinforcing training, creating accountability and making your organization more robust to data loss events.