Common Challenges of Data Protection Programs

Data Protection Series Part 3

Posted: November 21, 2020

Hello and welcome back to the third installment of our Data Protection blog series.  So far, in part one we took a high-level view of the topic, then in part two we dug into the five pillars of an effective program.  Now that we understand the topic and the pieces that make it up, it’s time to dig into the specific goals and challenges related to implementation.

So, you’ve decided (or had the decision made for you) that it’s time to protect your company’s data.  You’ve got a 10,000-foot view of what needs to be accomplished, but what considerations need to be addressed before you pull the trigger, engage a knowledgeable partner and actually do a Proof of Concept?

Here are some challenges we’ve seen customers run into that have turned what could have been a successful implementation into shelfware gathering dust:

  • Executive sponsorship – Because a data protection program touches virtually every user, it ultimately represents a cultural change for the company.  Without senior leadership on board and willing to invest the time and energy to support the effort, user push-back will ultimately doom the effort to failure.
  • Government regulations / legal requirements – These can be the justification behind the program, but they may also dictate its scope.  GDPR’s “right to be forgotten” is a great use case for data discovery, but Europe’s (and some US states’) privacy laws may force data storage and administration decisions based on who can and can’t look at data.
  • Data categorization – How will data be categorized?  This is a seemingly minor detail, but it can have far-reaching implications.  Are the categories as simple as Public vs. Private?  Are there shades between those categories?  Many customers succumb to the temptation of having a dozen or more categories and then find that end users are unable to decide how to use them.
  • Staffing – Aside from the evaluation, configuration and deployment of any products, there’s the “care and feeding” aspect.  A data protection program has many moving parts and touches multiple departments.  Is the help desk prepared with the appropriate training and staffing to support the additional tickets?  Is there a team trained to support the various products?  And on the DLP side of things, it’s not unusual to need manual verification of flagged documents, and rules frequently need updating.

Your Data Protection program should be a layered, multi-tier effort – with a DLP solution being the last line of defense. When designing your Data Protection program, it is important to determine how much protection is necessary vs. what level of risk is acceptable. As we wrote about in previous installments in this series – the type of data your organization houses will play a major role in determining your level of acceptable risk. If the majority of your data is business-confidential, there is clearly still a risk of data leaking outside the bounds of your organization, but the level of acceptable risk should be much smaller if you are hosting PCI or HIPAA data.

It is also important to determine how you will choose the solutions and products you put in place to solve these problems, much like determining your level of acceptable risk for the data your organization houses. One of the keys in determining the proper product or solution to insert into your multi-tiered Data Protection program is the manner in which you will choose these solutions – is there interest in a bake-off between multiple solutions to determine how each one will solve your use cases? Will you be performing an on-paper POC? Would your organization prefer a “live” technical POC of the actual product in a sandboxed environment with live data?

The methods mentioned above yield results that are different and similar at the same time. A bake-off and an on-paper POC will give your teams and organization a good idea of how the chosen solutions will solve your use cases. A technical “live” POC with live data should yield those same results while also giving your organization a proper look into how the solution will operate within your organization, what management of the tool will look like, and how many people it should take to manage it on a day-to-day basis.

These solutions tend to be complex and have multiple interactions with other infrastructure platforms and teams. The final thing to determine when choosing solutions for your Data Protection program is setting your short-, mid-, and long-term goals. Did you recently have an incident that exposed gaps in your program? Are you building your program from the ground up and trying to use best-of-breed tech? Is your organization trying to quickly react to an audit or board requirements? These items will play a big role in how your program is built out and implemented. Whatever stage your organization or Data Protection program is at – we’re here to help. Reach out to your account manager today – we’d be happy to assist with selecting the proper solutions for your needs.


This blog was written by Nick DiPasquale and Brett Wyer, Senior Solutions Architects at Set Solutions.