How management killed DLP

In a medium-sized organization, whose main business model was based on the very sensitive personal data of hundreds of clients, an attempt was made by IT department to deploy Data Loss Protection technology (previously AIP, today Microsoft Purview).

The project included mapping and automatic marking of classified data and documents (scanning all content in Microsoft Sharepoint and Microsoft Dynamics (CRM)) and manual marking of the classification level during internal document circulation (MS Office, MS Outlook).

The result of about two months of testing was a total rejection by top management (who was required to participate in the testing). The final statement: "we won't do this... we don't have time for that...!"

In other words, a corporate lawyer who has just completed a contract with a client, where all his sensitive data (personal, financial, etc.) is stored, will simply not be willing to click on the Confidential option in the Microsoft Word menu to put the document under DLP protection.

Or a user who receives an email from a colleague containing payment card details will not mark such an email as Confidential simply because it would greatly delay his work.

What could be your interpretation of what actually happened?

What happened here is not a failed DLP project; we’re describing a failed leadership decision masquerading as a usability issue.

This is a governance failure:

  • management rejected a control because it applied to them personally,
  • the moment senior leadership is required to change behavior, the security needs are cancelled.

Uncomfortable truth

Leadership opt-out kills security - security controls survive only if leaders are subject to them first.

The organization’s core business asset is the sensitive personal data, so by rejecting DLP due to inconvenience, management effectively said:

“We accept the risk of uncontrolled personal data leakage to preserve our short-term productivity and convenience”.

“We don't feel like taking time to decide what's sensitive and in which context: if DLP cannot do this without our involvement, we don't want it.”

The (possibly) real reason management rejected it

  • loss of autonomy, invisibility and plausible deniability,
  • fear of accountability.

DLP doesn’t just protect data — it creates traceability and defines responsibility.

And traceability and responsibility make people uncomfortable.