
The Hidden Challenges of Data Loss Prevention (DLP) Technology Implementation

CNAV Business Value



"We lost a million-dollar contract because our former General Manager took our customer database to a competitor!"
"We might have violated privacy laws; customers are complaining that their personal data is available online!"

Over decades of helping organizations secure their data, including implementing Data Loss Prevention (DLP) solutions for both security and compliance, we have encountered many ineffective deployments. Too often, companies wrongly assume that technology alone can prevent data leakage.


This misconception leads to substantial investments in DLP systems that ultimately fail to deliver their intended purpose, creating a dangerous false sense of security.


This article, based on real-world experiences, highlights the importance of governance in making DLP technology effective.



Categories of Data Leakage


Through our work, we have identified three common types of data leakage scenarios:

  1. Known Leakage – Confirmed incidents where sensitive data has been lost.

  2. Suspected Leakage – Unverified concerns that data may have been exposed.

  3. Unaware Leakage – Ongoing leaks that remain undetected by the organization.


For this discussion, we will focus on "Known Leakage".



Case Study: The Illusion of DLP Effectiveness


In early 2019, a senior executive from a technology vendor reached out for assistance. The Chief Intellectual Property Officer (CIPO) of a multinational corporation (MNC) had discovered that their deployed DLP system was failing to protect critical intellectual property.


Despite implementing DLP and aligning with industry standards, the company confirmed that six out of eight key intellectual assets had been leaked.


Key Context

  • The company operated across Southeast Asia and Australia, with fewer than 10,000 endpoints.

  • Their business depended on proprietary designs vital to maintaining their competitive edge.

  • DLP had been in place for two years and was managed by an external provider.

  • The CIPO had expertise in both legal and IT fields.


Chronology of Events

  1. The CIPO, eight months into his role, was tasked with protecting the company’s intellectual property.

  2. Conversations with the operations team revealed that intellectual property had been leaked, either negligently or intentionally.

  3. The DLP dashboard showed no signs of unauthorized data transfers.

  4. The CIPO used alternative tools to confirm the leakage.

  5. The technology vendor was called in for an explanation.

  6. The vendor found no software bugs or issues with the DLP features.

  7. The managed service provider confirmed that the DLP system had functioned as intended since its deployment.

The company engaged CNAV, the region’s only Master Specialist, to investigate further.



Key Findings: Governance Gaps Undermining DLP

Upon reviewing the company's DLP infrastructure, policies, and business operations, we identified several governance shortcomings:

  1. Limited Coverage – DLP was only deployed on endpoints of Data Owners, without considering that they frequently needed to share data with non-DLP users.

  2. Workarounds for Business Needs – Employees bypassed DLP controls due to legitimate operational requirements.

  3. Inadequate Detection Mechanisms – DLP policies were ineffective because Data Owners were reluctant to share sensitive details.

  4. Overly Restrictive Policies – Strict policies caused false negatives, meaning leaks went undetected.

  5. Lack of Awareness – Many employees were unaware of policies restricting data sharing.

  6. Stakeholder Exclusion – The CIPO was not involved in approving DLP policies.

  7. Over-Reliance on Technology – The organization believed that deploying DLP alone would be sufficient to prevent leaks, without considering governance and oversight.



Why Governance is Critical for DLP Success


Effective data protection requires more than just implementing a technology solution. Governance ensures that security policies align with business operations, user behavior, and regulatory requirements. Here’s why it is essential:

  1. Aligning Security with Business Needs

    • Without governance, security controls may unintentionally hinder legitimate business processes, leading users to bypass them.

    • A structured framework ensures that security measures are practical and enforceable.

  2. Establishing Clear Policies and Oversight

    • Security policies must be well-designed and approved by key stakeholders, including legal, IT, and business leadership.

    • Governance ensures regular policy reviews and adaptations to keep pace with evolving risks.

  3. Enhancing Data Classification and Ownership Clarity

    • Governance includes a formal data classification process, ensuring clarity on who owns, accesses, and secures critical data.

    • This prevents gaps where sensitive data flows beyond protected environments.

  4. Ensuring Accountability and Monitoring

    • A well-defined RACI (Responsible, Accountable, Consulted, Informed) matrix clarifies roles and responsibilities.

    • Establishing a Data Governance Committee provides continuous oversight to evaluate and adjust security strategies.

  5. Promoting User Awareness and Compliance

    • Employees often unintentionally violate data security policies due to lack of awareness.

    • Governance ensures continuous training and communication to foster a security-conscious culture.

  6. Continuous Policy Evaluation and Improvement

    • Governance mandates ongoing monitoring, assessment, and updates to security policies.

    • This prevents outdated controls from creating security vulnerabilities over time.



Recommendations for Strengthening DLP Governance


To enhance the effectiveness of DLP, we provided the following recommendations:

  • Senior Management Support – Ensure leadership actively communicates the importance of DLP implementation.

  • Establish a DLP Governance Framework that includes:

    • Defined Key Performance Metrics.

    • Governance processes that align policies before deployment.

    • A clear RACI chart.

    • Alignment with business strategy, prioritizing sensitive data protection.

  • Implement a Formal Data Classification Process – Educate employees and enforce structured data handling practices.

  • Develop a Comprehensive Data Inventory – Track sensitive data movement within the organization.

  • Understand the Data Lifecycle – Map out how sensitive data flows and where vulnerabilities exist.

  • Build Trust in Security Measures – Ensure Data Owners feel confident that security measures do not obstruct business operations.

  • Identify Real-World Use Cases – Tailor DLP policies to reflect actual business scenarios.

  • Establish a Data Governance Committee – Create a dedicated group responsible for ongoing oversight and policy refinement.
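The first finding above (agents only on Data Owners' endpoints while owners shared with non-DLP users) and the recommendation to keep a data inventory that tracks sensitive data movement can be turned into a simple coverage check. The script below is an added example, not CNAV's or the client's tooling: it takes a constructed inventory (asset to owner endpoint), a constructed share log and the set of DLP-covered endpoints, then reports which assets now sit outside coverage, which transfers the DLP console could never have seen, and a coverage KPI suitable for a governance committee. All endpoint names and assets are made up.

```python
from collections import defaultdict

# Constructed sample data (not from the case study): endpoints with a DLP agent.
DLP_COVERED = {"ws-owner-01", "ws-owner-02", "ws-owner-03"}

# Constructed data inventory: sensitive asset -> endpoint of its Data Owner.
ASSET_INVENTORY = {
    "design-A": "ws-owner-01",
    "design-B": "ws-owner-02",
    "design-C": "ws-owner-03",
    "design-D": "ws-owner-01",
}

# Constructed share log: (asset, from_endpoint, to_endpoint), in time order.
SHARE_LOG = [
    ("design-A", "ws-owner-01", "ws-sales-07"),  # leaves coverage; DLP sees this hop
    ("design-A", "ws-sales-07", "usb-ext-01"),   # onward hop from an uncovered host
    ("design-B", "ws-owner-02", "ws-owner-03"),  # stays inside coverage
    ("design-C", "ws-owner-03", "ws-eng-12"),
    ("design-D", "ws-owner-01", "ws-owner-02"),
]


def uncovered_exposure(inventory, share_log, covered):
    """Map each asset to the sorted uncovered endpoints that now hold a copy.

    Every hop is followed, so an asset re-shared from an uncovered endpoint
    is still attributed back to the Data Owner's inventory entry.
    """
    holders = defaultdict(set)
    for asset, owner in inventory.items():
        holders[asset].add(owner)
    for asset, _src, dst in share_log:
        holders[asset].add(dst)
    return {a: sorted(h - covered) for a, h in holders.items() if h - covered}

def unobserved_hops(share_log, covered):
    """Transfers that originate outside coverage: the DLP dashboard never saw them."""
    return [hop for hop in share_log if hop[1] not in covered]

def coverage_kpi(inventory, share_log, covered):
    """Governance KPI: share of inventoried assets confined to covered endpoints."""
    exposed = uncovered_exposure(inventory, share_log, covered)
    return 1 - len(exposed) / len(inventory)

if __name__ == "__main__":
    print(uncovered_exposure(ASSET_INVENTORY, SHARE_LOG, DLP_COVERED))
    print(unobserved_hops(SHARE_LOG, DLP_COVERED))
    print(f"coverage KPI: {coverage_kpi(ASSET_INVENTORY, SHARE_LOG, DLP_COVERED):.2f}")
```

With the constructed data, half the inventoried assets already live on unmonitored endpoints, and one transfer (the onward hop from the sales workstation) would never appear on the console, which is exactly the "dashboard shows nothing" situation the case study describes.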



Conclusion

Deploying DLP technology without proper governance is like installing an alarm system but leaving the doors unlocked.


Organizations must integrate people, processes, and governance with their security tools to ensure true data protection. A well-structured governance framework aligns security with business needs, promotes accountability, and enables continuous improvement—ensuring that DLP is truly effective rather than just running in the background.




Author: Charlie Chye ; Co-Author: Philip Chong


About the Authors

Charlie Chye

Charlie has over 35 years of industry experience specializing in Cybersecurity, with CISSP, CISSP-ISSAP, CISA, CISM and CCSP certifications. Charlie holds a Master of Technology degree from the National University of Singapore. He currently leads CNAV in providing Cybersecurity advisory and implementation services to its clients. Throughout his career, Charlie has held leadership positions in a leading Big 4 Data & Privacy practice, Symantec Consulting and Reuters Risk Management. He has led numerous high-profile Cybersecurity advisory and implementation projects, including but not limited to the areas of the NIST Cybersecurity Framework, Data Loss Prevention, Data Protection, Endpoint Security, Security Operations Centre, Security Compliance, e-Payment (SET & SSL) and Risk Management solutions.

Philip Chong

Philip is a senior advisor to CNAV Advisory Services. He holds a Master of Finance and a Master of Science. Philip retired in 2023 from a leading Big 4 professional services firm after a career spanning 38 years. He was formerly Global Head, Digital, AI & Algorithm for this Big 4 firm, and a Partner specialising in advisory services in Cybersecurity, Data Privacy, Digital Resilience and Risk Management. Philip has served multiple clients across Asia Pacific (China, Hong Kong, SE Asia, Singapore and Australia). His clients operated in multiple industries, including banking, government, healthcare, multi-nationals, conglomerates, utilities and e-payment firms.

