Perspectives: Wrestling Match

Data protection and compliance teams battle for resources but need each other to succeed.

Information Security
magazine, July-August issue

Download the entire July-August issue of Information Security magazine here in PDF format.

In today's security-conscious organization, there is a split between two competing security camps: the policy-driven governance, risk and compliance (GRC) group and the technology-driven data protection group. In the "ring of protection," the GRC camp and data protection camp are locked in a veritable "Smackdown," wrestling for the same buckets of resources and funding for their projects.. Ultimately, however, both sides need each other to succeed.

Data protection tools such as DLP examine, block and report on unauthorized transmission of data which protects an organization against loss of sensitive and confidential information. In many organizations, they're being deployed as a stop gap measure while security managers develop and/or refine their long term protection strategies. But how do you configure a DLP service without proper security standards already in place? Vendors may offer "best practice" sets of configuration data, but be cautious: While they can be used as examples of the information needed to configure a DLP service, they generally don't provide an effective set of standards that fit an organization's data protection requirements.

On the other side, GRC activities create the foundational standards that drive security deployments like data protection. But how do you know they're effective without the feedback data protection tools provide? Surveying managers and workers who handle sensitive data is one way to get feedback, but it's time consuming and not always accurate.

Information Security July-Aug
Table of Contents

Controlling Privileged Accounts: Regulatory requirements and economic realities are pressuring enterprises to secure their privileged accounts. Applied correctly, technology can help offset the risks.
DNSSEC: Has the Time Come? DNSSEC brings PKI to the Domain Name System and prevents dangerous cache poisoning attacks. Implementation difficulties and political battles, however, keep it from going mainstream.
UTM Should Not Equal Unnecessary Threat Management: Buying the right unified threat management appliance means knowing what--if anything--you actually need beyond a firewall.
ISP shutdown latest cat-and-mouse game with hackers: While the 3FN.Net shutdown had limited impact on cybercriminals, it signaled that the private sector and the government are serious about illegal activity.
Editor's Desk: Hey Google: Do the Right Thing: Security's leading thinkers ask Google to turn on HTTPS by default for Gmail, Docs and Calendar.
Perspectives: Wrestling Match: Data protection and compliance teams battle for resources but need each other to succeed.

When GRC and data protection activities are both effective and are not in competition with each other, they create an ongoing cycle which benefits both as illustrated:

Business and security requirements + key security events = security standards -> local execution -> configuration information -> data protection and reporting -> standards effectiveness feedback -> business and security requirements -> {cycle begins again}

So the configuration of a good data protection service relies on good GRC standards and an effective set of GRC standards rely on good DLP services to provide feedback on their effectiveness. While both GRC standards and data protection services are needed, most companies don't have the time or energy to dive into them at the same time. So how does a company decide where to start? Here are some key considerations:

  • Does the organization have a working, clearly defined security standards development process? This process should take into consideration the organization's business and security requirements and prioritize the results according to the top security and industry or regulatory compliance issues that most affect the organization. The resulting standards should then be communicated down to the local business managers for execution. However, if the organization doesn't have a clearly defined process, then short term this lack of direction will undoubtedly benefit from technological services like DLP. These services will block, as best as possible without a configuration mapped to the business' security standards, unauthorized access to sensitive information at the business' security boundaries until the process can be formally initiated
  • Is the organization heavily regulated or constantly "under cyber attack" from outside entities? Businesses that are under the scrutiny of outside entities, whether legally or illegally (such as large on-line retailers who are constantly bombarded by cyber attacks), have to be able to monitor the effectiveness of their information boundaries. In this case, deploying tools like DLP is mandatory, even with a lack of security standards.
  • Who owns security? Is the enterprise managed centrally or is it distributed? Are there political ownership obstacles for security? Centrally managed organizations typically can create good GRC standards that are applicable across the entire organization. But distributed management models can run into political and control issues and usually have to rely on locally generated standards to manage security. This leads the local lines of businesses to protect their limited amounts of sensitive data with locally deployed data protection services.
  • What is the "resource to area of coverage" ratio? While this isn't necessarily a quantitative number, if you have a limited number of security personnel and large geographic areas or end use populations, strong standards or strong tools, will have to be put into place depending on your resources' capabilities. Businesses with limited resourced tend to deploy tools first to augment their security team's activities.

So as you examine your business to see which camp you're in, you must look critically at the effectiveness of your GRC standards and data protection efforts. Short term, funding and efforts should be directed at maintaining the stronger components while shoring up the weaker ones. In the end, the standards and services must be in balance to securely protect your information.

Randall Gamby is an independent security analyst who has worked in the security industry for more than 15 years. He specializes in security/identity management strategies, methodologies and architectures, and has a security and identity management blog at: Send comments on this column to

This was last published in July 2009

Dig Deeper on Emerging cyberattacks and threats

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.