"The whole configuration aspect has been the hindrance for the adoption of DLP in most organizations," Gold said. "At companies like ING that have been built through mergers and acquisitions, we have data in a variety of different systems. It makes no sense going back and mining all that to create maps by hand. It's too hard, and [moving into the enforcement phase] simply won't happen."
And the process of creating data-handling and enforcement policies that can work feasibly won't get any easier, Gold said, since ING intends to continue to grow via mergers and acquisitions.
Users such as Venner and Gold are not unusual, no matter whose product they use, said Faizel Lakhani, vice president of products and marketing at DLP provider Reconnex. Many potential customers are deciding not to get into broad DLP projects because of how daunting the data analysis work is to make the security tools work effectively, he noted.
"Customers were telling us that they're not ready for DLP because they don't know the data context and they can't create rules if they don't understand where they are in this process," Lakhani said. "DLP vendors don't want to talk about this problem because it is a major impediment to the market in general, but this is the biggest challenge around this technology," he added.
"The technology works fine if you can establish the right policies to filter and identify potential problem areas, but that's a very hard thing to do," said Larry Ponemon, chairman of the Ponemon Institute, a security research firm. "The hope of DLP has always been prevention, and that smart companies would be able to use these tools to quarantine data before leaks, but the reality is that if you ratchet up the prevention too high, it creates a burden for organizations in trying to carry out normal transactions." So he expects most DLP-using companies to have low — or no — thresholds for what is blocked.
Where DLP can help today
Despite their criticisms of how difficult it is to understand the real-world flow of data and to use DLP tools to create enforcement policies that would work in a typical business environment, both ING's Gold and Broadcom's Venner do see a use for DLP technology today: as an analytics aid.
"Right now we'd rather use the system to know someone did something after the fact, versus trying to block. It's amazing how different the real world is compared to what you believe it to be," Venner said.
So today, Broadcom is working to apply the DLP platform's business intelligence and data analytics tools to better understand where it can create and enforce controls, and what levels of data risk various business units are willing to stomach.
As it determines areas where it can enforce policies more aggressively without creating business issues, Venner said the company will turn on more enforcement capabilities. He advises companies new to DLP to spend as much time as possible doing the upfront data analysis needed to understand how it should balance policy enforcement with issues of business process and overall risk.
Similarly, ING's Gold uses DLP for analytics, just as he did at Continental. "Information leakage is something we really want to have a finger on the pulse of [as we grow]," he said. "There are way too many scenarios where M&A [merger and acquisition] information is leaked and then causes the acquisition to fall through" as the target company's stock prices rise with the news leak.
Neither Venner nor Gold can walk away from DLP, even if they can't really take advantage of its core promise yet.