2007 DOI: Day 6 - Patching the Leaks

More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.

Read all of the 2007 Incites here.

Leak prevention is an interesting market. To day, the total sales in the category is less than the VC funding by an order of magnitude. That will change, but not overnight.

We’ve seen this movie before, lots of times. Big, high profile problem. Frantic buying of anything that portrays to solve the problem, which leads to general customer dissatisfaction with what they bought. Eventual consolidation, then integration and the category is ultimately swallowed up into a larger data or information security function.

The good news is that for most information leakage solutions, the benefits are much clearer than other over-hyped categories (like NAC for instance). But I haven’t found a way to accelerate the market adoption curve (and it’s not from lack of trying), so you’ll have early adopters/panic buyers over the next 12-18 months. This will give way to the mass market (likely in late 2008/09) that figures out what they need and why.

Keep in mind that we are really talking about two different problems here. The first is lost laptops. This is the high profile issue that keeps both security pros and PR people up at night. Just look at the Veteran’s Administration fiascos of the past 8 months and you’ll know why. Lots of whole disk encryption (WDE) will be sold to solve that specific problem. But these are very tactical buys, and vendors that talk about “policy” and integrating WDE with an encryption utility are selling ahead of the requirements.

Separately, you’ve got the problem of private data and intellectual property being sent outside the boundaries of the enterprise. This is another huge problem, with much less clarity on the solution. There are lots of products, but their effectiveness is questionable and the amount of integration it takes to make it work can be significant.

Gosh, kind of sounds like SIEM to me. I wish I was smart enough to have made that analogy, but I’m not. It was my pal Mark Bouchard. But unlike SIEM, there is a real value proposition for leak prevention, and it extends to more than the largest 2000 companies in the world. But only if the technology gets easier to implement.

When the market leaders have average selling prices of greater than $400,000, clearly it’s an early, integration centric market.

As this market matures, we’ll see folks continue to drive for integration (enforcing a common policy for data in motion, data at rest and data on endpoints) and simplifying the implementation process.

Very few markets develop without hiccups and I believe that leak prevention will be a key part of the data security landscape in a few years. But for those that absolutely, positively need a solution today – just understand the inherent messiness of early market technology.