With rarely a day passing without the British media reporting a data leak at a prominent organisation or government department, it wouldn’t be unreasonable to expect sales of data loss prevention technology to have gone through the roof. Yet, as security resellers know, the issue has turned far more on preliminary discussions with clients than on concrete sales.
Data loss prevention has suffered many of the adoption problems of emerging technologies. Some businesses have decided security crises couldn’t happen to them. Others have been saying they’re not ready for full data protection because they don’t know how to start the complex process of identifying sensitive information and they can’t create protection rules without this knowledge. Resellers have faced difficulties acquiring the experience and knowledge to build business cases.
With margins for more established security products continually driven down through commoditisation and competition, higher margins from new technologies can provide welcome relief for resellers. Most resellers are still waiting to see these higher margins from data loss prevention.
Now for the good news. Anecdotal evidence suggests the end of the data loss prevention hype cycle is in sight and 2008 will see much higher conversion of discussions into real sales. This isn’t just a gut feeling. IDC recently predicted data loss prevention will emerge as a critical component in organisations’ information protection and control strategy this year. So what’s changed?
Companies are under pressure to protect data. The media continues to jump on data leak incidents. After two years of warnings and recommendations that organisations take steps to protect data, those that find themselves in the data leakage spotlight now have few excuses. There’s also recognition that, with data security breach notification legislation under discussion at both UK and European parliament level – and being pushed by the Information Commissioner’s Office – it is only a matter of time before the UK has more stringent laws and penalties.
Of 107 security professionals interviewed at this year’s e-Crime Congress, 95 per cent believed the board or CEO should be accountable for security breaches, up from 74 per cent in 2007. Data security has undoubtedly become a board-level issue.
Data loss prevention products have matured. Previously they were generally offered as a complete package of data discovery, monitoring and protection tools. Now companies have the option of discrete modules that provide a simpler and more cost-effective entry point. More organisations have the means of discovering and monitoring the flow of sensitive information, so they can quantify risk before deciding whether to engage the protection element of a data loss prevention package.
Of course, data loss prevention vendors and resellers would prefer to sell a full data loss prevention solution with the associated value-add services required to configure the rules-based protection engine. However, a company might not immediately move beyond initial data monitoring, choosing to react to breaches as they happen. Yet providing consultancy, technical expertise and training to the customer will enable the reseller to secure additional revenue from data loss prevention in the longer term.
Pat Dunne is senior director for the UK and Ireland at Websense.