DLP in the GenAI Era: Shadow data and DLP product churn

Recent Enterprise Strategy Group research found data loss prevention product churn combined with undiscovered data and shadow IT are changing the DLP landscape.

Data loss prevention is the No. 1 data security spending priority for enterprises, according to research from Enterprise Strategy Group, now part of Omdia. The global "2025 Technology Spending Intentions Survey" included responses from more than 1,300 IT and security decision-makers.

We wanted to delve deeper into why enterprise DLP was such a focus, so this month we published "Reinventing Data Loss Prevention: Adapting Data Security to the Generative AI Era." This research, which surveyed 370 IT and cybersecurity professionals, explored the state of DLP today and expectations for the future.

The research had many surprising findings. In this article, I'll focus on two key areas: undiscovered data and the flux around existing DLP products.

Data growth and undiscovered data

As enterprises expand, data volumes grow quickly. Yet, IT and security teams often lack visibility into this expanding data estate.

Our research found that while overall enterprise data volumes were growing at 44% annually -- 38% annually for unstructured data -- 54% of respondents had visibility into less than half of their data estate. To state the obvious, a lack of visibility increases risk. Organizations might have sensitive data in their estate, but they will not know about it without adequate visibility.

When asked specifically about sensitive data, survey respondents said an average of 56% of data was discovered, and that 40% of that discovered data was classified. This lack of visibility speaks to the inadequacy of existing products and the significant risk that enterprises face if they encounter a breach of undiscovered or shadow data.

To add fuel to the fire, unstructured data increasingly ends up in generative AI (GenAI) tools because of how employees work with data -- for example, to accelerate code development, evaluate strategy notes or resolve customer issues. Employees paste data into prompts without realizing it could contain sensitive information, often because this type of sensitive content lacks clear markers. A paragraph about an M&A deal might not trigger any rule, but it's still confidential. Yet, labeling every variation is unrealistic. This lack of control over unstructured sensitive data can delay enterprise AI adoption because of data security risks.

Flux in existing DLP products

Our research found that most enterprises take a portfolio approach to DLP, with an average of six DLP tools deployed across their environments. Six might seem like a high number, but organizations can reach it much faster than they think. For example, a company could use one tool for endpoint DLP to secure laptops and USB drives from unauthorized access; a network DLP tool to stop data exfiltration via email, web traffic and file sharing; and a cloud DLP tool to safeguard SaaS applications.

While many tools might be discrete DLP products, others serve another purpose but include DLP functionality. Consider a secure email gateway that includes DLP functionality or a SaaS tool that includes DLP features.

The portfolio approach can pose challenges in maintaining policy consistency across DLP products, and ill-tuned policies can result in alert fatigue.

Our research also found significant dissatisfaction with the DLP status quo that has accumulated over the years. Most of the 370 respondents said they encountered challenges in administering DLP policies across their tool investments and that false-positive alert noise drained security team members' time.

Expect significant product flux as the DLP space evolves in the next 12 to 18 months. We asked enterprises what they intended to do, and the results were surprising. While our research indicated significant change is coming, that change is headed in diverse directions. Enterprises are striving to improve their DLP programs in divergent ways -- 66% said they were expanding use of an existing DLP tool, 62% said they were deploying a new DLP tool, and more than 40% said they were either replacing existing DLP point products (48%) or replacing an enterprise DLP product (41%). These atypically high numbers indicate that enterprises recognize the need to rationalize and improve what they are doing to mitigate data loss and insider threats.

Innovation and the DLP future

First-generation and legacy DLP tools did their job in their time but are showing their age in the form of alert noise, administrative pain and subpar coverage of new data loss vectors. More recent DLP products from the likes of Forcepoint, Microsoft, Proofpoint, Palo Alto Networks and Zscaler are easing the policy administration problem, driving down alert noise and addressing emerging data loss vectors, such as GenAI infrastructure.

DLP will continue to see point products that solve specific problems with more agility than broader platforms. To that end, startup innovators have come onto the DLP playing field, including Harmonic Security, which offers DLP for GenAI applications informed by high-fidelity AI models; Cyberhaven, which offers data detection and response for insider risks; MIND, which offers DLP for unstructured data; and Cyera, which combines DLP and data security posture management.

These are exciting times in the DLP space. If you are a new technology player with an innovative approach, I would like to hear about it. You can reach me via LinkedIn.

Todd Thiemann is a principal analyst covering identity access management and data security for Enterprise Strategy Group, now part of Omdia. He has more than 20 years of experience in cybersecurity marketing and strategy.

Enterprise Strategy Group is part of Omdia. Its analysts have business relationships with technology vendors.
