2008 DOI: Day 9 - Get the Jumper Cables for DLP

Submitted by Mike Rothman on Wed, 2008-02-27 11:29.
2007 Incite: Patching the Leaks
More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.

2008 Incite: Get the jumper cables for DLP
Data leak prevention stalls in 2008, continuing to be a solution looking for a problem. Given its complexity, limited ability to protect intellectual property, and early consolidation by Big Security, the technology is stuck in the early adopter phase. Significant regulatory catalysts are balanced by an uncertain spending environment, which forces users to utilize the built-in filtering within email and web gateways. These solutions are largely good enough to make sure a dimwit doesn’t send an SSN# (or other regular expression) outside of the organization.

Sometimes it’s hard delivering a message your friends don’t want to hear. I have a lot of friends in the DLP space and many of them are not happy with my prediction that the DLP market stalls in 2008. They weren’t bashful about calling me an idiot. Of course, the Mogull correctly wonders during our email interview whether the DLP market ever got started in the first place, but that’s neither here nor there.

The fact is DLP is expensive, it’s hard to implement (with any sophistication anyway), requires a lot of cross-functional cooperation both within and beyond the IT group, and takes a long time for customers to get discernible value. I know a lot of the vendors will argue those points, but that’s what I’m hearing.

Yes, it’s getting easier. Yes, some companies are coming into the market with more attractive price points. Yes, the high profile acquisitions of the DLP start-ups will allow more flexible bundling and pricing. Yes, a few of the companies are growing nicely, albeit off of a small base.

But this market is still very early. It is what it is.

You have a lot of users that continue to kick the tires. You also have a lot of companies that aren’t taking the time to kick the tires. Organizationally they are not ready. Many of them don’t want to know the answer. They can maintain plausible deniability if they don’t have physical evidence of private data and intellectual property theft. That sounds weird, but it’s true. You have a lot of political maneuvering as to who gets to set the DLP policies and what happens when they find a violation. These are things that have to be determined before a deployment begins.

Internal politics is actually the biggest risk to the DLP market. If the organization can't get on the same page in terms of policies, workflows, and the like, there is no way anyone's technology can solve that problem.

With an economic headwind, a focused investment like DLP usually goes out the window. But that isn’t the biggest reason DLP will stall this year. I think it’s the presence of “poor man’s” DLP, in the form of email filtering and web filtering that are going to be “good enough” for most end users in 2008. Yeah, the DLP vendors definitely don’t want to hear that.

Let’s be clear that most of the DLP market has been driven by compliance. Big companies are writing big checks because they feel they have a gun to their heads. But what if they can convince themselves that looking for account IDs, Social Security #’s, and some other regular expressions is good enough? If they believe the auditor will only poke their eye 1 knuckle deep, I believe they stop writing the checks.

Fact is - most companies already have a gateway (at least email) that can provide a rudimentary outbound filtering capability. They turn it on and they figure out a lot of data is leaking. They also have an endpoint security suite that is starting to add features like device control to deal with USB drives and iPods.

They set some policies to show to the auditors and to prove they are taking data loss seriously and implementing additional controls to fix the problem. Auditors don’t expect the problem solved (at least initially), but they do want to see incremental progress. Monitoring SMTP and outbound HTTP is that kind of progress.

And it doesn’t cost $500,000 to get started.
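To make concrete what the "poor man's DLP" described above actually does, here is an added example (written for this page, not code from the post or from any gateway product): a small outbound filter of the kind an email or web gateway provides, which looks for Social Security numbers and payment card numbers, validates each hit to trim false positives, and returns a block/allow decision. The last sample message shows the flip side of the argument: a leak of intellectual property with no regular expression to match slips straight through. All message samples are constructed.

```python
"""Toy outbound-content filter of the kind built into an email/web gateway.

Looks for structured identifiers (US SSNs and payment card numbers) in an
outbound message body, validates each hit to cut false positives, and returns
a block/allow decision. Every sample message below is constructed for this
example; none comes from a real mailbox.
"""
import re
from typing import Dict, List, Tuple

# SSN written with dashes or spaces, e.g. 219-09-9999. Nine bare digits are
# deliberately not matched: that pattern fires on far too many benign numbers.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")

# Candidate payment card: 13-19 digits, optionally grouped by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed outbound message bodies used to exercise the filter.
SAMPLE_MESSAGES: Dict[str, str] = {
    "leaky_ssn": "Hi, per your request the applicant's SSN is 219-09-9999 and DOB 1/2/1970.",
    "leaky_card": "Card on file: 4111 1111 1111 1111 exp 09/10",
    # Looks like an SSN and a card number, but neither survives validation.
    "benign_numbers": "Invoice 000-12-3456 paid; card 4111 1111 1111 1112 declined.",
    # Genuine intellectual-property leak with nothing for a regex to match.
    "ip_leak": "Attached: pricing-engine source tree and Q3 roadmap. Keep confidential.",
}


def ssn_is_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules for SSNs that are never issued: area 000, 666 or
    900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched_text) for each identifier that passes validation."""
    findings: List[Tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        if ssn_is_plausible(*m.groups()):
            findings.append(("ssn", m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", m.group(0)))
    return findings


def decide(text: str) -> str:
    """Gateway policy: block the message if any validated identifier is present."""
    return "block" if scan_message(text) else "allow"


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(f"{name:15s} {decide(body):5s} {scan_message(body)}")
```

The validation step is what separates a usable gateway rule from one that gets switched off after a week: a bare `\d{3}-\d{2}-\d{4}` pattern flags invoice numbers and test card numbers alike, while the SSA structure rules and the Luhn check discard most of those. The `ip_leak` sample is the limitation the post is pointing at: a filter that only knows regular expressions has no opinion about a roadmap or a source tree.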

To be clear, I do believe in the core value proposition of DLP, in terms of helping organizations protect their data and make sure it isn’t being sent to webmail accounts, competitors, or even customers. I just don’t think the current DLP deployment model of using an overlay content monitoring and blocking infrastructure will solve the mass-market problem.

DLP really needs to be a feature, and it’s starting to happen. EMC and Symantec will build the DLP algorithms into their storage management suites, while trying to milk the standalone cow as long as they can. Big AV (Symantec, McAfee and Trend) all have bought DLP properties and will be shipping the DLP agent capability with the endpoint suites.

Longer term, there is no DLP market. Which is as it should be. A philosophy of protecting data should be a fundamental value for every organization.

Submitted by Faizel Lakhani (not verified) on Thu, 2008-02-28 00:22.

I have to agree with Mike that deploying DLP can be a difficult proposition, namely to determine rules, policies, to have departments agree on what to protect, from whom to protect it... All very tough questions that have historically been determined only by meetings and cross-department interaction. I call it the pink elephant in the DLP market, namely without the definition of a rule traditional DLP systems can't protect it nor tell you about it.

Newer DLP solutions now exist that no longer start with the flawed assumption that a rule must be defined. Imagine a web search that began with launching a query to find NEW postings that matched the query; but what about all the knowledge that ALREADY exists? It is a good thing Yahoo and Google did not start with this flawed assumption ;^)

The capability of not requiring rules is the basis of Reconnex's DLP system, to classify content and index it to enable organizations to learn what is sensitive and who it is being shared with. This will allow organizations to understand their communications to enable them to define the necessary rules. All of this is done without a definition of what to look for, or any rule being enabled.

Without addressing this pink elephant, rudimentary DLP will get integrated into email gateways and such as Mike states, but luckily innovation is not dead in the security market and solutions already exist for the biggest challenge in DLP.
