Relative to DLP, I thought it best to consult my friend Rich Mogull from research and consulting firm Securosis, the premier analyst in the DLP space. He's published quite a bit about DLP use cases and value.
In Rich's words: "The business problem for DLP is: 'Tell me where my sensitive information is and help me protect it.'" If an SVP doesn't think that value statement is important enough to consider DLP products, then give up now. There won't be any funding."
Rich also emphasizes that looking at only a network-based DLP product is inherently limiting. There are a number of products that offer integrated protection for data in motion (such as network-based DLP products mentioned in this question), and data at rest and data on the endpoints. A content-protection strategy is only as good as its weakest link, and without factoring endpoints, files stores and databases into the mix, there will be a pretty significant gap in protection.
The best way I've seen to make a case is actually to bring a product in and do a proof of concept. Conduct a quick scan to pinpoint some sensitive content. Install a gateway and roll out endpoint DLP agents to a test group. See what they find. If it's nothing major, then the company doesn't need to spend the $500,000.
But if there are anomalies, those will be the ammunition and the urgency to make the case, because your pitch will be based on data, not PowerPoint slides or fear-based marketing. Get the data and let the SVP make up his/her mind about how important the problem is.
This was first published in June 2008