<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Gulp! Is that a Naked Emperor I See?</title>
	<atom:link href="http://spiresecurity.com/?feed=rss2&#038;p=253" rel="self" type="application/rss+xml" />
	<link>http://spiresecurity.com/?p=253</link>
	<description>Risk and Cybersecurity Analysis</description>
	<lastBuildDate>Wed, 21 Aug 2013 23:28:51 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
	<item>
		<title>By: Pete</title>
		<link>http://spiresecurity.com/?p=253&#038;cpage=1#comment-345</link>
		<dc:creator>Pete</dc:creator>
		<pubDate>Wed, 14 Nov 2007 04:15:24 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/blog/?p=253#comment-345</guid>
		<description><![CDATA[@Kevin -

Spoken like a true DLP vendor ;-)

First, I should say that I happen to be a big fan of DLP solutions, not because, omigosh! the world is coming to an end, but simply because they provide concrete evidence of the nature and type of activities that are ongoing in enterprises today.

Second, this post was not about the DLP value proposition, it is about evidence-based security, with Alex&#039;s DLP example as an illustration. You not only confirmed my point in this regard, but reinforced it - I am not surprised at all that people react strongly even without evidence of that information being used against them. They reacted strongly with all the IDS alerts to ping sweeps back in 1998, too.

It is well-documented that people over-react to risk (see Paul Slovic, et al. and the perception of risk academic work); I am cautioning against that kind of reaction, in any/all cases that come up.

You&#039;re not really suggesting that because people are &quot;shocked&quot; and &quot;awed&quot; by your reports that it causes or even correlates to losses, are you?

Heck, Vontu would probably be in the best position to provide such quantitative analysis. Do you have it?
]]></description>
		<content:encoded><![CDATA[<p>@Kevin -</p>
<p>Spoken like a true DLP vendor <img src='http://spiresecurity.com/blog/wp-includes/images/smilies/icon_wink.gif' alt=';-)' class='wp-smiley' /> </p>
<p>First, I should say that I happen to be a big fan of DLP solutions, not because, omigosh! the world is coming to an end, but simply because they provide concrete evidence of the nature and type of activities that are ongoing in enterprises today.</p>
<p>Second, this post was not about the DLP value proposition, it is about evidence-based security, with Alex&#8217;s DLP example as an illustration. You not only confirmed my point in this regard, but reinforced it &#8211; I am not surprised at all that people react strongly even without evidence of that information being used against them. They reacted strongly with all the IDS alerts to ping sweeps back in 1998, too.</p>
<p>It is well-documented that people over-react to risk (see Paul Slovic, et al. and the perception of risk academic work); I am cautioning against that kind of reaction, in any/all cases that come up.</p>
<p>You&#8217;re not really suggesting that because people are &#8220;shocked&#8221; and &#8220;awed&#8221; by your reports that it causes or even correlates to losses, are you?</p>
<p>Heck, Vontu would probably be in the best position to provide such quantitative analysis. Do you have it?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Kevin Rowney</title>
		<link>http://spiresecurity.com/?p=253&#038;cpage=1#comment-344</link>
		<dc:creator>Kevin Rowney</dc:creator>
		<pubDate>Wed, 14 Nov 2007 00:03:08 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/blog/?p=253#comment-344</guid>
		<description><![CDATA[One of your quotes will amaze nearly anyone who has actually seen the live results of a DLP-style risk assessment:

&quot;it is not even clear whether these leakage events create higher risk for an enterprise that is already sharing information in huge volumes&quot;

Yes, there aren&#039;t reliable numbers yet on the conversion rate from exposure events to actual legal/financial harm, but response to the wrap-up results of DLP risk assessments nearly always lands somewhere between &quot;shock&quot; and &quot;awe&quot;. Anyone in business immediately sees the potential harm that can come from these exposure events and, often enough, activity found by just a two-day risk assessment finds clear evidence of serious harm.

I agree it&#039;s important not to try to create a sense of panic out there.  Besides, FUD marketing doesn&#039;t work anyway.  On the other hand, you are *way* out on a limb if you think the problem that DLP treats is illusory or just vendor marketing spin.
]]></description>
		<content:encoded><![CDATA[<p>One of your quotes will amaze nearly anyone who has actually seen the live results of a DLP-style risk assessment:</p>
<p>&#8220;it is not even clear whether these leakage events create higher risk for an enterprise that is already sharing information in huge volumes&#8221;</p>
<p>Yes, there aren&#8217;t reliable numbers yet on the conversion rate from exposure events to actual legal/financial harm, but response to the wrap-up results of DLP risk assessments nearly always lands somewhere between &#8220;shock&#8221; and &#8220;awe&#8221;. Anyone in business immediately sees the potential harm that can come from these exposure events and, often enough, activity found by just a two-day risk assessment finds clear evidence of serious harm.</p>
<p>I agree it&#8217;s important not to try to create a sense of panic out there.  Besides, FUD marketing doesn&#8217;t work anyway.  On the other hand, you are *way* out on a limb if you think the problem that DLP treats is illusory or just vendor marketing spin.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Adam</title>
		<link>http://spiresecurity.com/?p=253&#038;cpage=1#comment-343</link>
		<dc:creator>Adam</dc:creator>
		<pubDate>Tue, 13 Nov 2007 17:12:56 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/blog/?p=253#comment-343</guid>
		<description><![CDATA[I forgot to include URLs.  http://www.emergentchaos.com/archives/2007/10/1530_dataloss_incidents_d.html points to this http://www.govexec.com/story_page.cfm?articleid=38348
]]></description>
		<content:encoded><![CDATA[<p>I forgot to include URLs.  <a href="http://www.emergentchaos.com/archives/2007/10/1530_dataloss_incidents_d.html" rel="nofollow">http://www.emergentchaos.com/archives/2007/10/1530_dataloss_incidents_d.html</a> points to this <a href="http://www.govexec.com/story_page.cfm?articleid=38348" rel="nofollow">http://www.govexec.com/story_page.cfm?articleid=38348</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Adam</title>
		<link>http://spiresecurity.com/?p=253&#038;cpage=1#comment-342</link>
		<dc:creator>Adam</dc:creator>
		<pubDate>Tue, 13 Nov 2007 16:54:22 +0000</pubDate>
		<guid isPermaLink="false">http://spiresecurity.com/blog/?p=253#comment-342</guid>
		<description><![CDATA[Pete,

If you don&#039;t subscribe to a massive number of breaches, why did GAO report that CERT is hearing about roughly a breach an hour?  Is the US government different?

We move rocks, we see things.  We move more rocks, we see more things.  You seem to be saying that the next rock is going to be different.
]]></description>
		<content:encoded><![CDATA[<p>Pete,</p>
<p>If you don&#8217;t subscribe to a massive number of breaches, why did GAO report that CERT is hearing about roughly a breach an hour?  Is the US government different?</p>
<p>We move rocks, we see things.  We move more rocks, we see more things.  You seem to be saying that the next rock is going to be different.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
