Building a Successful Information Protection Program

Share with your network!

Many organizations struggle to build and maintain an information protection program. It’s a challenge that’s much more daunting than many others for several reasons, partly because security controls can have an impact on users.

Building programs around cybersecurity threats is easier because most of the control plane lives in the edge, with systems owned and controlled by the IT or information security teams. This means that security controls typically have little or no impact on users’ daily jobs. 

Identity and access management (IAM) programs are also easier to build because the IT and information security teams own the directory and IAM control systems. So while the management of access can impact users, it doesn’t have a daily impact on them. These programs also have limited user involvement and education given that users interact with these control systems infrequently. 

Why information protection is challenging

Why is it more difficult to create and maintain an information protection program than a program for cyber-threat protection or IAM? After all, these programs all own their own technologies. The information protection team owns data loss prevention (DLP), data classification, data discovery and insider threat management tools.  

The reason it’s challenging comes down to the problem it’s trying to solve, namely preventing the exfiltration of sensitive data. Unlike a cybersecurity program that’s aiming to stop a nebulous idea of a “threat,” an information protection program must actively engage with users and how they interact with content.

Here’s an analogy that illustrates the challenge with information protection: A retailer locks its cash registers and back office. Plus, it has a formal process to control how money is handled when a customer buys an item and leaves the store. However, stopping items from being stolen is much more complex.  

To prevent theft, there are controls like RFID tagging for expensive items (similar to data classification). There are also controls installed in the doorway that sound an alarm if an RFID-tagged item leaves the store. And there are cameras—although they are used mainly for post-incident validation because retail security staffing is typically low. The rest of the retail staff may be trained to keep an eye out for suspicious activity, but they all have their own jobs to do, too. 

For these and other reasons—including the fact that most products in the store aren’t tagged—retailers accept their inventory will shrink by 1% to 2% annually.

The same general concepts apply to information or data protection. Data that isn’t overly sensitive or of great value is left untagged or unviewed because its loss wouldn’t damage the company. There are also controls—but they are often met with challenges and resistance because information security, as a whole, is “heavy touch.” The security controls can significantly impact how a user conducts daily tasks. So, in most companies, these processes are run “lean.”

On top of that, when it comes to education and training resources, information protection is the most underserved space in information security. In my personal experience working with numerous organizations, only one in 10 leaders have tried to run an information protection program.

The steps to create a successful information protection program

So what does it take to build a successful and sustainable information protection program? Here are six core steps: 

  1. Get the right people in place
  2. Define your data assets, risks and requirements
  3. Take stock of your capabilities and gaps
  4. Plan your program
  5. Roll out and establish a review cycle
  6. Scale up over time

These steps lay the foundation for a program that you can grow and scale over time. If you’re ready to build an information protection program, you can learn all about these steps and more by downloading our e-book Getting Started with DLP and ITM

Ready to build an information protection program?

Information protection leaders should know they have options when they’re building an information protection program. They don’t have to go it alone. Not only can Proofpoint help you build a successful program, but we also offer managed information protection services to bridge any gaps in your in-house expertise. 

About the author

Joshua Linkenhoker has been a leader in the information protection space for over 20 years. He has held multiple director roles across the Fortune 500 with a focus on information protection, cloud security, and email security. As a senior consultant at Proofpoint, Josh works with many large, global organizations to build comprehensive programs for information protection, insider threat management, and cloud security. He leads and educates both staff and clients on the information protection space, being an active participant in Proofpoint Discovery Labs, Power Series, and Certification Courses.