"You'll always get feedback from users, but when you have senior executives including the CIO saying this work needs to get done, you're not going to get a lot of kickback," he said. "I'd say the two most important pieces of doing this right are aligning the right team to drive it from the top down and making sure that everyone reads that letter and understands the role they play in helping us protect the data."

DLP's cooperation requirement in the real world
Since getting its system up and running and ensuring that employees knew what was happening more than one year ago, the company has experienced only a dozen or so incidents that forced it to warn individual users or send reports to those workers' department heads, the IT leader said.

Even vendor representatives, such as Palisade chief executive Kurt Shedenhelm, concede that the challenging politics of a DLP project often outweigh the technical issues that come into play when working out all the complex data-handling rules that his company's systems are employed to enforce.

Some companies struggle to achieve the right level of executive buy-in to force business unit leaders to play ball, while others don't go to great enough lengths to ensure that workers have been sufficiently retrained to understand new policies, he said. "This issue of internal politics, of who is responsible for protecting the data, who is responsible for educating the end-user, and who is ultimately responsible for enforcement, that's actually the hard part," Shedenhelm said. "In a lot of companies, I think you might find that it's hard to get the business units, HR, and IT people that need to be involved on the same page, but you can't really do DLP without that."

In some companies, especially large enterprises, multiple DLP projects may only be put under the domain of IT security and compliance teams, making it harder for those groups to keep their efforts in step without overwhelming end-users.

From the issues relating to which business units ultimately maintain responsibility for specific sets of data and who is tasked with enforcing policies, things can get too complex very quickly, he said. "In larger enterprises, where you often have multiple projects looking at DLP from perspectives of intellectual property, compliance, and customer data and information spanning multiple business units, that's where you run into problems," said Shedenhelm. "One of the biggest issues we see is with trouble discerning who is ultimately responsible for handling violations; sadly, in some cases, people clearly don't want to know if violations are occurring on the business side because then they will be forced to respond."

Other experts agreed that the size of an organization often plays directly into its ability to make DLP work with issues of enforcement standing as central disputes.

A tug-of-war can break out between security teams tasked with enforcing DLP and the business units that want unfettered access to data to help do their jobs, according to some industry players. "That's one of the big problems with DLP in general -- organizations are often quite hesitant in enforcing policies, especially when it comes to any notion of blocking secure content and getting in the way of the business," said Uzi Yair, CEO of DLP vendor GTB Technologies. "Businesses want people to be able do their work and don't want interference, but on the other hand, they know they need to weigh that against any loss, which could cost an organization a lot of money these days," he said. "I think it's always going to be about this trade-off, enforcement versus the fear of slowing down business opportunities, but people need to understand that they all play a certain role."