Explore the complexities of managing Microsoft Purview deployments and the importance of a robust operational strategy. Understand how user count, industry regulations, and specific Purview tools impact the required headcount for effective management.
Author: Nathan Berger,
Director of Security @ Cyclotron
Having completed hundreds of Purview deployments for enterprise clients, Cyclotron has seen many successful deployments. But we’ve noticed over time that a surprising proportion of clients who set out with good intentions – even completing a successful deployment – make mistakes over the long term that erode the platform’s value.
Failed Purview deployments are usually caused by the lack of a successful operational strategy. Purview requires operational investment: just like other security tools, Purview needs real-time alert response, tuning for accuracy, and policy redesign to meet new business needs over time.
For enterprise organizations, effective Purview management usually requires 3 dedicated personnel. But even at relatively conservative metrics, a successful Purview strategy for large organizations in regulated industries, such as a 10,000-seat Healthcare organization, dedicates about 6 personnel to Purview management across data governance, SecOps, helpdesk, legal, and compliance. This also excludes some optional functions of Purview such as HR connector management and Compliance Manager improvement actions.
Factors that affect Purview management headcount
What exactly does an enterprise client need to manage Purview? The main factors to estimate Purview management headcount are:
Number of users in policy scope. We assume this will be your total employee count.
Regulated v. non-regulated industry. Healthcare, finance, government, and associated industry partners require special focus on securing Personally Identifying Information (PII), Protected Health Information (PHI), and more.
Importance of Intellectual Property (IP) protections. Intellectual Property is one of the main use cases for protecting data outside of regulated industries. Software, digital platforms, manufacturing, and other clients often need Data Loss Prevention (DLP) to prevent IP loss. Although the number of employees handling IP can be small in some organizations, the volume of operational alerts skyrockets when DLP policies are designed to protect it. Organizations must suddenly be aware of every appropriate and inappropriate use of their IP, which is more than they expect.
Which Purview tools are being deployed.
DLP, Insider Risk Management, Communication Compliance, and (sometimes) Defender for Cloud Apps all generate real-time alerts. These require a formal SLA-based response (perhaps not needing to be as fast as malware response, but still important to address within a few hours to reduce business impact).
Other Purview tools don’t have real-time alerts, but they do carry a helpdesk burden: ensuring proper use of Sensitivity Labels and Retention Labels, and the helpdesk is often first to troubleshoot issues with DLP.
Lastly, your compliance or data governance teams will want to manage admin-level controls such as Compliance Manager, audit, and eDiscovery features, each of which involves specialized operational activities for effective deployment.
The number of policies deployed, and their total strictness and coverage. For example, a policy with built-in override options will be less disruptive than hard blocks. Your organization may also have many use cases for blocking sensitive data loss, which results in more alerts & management overhead.
Managing Purview: The numbers
Let’s assume a Healthcare provider of 10,000 seats wants to deploy the entire Purview stack. We could reasonably expect to see:
Up to 5% of employees triggering DLP alerts each month, roughly 17 alerts per day. We assume an average of 30 minutes of alert response time for SecOps to follow up, take action, communicate, and close each alert.
Up to 3% of employees each month triggering Insider Risk Management policies (which cover general data leaks not caught by explicit DLP rules), roughly 10 risk alerts per day.
Up to 2% of employees triggering Communication Compliance policies about appropriate chat use, about 7 alerts per day.
These alerts often involve helpdesk, so expect that of ~34 alerts per day, about half of these trigger a helpdesk ticket, so about 17 helpdesk tickets per day. Often helpdesk and SecOps are notified about these at the same time, and each have specific roles to fulfill to ensure the incident is resolved.
The helpdesk would also help with classifications, including helping users understand when to use classifications, resolving issues with encryption, and other common tasks. In a proper Purview deployment, preparing end users is an important component, but we still expect helpdesk activity for a typical label deployment to consume around 10 tickets per day, or up to 20 hours per week.
The data governance team would oversee the retention deployment, sensitivity label deployment, auto-labeling policies, DLP definition success, and regularly update DLP recipient exceptions, application exceptions, process exceptions, and other tuning as needed. We expect this to consume between 1 and 1.5 FTEs managing the Purview stack. All proposed Purview changes need to run through these personnel, and they would be monitoring the long-term value and success metrics of the platform.
eDiscovery and legal cases happen frequently in larger organizations, so this requires a minimum of 2 FTEs to ensure response time and quality remain effective in an enterprise organization.
The data governance team would also communicate with legal, compliance, HR, SecOps, and IT to review policy impacts, tuning, and scenarios where these groups must consult on user impacts and make decisions.
In summary:
34 alerts per day, or 85 hours per week of alert management & response
27 helpdesk tickets per day, or about 64 hours per week of helpdesk allocation
2 FTEs for eDiscovery case management
10 hours per week of platform tuning and management across all Purview tools.
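The staffing arithmetic above can be turned into a small capacity model so that other seat counts and trigger rates can be plugged in. The following Python is an added example, not code from the article or from Cyclotron; its defaults reproduce the 10,000-seat healthcare scenario, and the 30-day month, 5-day work week, 40-hour FTE week, and 30-minute helpdesk ticket handling time are assumptions of the example, not figures from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WorkloadInputs:
    """Planning assumptions for a Purview deployment.

    Defaults mirror the article's 10,000-seat healthcare scenario; every
    field is an assumption to replace with your own measured rates.
    """
    seats: int = 10_000
    dlp_rate: float = 0.05            # share of employees triggering DLP alerts per month
    irm_rate: float = 0.03            # share triggering Insider Risk Management alerts per month
    cc_rate: float = 0.02             # share triggering Communication Compliance alerts per month
    days_per_month: int = 30          # assumption: calendar days used to spread monthly volume
    work_days_per_week: int = 5       # assumption: alert handling happens on business days
    minutes_per_alert: int = 30       # SecOps follow-up, action, communication, closure
    helpdesk_share: float = 0.5       # fraction of alerts that also open a helpdesk ticket
    minutes_per_ticket: int = 30      # assumption: helpdesk effort per alert-related ticket
    label_tickets_per_day: int = 10   # label / encryption / classification questions
    label_helpdesk_hours_per_week: float = 20.0
    tuning_hours_per_week: float = 10.0
    ediscovery_fte: float = 2.0
    hours_per_fte_week: float = 40.0  # assumption: one FTE = 40 productive hours per week


def alerts_per_day(seats: int, monthly_rate: float, days_per_month: int = 30) -> int:
    """Convert a 'share of employees per month' trigger rate to a daily alert count."""
    return round(seats * monthly_rate / days_per_month)


def estimate(w: WorkloadInputs) -> dict:
    """Derive daily volumes, weekly hours and FTE-equivalents per operating function."""
    dlp = alerts_per_day(w.seats, w.dlp_rate, w.days_per_month)
    irm = alerts_per_day(w.seats, w.irm_rate, w.days_per_month)
    cc = alerts_per_day(w.seats, w.cc_rate, w.days_per_month)
    alerts = dlp + irm + cc

    # SecOps: every real-time alert gets an SLA-bound response.
    alert_hours_week = alerts * w.minutes_per_alert / 60 * w.work_days_per_week

    # Helpdesk: a share of alerts spawn tickets, plus steady label-support traffic.
    alert_tickets = round(alerts * w.helpdesk_share)
    tickets = alert_tickets + w.label_tickets_per_day
    helpdesk_hours_week = (alert_tickets * w.minutes_per_ticket / 60 * w.work_days_per_week
                           + w.label_helpdesk_hours_per_week)

    return {
        "dlp_alerts_per_day": dlp,
        "irm_alerts_per_day": irm,
        "cc_alerts_per_day": cc,
        "alerts_per_day": alerts,
        "alert_hours_per_week": alert_hours_week,
        "secops_fte": alert_hours_week / w.hours_per_fte_week,
        "helpdesk_tickets_per_day": tickets,
        "helpdesk_hours_per_week": helpdesk_hours_week,
        "helpdesk_fte": helpdesk_hours_week / w.hours_per_fte_week,
        "tuning_fte": w.tuning_hours_per_week / w.hours_per_fte_week,
        "ediscovery_fte": w.ediscovery_fte,
    }


def report(w: WorkloadInputs) -> str:
    """Render the estimate as a plain-text table for a planning discussion."""
    r = estimate(w)
    lines = [f"Purview workload estimate for {w.seats:,} seats"]
    for key, value in r.items():
        shown = f"{value:.2f}" if isinstance(value, float) else str(value)
        lines.append(f"  {key:<26} {shown:>8}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(WorkloadInputs()))
    # Re-run with a smaller, unregulated organization to see how the volume scales.
    print(report(WorkloadInputs(seats=2_000, dlp_rate=0.02, irm_rate=0.01, cc_rate=0.0)))
```

With the defaults the model returns the article's 17/10/7 alerts per day, 34 alerts and 85 alert-handling hours per week, and 27 helpdesk tickets per day; the helpdesk hours depend on the assumed 30 minutes per ticket, so that figure lands near, not exactly on, the article's 64 hours. The trigger rates are the levers to validate first: measure them during the first month of monitor-only policies before committing headcount.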
We’ve seen a variety of issues cause Purview deployments to lose value: SecOps doesn’t want to own compliance alerts; data governance teams are unprepared to handle real-time alerts; policies are not tuned effectively; short-staffed personnel turn off Purview policies because they can’t handle the volume; and many more.
How we ensure long-term Purview value
Our Purview managed service offer, Kapton, uses a combination of Purview management dashboards and managed services to ensure your organization doesn’t encounter the pitfalls frequently seen in long-term Purview deployments.
As part of this service, Cyclotron’s award-winning compliance team provides:
Purview success metrics on dashboards designed for data governance administrators and executive-level views
Real-time alert response
Policy tuning and updates
New policy implementation as requirements change
Technical support for admins
Coordination with business units (HR, Legal, Compliance, etc.) to reduce cross-team management overhead and streamline effort.
For more information about long-term Purview management with Kapton, contact nathan.berger@cyclotron.com. We’ll provide you with a consultation on your Purview strategy and how we can help improve your compliance posture.