Gartner Blog Network


Security Thought for Thursday: DLP Should be a Process, not a Product

by Neil MacDonald  |  September 10, 2009  |  3 Comments

When someone talks about undertaking a “Data Loss Prevention” (DLP) initiative, they are usually talking about deploying a product from one of the DLP vendors such as McAfee, Symantec, EMC/RSA and so on. Much like I talked about in this post on application security, a product cannot solve what first and foremost is a process problem. The same is true with data protection.

Data protection is the process of identifying and understanding where and how sensitive information is created, used, processed, moved, shared, stored and retired and protecting it throughout this lifecycle.

Endpoint DLP is a possible technical control to map against this process. So is endpoint encryption. So is endpoint device control. So are email and web security gateways that support basic DLP functions. Start first with the process, identify and prioritize gaps, then decide where a tool is needed.


Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…


Thoughts on Security Thought for Thursday: DLP Should be a Process, not a Product


  1. […] governments) that have banned the use of all USB flash drives as part of a data loss prevention (DLP) strategy. This may indeed be necessary and provides immediate protection of data loss. However, it's a blunt, […]

  2. Mehul Doshi says:

    Neil, while all would agree the process is key to success. However, process culture is not an overnight job. Second, as organizations change rapidly so the need to have process change rapidly. Rather than waiting for process and looking for product. Why not look at a product which has the flexibility of process workflow and implement the same. We tested all the DLP vendors and found Symantec having such process within the product itself. Whatever be our changing business environment, we find the product would be able to meet the needs either immediately or with minor modification.

  3. Mike says:

    I agree that a product cannot solve all problems. Many times proper training would be a better if not equal solution to a proper data protection suite. Still, one complements the other, and I think that one without the other is a mistake.


