DLP Wave Getting Started: How You Can Help

Andrew Jaquith

Hi everybody! Long time, no post.

It’s an exciting time here at Forrester. I’m pleased to say that we are getting ready to kick off the next Forrester Wave on Data Leak Prevention. We won’t be kicking it off formally for another few weeks, but because the lead times on these publications are extremely long, it makes sense to start firing up the jets now.

One thing we will be doing this year is getting Forrester clients, members of the security community, and readers of this blog involved in the process. We want you to help us shape our evaluation criteria! We’re looking for some good ideas that will make our DLP Wave more transparent, better suited to real-world scenarios, and more relevant to enterprise planners who need to select a DLP product.


But first, let’s define what we mean when we say “DLP.” Data leak prevention products detect and optionally prevent violations to corporate polices regarding the use, storage, and transmission of sensitive information, which includes:
  • Financial information, such as cardholder data or bank details 
  • Non-public personal information, such as government identifiers 
  • Personal health information (PHI) 
  • “Intellectual property,” such as earnings forecasts, product plans, legal documents, or confidential data
Protected channels include e-mail, HTTP, FTP, file shares, copy and print, USB/portable media, databases, and IM. Unlike access control technologies, DLP is content-aware. Forrester regards endpoint device control technologies as complementary to, but distinct from, data leak prevention. (But this may change.)

Evaluation criteria

In last year’s DLP Wave, we evaluated products using the following top-level criteria:
  • Current offering (Y-axis): Solution breadth and technology; data-in-motion features (network); data-at-rest features (discovery); data-in-use features (desktop or host); unified management; policy management; administration; forensics; integration; customer references 
  • Strategy (X-axis): Company vision and product strategy; go-to-market; pricing and cost
  • Market presence (size of bubble): installed base; revenues  

Each of these individual criteria, in turn, contained additional criteria — 56 in total.
This year, we are considering making some major changes to the current offering (Y-axis) criteria in particular. Here are possible changes we are considering:
  • Default weights that reflect the features customers are actually using. Practically speaking, this will probably cause us to underweight desktop DLP features, because these have not been rolled out as widely as network features. (As with all Waves, of course, clients are free to adjust weightings for each criterion as they see fit.)
  • Scenario-based criteria instead of “feature-based.” Buckets like DIU, DIM, DAR are a bit broad, and architectural “checkbox” features (“do you have a network appliance?”) are not helpful. Criteria that reflects a specific business problem (“how well do you address the problem where someone e-mails a spreadsheet with bulk PII in it?”) are better.
  • Stronger emphasis on understanding success in the field. Customer success (or lack thereof) should be given much more weight by default. We will want to know about time-to-value, scalability, and operational/staff workloads. 
  • Strong emphasis on criteria for using DLP outside the IT Security group. If you’ve read my report Data-Centric Security Requires Devolution, Not a Revolution, you know that my basic premise for success is that business units need to own the security of their data. That’s true with DLP, too. As such, we will likely include new criteria that places a premium on delegated policy management and operations. If DLP is just a “security group thing,” it will fail.

Who we will invite

In general, the number of vendors we can cover in a Forrester Wave is governed by two factors: the number of important market participants, and amount of capacity we have to analyze those participants. Frankly, Waves are very laborious, and the more vendors we have, the longer it takes. 
This year, we will be stingy about the number of vendors we invite. The magic number I have in my head, at the moment, is 8 vendors. That’s not many, but then again, one theme we hear consistently from our clients is that when they want a “short list,” they want a short list. Moreover, in recessionary economic climates most customers retreat to quality vendors with established track records, rather than little vendors nobody’s heard of.
Thus, we will likely invite mostly household names to the Wave. Symantec, for example, is far and away the market leader by revenue in DLP, and at the top of the list in terms of volume inquiries we get on DLP vendor selection. So we will invite them. But I’d love to hear about other DLP vendors you’d like to see us invite. But to be candid: the small upstart vendor from Lower Slobovia who’s got a flashy feature “that nobody else has” is unlikely to make the cut unless we can verify that their revenues are significant. Last year, by the way, we evaluated 11 vendors: Code Green Networks, InfoWatch, McAfee, Orchestria, Reconnex, RSA Security, Trend Micro, Verdasys, Vericept, Websense, and Workshare. The landscape has changed considerably since then.


We’re looking to send out preliminary invitations to participate to a dozen or so vendors next week. We will spend a month drafting (and re-drafting, and eventually finalizing) evaluation criteria in the month of May. Formal kickoff will begin in June, with strategy briefings, demos, desk research, and the like going throughout the summer. If all goes well, we’ll then do fact-checking and get the Wave finalized in the third quarter. That’s if everything goes well. 
For people reading this post, the most important part of the timeline is now: your active participation will be most valued from today through the end of May.

How you can help

I'd love to hear the ideas you have to make our DLP Wave the best one we’ve ever done. For your consideration, here are some questions to spark discussion:
  • What are the most important criteria for you, when selecting a DLP product? 
  • What business problems are the most important ones for you? What scenarios must we address in our criteria?
  • Which vendors would you like to see us evaluate?
  • If you’ve already selected or deployed a DLP product, what did you wish you’d known before buying — and how can we help uncover those qualities in our evaluation? 

Please post replies to this blog — I’d like to keep the dialog transparent and free-flowing.

Thanks for reading! I look forward to seeing your comments and ideas. I'll post updates as we go.
— Andrew


re: DLP Wave Getting Started: How You Can Help

Good questions. Here are a few thoughts to keep in mind:The ability to handle IP that is fairly unstructured is important. I’ve grown tired of seeing the example where the tool blocks a SSN in an email message. I prefer to look at use cases.1) How about a CAD schematic diagram being printed to a non-corporate asset2) A piece of source code (binary and text) being uploaded to a web site3) Financial numbers in an email message before being released4) Copying the HR ranking list from the backup database5) Preliminary contracts about an acquisition being left on an open file shareMuch of our IP is stored on large network attached file servers and manipulated via tools that run on Unix and Linux platforms. A Windows only solution is an incomplete solution.I’m interested in seeing Symantec, McAfee and Verdasys but I’m also curious to see what other players exist. My only concern is that the vendor must be a long term viable solution for a large, global company. A 60 person start-up with most of the employees in California may not make the cut.It would be nice to see examples or recommendations on business and operational flows for the daily usage of the tool. Which groups are responsible for supporting it, who creates the policies, and who monitors the alerts? I also want realistic numbers regarding FTE’s required to use it effectively.I would like to know how many of the existing customers are non-financial institutions and give me some indication of the breadth of the installation inside the companies.If I think of anything else I will let you know. Thanks for asking.

re: DLP Wave Getting Started: How You Can Help

Ha! Invariably, a short list omits solutions that may be cost-effective and less complex because they don't meet each one of your DLP group criteria. DLP is a process and cannot be managed or solved by technology products alone. But, then again, the Wave isn't meant to be all things to all people. It's simply a product one hopes to sell to lots of people and make a nice return.

re: DLP Wave Getting Started: How You Can Help

@Brian: Thanks for your comments. I appreciate, in particular, that it sounds like what your firm is trying to do involves more than just the usual "toxic data" detection. The kinds of use cases you cite are exactly the sorts of things we want to create criteria for measuring. (Although to be frank: we will still spend plenty of time looking at the credit card/PII scenarios too, because it's what the majority of the inquiries we get are about.) As for your usage and operational questions: these are good things to ask about. Those things we can evaluate objectively, we will try to include.@Schratboy: You are right to point out that Waves aren't all things to all people. They are definitely not about process evaluation. Waves are about products. I agree that DLP is a process; I make this point much more forcefully in some of my non-Wave reports. See, for example, my report "Data-Centric Security Requires Devolution, Not a Revolution" (http://www.forrester.com/Research/Document/Excerpt/0,7211,47649,00.html)