Posted by Andrew Jaquith on March 20, 2009
As most Forrester customers know, data security has rocketed to the top of the list of CISO priorities for 2009, even considering the down economy. Our Business Data Services group has published some excellent quantitative research on this subject, which we've summarized in report form for Forrester customers. I refer you to Jonathan Penn's excellent The State of Enterprise Security 2008 to 2009 for more details. But for those of you who want the sound bite, 90% of CISOs said that data security was either "important" or "very important" on their priority lists for this year. That trumped disaster recovery, identity and access management, and regulatory compliance.
Digging deeper, though, what's been most interesting in the dozens of customer calls I've had since January 1 has been the amazing consistency of the interest. We are clearly past the Early Adopter stage and well into the Early Majority. I'd say about 2/3 of the enterprise customer inquiries I've fielded have been about product selection: Who are the leading vendors? Is the incumbent vendor that provides my anti-virus software a good choice for DLP as well? What are the most important qualities to look for in a DLP product?
As an analyst, these are the kinds of questions I expect to hear at this stage of adoption. But what's most striking are the questions I have not heard. Here's what nobody seems to be asking about:
- What can I do to persuade my boss?
- How do I justify the investment?
- Customer names and addresses, when combined with one or more of the following:
  - Government identifiers (taxpayer ID, SSN)
  - Health care identifiers
  - Bank account details
  - Cardholder data (number, expiration date)
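The combination rule above (a name or address plus at least one identifier) is exactly what a DLP content policy has to encode: a card number in an order log is a finding, but it only becomes a "toxic" record when it sits next to something that names the customer. The following is an added example, not Forrester's research or any DLP vendor's code, of a toy classifier that applies that rule to rows of a database export. It assumes records arrive as field/value dictionaries, treats fields named like `name` or `address` as identity fields, validates card numbers with the Luhn check and US routing numbers with the ABA checksum so that random digit strings do not trigger it, and omits health care identifiers because they have no checkable structure here. The sample rows, the routing number 123456780 and the other values are constructed test data.

```python
"""Toy DLP classifier for the 'name + one or more identifiers' toxic-data rule.

Added example, not from the original post or any product. Assumptions:
records are dicts of field -> string; identity fields are recognised by
name; only SSN, card number and US routing number are detected.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fields that name the customer. Alone they are not toxic; combined with a
# validated identifier in the same record they make the record toxic.
IDENTITY_FIELDS = {"name", "first_name", "last_name", "address", "street", "city"}

# SSN: area not 000/666/9xx, group not 00, serial not 0000 (SSA rules).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")
# 13-19 digits with optional space/dash separators; must not end just before a
# dash so a card followed by an SSN is not merged into one run.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b(?!-)")
# US bank routing (ABA) number; used here as the proxy for bank account details.
ABA_RE = re.compile(r"\b\d{9}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def aba_ok(digits: str) -> bool:
    """ABA routing-number checksum: weights 3,7,1 repeated, sum mod 10 == 0."""
    weights = (3, 7, 1) * 3
    return sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0


@dataclass
class Finding:
    category: str   # "ssn", "card" or "bank"
    source: str     # field the identifier was found in
    masked: str     # last four digits only, safe to put in an alert


def find_identifiers(source: str, value: str) -> list[Finding]:
    """Return validated identifiers found in one field value."""
    found: list[Finding] = []
    for m in SSN_RE.finditer(value):
        found.append(Finding("ssn", source, "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(value):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(Finding("card", source, "*" * (len(digits) - 4) + digits[-4:]))
    for m in ABA_RE.finditer(value):
        if aba_ok(m.group()):
            found.append(Finding("bank", source, "*****" + m.group()[-4:]))
    return found


def classify_record(record: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Apply the combination rule: toxic only if identity AND an identifier."""
    has_identity = any(k.lower() in IDENTITY_FIELDS and v.strip() for k, v in record.items())
    findings = [f for k, v in record.items() for f in find_identifiers(k, v)]
    return (has_identity and bool(findings)), findings


def scan(records: list[dict[str, str]]) -> list[tuple[int, bool, list[str]]]:
    """Classify every row; returns (row index, toxic?, categories found)."""
    out = []
    for i, rec in enumerate(records):
        toxic, findings = classify_record(rec)
        out.append((i, toxic, sorted({f.category for f in findings})))
    return out


# Constructed sample export rows (no real people, test card number, made-up
# routing number that passes the ABA checksum).
RECORDS: list[dict[str, str]] = [
    {"name": "Jane Example", "address": "1 Main St", "ssn": "123-45-6789"},
    {"name": "Jane Example", "card": "4111 1111 1111 1111", "exp": "12/11"},
    {"order_id": "A-77", "card": "4111 1111 1111 1111"},            # identifier, no identity
    {"name": "Jane Example", "notes": "called 4111 1111 1111 1112"},  # fails Luhn
    {"name": "Jane Example", "routing": "123456780", "account": "9988776655"},
]

if __name__ == "__main__":
    for idx, toxic, cats in scan(RECORDS):
        print(f"row {idx}: toxic={toxic} categories={cats}")
```

Row 2 is the point of the exercise: the same card number that makes row 1 toxic is only an identifier on its own, which is why a policy that fires on any card-looking string produces the alert floods that make DLP deployments fail. Row 3 shows why the Luhn check matters; without it, any 16-digit string in a free-text notes field would page someone.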
Of course, if the toxic data problem were solely a matter of black-market selling, that alone would not explain the interest in DLP. And here's where the second driver kicks in: the mushrooming number of state and federal statutes and regulations around data breach disclosure. PCI is a key driver too: although it isn't a statute per se, it is a contractual obligation that many enterprises take on through their merchant agreements.
These two issues -- the increased toxicity of customer data, and the mandates designed to protect that toxic data -- are the primary reason DLP is taking off. About 80% of the time, enterprises evaluating DLP are doing it because of the toxic data problem. They are not doing it primarily because of the fear of leaking more ethereal forms of intellectual property, like product plans or sales forecasts. Yes, we do hear that IP protection is driving some interest. It's just not the primary driver -- at least not amongst the mainstream adopters who are now kicking the tires and exploring their options.
In future posts and in my written research, I'll examine the follow-on phases of DLP adoption: that is, what do you do once you have it? How do you use DLP successfully within organizations? Based on the conversations I've been having with customers, we are already seeing some very sharp and distinct trends with successful adopters. Stay tuned!