Paying the price

In general, these products are costly. Pricing varies greatly, but most vendors will charge per user/workstation, per appliance or per the exit points at which information can leave the corporate network, such as through e-mail attachments, IM and data uploading to an FTP server.

Organizations in highly regulated industries can more easily justify the investment in products that monitor outbound content. But taking into account the financial damage associated with the loss of intellectual property and governmental fines, the vendors report that even small and midsize businesses (SMB) are showing interest in these products. An SMB may be able to keep the price tag at less than US$100,000, but an enterprise-level system supporting thousands of users will easily run between $200,000 and $500,000.

While the vendors we surveyed offer professional services to assist with project implementations, we believe most organizations should be able to install them with minimal assistance from the vendor. However, you'll likely have to pay service and support dollars when it comes to policy creation, troubleshooting network performance and integrating the data-leakage monitoring into custom applications.

To avoid spending extreme amounts of time and money with professional services, buyers must research the built-in features each product has to offer before implementing them. You'll also need to identify internal management tools that will require integration with the data-leakage products. In addition, if the product has built-in templates for outgoing messages that comply with governmental regulations, be sure to investigate whether those templates are easy check-off lists or require an administrator to use a built-in template as a base for creating more-granular custom categories.

The ROI regarding data-leakage products is closely aligned with business risk and therefore they are often purchased under the umbrella of compliance or risk management.

Vericept's Piccinini says these products help with hard and soft return on investments: The hard ROI is that organizations gain insight about when to replace network gear, and the soft ROI is realized through money saved by staying in compliance and avoiding the cost associated with damage to brand reputation.

These products won't solve all your information security issues and are not meant to replace -- but rather work in conjunction with -- regularly scheduled vulnerability assessments, physical security, data encryption, user identity and access control, incident response and reporting or employee screening. While the regulatory climate is ripe for these types of products, the steep price tag, stiff competition from digital rights management vendors and a market filled by smaller vendors could make these products appear as luxury information security tools. That said, if you stand to lose a lot if you lose even a little bit of data, they are worth a look.

VanAuken is a freelance writer and product tester in Syracuse, N.Y.