On Thursday, I threw out a blog post which I hope to be the start of a series playing on Dave Ramsey’s style for financial peace, and realized I played the role of a consultant PERFECTLY (just like Marshall Eriksen might LAWYER you). SK pointed that out for me when he asks me to elaborate. In a back to school fashion, imagine this conversation as played through your teenage daughter’s cell phone.

Marshal Eriksen, LAWYERED

Marshal Eriksen, LAWYERED

“I was all, ‘Just find the data!’, and he was all, ‘Whatever.'”

I am so in touch with today’s youth.

SK brought up a good point.  Let’s say you are working with an enterprise that does not have any of the following: 1) a working DLP solution, 2) a reasonable data architecture and framework defined, 3) a reasonable understanding of business process and data flows, and 4) a reasonably accurate configuration management database.  Where do you start?  Is data discovery even worth it?

First off, throw DLP out the window.  Nearly every single DLP vendor missed the boat (or at least their sales and marketing arms have).  Note to DLP vendors, it’s really hard to sell the $7 million suite, but pretty easy to sell a $20K data discovery engagement (which could, of course, lead to that $7 million suite, or it could lead to a $50K/yr licensing deal for the tool).  Most of my customers don’t even want to hear about DLP because they don’t see it as something for which they have budget.

Secondly, attack number three (TRICKY!), but use software to help validate what you learn by talking to people.  Your business folks will not be 100% sure where their data is, or what data is on the systems they use.  Talking to them will yield you an 80% picture (at best), so you need software to validate what they are saying.  Free software like Spider from Cornell, or grep can be used to find sensitive data in your unstructured data space (like flat files).  Trust your business folks, but VERIFY what they say.

While you are going through the verification process, see how your structured data is set up.  This will be data that you find in databases all over your enterprise (yes, VSAM too).  You will be amazed at what you can learn about your applications and your data by dumping schemas from every database WITH some sample random data out of each table.  BE SURE to randomly select records from different operating times.  Applications change; maybe the newest version of your application do not store social security numbers, but older versions may have.  If someone did not go back and clean up the data after the upgrade, you’ve got a breach time-bomb on your hands.

Finally, if it applies, review your configuration management databases.  Depending on your setup, this may or may not apply.  If your applications rely on a configuration management database, you will absolutely need to address this.

Granted, finding out where your data lives will give you a massive amount of information.  If you don’t have a reasonably mature information security program in place already, you will be overwhelmed by the results of this exercise.  As always, you and your organization will benefit greatly from a good security program, but if you don’t have the funds for that, start by going on an electronic discovery and destruction initiative to effectively reduce the risk carried by the business.

This post originally appeared on BrandenWilliams.com.