DLP Myth #4: DLP is Expensive
The topic of Data Loss Prevention enforcement technology expense is a difficult one to address. DLP technologies have long been considered very expensive and in fact, many still are. But the idea of DLP technologies can be sliced and mixed and mashed in so many ways, it is possible to purchase DLP enforcement technologies without breaking the bank. And considering the amount of risk mitigation that comes with effective DLP strategies, I believe the cost to be well worth it.
I’ve outlined below a number of key points related to DLP expense, any of which may apply directly to your organization.
Some Vendors Just Cost More
As in any marketplace, there are expensive vendors and their are cheap vendors. DLP technologies are no different. You have your high-cost leaders who may set the standard in complete coverage and expansive feature lists, targeting the large enterprise and your low-cost vendors who may only cover basic features and target small companies. Even among the leaders in the space who provide very comparable levels of coverage, there can be drastic cost differences. Want to save some money? Do your homework and don’t fall into the trap of thinking all vendor costs are the same. They are not.
Retail Price vs. Street Price
Even after you get the list price quotes from DLP vendors, keep in mind there is always a retail price and a street price. DLP street price can get surpisingly competitive with a couple vendors in the mix. To get the best price, don’t hone in on a single vendor, even if you’re convinced they’re the only one that can meet your unique requirements. Keep a couple of vendors involved, preferably a mix of leaders and challengers and play your cards close to your vest. Only reveal just enough to keep your preferred vendor on their toes and ready to negotiate.
Differing DLP Cost Models
Data loss prevention is one of those newer spaces where vendors and buyers are still trying to figure out the best way to charge for DLP. There are two basic cost models: perpetual and term (subscription). The marketplace has not completely moved to one or the other and in fact, many vendors can provide either/or. The differences in price can be very significant, both in the first year and also looking out over a number of years. Perpetual license models require a front-loaded payment on all license and support fees, plus any hardware, with a percentage paid annually for maintenance and support (usually around 15%-25%). In this case you “own” the right to use the product perpetually, assuming you pay the required annual support fees. Term models (aka annually-renewable subscription) are typcially less initial cost and often look really good when compared with the first-year cost of a perpetual license. This cost savings may be short-lived, however; annual renewals can really add up! In the end, it’s important to consider what the total costs will be over the course of multiple years.
Another way to approach DLP to keep costs down is to implement the solution in a phased approach. This may mean starting with network coverage and then adding other coverage in the coming months. This can cut initial costs by as much as a third, but some vendors provide discounts if the complete suite is purchased up front. For many companies, this approach makes good sense and allows them to roll out the DLP enforcement at their own pace.
One word of caution with a phased approach. Depending on the product, many vendors have architectures that require you add additional appliances or servers as you roll out new components. A few vendors have architectures that combine the full suite into a single appliance, so adding a service is as simple as flipping a switch in the UI.
There’s some buzz around “channel DLP,” which are DLP products that provide limited coverage, say for monitoring email only. These channel DLP products can be an inexpensive way to “break in” to data protection, but are considered by many to be “good enough” approaches that may not address a company’s long term DLP needs. Popular channel DLP products include:
- Endpoint (content-aware)
- Device Control
Be sure to note that while channel DLP can address short-term needs in one particular area (say email), adding to your DLP enforcement technologies may require you to ditch that channel DLP product for one that provides the all-critical single user interface. Managing multiple DLP products, incidents, rules, etc., means multiple interfaces which can easily double or triple management times.
Hardware vs. Software
Finally, when it comes to DLP technologies being expensive, be sure you understand all the costs involved. An appliance-based solution typically includes the appliance in the cost quote, while many leading software solutions require multiple servers be purchased along with operating systems, databases, etc., and are not included in the costs.