DLP
Deal: McAfee acquires Reconnex
As predicted, the DLP market continues to consolidate on its way to eventually disappearing. McAfee announced as part of their earnings release that they are acquiring Reconnex for $46 million in cash. This is a good deal for McAfee for lots of reasons. I don't think they are going to be "redefining the data protection market" as stated in their press release - but there are positives.

- All the cool kids have one - McAfee needed to bolster their DLP position because their benchmarks, Symantec, Trend, EMC/RSA, and Websense, already acquired assets in this space. They also realized the endpoint centric product they've brought to market (based on the Onigma acquisition) wasn't going to get them there. Reconnex is one of the last independents standing, so it's not a surprise they got taken out.
- DLP is a feature - As I've mentioned, DLP is not a market category that is going to stand alone. These capabilities need to be built into bigger security, and eventually general IT infrastructure. McAfee now has some more technology to foster that kind of integration and value add.
Of course, all that glitters is never gold, so there are some things to watch for, especially around channel mismatch. McAfee doesn't really have a high end services/implementation business to drive big DLP implementations. And their channel tends to focus more on mid-sized companies. Sure they do some big deals (around endpoint security and some IPS), but there could be a bit of an impedance mismatch when the reality of DLP deployment cycles sets in.
How about that price?
But any potential issues with the deal are offset by the price. $46 million in cash. Wow! That is really a fire sale price for a company with seemingly a lot of momentum. I guess seemingly is with a capital SEEMINGLY.
Reconnex had raised $37 million in VC funding. So the VCs get their money out, the management team (mostly executives) maybe gets a little carve out, and the rank and file get screwed. Of course, that is speculation on my part, but having seen enough of these deals - I'm probably not too far off.
This is just yet another example of the reality that you cannot believe all you read. Check out the momentum release from TWO WEEKS ago. If you take the words on the surface, things are going great. Lots of growth, named a leader in that quadrant thingy, yada yada. The print isn't even dry on that release and they sell for not much more than DeWalt's expense account.
I'm sure there is some kind of back story here, and I'm sure it's not real pretty. But at the end of the day, they got a deal done. Bully for them. And once again, McAfee shows it's one of the shrewdest buyers in the space. They won't have to turn many Reconnex lemons into lemonade to make the deal pay big time.
Photo credit: "Cheap Store" originally uploaded by ZannaLyon
Incite Redux: Day 9 - Get the jumper cables for DLP
Good Morning:
At this point, I'm probably chewing my arm off - ready to head back
home and get back to my daily routine. I've come to embrace the fact
that even if I didn't have to work - I still would. The life of leisure
just isn't for me. I'm not the type to want to play golf every day or
sit at the pool or out by the beach.
It's not that I don't appreciate the ability to turn things off and just relax a bit. It's important. But it's not something I want to or could do for months at a time. I'm a builder. I like to create new things and creating a lower golf handicap is not really what I'm talking about. As I mentioned on Monday of this week. It's not something I feel bad about either.
So over the next two days, I'll be ramping back up to jump into my routine. By Monday, we'll be back at the home base. The kids will be gearing up for another couple weeks at camp, and I'll be back to being pulled in 15 directions. And I can't wait.
Yes, vacation is great. But if you aren't looking forward to getting back to your life, then you need to change your life. Have a great day.
Incite #9: Get the Jumper Cables for DLP
Data leak prevention stalls in 2008, continuing to be a solution looking for a problem. Given its complexity, limited ability to protect intellectual property, and early consolidation by Big Security, the technology is stuck in the early adopter phase. Significant regulatory catalysts are balanced by an uncertain spending environment, which forces users to utilize the built-in filtering within email and web gateways. These solutions are largely good enough to make sure a dimwit doesn’t send a SSN# (or other regular expression) outside of the organization.
Read the original Days of Incite post on this topic.
6-month grade: C+
I hate waffling, but ultimately I have no choice but to waffle a bit on
this Incite. Clearly I don't think the DLP market is going great guns,
and I constantly hear anecdotes about big DLP projects being pushed out
or pilots kind of stuck in pilot mode. Yet, on the other hand, I also
hear anecdotes about some of the acquired DLP vendors beating their
internal projections, mostly driven by the reach of the acquiring
company. I guess the truth is kind of in the middle and very hard to
really calibrate.
That's why I hate making
market size projections. I guess I'll take a mental note to remember
that next year, when I'm preparing the 2009 Incites.
But let's get back to the fundamentals of the DLP space. The reality
is, as this business and the product offerings mature, the problem is
less about catching bad stuff at the gateway and more about protecting
the data at rest. That's really where it's most vulnerable. I should
probably say FINDING the sensitive data at rest, since you need to
figure out where it is before you can worry about protecting it.
And that gets back to a key hallmark of DLP: it's more about
process than it is about a product. Sure you can buy a gateway to look
for regular expressions (like SSN#'s and account IDs) or even use some
sophisticated information fingerprinting algorithm, but unless you know
what you are trying to protect and why - then the inherent value of the
DLP will be limited.
I think that's really the concept I was trying to isolate in the
Incite, but of course it came out like a Kimbo uppercut delivered to
the jaw of the entire category. My point is that without a process to
allow data leak prevention to actually prevent anything, you need to
have an underlying process to figure out what's important, find it, and
then ultimately protect it.
And without the process, the product is a pretty (I guess I should say
a VERY) expensive way to find the low hanging fruit, and your existing
mail and web gateways can probably find the low hanging fruit.
Photo credit: "Old Jumper Cables" by Dann Solo
2008 DOI: Day 9 - Get the Jumper Cables for DLP
2007 Incite: Patching the Leaks
More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.
2008 Incite: Get the jumper cables for DLP
Data leak prevention stalls in 2008, continuing to be a solution looking for a problem. Given its complexity, limited ability to protect intellectual property, and early consolidation by Big Security, the technology is stuck in the early adopter phase. Significant regulatory catalysts are balanced by an uncertain spending environment, which forces users to utilize the built-in filtering within email and web gateways. These solutions are largely good enough to make sure a dimwit doesn’t send a SSN# (or other regular expression) outside of the organization.
Sometimes it’s hard delivering a message your friends don’t want to hear. I have a lot of friends in the DLP space and many of them are not happy with my prediction that the DLP market stalls in 2008. They weren’t bashful about calling me an idiot. Of course, the Mogull correctly wonders during our email interview whether the DLP market ever got started in the first place, but that’s neither here nor there.
The fact is DLP is expensive, it’s hard to implement (with any sophistication anyway), requires a lot of cross-functional cooperation both within and beyond the IT group, and takes a long time for customers to get discernable value. I know a lot of the vendors will argue those points, but that’s what I’m hearing.
Yes, it’s getting easier. Yes, some companies are coming into the market with more attractive price points. Yes, the high profile acquisitions of the DLP start-ups will allow more flexible bundling and pricing. Yes, a few of the companies are growing nicely, albeit off of a small base.
But this market is still very early. It is what it is.
You have a lot of users that continue to kick the tires. You also have a lot of companies that aren’t taking the time to kick the tires. Organizationally they are not ready. Many of them don’t want to know the answer. They can maintain plausible deniability if they don’t have physical evidence of private data and intellectual property theft. That sounds weird, but it’s true. You have a lot of political maneuvering as to who gets to set the DLP policies and what happens when they find a violation. These are things that have to be determined before a deployment begins.
Internal politics is actually the biggest risk to the DLP market. If the organization can't get on the same page in terms of policies, workflows, and the like, there is no way anyone's technology can solve that problem.
With an economic headwind, a focused investment like DLP usually goes out the window. But that isn’t the biggest reason DLP will stall this year. I think it’s the presence of “poor man’s” DLP, in the form of email filtering and web filtering that are going to be “good enough” for most end users in 2008. Yeah, the DLP vendors definitely don’t want to hear that.
Let’s be clear that most of the DLP market has been driven by compliance. Big companies are writing big checks because they feel they have a gun to their heads. But what if they can convince themselves that looking for account IDs, Social Security #’s, and some other regular expressions is good enough? If they believe the auditor will only poke their eye 1 knuckle deep, I believe they stop writing the checks.
Fact is - most companies already have a gateway (at least email) that can provide a rudimentary outbound filtering capability. They turn it on and they figure out a lot of data is leaking. They also have an endpoint security suite that is starting to add features like device control to deal with USB drives and iPods.
They set some policies to show to the auditors and to prove they are taking data loss seriously and implementing additional controls to fix the problem. Auditors don’t expect the problem solved (at least initially), but they do want to see incremental progress. Monitoring SMTP and outbound HTTP is that kind of progress.
And it doesn’t cost $500,000 to get started.
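An added illustration (not from the original post, and not any vendor's filter) of the regular-expression outbound check described above: it flags SSN- and card-shaped strings in message bodies, and shows that a message carrying intellectual property with no such pattern passes untouched. The function names, patterns and sample messages are assumptions constructed for this example.

```python
import re

# SSN written with separators: AAA-GG-SSSS or AAA GG SSSS.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def plausible_ssn(area, group, serial):
    """Reject number ranges that are never issued as SSNs."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_outbound(body):
    """Return sorted (kind, masked_value) findings for one message body."""
    findings = set()
    for m in SSN_RE.finditer(body):
        if plausible_ssn(*m.groups()):
            findings.add(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):                 # drops most random digit runs
            findings.add(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return sorted(findings)


# Constructed sample messages (not real data).
MESSAGES = {
    "payroll": "Employee SSN is 078-05-1120, backup card 4111 1111 1111 1111.",
    "ticket": "Reference 987-65-4321; tracking 1234 5678 9012 3456.",
    "design": "Attached is the unreleased controller schematic and pricing model.",
}

if __name__ == "__main__":
    for name, body in MESSAGES.items():
        print(name, scan_outbound(body))
```

Only the "payroll" message is flagged; the "design" message, the kind of leak the post says needs process and data discovery rather than pattern matching, produces no finding.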
To be clear, I do believe in the core value proposition of DLP, in terms of helping organizations protect their data and make sure it isn’t being sent to webmail accounts, competitors, or even customers. I just don’t think the current DLP deployment model of using an overlay content monitoring and blocking infrastructure will solve the mass-market problem.
DLP really needs to be a feature, and it’s starting to happen. EMC and Symantec will build the DLP algorithms into their storage management suites, while trying to milk the standalone cow as long as they can. Big AV (Symantec, McAfee and Trend) all have bought DLP properties and will be shipping the DLP agent capability with the endpoint suites.
Longer term, there is no DLP market. Which is as it should be. A philosophy of protecting data should be a fundamental value for every organization.

