My colleague Michel Godet sent me a link to an article that Mike Rothman recently wrote.
Michel (rightly) thinks that it supports the approach we have been pushing in Europe for over a year now: justifying data security technology investments with Value at Risk (VaR) calculations.
Mike’s article, Building a business case for security, is good. I agree with most of what he writes (I would have commented, but SearchSecurity doesn’t allow commenting on their Ask The Security Expert: Questions & Answers articles).
So I will use my own blog to post a couple of my comments (I should probably ping Mogull on this too, but I lost his email).
1) I agree that if you can’t get past the first energy barrier of concern with information protection, then you are a non-starter for DLP (or any data security technology, for that matter). It must fit the business needs; otherwise it’s like trying to sell a trombone to a violinist. Total waste of time.
However, once you get past the first road block, the business problem for security investment is:
What is your value at risk, what are the right security countermeasures, and are they cost-effective? Not: what are the vendors selling this quarter?
There is no reason in the world why data security should be any different than any other IT investment.
2) I totally disagree that looking only at a network-based DLP product is inherently limiting. Just because a few vendors like Websense and Symantec have integrated endpoint and gateway products doesn’t make them cost-effective data security countermeasures, ensure the success of the project, or prevent the next data breach.
Let me submit a few counter-examples:
A) Suppose all your sensitive data is in the cloud. Then maybe network DLP is a good fit.
B) Suppose all your endpoints are in the cloud. Then maybe endpoint DLP is a good fit.
C) Suppose all your sensitive data is on notebooks. Then maybe encryption is the right countermeasure to data loss.
The answer is that you have to measure stuff: measure your people, process and system vulnerabilities and where your assets are headed. After that you need to estimate your VaR, and only THEN start thinking about the people, process and technology countermeasures.
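To make that sequence concrete, here is an added example of mine (not from Mike’s article or any vendor): a few constructed loss scenarios and countermeasures, the exact annual loss distribution they imply, its 95% VaR, and a ranking of each countermeasure by VaR reduction minus annual cost. Every scenario name, probability, impact, cost and mitigation factor below is a constructed assumption.

```python
# Rank data-security countermeasures by their effect on annual Value at Risk (VaR): each
# loss scenario is an independent yearly event, and the exact annual loss distribution
# is enumerated over all 2^n scenario subsets. All figures below are constructed.
from collections import namedtuple
from itertools import product

# name, probability of a loss event in one year (before controls), loss if it happens
Scenario = namedtuple("Scenario", "name probability impact")
# name, annual cost, {scenario name: multiplier applied to that scenario's probability}
Countermeasure = namedtuple("Countermeasure", "name annual_cost factors")

def annual_loss_distribution(scenarios, controls=()):
    """Return {annual loss: probability} with the given controls applied."""
    probs = [s.probability for s in scenarios]
    for c in controls:  # several controls compound multiplicatively
        probs = [p * c.factors.get(s.name, 1.0) for s, p in zip(scenarios, probs)]
    dist = {}
    for hits in product((0, 1), repeat=len(scenarios)):
        prob, loss = 1.0, 0.0
        for hit, s, p in zip(hits, scenarios, probs):
            prob *= p if hit else 1.0 - p
            loss += s.impact if hit else 0.0
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist

def value_at_risk(dist, confidence=0.95):
    """Smallest loss L with P(annual loss <= L) >= confidence."""
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= confidence:
            return loss
    return max(dist)  # only reached if rounding keeps the sum just under 1.0

def rank_countermeasures(scenarios, countermeasures, confidence=0.95):
    """Return baseline VaR and (name, VaR, VaR reduction minus cost), best first."""
    baseline = value_at_risk(annual_loss_distribution(scenarios), confidence)
    rows = []
    for c in countermeasures:
        var = value_at_risk(annual_loss_distribution(scenarios, [c]), confidence)
        rows.append((c.name, var, baseline - var - c.annual_cost))
    return baseline, sorted(rows, key=lambda r: r[2], reverse=True)

SCENARIOS = [Scenario("notebook_theft", 0.30, 400_000),
             Scenario("email_leak", 0.20, 250_000),
             Scenario("cloud_share_leak", 0.10, 350_000)]
COUNTERMEASURES = [
    Countermeasure("network_dlp", 60_000, {"email_leak": 0.25, "cloud_share_leak": 0.5}),
    Countermeasure("endpoint_dlp", 90_000, {"notebook_theft": 0.7, "email_leak": 0.5, "cloud_share_leak": 0.8}),
    Countermeasure("notebook_encryption", 25_000, {"notebook_theft": 0.1})]
```

With these constructed figures, `rank_countermeasures(SCENARIOS, COUNTERMEASURES)` gives a baseline 95% VaR of 650,000 and puts notebook encryption first (VaR 350,000, net benefit 275,000), ahead of both DLP options; move the sensitive data off the notebooks in the scenario list and the ranking changes, which is the whole point of measuring first.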
BTW, I’ve been saying this for years:
October 28, 2004 – A guide to buying extrusion prevention products
March 17, 2005 – How to justify Information security spending
Now if only we could find a way to monetize being right.