Vina Nguyen
You’ve watched all the demos and taken all the calls. You’ve narrowed down a short list of solutions, and now you’re ready to invest and commit to one. Here are some questions to ask before committing to a data loss prevention (DLP) solution that will strengthen the security of your organization’s most sensitive information.
Does it meet my must-haves?
Sounds like a basic question, but it can be easy to get lost in the finer details when you’ve come this far. In a sea of solutions that offer different pros and cons, going back to your most basic requirements will add clarity to whether this DLP is the one you want to invest in. Some requirements you might check against:
- What kind of data do you need to protect? (e.g., your “crown jewels”)
- How is this data identified? (e.g., does it follow a distinct format, like credit card numbers?)
- Where is the data located? (e.g., the cloud or offline—not on the corporate network?)
- Who accesses it and how is access granted? (e.g., everyone or a select few?)
- Where are your weakest points, your most likely vectors of exfiltration? (e.g., email, file uploads to third party services?)
- Does this DLP solution meet legal requirements? (e.g., HIPAA, GDPR?)
One solution might hit all of these points except one. A set of solutions might meet all your requirements. If you’re just starting off, you might have a smaller-scoped set of requirements where one DLP will do the trick for now. Keeping track of which business need is negotiable vs. required will help you be sure that your chosen solution is the one.
Can I afford this?
Affordability encompasses both financial and staffing resources. Besides the initial cost, do your estimates make sense based on your projections for future years? Cost is a combination of many factors, which can include the number of end units (e.g., devices) and the level of technical support offered by the vendor. For cloud DLP, you might be charged by the amount of data processed. Depending on how you believe your business will scale, take a moment to check the math and see if you can sustain the investment, or at which point you may have to pivot and find another solution that meets new requirements.
Deploying a DLP may take a significant effort, depending on your requirements and solution of choice. Because cybersecurity talent can be difficult to recruit and retain, you might decide to rely on the DLP vendor for support. Weigh the cost of third-party services against the cost of building the function in-house over time.
Why this solution vs. another?
Assuming a couple of DLP solutions met your requirements, you might want the optimal solution rather than the first one you found. (Of course, this depends on whether you can afford the effort to continue researching.) What does this DLP solution offer that others don’t? Maybe you’re giving up performance for accuracy, or extra functionality for cost. Be clear on what you’re accepting and whether you can compensate for its downsides (if that’s in scope this round) through other means.
Keep in mind that no one solution will be 100% of what you want (though hopefully 100% of what you need). Another way to compare solutions is to ask how this DLP solution reduces your risk exposure, in addition to checking off a box. As Anthony Carpino of Gartner describes, “A DLP program is a risk reduction, not a risk elimination exercise.” If your reasons for choosing a solution change over time based on evolving business needs, make a note of it so you can evolve the solution in the future as well.
Do you trust the vendor?
Depending on your solution of choice, you may be planning to rely on the vendor to help deploy and maintain your DLP. When you interacted with the support (and sales) team, were they easy to work with? Did you feel like you were in a partnership? If you haven’t done a trial yet, consider running a proof-of-concept test with a well-scoped scenario. If you did run a trial, when issues cropped up, how smoothly did support go? Answering this question will help you decide whether to commit to not only the DLP solution but also to the people you plan on hiring for support.
Is your team ready for DLP?
Team refers to anyone who is affected by DLP. One way to ensure you’ve covered all the people who need to be prepared for a DLP deployment is to build a RACI chart—a matrix of people’s responsibilities based on whether they are Responsible for doing a task, Accountable for ensuring it’s done to specification, Consulted for their expertise, or Informed because decisions can affect their work. Because DLP involves the protection of critical data, ensure the correct access is in place as well. By having your team prepared for DLP across all areas of responsibility, you’ll be able to get the ball rolling once you’ve committed to a solution rather than burning resources on lag time.
Ready to make the jump
When you’re ready to commit to a DLP solution, know your reasons for saying yes: does it meet your requirements, and do you know why you’re choosing this solution vs. another? If you trust your vendor and your team is prepared, you might be ready to make that commitment and deploy your chosen DLP solution to achieve the next level of security.
Vina Nguyen is a B2B technical copywriter, specializing in cybersecurity, SaaS, and artificial intelligence. Through blog articles, case studies, web copy, and more, she aims to inspire by Before she was a writer, Vina spent over 10 years as a computer scientist, where she analyzed software, designed cybersecurity products, and built machine learning models for both public and private organizations. Her languages of choice were Python and x86; now she writes, trading Stack Overflow for Merriam-Webster as her new best friend.
Vina holds a BS in electrical engineering and computer science from MIT and an MS in computer science from JHU. She can be found exploring Washington, DC or at www.vinawrites.com.