The DLP Pain Report
Today we launch DLP Sucks - a movement born from hundreds of customer calls, years of false positives, and an industry that's been saying this quietly for too long.

DLP Sucks is a movement for every analyst, CISO, engineer and marketing manager who has been burnt by DLP, whether by managing it and spending hours tuning a rule that blocks a recipe instead of a leak, or by being blocked from sending that recipe.
After hundreds of customer calls where we heard the same pains over and over, we had to do something. This is DLP Sucks. A wall of pain, a real store of swag and jokes, online and physical events, and a whole lot of finally saying it out loud.
To kick things off, we went to where practitioners actually talk. Reddit threads at midnight. Spiceworks forums. Anonymous survey responses. The comments sections of postmortems nobody published. We collected the complaints, cross-referenced them with independent research, and put it all in one place.
This is what the industry has been saying.

"I don't even look at the alerts anymore."
It's the most common thing security analysts say when you ask them — off the record — about their DLP program. Not with embarrassment. With exhaustion.
The numbers back them up. Enterprise Strategy Group research found that 38% of all DLP alerts are false positives. According to Dropzone.ai's alert fatigue research, 40% of alerts are never investigated at all — the volume is mathematically impossible to process.
"Tuned our DLP for 18 months. It blocks copy/paste. Has never caught an actual breach." — r/sysadmin
"We have a Slack channel just for DLP complaints from employees. It's our most active channel." — r/netsec
The False Positive Problem Isn't Getting Better
82% of practitioners say DLP alert volume either significantly impacts other priorities or requires direct trade-offs, according to Enterprise Strategy Group. The false positive rate in legacy deployments regularly hits 35-40%. In some environments, it reaches 90%.
The practical result isn't just wasted time. It's that security teams stop trusting their own tools.
"At some point you stop triaging and start pattern-matching in your head. This sender, this file type, probably fine. It's not security anymore, it's gut feel." — r/cybersecurity
"My analysts have developed an informal tiering system that has nothing to do with actual risk. It's based on which alerts have historically been false positives. The tool trained them to ignore it." — Spiceworks community
A CIO at a 50,000+ employee organization described their system bluntly: "Our DLP solution provides 60% accuracy, in the best of times."
Tuning Never Ends
One in three DLP practitioners report frustration specifically with tuning and policy management, per ESG research. That number understates it.
"We've been 'finishing' our DLP rollout for three years. Every time we think we're done, something breaks and we're back to exceptions." — r/netsec
"The first year of any DLP deployment is just tuning. You're not protecting anything. You're just trying to make it stop breaking things." — Practitioner, via Spiceworks
The problem compounds over time. Policies get added to address specific incidents, then never retired. Rules overlap. Alerts multiply. Nobody has a complete picture of why the system is doing what it's doing — including the people who built it.
Employees Figured Out the Workarounds
When DLP is too aggressive, users don't file helpdesk tickets. They route around it.
Personal file sharing. Personal email. Screen photos. Typing data directly into web forms instead of uploading files. Microsoft's own product documentation acknowledges that Purview endpoint DLP cannot monitor data typed into web forms, cannot scan encrypted files, and cannot block screenshots taken in a browser.
"We did a survey. 60% of our employees admitted to using personal Dropbox to get around DLP blocks. They didn't think they were doing anything wrong." — r/sysadmin

The People Are Burning Out
Prophet Security's research puts SOC analyst burnout at 71%. Among analysts with under five years of experience, 70% leave within three years.
"Lost my third analyst in 18 months. All three cited alert fatigue in their exit interviews. Management keeps asking me to fix the DLP. I keep telling them the DLP is the problem." — r/netsec
"I got into security to stop threats. I spend most of my time explaining to employees why they can't attach a PDF to an email." — r/cybersecurity
When the people whose job it is to act on alerts have stopped believing in them, the tool has failed — regardless of what the dashboard says.
The Tools Keep Multiplying. The Leaks Don't Stop.
The average enterprise now runs six different DLP solutions, according to Enterprise Strategy Group. Data leaks persist. 72% find DLP administration challenging or very challenging. Egress research found that 85% of organizations using Microsoft 365 DLP still suffer email leaks.
"We've bought three DLP products in five years. Different vendors, same promises, same results. The procurement team wants to try a fourth." — Spiceworks community
"We run it in monitor-only mode now. Enforcement was breaking too much. So it watches. It alerts. We don't look. I'm not sure what it's for anymore." — r/netsec
This is the wall before the wall.
Every quote above is a confession someone made in a forum because they couldn't say it at work.
That's what DLP Sucks is for. A place to say it — with your name on it, or without. A wall for the industry's honest conversation about a tool that's been failing quietly for twenty years.
The wall is open.