Data Toxicology

As most Forrester customers know, data security has rocketed to the top of the list of CISO priorities for 2009, even considering the down economy. Our Business Data Services group has published some excellent quantitative research on this subject, which we've summarized in report form for Forrester customers. I refer you to Jonathan Penn's excellent The State of Enterprise Security 2008 to 2009 for more details. But for those of you who want the sound bite, 90% of CISOs said that data security was either "important" or "very important" on their priority lists for this year. That trumped disaster recovery, identity and access management and regulatory compliance.

The elevation in importance of data security has, in turn, spurred interest in several security product categories, notably data leak prevention (DLP). According to the survey data I just cited, about 38% of enterprise customers have DLP implemented already. Another 21% are planning to implement it this year. That's an amazing expected uptick in adoption considering the overall state of the security market (flat or slightly up). And of course, if you are a DLP vendor, this is very good news indeed.

Digging deeper, though, what's been most interesting in the dozens of customer calls I've had since January 1 has been the amazing consistency of much of the interest. We are clearly getting past the Early Adopter stage of adoption, and are now well into Early Majority. I'd say about 2/3 of the enterprise customer inquiries I've fielded have been around product selection: Who are the leading vendors? Is the incumbent vendor who provides my anti-virus software a good choice for DLP also? What are the most important qualities in selecting a DLP product?

As an analyst, these are the kinds of questions I expect to hear at this stage of adoption. But what's most striking are the questions I have not heard. Here's what nobody seems to be asking about:
  • What can I do to persuade my boss?
  • How do I justify the investment?
You might be asking yourself, why is this? How come the usual justification questions aren't coming up for this particular purchase decision? Based on my conversations with clients, the answer to this is clear: many enterprises are living in mortal fear of suffering from a toxic data spill. Put simply, certain types of customer information have become highly toxic. The most commonly cited toxic data are:
  • Customer names and addresses, when combined with one or more of the following:
      • Government identifiers (taxpayer ID, SSN)
      • Health care identifiers
      • Bank account details
      • Cardholder data (number, expiration date)
Just like asbestos, these data types have become toxic when airborne. Why? Because they have monetary value. Robust black markets have arisen to acquire, buy, sell and barter customer information at "market prices," particularly credit cards. We don't track this kind of thing, but I'd refer you to some of the research done by Symantec and others if you want to know what "street prices" these data types are fetching.
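To make the "combination" point concrete, here is an added illustration (not Forrester research and not any vendor's DLP engine) of a content-classification rule that flags a record as toxic only when a name and address travel together with one of the identifiers above, and uses a Luhn check to keep random digit runs from triggering the card rule. The field names, patterns and sample records are constructed assumptions.

```python
import re

# Field names, patterns and sample records below are constructed for
# illustration; they are not a vendor's rule set or real customer data.
NAME_ADDR_RE = re.compile(r"\bname=([^;]+);\s*address=([^;]+)", re.I)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                 # US taxpayer ID
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")             # 13-16 digit runs
ACCOUNT_RE = re.compile(r"\b(?:iban|acct)[=:]\s*[A-Z0-9]{8,34}\b", re.I)

def luhn_ok(digits):
    """Luhn checksum: separates plausible card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_identifiers(text):
    """Return the set of identifier types present in one record."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.add("card")
    if ACCOUNT_RE.search(text):
        found.add("account")
    return found

def classify(record):
    """toxic: name/address plus an identifier; review: identifier alone; clean: neither."""
    ids = find_identifiers(record)
    has_name_addr = NAME_ADDR_RE.search(record) is not None
    if has_name_addr and ids:
        return "toxic"
    return "review" if ids else "clean"

SAMPLE_RECORDS = [  # constructed examples
    "name=Jane Doe; address=1 Main St; card=4111 1111 1111 1111",
    "name=Ann Poe; address=3 Elm Rd; card=4111 1111 1111 1112",   # fails Luhn
    "ssn=123-45-6789 exported without any name attached",
    "name=John Roe; address=2 Oak Ave; order total=42.00",
]
```

Running classify() over SAMPLE_RECORDS yields toxic, clean, review, clean: the second record is spared because its digit run fails the Luhn check, and the third is routed to review because the SSN appears without a name attached.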

Of course, if the toxic data problem related solely to black-market selling, that alone would not explain the interest in DLP. And here's where the second driver kicks in: the mushrooming number of state and federal statutes and regulations around data breach disclosure. PCI is a key driver too: although it isn't a statute per se, it is a contractual agreement that many enterprises are subject to.

These two issues -- increased toxicity of customer data, and mandates designed to protect that toxic data -- are the primary reason DLP is taking off. About 80% of the time, enterprises evaluating DLP are doing it because of the toxic data problem. They are not doing it primarily because of the fear of leaking more ethereal forms of intellectual property, like product plans or sales forecasts. Yes, we do hear that IP protection is driving some interest. It's just not the primary driver -- at least not amongst the mainstream adopters who are now kicking the tires and exploring their options.

In future posts and in my written research, I'll examine the follow-on phases of DLP adoption: that is, what do you do once you have it? How do you use DLP successfully within organizations? Based on the conversations I've been having with customers, we are already seeing some very sharp and distinct trends with successful adopters. Stay tuned!