Q

How can we convince our VP that a network-based DLP makes sense?

Pitching data leak prevention security technology to a vice president can be tricky, but security management expert Mike Rothman gives tips on how to get funding without creating unrealistic expectations.

Our organization is trying to build a case for implementing data leak prevention (DLP) technology. How can we make a case to our senior vice president that a network-based DLP product makes sense? We want to convey the value, but avoid pitching it as a cure-all.
This is the very quandary that most security professionals face when looking to get key projects funded. Obviously, downplaying the true benefits won't get the funding. But overselling will mismanage expectations and cause a lot of grief when the project doesn't deliver the promised value.

Relative to DLP, I thought it best to consult my friend Rich Mogull from research and consulting firm Securosis, the premier analyst in the DLP space. He's published quite a bit about DLP use cases and value.

In Rich's words: "The business problem for DLP is: 'Tell me where my sensitive information is and help me protect it.'" If an SVP doesn't think that value statement is important enough to consider DLP products, then give up now. There won't be any funding."

Rich also emphasizes that looking at only a network-based DLP product is inherently limiting. There are a number of products that offer integrated protection for data in motion (such as network-based DLP products mentioned in this question), and data at rest and data on the endpoints. A content-protection strategy is only as good as its weakest link, and without factoring endpoints, files stores and databases into the mix, there will be a pretty significant gap in protection.

The best way I've seen to make a case is actually to bring a product in and do a proof of concept. Conduct a quick scan to pinpoint some sensitive content. Install a gateway and roll out endpoint DLP agents to a test group. See what they find. If it's nothing major, then the company doesn't need to spend the $500,000.

But if there are anomalies, those will be the ammunition and the urgency to make the case, because your pitch will be based on data, not PowerPoint slides or fear-based marketing. Get the data and let the SVP make up his/her mind about how important the problem is.

More information:

This was first published in June 2008
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close