The State of Data Loss Prevention

To some IT and security professionals, Data Loss Prevention (DLP) is a bad word. They’ve been burned by high levels of false positives, slow time to value, significant costs, and high administrative overhead to set up and maintain. When we mention DLP to them, they wince. We often hear about failed DLP implementations from the IT and security teams we work with.

For others, DLP is a business necessity. They will go through the efforts required to get a DLP program in place for their companies (like assessing vendors, running proof of concepts, buying software, implementing it, and tuning it), because of pressures like compliance requirements and requests from customers.

To understand how satisfied IT and Security professionals really are with their current DLP solutions, Nira and Gartner surveyed 500 IT and security leaders.

Here’s what we found: 

IT and Security teams have implemented and maintained DLP solutions for years.

Over half (55%) of survey respondents cite that both their IT & Security teams are responsible for their DLP solution. Most respondents – 80% – said they have IT involved in some form. Who is responsible for setting up and maintaining your company’s Data Loss Prevention (DLP) solution?

Fifty-four percent of leaders surveyed have 2 or more years of experience with DLP solutions. Thirty-four percent said they had 2-3 years of experience, 13% have 3-5 years, and 7% have been using DLP for 5 to over 10 years.

How many years of experience do you have using DLP solutions?

Microsoft 365 DLP is by far the most commonly used tool to protect cloud-based documents (75%).  Google’s DLP was cited as the second most popular (33%), followed by Cisco Cloudlock (20%). The remaining 10% said they use other DLP tools.

What DLP products are you using currently to protect your cloud-based documents?

Customers are not satisfied with the DLP products they use.

The Net Promoter Score (NPS) of the DLP products used by participants is a -19. This means that customers are not only not satisfied with their DLP products – they are actively having bad experiences.

In contrast, a 1-30 NPS score means that customers aren’t very satisfied, a 31-50 score indicates that customers are satisfied, and brands with scores from 51 to 100 are some of the most loved brands and companies in the world.

Data Loss Prevention Net Promoter Score = -19

We found that most detractors said that their DLP solution was complicated to implement and maintain, had a lack of features and functionality, and still had too many false positives.

In contrast, the passives said they liked the reliability of their solution, although some saw the concept as “inherently flawed.” Meanwhile, promoters were happy that their DLP solution met their data privacy needs exactly as advertised.

What is the main reason for your score?* [Person labeled “Detractors”]: "Very hard to effectively set up and...is very prone to generate false positives.” [person labeled “Passives”]: “The market has not yet addressed the need for a transparent, polished, and truly useful DLP solution. We think the concept might be inherently flawed.” [person labeled “Promoters”]: “It is easy to use, and it has reduced the amount of lost information.” This was an open text question. Selected quotes reflect common responses.

Compliance requirements drive the adoption of DLP solutions. But current solutions have a slow time to value and require a high administrative burden.

The two primary motivators for implementing a DLP solution are certification requirements (31%), such as SOC 2 and HIPAA, and data protection regulations (26%) like GDPR.

Although DLP solutions are often purchased for these reasons, they are not the only solutions that help companies check the box.

What was your primary reason for implementing a DLP solution?

DLP implementations take time. Nearly half of DLP implementations (49%) took between 4 months and over a year.

That means organizations continued to have compliance and data protection gaps while they waited for implementations to be completed. Just 13% of IT and security leaders were able to fully implement their DLP solution in less than a month.

How long did it take your company to fully implement the DLP solution?

DLP is also not a set it and forget it kind of solution. This means security and IT teams are tuning their DLP throughout the year. Over two-thirds (68%) of respondents say they need to update their DLP rules every quarter or more.

How often do you need to update your solution's DLP rules?

Visibility gaps, false positives, and usability issues remain challenges with current DLP solutions.

Easy visibility into issues and risks (38%) is the single biggest challenge most companies face with data loss prevention. 

One-quarter of survey participants (25%) cite false positives as their biggest challenge. Sixteen percent cite usability issues as their biggest challenge, 11% said the ability to take bulk actions on problems, and 10% cite the end-user experience.

We asked participants if they could wave a magic wand and improve their DLP solution, what would they do? 

The top three most common responses were:

  1. Improve accuracy and reduce false positives 
  2. Make it easier to implement and use 
  3. Provide better visibility

 *This was an open text question. Most common responses are summarized. Speech bubble: “Improve false positives and lower administrative overhead.” Director, large software company in North America

For many respondents, DLP seems to be viewed as a “necessary evil” or as one part of a larger security response that can still be improved. We learned that most respondents wanted better accuracy, fewer false positives, easier implementation, and more visibility, overall. 

We’ve heard similar stories from our customers. It seems although traditional DLP is here to stay for the foreseeable future, the concept may be inherently flawed, and better security solutions must be developed.

About Nira 

Nira is a real-time access control system that provides complete visibility and management over who has access to your cloud-based company documents. Nira provides a single, comprehensive view of who has access to valuable cloud-based company data.

It allows you to easily find and identify risks, quickly control access and fix issues, and efficiently automate the process through policy enforcement and remediation delegation.

Nira also enables employees to manage and control who has access to their information, without needing technical expertise. 

Respondent Breakdown

Region: North America: 79%; EMEA: 13%; APAC: 8%. Title: C-Suite: 25%; VP: 20%; Director: 36%; Manager: 19%. Company Size: Fewer than 1,001: 26%; 1,001-5,000: 24%; 5,001-10,000: 23%; 10,001 or more: 27%

This content, which provides opinions and points of view expressed by users, does not represent the views of Gartner; Gartner neither endorses it nor makes any warranties about its accuracy or completeness. Source: Gartner Peer Insights

Every company that uses Google Workspace should be using Nira.
Bryan Wise
Bryan Wise,
CIO of GitLab

Incredible companies use Nira