On DLP Research

by Anton Chuvakin | October 19, 2012 | 2 Comments

It so happens that I will focus on Data Loss Prevention (DLP) this quarter, and it will be added to my coverage areas (which are, as a reminder, SIEM, vulnerability management, denial of service defense and, of course, PCI DSS compliance). While I am not exactly a novice in DLP, I need to dig MUCH deeper in order to create GTP-style research on the subject. For now, let me present a few quotes on DLP from other research that really impressed me (all italics below are mine):

“Do not implement DLP with all implementation and operational responsibilities solely allocated to IT. If the lines of business do not actively support the project — for example, by assisting in the development of processes and committing to resource requirements to meet their responsibilities — then consider ceasing the project.” (http://www.gartner.com/resId=1925115)
“Most organizations buy significantly more content-aware DLP than they use, resulting in shelfware at significant costs.” (http://www.gartner.com/resId=1433239)
“DLP is a nontransparent control, which means it is intentionally visible to an end user with a primary value proposition of changing user behavior. This is very different from transparent controls like firewalls and antivirus programs, which are unseen by end users. Nontransparent controls represent a cultural shift for many organizations” (http://www.gartner.com/resId=1421941)
“Content-aware DLP should not be considered as a method of managing IT-related risk (that is, fundamentally a technology risk), but rather as a comprehensive, organizationwide means of controlling and mitigating information risk (that is, a business risk).” (http://www.gartner.com/resId=1925115)

So, here is my next call to action:

Vendors with DLP tools, got anything to say about it? Here is a briefing link … you know what to do.
Enterprises, got a DLP story – either about DLP deployment or operations – to share? Hit the comments or email me privately (Gartner client NDA will cover it, if you are a client).
DLP-focused consultants, got a DLP story (“inspired by” your recent project) to share? I’d love to hear it as well!

And, yes, watch this space for more questions and comments, as I delve deeper into DLP architecture and operational practices.

Somewhat related posts:

My Gartner research published so far

Additional Resources

Category: dlp security

Tags: data-security dlp security

Anton Chuvakin
Research VP and Distinguished Analyst
5+ years with Gartner
17 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio

Thoughts on On DLP Research

On DLP Processes or “No DLP For Dummies” says:

October 25, 2012 at 7:36 pm

[…] Anton Chuvakin is a research director at Gartner's IT1 Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio Coverage Areas: ← On DLP Research […]
DLP and/or/for/vs Data Security says:

November 1, 2012 at 4:42 pm

[…] On DLP Research […]

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.

Gartner Blog Network

Anton Chuvakin

On DLP Research

Additional Resources

Thoughts on On DLP Research

Who's Blogging

About