What is interesting and generally overlooked is the cultural difference between the US and the rest of the world. The Europeans prefer a more nuanced approach stressing discipline and procedures, while the Americans are compliance driven and IT top-heavy; I imagine if you look at DLP sales, 98% are in the US, being (right or wrong) compliance driven.
Last September, Forrester did a seminar in Amsterdam on data security – only 10% of the CTOs/CIOs that attended the meeting had plans to implement DLP in 2010.
The Europeans have a point, but policies and procedures are only as good as the monitoring and enforcement behind them. This is where DLP comes into play, collecting data in several realms: data channels, content and organizational anomalies (downloads, uploads, etc.).
In addition, there is a strong and well-known link between the social health of employees in an organization and the company’s economic/business health. In a successful business unit people are happy, and happy people contribute to the success of the business. Unhappy people don’t identify with the organization, have trouble contributing, and leave or cross the line into malicious behavior.
For my money (and this is my experience in a dozen DLP deployments in EMEA), the key value-add of DLP technology is not the prevention part but the monitoring part and its role in a feedback / educational loop with the organization.
If you only do one thing this year, start measuring data security events and using those measurements to improve your policies, procedures and systems, and your user education.