Problem solve Get help with specific problems with your technologies, process and projects.

How can we convince our VP that a network-based DLP makes sense?

Pitching data leak prevention security technology to a vice president can be tricky, but security management expert Mike Rothman gives tips on how to get funding without creating unrealistic expectations.

Our organization is trying to build a case for implementing data leak prevention (DLP) technology. How can we make a case to our senior vice president that a network-based DLP product makes sense? We want to convey the value, but avoid pitching it as a cure-all.
This is the very quandary that most security professionals face when looking to get key projects funded. Obviously, downplaying the true benefits won't get the funding. But overselling will mismanage expectations and cause a lot of grief when the project doesn't deliver the promised value.

Relative to DLP, I thought it best to consult my friend Rich Mogull from research and consulting firm Securosis, the premier analyst in the DLP space. He's published quite a bit about DLP use cases and value.

In Rich's words: "The business problem for DLP is: 'Tell me where my sensitive information is and help me protect it.'" If an SVP doesn't think that value statement is important enough to consider DLP products, then give up now. There won't be any funding."

Rich also emphasizes that looking at only a network-based DLP product is inherently limiting. There are a number of products that offer integrated protection for data in motion (such as network-based DLP products mentioned in this question), and data at rest and data on the endpoints. A content-protection strategy is only as good as its weakest link, and without factoring endpoints, files stores and databases into the mix, there will be a pretty significant gap in protection.

The best way I've seen to make a case is actually to bring a product in and do a proof of concept. Conduct a quick scan to pinpoint some sensitive content. Install a gateway and roll out endpoint DLP agents to a test group. See what they find. If it's nothing major, then the company doesn't need to spend the $500,000.

But if there are anomalies, those will be the ammunition and the urgency to make the case, because your pitch will be based on data, not PowerPoint slides or fear-based marketing. Get the data and let the SVP make up his/her mind about how important the problem is.

More information:

This was last published in June 2008

Dig Deeper on Data security strategies and governance

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.