Overcoming Objections
This comprehensive approach is one of DLP’s biggest drivers over point products, but it may also simultaneously have been one of its limiters in the past due to deployment problems caused by its own ambitions.

“The issue, which I call the dirty little secret of DLP, is that the deployment of DLP in large organizations in particular have proven to be a bit more time consuming and costly in many cases than customers have anticipated,” Peters said. “And that’s because the number one challenge customers have had in their deployment is to determine what the right policies are for implementation. What information do I need to protect? How tight does the policy have to be to ensure that i don't generate a lot of false positives or on the converse , that I’m not missing stuff.”

He says that Reconnex recently tweaked its product in order to provide better auto-discovery of content, easier configuration and improved automated policy development. He believes this has been a major focus among DLP vendors at the request of customers and potential customers. But it has already done damage and caused some security gurus to think twice about deploying.

This was the case for Andre Gold, current head of technology risk management for ING U.S. Financial Services and a long-time security veteran. He first encountered DLP two years ago when he was pitched by one of the major vendors to install a trial deployment within the infrastructure of his previous employer, Continental Airlines.

He gave the vendor the opportunity to configure the installation so that there were no snags and waited for them to give him visibility into data leakage problems.

 “After two three weeks we went back and said ‘Where are those golden nuggets you were talking about?’ and they said, ‘Do you know you have this amount of spyware in your environment?’” Gold said. “We said, ‘Yea we knew that, we have another product to tackle that.’ Then they said, ‘Well did you know you had this amount of P2P networks?’ And we told them we knew that as well, so where were those golden nuggets?  They said, ‘Well, we can’t find that.’”

It’s experiences like those that colored Gold’s perception of the market and cast a shadow on it for himself and his colleagues for a long time. There was no value for a device unable to produce results even after being configured by its own manufacturer.

“I think these companies’ historical challenge is that there is still a stigma as it relates to the configuration and short term value that you can gain from a DLP device,” he said

But that stigma is slowly dissolving. Just last month Gold gave DLP another go, this time with ING after a much more successful trial.

“Fast-forward two years now, the market has started to mature, there's certainly some consolidation going on as well as the vendors have kind of dug down into the technology such that there is improved auto learning and the configuration is a lot easier,” he said, explaining that ING makes it a policy not to mention vendor picks.

He believes that the DLP vendors are doing a better job of both delivering short-term value by helping companies meet data leak regulation compliance goals and long-term value by helping them strategically protect corporate IP.

Mogull agrees, stating that the balance was struck as DLP vendors heard objections over the last several years and learned to adjust so that they help companies meet business needs.

“We’ve seen much better maturity out of the companies themselves,” said Mogull, who has been covering DLP as an analyst for over six years now. “I mean for a while it was a little bit of a one horse race, a lot of the companies are technology driven, not business driven. Over the past two years they've really changed and it’s become a much more competitive market.”