Signaling Changes in StrategyBy Ericka Chickowski | Posted 2008-03-12 Email Print
Where can data loss prevention technology make sense for your company? When defining your long-term risk management strategy. But don't take vendor and analyst words for it: Hear it from the head of risk management at
Signaling Changes in Strategy
While short term value is derived from DLP’s ability to aid compliance, which can also be achieved by other product categories. Some like Gold believe that in order for DLP to be embraced wholesale it is going to take some time as companies adjust their information-centric strategies and their business goals in order to see the long term value of the category.
“That’s an area where we as risk officers have trouble. Sometimes we look at where the industry is going with the newer technology and don’t focus on where is our own firm going and where is our vertical going,” Gold said. “I think if we do that technology takes care of itself; but if we let technology drive our strategy then I think that's where the organizations have trouble consuming newer technology because it looks pretty, it sounds pretty, but fundamentally I don't know why I'm using it and I don't know how I can map towards strategic risk mitigation within my environment.”
In his case, the discovery of DLP’s value to his organization came when he first moved to ING and started working on long-term risk management strategy.
“It wasn't until we laid out our three year strategy that we saw the use. We looked at what the organization was wanting to do from a strategic perspective and then overlaid that with the gaps within our risk perspective. I think when you do that your areas of focus immediately bubble up,” Gold said. “So from our perspective information leakage became one of those areas that immediately bubbled up.”
For example, Gold was consistently hearing from his CEO that ING is planning to grow considerably in the coming years, be it through organic or inorganic expansion. From personal experience he knows the devastating effect that an IP leak can have on acquisitions. During his time at Continental the airline was considering purchasing Delta, but word of the buy was leaked and bumped Delta’s stock price up to the point that it became too expensive for acquisition. He decided that he needed a way to prevent the same thing from happening at ING.
This mix of strategic and tactical needs is what many DLP vendors are hoping to satisfy, Peters of Reconnex says.
“What we are seeing now is that most of our prospects and customers have some form of compliance or privacy application from a tactical standpoint but the strategic thrust really is to protect their intellectual property because that is the core asset of their business,” Peters said. “So almost every one of our customers has some combination of it protection along with compliance and or privacy
But Mogull doesn’t believe that all organizations need to find that strategic need for DLP in order to consider bringing it into the infrastructure.
“To be honest DLP can be a quick fix, if you worry about your data getting exposed out through those channels, everything from USB to email there is no reason to sit there and pontificate about information centric security model,” Mogull said. “The DLP is going to grow into that. we're going to see initially people who are deploying this are going to be more focused on things like protecting credit card numbers and social security numbers I mean 90 percent of the market is focused on credit cards and social security numbers today, for better or worse.”
From there, Mogull believes deployments will expand using the DLP tools already in place to protect more unstructured content through partial document matching and the like.
“I think the areas where we're going to, where people are going to start getting really interested in DLP is the content discovery, both as product capabilities improve as well as customers realize there is a lot of value in moving into kind of areas of content protection that aren't as well defined. People will start using this as a tool to better understand how their sensitive data is being used within the organization.”
But this realization won’t be slow. He thinks that the market still needs more time to grow. His estimation is that DLP will see revenue increases of about 75 percent in the next few years. It won’t explode with growth because this is a new category that isn’t mitigating immediate threats like viruses. This is a fact of the market not lost on people in the DLP realm.
“Like a lot of new product concepts, new technologies this is one that is not a replacement for an existing budget item,” Peters said. “This is a new budget item, so that's one issue--its not cheaper faster better disk drives or cheaper faster better processors and i just get more for my money. It's a new initiative that has to be funded.”
Likely much of the initial drive to find the money for deployment will come through compliance needs, Mogull said, reiterating that the strategic benefits will be icing on the cake.
“I think that’s where we are going to see a lot of the enhancements of the various products over the next few years,” Mogull said. “Some of the products have now just started to introduce features where you can say, ‘I don't know exactly what is going on with my data so I want to see anything that looks like it might be along the lines of engineering plans.’”
From there, it will be a matter of figuring out how DLP fits together with other information centric security solutions.
“We've got a lot of things like encryption and DLP and database activity monitoring but they're not really designed to work together,” Mogull said. “People haven't spent a lot of time figuring out how to pull those models together and I think that's where there is going to be a lot of work moving forward.”