My DLP Survey Results

By Anton Chuvakin | February 09, 2016


A few weeks ago I posted a quick one-question survey on DLP. I asked “Can Data Loss Prevention (DLP) technology be effective against the “bad guys” [= anybody with malicious intent, whether insider or outsider], threatening your organization?”

Here is what came out:


Comments? Well, while my language inside the answer options was intentionally fuzzy, we can try to stratify the responses into buckets like:

  1. DLP optimists – the “it just works” crowd – measure at 6%. This makes sense; our industry is rather short of optimists, and for lots of good reasons…
  2. DLP “positive realists” – a combination of the above with “work hard – get a DLP WIN” – clock in at 20.9%. This is reasonable, and matches our research on DLP project success.
  3. DLP skeptics – a combination of “no” and “never efficient” – come in at 37.3%, a very large group indeed.
  4. Similarly, another kind of DLP skeptic – a combination of “no” and “works only against unsophisticated threat” – measures at 43.3%, nearly half of the total. This is roughly what I’d call a majority opinion on DLP. Further, if you add “never efficient” to it, the subtotal jumps to 64.2% (2/3 of the respondents!).
  5. “DLP deniers” – those who say that it just cannot work – measure at 16.4% of the total.

There you have it – have fun with it! More one-question polls coming soon.


  • Those respondents in categories 3 & 4 (and previously #5) are/were probably yoked to very complex DLP solutions that require too much emphasis on data classification, tagging, or content definitions ahead of deployment to allow them to work effectively. Or, most of the analyst’s darling DLP systems are too heavy on architecture (servers/DBs), vendor services, or involve a network choke point gateway or appliance that really only handles network traffic while basically ignoring endpoint leak channels (or paying them lip-service while overstating their effectiveness). Perhaps a simple Windows installation that provides MMC-snap-in consoles to the MS GPMC that allow for GPO-based configuration and policy maintenance over light endpoint agents by current Windows Admin staff would be adopted and implemented at a much higher rate if given a chance… An agent that is in the kernel, IP stack, print spooler, etc at the appropriate layers to inspect data movements on-the-fly for violating content or contextual security scenarios before it leaves the endpoint to any media, network port, printer, the clipboard, a VM session, or key logger. A DLP solution that is set up in a few hours and deployed in days by current staff is actually a reality…a DLP system that is granular and flexible enough with just a little orientation such that compound rules using simple Booleans and thresholds can prevent the dreaded false positives with ease. That solution is DeviceLock DLP for data-in-motion, data-in-use, and data-at-rest. A solution that has been around for 20 years now with contextual DLP origins and went full content-aware 5 years ago. Give the free 30-day trial a chance, and see what all the household DLP names are missing. Regards – David Matthiesen

  • Dori Fisher says:

    As with other solutions, I think DLP usually does not have enough context to reach a good decision regarding data in motion.
    I used to deploy Verdasys and my context pitch was:
    “If a guy with a bag is getting out of your window at 2am – does it really matter what’s in the bag?”
    That’s true for some cases but in many instances, is less relevant in Cyberspace.
    IMHO, any DLP solution deployed in an enterprise environment, should be integrated with a SIEM “well thought of use cases” to be of real value, as in most cases I’ve seen, the gap between business and infosec, renders many alerts unclear or irrelevant.