When Christopher Burgess, a senior security adviser to Cisco, surveys the state of data leakage prevention, he doesn't like what he sees.
"I literally have seen advertisements that say the insider is the enemy," he said.
That approach, which pits IT against end users, is exactly the wrong way to develop and execute security policies, Burgess said. Trust is a much more powerful motivator than mistrust. It encourages communication between IT and end users, and once communication channels are open, the benefits continue to flow.
A collaborative security approach also helps prevent IT organizations from imposing policies that are ignored or haphazardly followed because they get in the way of employees doing their jobs.
"Don't create security policy in a vacuum," Burgess warned. "Don't force workers to choose between doing their job and following policy." For instance, IT shouldn't make the mistake of locking down access to video-streaming sites like YouTube even as the company's corporate communications department embraces those same sites to push out information.
Rather than issue blanket decrees, IT should set rules against the bad behavior, Burgess said. Don't use YouTube excessively, and don't use peer-to-peer file sharing to violate intellectual property rights.
When it comes to developing data leakage prevention practices, Burgess has three golden rules to create a solid policy:
1) Do no harm: If you're not sure what you're going to do, you want to take the route that will be the least invasive. Don't just press forward with a project or implementation without fully understanding all the consequences.
2) Know what you're dealing with: "Know the value of the data you're handling," Burgess said. "If it's customer data, handle it correctly. If it's R&D, handle it correctly." Before data leakage prevention policies can be enforced, a reliable system to classify such data in an easy, intuitive manner must be developed, and this data should ultimately have one person or department responsible for it.
3) Ignorance isn't an excuse: "This is pretty straightforward," Burgess said. "If you don't know the answer, stop and get it." Ask around and feel free to cross departmental lines as you determine who is in charge of what data, what laws and regulations apply to it, and how it needs to be used.
So how does IT turn those three maxims into practice?
The first step, Burgess said, is to find an opportunity to develop a security policy, such as a laptop deployment. Then IT can make a policy recommendation, such as locking down all laptops to prevent third-party -- and potentially malicious -- software from running on them.
"The recommendation creates discussion," he said. "That leads to a position paper. That goes out to the client base that is affected by it, which says: 'If you do that, I can't do this.'"
Once IT and end users have both contributed to the discussion, a security policy that balances the organization's security requirements with the needs of workers is created. And that policy is easier to enforce because end users now understand the reasoning behind it and will be more likely to adhere to it.
"Once they see this is a positive engagement rather than a negative engagement, they're showing up at your door regularly," Burgess said.
While applauding the idea of bringing users into the security conversation early, Carol Baroudi, research director for Aberdeen Group, said network security professionals could not afford to rely on the goodness of users as a defense.
"I don't know anybody who's saying trust anybody," Baroudi said. "Only trust them in the sense of making them part of the discussion, making them understand what's at risk."
Many users have no understanding of the basic compliance rules and other regulations that apply to them, she said, nor how basic concepts like encryption can reduce risk. Because of this knowledge gap, education is one of the most important tactics an IT organization can adopt.
According to Baroudi, however, few companies are up to speed on data loss prevention in general, whether in user education or almost any other aspect -- scanning email attachments or flash drives, for example. The real concern, she said, is that if any of these areas is left undefended, serious security holes are wide open.
"DPI [deep packet inspection] is going to do nothing if you have a thumb drive and pull it off and walk out the door with it," she said. "You can just leave yourself open in a wide area of arenas."
The truly effective approach to data leak prevention, Baroudi said, is a combination of comprehensive protection with a dose of education -- and flexibility -- built in, such as an email program notifying a user when he tries to send a protected file, and giving him information on how to get the proper clearance to send the file.
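As an added illustration (not code from the article or from either company quoted), the sketch below shows the two ideas combined: Burgess's classification rule, where every protected data class has one accountable owner, and Baroudi's educational mail check, which holds a message bound for outside recipients and tells the sender who to ask for clearance rather than silently blocking. The domain, labels and owner addresses are constructed placeholders.

```python
"""Added example: an outbound-mail DLP check that enforces data
classification and explains the path to clearance. Not from the article."""
from dataclasses import dataclass
from typing import List, Optional

INTERNAL_DOMAIN = "example.com"  # assumed corporate domain (placeholder)

# Constructed classification registry: each protected class has exactly one
# accountable owner, so the sender always knows who can grant clearance.
DATA_OWNERS = {
    "customer": "privacy-office@example.com",  # placeholder address
    "rnd": "ip-counsel@example.com",           # placeholder address
}
PUBLIC_LABEL = "public"  # the only label cleared for external release


@dataclass
class Attachment:
    name: str
    label: Optional[str]  # None means the file was never classified


@dataclass
class Verdict:
    allowed: bool
    notice: str = ""  # shown to the sender when the message is held


def is_external(addr: str) -> bool:
    return not addr.lower().endswith("@" + INTERNAL_DOMAIN)


def check_outbound(sender: str, recipients: List[str],
                   attachments: List[Attachment]) -> Verdict:
    """Allow the message, or hold it with a notice saying why and what to do."""
    if not any(is_external(r) for r in recipients):
        return Verdict(True)  # purely internal mail is outside this control
    problems = []
    for a in attachments:
        if a.label is None:  # rule 3: if you don't know, stop and find out
            problems.append(f"{a.name}: unclassified; classify it before "
                            f"sending externally.")
        elif a.label in DATA_OWNERS:  # protected class: route to its owner
            problems.append(f"{a.name}: '{a.label}' data needs clearance from "
                            f"{DATA_OWNERS[a.label]} before it leaves the company.")
        elif a.label != PUBLIC_LABEL:  # unknown label: not approved for release
            problems.append(f"{a.name}: label '{a.label}' is not approved for "
                            f"external release.")
    if not problems:
        return Verdict(True)
    return Verdict(False, f"Message from {sender} held. " + " ".join(problems))
```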