"Customers were telling us that they're not ready for DLP because they don't know the data context and they can't create rules if they don't understand where they are in this process," Lakhani said. "DLP vendors don't want to talk about this problem because it is a major impediment to the market in general, but this is the biggest challenge around this technology," he added.

"The technology works fine if you can establish the right policies to filter and identify potential problem areas, but that's a very hard thing to do," said Larry Ponemon, chairman of the Ponemon Institute, a security research firm. "The hope of DLP has always been prevention, and that smart companies would be able to use these tools to quarantine data before leaks, but the reality is that if you ratchet up the prevention too high, it creates a burden for organizations in trying to carry out normal transactions." So he expects most DLP-using companies to have low — or no — thresholds for what is blocked.

Where DLP can help today
Despite their criticisms of how difficult it is to understand the real-world flow of data and to use DLP tools to create enforcement policies that would work in a typical business environment, both ING's Gold and Broadcom's Venner do see a use for DLP technology today: as an analytics aid.

"Right now we'd rather use the system to know someone did something after the fact, versus trying to block. It's amazing how different the real world is compared to what you believe it to be," Venner said.

So today, Broadcom is working to apply the DLP platform's business intelligence and data analytics tools to better understand where it can create and enforce controls, and what levels of data risk various business units are willing to stomach.

As it determines areas where it can enforce policies more aggressively without creating business issues, Venner said the company will turn on more enforcement capabilities. He advises companies new to DLP to spend as much time as possible doing the upfront data analysis needed to understand how it should balance policy enforcement with issues of business process and overall risk.

Similarly, ING's Gold uses DLP for analytics, just as he did at Continental. "Information leakage is something we really want to have a finger on the pulse of [as we grow]," he said. "There are way too many scenarios where M&A [merger and acquisition] information is leaked and then causes the acquisition to fall through" as the target company's stock prices rise with the news leak.

Neither Venner nor Gold can walk away from DLP, even if they can't really take advantage of its core promise yet.

Researcher Ponemon said that this dilemma explains why many companies are still likely to buy into DLP, despite its difficulty. But they'll use it largely for after-the-fact forensics, not to block data, he said.

What DLP vendors are doing
Some DLP vendors recognize that the DLP task is very difficult and is keeping customers away or limited in how they use the tools. Researcher Ponemon noted that some major DLP vendors — CodeGreen, Reconnex, Verdasys, Vericept, and most notably Vontu, which Symantec bought in late 2007 — have made progress in creating policy-authoring tools that can work. But they all still have a lot of additional work to do to get broad adoption, he added.

Reconnex is also tackling the issue in a second way: It's selling an appliance designed to classify data to help determine where the risks may be. The hope is that such a device, which costs perhaps one-tenth of a full-fledged DLP system, will get companies onto the DLP road more quickly by promising to do less while also being much simpler, said Reconnex's Lakhani.