[I know, this part 2 is coming after so much delay. Even I have forgotten what I really wanted to put here!]
After that encounter with the customer, DLP went off my radar for some time. It was while working in a start up, that I kind of rediscovered it while thinking about ideas for a new line of security services. This time around, I had some expert help at hand. Lengthy discussions and brainstorming was done, as I was asked to sell it as a service internally first. Putting a service twist on what apparently looks like a product was a challenge.
But some research actually made it clear. It IS a service, and not a out of the box product, as most people believed.
It’s been a few years since then, but sadly that’s the the perception is still largely. Though there is a shift, yet a lot more needs to happen. I have spent countless hours educating customers on DLP, and have made some headway. But like I said in the beginning, the term DLP itself is extremely misleading.
It does not magically stops/prevent data from leaking from your organization. If configured and implemented correctly, what it is really good at is preventing accidental leaks (like sending an internal price list to a customer by mistake).
A person who is motivated enough will find a way around the DLP. That’s where you need more controls and practices in place on top of the DLP to ensure the overall security of the organizations’ assets.
DLP + other logical/physcial/administrative controls = reasonable assurance against leakage.
Keep in mind. A DLP product isn’t the silver bullet.
