Andrew Jaquith

Hi everybody! Long time, no post.

It’s an exciting time here at Forrester. I’m pleased to say that we are getting ready to kick off the next Forrester Wave on Data Leak Prevention. We won’t be kicking it off formally for another few weeks, but because the lead times on these publications are extremely long, it makes sense to start firing up the jets now.

One thing we will be doing this year is getting Forrester clients, members of the security community, and readers of this blog involved in the process. We want you to help us shape our evaluation criteria! We’re looking for some good ideas that will make our DLP Wave more transparent, better suited to real-world scenarios, and more relevant to enterprise planners who need to select a DLP product.

Definitions

But first, let’s define what we mean when we say “DLP.” Data leak prevention products detect and optionally prevent violations of corporate policies regarding the use, storage, and transmission of sensitive information, which includes:
  • Financial information, such as cardholder data or bank details 
  • Non-public personal information, such as government identifiers 
  • Personal health information (PHI) 
  • “Intellectual property,” such as earnings forecasts, product plans, legal documents, or confidential data
Protected channels include e-mail, HTTP, FTP, file shares, copy and print, USB/portable media, databases, and IM. Unlike access control technologies, DLP is content-aware. Forrester regards endpoint device control technologies as complementary to, but distinct from, data leak prevention. (But this may change.)

Evaluation criteria

In last year’s DLP Wave, we evaluated products using the following top-level criteria:
  • Current offering (Y-axis): Solution breadth and technology; data-in-motion features (network); data-at-rest features (discovery); data-in-use features (desktop or host); unified management; policy management; administration; forensics; integration; customer references 
  • Strategy (X-axis): Company vision and product strategy; go-to-market; pricing and cost
  • Market presence (size of bubble): installed base; revenues  

Each of these individual criteria, in turn, contained additional criteria — 56 in total.
This year, we are considering making some major changes to the current offering (Y-axis) criteria in particular. Here are possible changes we are considering:
  • Default weights that reflect the features customers are actually using. Practically speaking, this will probably cause us to underweight desktop DLP features, because these have not been rolled out as widely as network features. (As with all Waves, of course, clients are free to adjust weightings for each criterion as they see fit.)
  • Scenario-based criteria instead of “feature-based.” Buckets like DIU, DIM, DAR are a bit broad, and architectural “checkbox” features (“do you have a network appliance?”) are not helpful. Criteria that reflect a specific business problem (“how well do you address the problem where someone e-mails a spreadsheet with bulk PII in it?”) are better.
  • Stronger emphasis on understanding success in the field. Customer success (or lack thereof) should be given much more weight by default. We will want to know about time-to-value, scalability, and operational/staff workloads. 
  • Strong emphasis on criteria for using DLP outside the IT Security group. If you’ve read my report Data-Centric Security Requires Devolution, Not a Revolution, you know that my basic premise for success is that business units need to own the security of their data. That’s true with DLP, too. As such, we will likely include new criteria that place a premium on delegated policy management and operations. If DLP is just a “security group thing,” it will fail.
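To make the “bulk PII in an e-mailed spreadsheet” scenario concrete, and to show what “content-aware” (as opposed to access control) means in the Definitions section, here is a small Python policy check. It is an added illustration written for this post, not Forrester’s evaluation tooling or any vendor’s engine. Everything in it is assumed or constructed: the message and policy structures, the alert/block thresholds, the channel names, and the synthetic customer CSV. Real products match on fingerprints, exact data, and classifiers rather than a regex plus a Luhn check, but the shape of the decision is the same: the verdict depends on what the message carries, not on who sent it.

```python
"""Toy content-aware DLP check (constructed example, not a product's code).
Flags outbound messages carrying cardholder data and escalates from "alert"
to "block" when the volume looks like a bulk export, e.g. a customer list
attached to an e-mail going outside the company."""
import re
from dataclasses import dataclass, field

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (which would be some other identifier).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod-10) check; drops most digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> set[str]:
    """Return the distinct Luhn-valid card numbers found in free text."""
    found = set()
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.add(digits)
    return found


@dataclass
class OutboundMessage:                      # hypothetical structure for the example
    channel: str                            # "email", "http", "ftp", "usb", ...
    sender: str
    body: str
    attachments: dict[str, str] = field(default_factory=dict)  # name -> extracted text


@dataclass
class Policy:                               # hypothetical; thresholds are assumptions
    name: str
    channels: frozenset[str]
    alert_at: int = 1                       # any cardholder data at all -> alert
    block_at: int = 10                      # this many distinct PANs -> treat as bulk export


@dataclass
class Verdict:
    action: str                             # "allow", "alert" or "block"
    pan_count: int
    hits: dict[str, int]                    # where PANs were found: "body" or attachment name


def evaluate(msg: OutboundMessage, policy: Policy) -> Verdict:
    """Decide on content alone: the same sender passes or is blocked by what the message carries."""
    if msg.channel not in policy.channels:
        return Verdict("allow", 0, {})
    hits, seen = {}, set()
    parts = {"body": msg.body, **msg.attachments}
    for location, text in parts.items():
        pans = find_pans(text)
        if pans:
            hits[location] = len(pans)
            seen |= pans
    n = len(seen)
    if n >= policy.block_at:
        return Verdict("block", n, hits)
    if n >= policy.alert_at:
        return Verdict("alert", n, hits)
    return Verdict("allow", n, hits)


def with_check_digit(partial: str) -> str:
    """Append the Luhn check digit; used only to build the constructed sample data."""
    return next(partial + d for d in "0123456789" if luhn_valid(partial + d))


def synthetic_pan(i: int) -> str:
    """Constructed, Luhn-valid 16-digit number in the 4111... test range (not a real card)."""
    return with_check_digit("411111111111" + f"{i:03d}")


# Constructed sample: an exported customer list with 12 synthetic card numbers.
BULK_CSV = "customer_id,name,card_number\n" + "\n".join(
    f"{1000 + i},Customer {i},{synthetic_pan(i)}" for i in range(12)
)

POLICY = Policy("cardholder-data-outbound", frozenset({"email", "http", "ftp"}))


if __name__ == "__main__":
    spreadsheet = OutboundMessage("email", "alice@example.com", "FYI", {"customers.csv": BULK_CSV})
    one_card = OutboundMessage("email", "alice@example.com", "card ending 4111 1111 1111 1111 was declined")
    lookalike = OutboundMessage("email", "alice@example.com", "ticket 1234567890123456 is open")
    for m in (spreadsheet, one_card, lookalike):
        print(m.channel, m.sender, evaluate(m, POLICY))
```

Running the block prints one verdict per message: the attached customer list is blocked with 12 distinct PANs found in `customers.csv`, the single card number in a body generates an alert, and the 16-digit ticket number fails the Luhn check and is allowed. Note that the sender is identical in all three cases; that is the content-aware distinction the Definitions section draws.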

Who we will invite

In general, the number of vendors we can cover in a Forrester Wave is governed by two factors: the number of important market participants, and the amount of capacity we have to analyze those participants. Frankly, Waves are very laborious, and the more vendors we have, the longer it takes.
This year, we will be stingy about the number of vendors we invite. The magic number I have in my head, at the moment, is 8 vendors. That’s not many, but then again, one theme we hear consistently from our clients is that when they want a “short list,” they want a short list. Moreover, in recessionary economic climates most customers retreat to quality vendors with established track records, rather than little vendors nobody’s heard of.
Thus, we will likely invite mostly household names to the Wave. Symantec, for example, is far and away the market leader by revenue in DLP, and at the top of the list in terms of the volume of inquiries we get on DLP vendor selection. So we will invite them. But I’d love to hear about other DLP vendors you’d like to see us invite. To be candid, though: the small upstart vendor from Lower Slobovia who’s got a flashy feature “that nobody else has” is unlikely to make the cut unless we can verify that their revenues are significant. Last year, by the way, we evaluated 11 vendors: Code Green Networks, InfoWatch, McAfee, Orchestria, Reconnex, RSA Security, Trend Micro, Verdasys, Vericept, Websense, and Workshare. The landscape has changed considerably since then.

Timeline

We’re looking to send out preliminary invitations to participate to a dozen or so vendors next week. We will spend the month of May drafting (and re-drafting, and eventually finalizing) the evaluation criteria. Formal kickoff will begin in June, with strategy briefings, demos, desk research, and the like going throughout the summer. If all goes well, we’ll then do fact-checking and get the Wave finalized in the third quarter. That’s if everything goes well.
For people reading this post, the most important part of the timeline is now: your active participation will be most valued from today through the end of May.

How you can help

I'd love to hear the ideas you have to make our DLP Wave the best one we’ve ever done. For your consideration, here are some questions to spark discussion:
  • What are the most important criteria for you, when selecting a DLP product? 
  • What business problems are the most important ones for you? What scenarios must we address in our criteria?
  • Which vendors would you like to see us evaluate?
  • If you’ve already selected or deployed a DLP product, what did you wish you’d known before buying — and how can we help uncover those qualities in our evaluation? 

Please post replies to this blog — I’d like to keep the dialog transparent and free-flowing.

Thanks for reading! I look forward to seeing your comments and ideas. I'll post updates as we go.
— Andrew