"Deploying endpoint data loss prevention is probably the most fear-inducing step in any DLP project."
I would like to argue that with Symantec DLP this may not be true.
Mogull makes very valid points in 4 out of 5 of the statements. However, the second point is where I would like to argue that Symantec DLP eases deployment of the Endpoint agent. Symantec DLP leverages the Management Platform (formerly known as Altiris Notification Server) to help distribute the agents. I covered the DLP v9 Integration Component in an earlier post, but I want to focus on some key things here.
If you are already using Altiris in your environment, the Integrated Component plugs right into your existing Altiris 7 infrastructure. In fact, when you deploy the DLP Endpoint agent, it installs the Altiris 7 agent. (Note: If you have not upgraded your Altiris 6 system to Altiris 7, this is something you will need to deal with. There is a switch in the .MSI to not install the Altiris Agent.) The DLP Integrated Component allows you to manage several parts of the DLP Agent; for more information, see a post written here.
So, back to the article and the main part of this post. If my endpoints are already discovered and managed in Altiris, then I can easily deploy the Endpoint Agent by enabling the Install Agent policy. It's just that easy, and it eliminates the pain and fear of deploying the endpoint agent.
Now, I'm not arguing that you shouldn't start with a test deployment and verify the settings don't affect production, but deploying the agent with Altiris makes this a less stressful implementation.