Data Loss Prevention needs a new name--and acronym
Data Loss Prevention, or DLP, was appropriate circa 2005, but not in 2008. So if DLP doesn't fit anymore, what does?
We are an industry of Three Letter Acronyms (TLAs). Everyone tries to categorize what they do with them.
Some like ERP stick around for years, while others like Enterprise Optical Networking (EON) come and go without much fanfare. On occasion, however, the industry creates a TLA to define an industry trend, but as the market and technology develop the TLA no longer fits.
This explanation aptly describes the situation with Data Loss Prevention (DLP). A few years ago, DLP vendors like Vericept and Vontu made hay by providing a network-based gateway appliance that would scan IP packets looking for confidential data "leakage." When evil Joe in accounting tried to send a spreadsheet of customer credit card numbers to his Hotmail account, DLP boxes could detect and prevent this type of malicious behavior.
Given this heritage, the DLP acronym was appropriate circa 2005, but not in 2008. Why? Gateway DLP packet filtering devices are only part of the story; today's DLP vendors do a heck of a lot more. Tablus is an expert at data discovery. Vericept excels in data classification. Orchestria is really good at policy management and enforcement. As part of Symantec, Vontu is focusing on integrating DLP functionality with other IT operations tasks. Finally, some vendors like Trend Micro and McAfee eschew the network altogether and focus on endpoints.
So if DLP doesn't fit anymore, what does? My colleague Charlotte Dunlap and I suggest we borrow another acronym and re-name this category Data Governance, Risk, and Compliance (DGRC). To us, this covers everything that's needed in the data lifecycle data including creation, classification, and policy management/enforcement. Typically, only Gartner acronyms stick, but Charlotte and I have our fingers crossed.
In all seriousness, many large organizations have no idea how much confidential and private data they have or where it is stored--a pretty scary thought. Given this problem, gateway filtering devices aren't enough. We need DGRC policies, processes, and technologies across all data around the enterprise. We need a new acronym that aptly describes this situation, even if it's actually four letters.