When security people see headlines about data losses at TJ Maxx, ChoicePoint, DuPont, and the Department of Veterans Affairs, they quickly assume that preventing such loss is a technology problem.
It clearly is not. It is an information problem.
Organizations know that protecting their clients' or employees' data is paramount and that the risk of not protecting it is a story in the Wall Street Journal. However, underneath the public thunder about the loss of credit card and social security numbers and healthcare information, even more confidential information is at risk.
Before Steve Jobs introduced the new iPhone 2.0 last week, did the security people at Apple know what it was or from whom details about it should be kept? I suspect security would have needed to talk with the iPhone business owners, if not with Steve Jobs himself, to find this out. When Pfizer starts developing a blockbuster drug, how does the information security team protect the recipe for the drug before it achieves regulatory approval?
Today, information security (IS) must know what information to protect and from whom. How can IS do this? Security personnel can start by involving the stakeholders in the process of determining what data is sensitive and who needs to know it early in the data creation process. This is a very difficult task, as the main incentive of business stakeholders is to bring in revenue; protecting information is of secondary importance.
However, weaving information protection into the business is a top necessity. Information security teams need to understand and identify the most important data and where it should go before they can protect it. This means that IS needs to take on a new role as partners to the business stakeholders. Historically, IS has lacked the capabilities required to converse about sensitive information and who is allowed to see it. Data loss prevention (DLP) solutions can help, as they examine all content as it leaves an organization's network or an individual's workstation, or as it is stored on the network.
But how can IS determine which data it should protect? I have found this model to be successful:
1) Start by finding out the top projects that the company is working on
2) Build out a definition of what makes up the project (either through scanning data at rest or manually)
3) Analyze where communications about this project are going (through data-in-motion analysis)
4) Map which departments are communicating the information (by leveraging identity information)
5) Interview business stakeholders to determine if these communications are part of business policy
6) Set up rules to look for communications that are outside the norm
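Steps 3 to 6 of that model, carried through as a small added illustration that is not part of the original post: constructed outbound messages are classified against a project definition, mapped to a department through a directory, and checked against the flows stakeholders said are part of policy. The project name, addresses, domains and department names are all hypothetical.

```python
import re

# Constructed sample data; every name, address and domain below is hypothetical.
# Step 2: a project definition expressed as terms that identify content about it.
PROJECT_TERMS = {
    "iphone-2.0": re.compile(r"\b(iphone 2\.0|app store launch)\b", re.I),
}
# Step 5: flows business stakeholders confirmed are part of policy,
# keyed by (project, sending department) -> recipient domains allowed to receive it.
APPROVED_FLOWS = {
    ("iphone-2.0", "engineering"): {"example.com", "contract-fab.example"},
    ("iphone-2.0", "marketing"): {"example.com"},
}
# Step 4: identity information mapping a sender to a department.
DIRECTORY = {
    "alice@example.com": "engineering",
    "bob@example.com": "marketing",
    "carol@example.com": "finance",
}

def classify(message):
    """Step 3: which projects a message in motion refers to."""
    return [name for name, rx in PROJECT_TERMS.items() if rx.search(message["body"])]

def flag_outliers(messages):
    """Step 6: project-related messages whose (department, recipient domain) pair
    is not in the stakeholder-approved policy. Returns one finding per violation."""
    findings = []
    for m in messages:
        dept = DIRECTORY.get(m["from"].lower(), "unknown")
        domain = m["to"].rsplit("@", 1)[-1].lower()
        for project in classify(m):
            if domain not in APPROVED_FLOWS.get((project, dept), set()):
                findings.append({"project": project, "dept": dept,
                                 "from": m["from"], "to": m["to"]})
    return findings

# Constructed messages: one approved partner exchange, one marketing message to an
# outside address, one finance message about a project finance has no approved flow
# for, and one unrelated message that should produce no finding.
SAMPLE_MESSAGES = [
    {"from": "alice@example.com", "to": "eng@contract-fab.example",
     "body": "iPhone 2.0 board revision attached"},
    {"from": "bob@example.com", "to": "tips@news.example",
     "body": "Heads up on the iPhone 2.0 launch date"},
    {"from": "carol@example.com", "to": "cfo@example.com",
     "body": "iPhone 2.0 unit cost forecast"},
    {"from": "alice@example.com", "to": "dan@example.com", "body": "lunch?"},
]
```

Running `flag_outliers(SAMPLE_MESSAGES)` reports the marketing and finance messages and nothing else; in practice the approved-flow table is the output of the stakeholder interviews in step 5, and each finding is a question for the business owner rather than a verdict.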
Comments (4)

what is private data and what is not?
By BenjaminWright on June 23, 2008, 3:40 pm
Faizel: If we render "private" data so it is of no value to criminals, then we don't have to work so hard to prevent unauthorized access to it. For example, the...

Response: What is private data and what is not?
By Faizel Lakhani on June 25, 2008, 3:28 pm
Ben: I agree that fixed format privacy data is more easily protectable when it is not fixed format. This certainly solves the problem of privacy data, but what...

It's all a matter of cost
By Mike.D. on June 25, 2008, 3:45 pm
If you make private data breaches significantly more expensive than protecting that data in the first place, the breaches will pretty much stop. The way businesses...

Response: Preventing data breaches not a technology issue
By Anonymous on June 30, 2008, 1:26 pm
Protecting credit card, social security and bank account numbers is not obvious to you?