The struggle with data loss prevention
Insider Threat
By Ratinder Paul Singh Ahuja, Network World, 09/24/2007
Being in the data loss prevention (DLP) market while it has evolved has let me watch as requirements have changed over time.
Initial DLP products were aimed at solving the problem of acceptable use and specifically looked at what employees were sending
out of the organization's network. A couple of years ago, DLP solutions started monitoring channels of communications to detect
loss of private data such as Social Security and credit card numbers and identifying how the loss occurred. Data privacy quickly
became the predominant reason for deploying DLP, since it became possible to quantify the major effect of data loss: namely,
the company becomes headline news, such as the recent breach at the Pentagon.
However, the promise of DLP must be greater than this simplistic goal. The goal of data loss prevention is not only to protect
private information that should never be disclosed but also to protect other types of information such as trade secrets and
intellectual property (IP) that could have an impact on the business if they were to get into the wrong hands. As vendors
and organizations seek to extend the benefits of DLP to detect information with a high business value and prevent it from
leaving the network, a number of challenges arise. We can categorize these as follows:
1. The inability of business stakeholders to quantify the impact of information loss. The negative impact of the leakage of
private data is easy to understand, and security professionals know what steps to take to prevent such loss. But if other
confidential company data were lost, what impact would that have on the company?
2. The inability of information security to define effective DLP policies as they relate to information with a high business
impact. Information security, though responsible for safeguarding company secrets, typically has no idea what those secrets
are. Nor does information security know who it is protecting secrets from or, conversely, who should have access to these
secrets.
These two issues are tightly woven together. The first issue is a dollars-and-cents issue. Enterprises invest money in order
to make money or save money. How many organizations have been put out of business as a result of losing IP? Cisco was a notable
example; its source code was stolen, but did that really affect its bottom line? In fact, the counterargument to investing
in information security typically sounds like this: "I'd love to protect my company's important business information, but
the cost of determining what information is important and who should get access to it is so prohibitively high that the economics
are not viable."