Next to network access control (NAC), data leakage prevention (DLP) comes to mind as the second most overly hyped security solution on the market today. This isn't because DLP isn't useful or doesn't contribute to solving information security problems. Rather, it's because the problems it was designed to solve, when set against a myriad of proposed deployment strategies, have made its utility and value difficult to gauge.
Last year DLP saw somewhere over $1.6 billion in mergers and acquisitions activity against a pure-play DLP market of something like $100 million in total revenue. What that means is that DLP, in its first stage of life, has become a feature of the much larger information-centric lifecycle management suites of large companies with expansive portfolios.
Some of these portfolios are wide reaching and all-encompassing, while others are quite narrowly focused and solve very specific needs. Choosing the right technology and technology partner is critical.
So what's the best strategy for recommending DLP to clients? That really depends upon the business and technical problems they are trying to solve, the existing vendor relationships you and they may already have, and the size of the organization.
The best recommendation I can make for understanding and choosing a DLP solution is actually not my own; it belongs to Rich Mogull from Securosis. Rich covered this space for Gartner and is the authoritative source for all things DLP.
Rather than paraphrase his extensive and incredibly detailed set of criteria for DLP selection and deployment, I simply suggest reading his whitepaper on DLP. Despite being sponsored by a DLP vendor, it will give you as a reseller the understanding necessary to evaluate your partnership opportunities given your competencies, as well as enabling you to listen to your customer's requirements and recommend the most appropriate solution.
This was first published in May 2008