What comes first? Does a company implement a policy for compliance and data loss prevention and then hunt around for the tools do it? Or does an organisation buy the products and then use those as a means of keeping its employees in check? It's like a tech version of the old chicken and the egg conumdrum.

There's a difference between theory and practice here. I'm sure that 99 percent of organisations would opt for the first - or at least, say they opt for the first. In practice, I think it's fair to say that companies don't always lay down solid policies. They have been countless examples of employees bringing viruses into organisations through downloading inappropriate material or using USBs, or through sharing data

And it's not just about lowly employees, employees in the higher echelons have been equally guilty - it seems that scarcely a week goes by without sensitive information going missing,, whether it be prison data or politician's own PCs. It's going to be hard to implement any organisation-wide policy when there are so many people from all levels who are failing to abide by corporate policy

So, the Quocirca/CA survey on DLP is a timely reminder of some the problems that they face. Companies surveyed complain about a lack of time and resources to implement a proper compliance vision. The danger. therefore, is that the adoption of DLP tools is used  to mask some of these problems.  As long as the company has this vision right and has adopted a culture where every employee knows the issues, these tools will be a complementary asset not an essential need.

Follow Maxwell on Twitter on @maxcooter