In this difficult economy -- some say because of the economy -- data security remains a spending priority. Companies still must meet regulatory compliance requirements; layoffs, and the specter of impending layoffs, have exacerbated corporate concerns about employees taking sensitive information out the door.
It's true that every information security technology in some way involves the data protection market -- everything from network firewalls and desktop antivirus to application security products (Web application firewalls, code review tools, etc.) However, there are two critical markets that deal with data directly and are generating some serious business: mobile data security (laptop encryption and portable device control), which Forrester Research Inc. pegs at a $1 billion-plus business, and data leakage (or loss) prevention (DLP). Forrester estimates the DLP market will be between $200 million and $250 million this year, while Gartner estimates around $300 million.
A business' security posture and its purchase and implementation of protective products and services is based on either data threats and vulnerabilities, or compliance requirements -- Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX) or the Health Insurance Portability and Accountability Act (HIPAA), to name a few.
Laptop encryption is the most popular technology response for data security, particular for compliance requirements. The 40-plus state data breach notification laws waive responsibility if the lost or stolen data is encrypted.
DLP is also getting a lot of attention, though mostly in pilots and narrow focus projects for location and detection of credit card data for PCI compliance. Often it is only applied to email, which covers most of the risk of data leakage. Full deployments are complex and costly, requiring interdepartmental cooperation and examination of business processes.
Whether the prime driver is "pure" security or regulatory compliance, the ultimate goal is to safeguard data. After all, regulations arise to impose standards for protecting personally identifiable information, credit card numbers, and access to and handling of financial records, to name a few.
"These are the two major drivers for data security," said Stamford, Conn.-based Gartner Inc. vice president and distinguished analyst Mark Nicolett. "For each of these [data security technology] areas, you can discuss the particular threat and vulnerability management drivers and compliance drivers, and the drivers also vary by industry."
Nicolett said companies have spent as much or more money than in 2008 to close compliance gaps, but are getting tougher when it comes to discretionary security budgets. In past years, security managers have used funding for compliance initiatives to introduce security projects, but to save money enterprises are narrowing the scope to focus on the core compliance requirements.
While the concept may seem to fall under the heading of protecting "sensitive" information, there's a distinction that directly affects corporate priorities for the data protection market. Cambridge, Mass.-based Forrester Research senior analyst Andrew Jaquith describes two broad types of sensitive data: "toxic" and "secret."
Secret data is important to a company's competitive position and therefore valuable to other companies in the same industry. These are things like intellectual property (proverbially, the secret recipe for Coca-Cola, but more likely something like research information on clinical trials for a new drug), sales forecasts, films and music, etc. It also applies to things like government and defense department contractor secrets.
Toxic data is generally what most compliance mandates are designed to protect. It's the information that an organization is entrusted with but doesn't actually own, such as personally identifiable information and credit card numbers. These are valuable, Jaquith said, because regulations force enterprises to take specific measures to protect them, and criminals can directly profit by stealing them. Data breaches often cost companies millions of dollars in penalties and customer remediation, and the business' reputation and brand take a hit when the breach goes public.
"The trend has culminated this year, to a very clear division in terms of the types of data being protected," he said. "They have very different protection profiles, and the degree to which companies care about them are quite different."
Jaquith said 80% of Forrester's client inquiries are related to this second type of data, which is why laptop encryption and DLP are getting a boost in the data security market.
"Regulators are breathing down their necks," he said, "and, upstream customers are asking, 'What the heck are you doing with all this information I'm entrusting to you?'"