
Dispelling Myths about Data Loss Prevention


By Roy Urrico


A common hurdle in cybersecurity is getting executive-level managers within an organization – including credit unions – to prioritize data loss prevention (DLP) tools. The global average cost of a data breach in 2024 – a 10% increase over 2023 and the highest total ever – reached $4.88 million, according to IBM.


Despite the rising costs of data breaches, misconceptions about DLP — such as it being overly technical, disruptive, or only for IT teams — still prevent many businesses from implementing effective strategies. John Grancarich, chief strategy officer at Eden Prairie, Minn.-based cybersecurity company Fortra, has seen this firsthand.



Grancarich sat down with Finopotamus to cover insights presented in Fortra's eBook, How to Get C-Suite Buy-in for DLP Tools. 


Topics covered include:


  • Dispelling myths about DLP: addressing misconceptions about DLP tools among executives, and how to overcome them.

  • Financial and reputational risks of data breaches, with expert-backed data.

  • Framing DLP as a business priority with cross-departmental implications, not just a security tool or an “IT issue.”

  • Real-world strategies for communicating risk and return on investment (ROI) to non-technical leaders about data protection.


The Myths About DLP


“One common myth is that DLP is only useful for large organizations,” Grancarich stated. “Companies of all sizes face risks of data breaches, and DLP solutions can be scaled to fit the needs of smaller and midsize organizations in both the public and private sector.”


Another myth is that DLP tools are overly complex to implement or manage, Grancarich noted. “Modern DLP solutions have evolved to become more intuitive, with built-in automation and user-friendly interfaces.”


Additionally, some people believe that DLP is only about achieving compliance. “While DLP does support regulatory compliance, its real value lies in being able to be configured to each organization’s unique environment and use cases resulting in them being able to proactively protect sensitive data and mitigate business risks,” suggested Grancarich.


Grancarich also weighed in on misconceptions about DLP tools at the C-suite level, particularly at financial institutions such as credit unions and vendor partners. “A key misconception is that DLP tools are a one-size-fits-all solution. Executives often underestimate the need to tailor DLP policies to their unique workflows, leading to either gaps in protection or unnecessary disruptions. We have also seen instances where an organization wants to implement DLP in one fell swoop versus taking a phased approach that starts with simpler use cases and builds out from there.” Another key misunderstanding, he pointed out, is that some executives assume that DLP is just an IT responsibility.


There is also a belief that DLP can block every threat, Grancarich said. “While it is a critical layer of defense, DLP works best as part of a broader, multi-layered security strategy.” He proposed that DLP should start with and align with an organization’s governance strategy, as it will span multiple departments, including compliance, legal, and human resources, and requires a coordinated effort to be effective.


Financial and Reputational Risks to FIs


The financial risks of data breaches include regulatory fines, legal fees, customer compensation, and loss of business, pointed out Grancarich. “From my perspective, the most expensive risk is the potential loss of trust – regardless of what any company markets and sells, we are all ultimately in the business of trust which is incredibly hard to build and incredibly fragile as well.”


For financial institutions, Grancarich added, “These costs can escalate due to the sensitivity of the data they handle, such as account information and Social Security numbers. On the reputational side, as noted above, breaches erode customer trust, which can take years to rebuild. For credit unions, which often pride themselves on community relationships, a breach can have an especially devastating impact on member confidence.”


Framing DLP as a Business Priority


Data protection impacts every part of an organization, from customer trust and regulatory compliance to business continuity and innovation, emphasized Grancarich. “Framing DLP as a business priority – with specific business outcomes to work toward – helps leadership understand its broader value. For example, effective DLP policies can streamline compliance audits, reduce legal exposure, and protect intellectual property.”


When seen as just an “IT issue,” DLP risks being deprioritized or implemented in a silo, limiting its effectiveness, said Grancarich. “In other words, we should be looking at it as a corporate-wide program with a cross-departmental approach ensuring that DLP strategies align with organizational goals and address the full spectrum of risks.”


Communicating Risk and ROI To Non-Technical Leaders


Start by quantifying the risks in business terms, recommended Grancarich, such as highlighting the potential financial impact of a breach or the cost savings from avoiding regulatory fines. Use case studies or industry benchmarks to show how similar organizations have benefited from DLP investments.


“It is also helpful to frame DLP as a value-add rather than a cost center — for example, to protect innovation, enhance trust, and support strategic goals. Finally, simplify technical concepts and focus on outcomes,” Grancarich continued.


“Non-technical leaders do not need to know how the technology works; they need to know how it will protect their business. If you are going to share data breach horror stories, balance them out with pragmatic and logical business thinking and show how the pieces fit together.”


What Is Fortra? What Does It Do?


Grancarich described Fortra as a cybersecurity company that provides advanced offensive and defensive security solutions covering the entire attack chain. “Our mission is to help organizations disrupt an attack chain regardless of how an attack has been designed or where it originates from. We offer products and services from both an offensive perspective – such as advanced ethical hacking tools – as well as defensive solutions covering data loss prevention (DLP), email security, threat detection and response, and vulnerability management.”


As chief strategy officer at Fortra, Grancarich said, “I drive the vision and execution that has positioned us as a global cybersecurity platform leader. My focus spans product strategy, commercial strategy and operations, and marketing – key areas I align to ensure that Fortra leads in innovation, delivers exceptional client value, and achieves sustained market growth.”


Fortra, noted Grancarich, has a long and successful history of working with financial institutions, including credit unions. “Our DLP solutions are trusted by organizations to safeguard sensitive member data, ensure compliance with regulations like the GLBA (Gramm-Leach-Bliley Act), CCPA (California Consumer Privacy Act) and DORA (EU’s Digital Operational Resilience Act), and defend against sophisticated cyber threats.”


He explained Fortra’s clients also use its services and solutions to help them understand where their exposures may be and develop and implement comprehensive solutions to address them. “We work closely with every single institution to configure solutions that meet their unique needs while aligning with their operational priorities.”
