Posted by Andrew Jaquith on May 1, 2009
Hi everybody! Long time, no post.
- Financial information, such as cardholder data or bank details
- Non-public personal information, such as government identifiers
- Personal health information (PHI)
- “Intellectual property,” such as earnings forecasts, product plans, legal documents, or confidential data
- Current offering (Y-axis): Solution breadth and technology; data-in-motion features (network); data-at-rest features (discovery); data-in-use features (desktop or host); unified management; policy management; administration; forensics; integration; customer references
- Strategy (X-axis): Company vision and product strategy; go-to-market; pricing and cost
- Market presence (size of bubble): installed base; revenues
- Default weights that reflect the features customers are actually using. Practically speaking, this will probably cause us to underweight desktop DLP features, because these have not been rolled out as widely as network features. (As with all Waves, of course, clients are free to adjust weightings for each criterion as they see fit.)
- Scenario-based criteria instead of “feature-based” ones. Buckets like data-in-use (DIU), data-in-motion (DIM), and data-at-rest (DAR) are a bit broad, and architectural “checkbox” features (“do you have a network appliance?”) are not helpful. Criteria that reflect a specific business problem (“how well do you address the case where someone e-mails a spreadsheet with bulk PII in it?”) are better.
- Stronger emphasis on understanding success in the field. Customer success (or lack thereof) should be given much more weight by default. We will want to know about time-to-value, scalability, and operational/staff workloads.
- Strong emphasis on criteria for using DLP outside the IT Security group. If you’ve read my report Data-Centric Security Requires Devolution, Not a Revolution, you know that my basic premise for success is that business units need to own the security of their data. That’s true with DLP, too. As such, we will likely include new criteria that place a premium on delegated policy management and operations. If DLP is just a “security group thing,” it will fail.
Who we will invite
How you can help
- What are the most important criteria for you, when selecting a DLP product?
- What business problems are the most important ones for you? What scenarios must we address in our criteria?
- Which vendors would you like to see us evaluate?
- If you’ve already selected or deployed a DLP product, what did you wish you’d known before buying — and how can we help uncover those qualities in our evaluation?
Please post replies to this blog — I’d like to keep the dialog transparent and free-flowing.