Transparency or Opacity

September 12, 2019 | By Moshe Dadush, Infrastructure Security Manager

During my work leading and managing implementations of data loss prevention (DLP) systems in various organizations, I came across two main approaches employed by companies.

Approach #1: Move along, nothing to see here!

This approach tries to “hide”, almost completely, the very existence of the DLP solution and its monitoring capabilities from employees.

This tactic can be expressed in several forms:

  1. Employees don’t even know that most of the actions they perform are monitored.
  2. There is no training and explanation for employees on how to securely handle the various types of information.
  3. The legal department is not involved in the process – which can lead to a violation of employee privacy.

This approach lacks transparency. As the Dalai Lama puts it, “a lack of transparency results in distrust and a deep sense of insecurity”.

Approach #2: Full transparency

Unlike the previous approach, this one advocates full transparency. The teams and departments are an integral part of system implementation and help characterize and locate the sensitive information the company wants to protect.

In these organizations, the awareness of the information leakage problem is high, not only among information security professionals but also at all levels within the organization.

The royal road to a successful implementation of a DLP solution

I have worked with banks, telecommunications and high-tech companies that took the first approach; I have also consulted with credit companies and security agencies that adopted the second approach. It is not possible to predict, from the nature of an organization, which approach it will implement.

Within an organization, the person most responsible for deciding how to design, enforce and shape the data loss prevention solution is the information security manager.

In my experience, the best results are obtained by being open about the information security process and sharing it with your employees. This can be done by:

  1. Providing periodic training to all company employees on the dangers of data loss and the need to protect information.
  2. Selecting, from each department, a representative who knows the department’s business activities and the information it handles best, and who will communicate to the other members of the department the importance of data protection and how to guard against data leakage.
  3. Involving the legal department during the critical stages of the process (the decision on which channels to monitor, the policy writing process, etc.).