The changing nature of governance, risk, and compliance

Chris McClean

In my ongoing work with clients, I try as often as possible to stress the importance of flexibility in GRC programs. Internal processes and technology implementations must be able to accommodate the perpetually fluctuating aspects of business, compliance requirements, and risk factors. If GRC investments are made without consideration for likely requirements 1 to 2 years down the road, decision makers aren’t doing their job. And if vendors don’t offer that flexibility, they shouldn’t be on the shortlist.

News outlets over the past year have given us almost daily examples of change in the GRC landscape. The recent stories coming out of Davos have been no exception, giving us some truly fascinating debates on the necessity and detriment of regulations. As quoted in a Wall Street Journal article on Sunday, Deutsche Bank AG Chief Executive Josef Ackermann argued against heavy-handed regulation, saying, "We should stop the blame game and we should start looking forward... if you don't have a strong financial sector to support this recovery... you're making a huge mistake and you will regret that later on." French President Nicolas Sarkozy summed up the opposing argument in his keynote, explaining, "There is indecent behavior that will no longer be tolerated by public opinion in any country of the world... That those who create jobs and wealth may earn a lot of money is not shocking. But that those who contribute to destroying jobs and wealth also earn a lot of money is morally indefensible."


Who Owns Information Architecture? All Of Us.

Leslie Owens

Fellow analyst Gene Leganza wrote an excellent overview of Information Architecture, available for free via this link: http://www.forrester.com/rb/Research/topic_overview_information_architecture/q/id/55951/t/2

Gene briefly explores the misunderstanding between “Enterprise IA” and “User Experience IA.” This tension was well characterized by Peter Morville almost 10 years ago (see “Big Architect, Little Architect”). Personally, I think it’s clear that content is always in motion, and unsupported efforts to dominate and control it are doomed. People are a critical element of a successful IA project, since those who create and use information are in the best position to judge and improve its quality. Many hands make light work, as the saying goes.

For example, if you want a rich interactive search results page, you need to add some structure to your content. This can happen anytime from before the content is created (using pre-defined templates) to when it is presented to a user on the search results page. Content is different than data, a theme Rob Karel and I explored in our research on Data and Content Classification. For this reason, IA is both a “Back end” and a “Front end” initiative.


Is 3-D Secure Insecure?

John Kindervag

Security Researchers in the UK say that the 3-D Secure (3DS) system for credit card authorization, a protocol that was "developed by Visa to improve the security of Internet payments," has significant security weaknesses. It is used by both of the ginormous card brands, known as "Verified by Visa" and "MasterCard SecureCode."

This could be a big deal.

In a recent paper, the researchers call out 3-D Secure as a security failure that was pushed on consumers by financially incentivized merchants because, "its use is encouraged by contractual terms on liability: merchants who adopt 3DS have reduced liability for disputed transactions. Previous single sign-on schemes lacked liability agreements, which hampered their take-up."

According to the authors:

"3-D Secure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We suggest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants, and customers - given a gentle regulatory nudge."


In Amazon vs. Macmillan, Amazon comes off conqueror

James McQuivey

It was a surprising weekend for those of us who had naively imagined that after crossing the River iPad, we might actually get some Elysian rest. But, alas, the fates conspired against us and handed us the curious case of Amazon vs. Macmillan. Or Macmillan vs. Amazon?

For those who actually took the weekend off, let me summarize what happened. John Sargeant, the CEO of Macmillan Books, gave Amazon a wee bit of an ultimatum: switch from a wholesale sell-through model, where Amazon buys digital books at a fixed wholesale rate and then can choose to sell those books at whatever price it deems appropriate (even at a loss, as it does with $9.99 bestsellers), to an agency model, where Amazon agrees to sell at a price set by the publisher in exchange for a 30% agency fee. Sargeant explained to Amazon that if it did not agree to the switch, Macmillan Books would make its eBooks subject to significant "windowing," wherein new books are held back from the digital store for some period, say six months, while hardback books are sold in stores and, possibly, digital copies are sold through the iPad at $14.99.

This is more detail than we usually know about a negotiation like this because of what happened next. Sargeant got off of a plane on Friday only to discover that Amazon had responded by pulling all Macmillan books from the Kindle store as well as from Amazon.com. He then decided to make it clear to the industry (and his authors) that this drastic action was Amazon's fault, in a paid advertisement in a special Sunday edition of Publishers Lunch.


Q4 2009 IT Market Data As We Expected Shows End of Tech Downturn

Andrew Bartels

The first reports on the IT market in Q4 2009 are now in, and they are in line with our prediction that the tech market recession ended in that quarter (see US And Global IT Market Outlook: Q4 2009). Overall, the tech market in Q4 2009 was more or less flat with the same quarter the year before – an improvement from the prior quarter, when growth was negative, and evidence that the 2010 tech market will post positive growth.

  • The US economy was stronger than expected, but 5.7% real GDP growth is an aberration. The US Department of Commerce released preliminary data on Q4 2009 economic growth, and the result was a surprisingly strong 5.7% in real GDP, 6.4% in nominal GDP from the previous quarter (on a seasonally adjusted annualized basis). However, about two percentage points of that growth was due to inventory re-stocking, which will not be repeated in future quarters. And based on prior GDP reports, this growth rate will probably be revised down as new data comes in. (In Q3 2009, the growth rate in real GDP started at 3.5%, but ended up revised down to 2.2%.) Still, this report confirms that the US recession is over, and slower but steady growth is likely for the rest of 2010.

Leveraging Architecture For Business Impact

Alex Cullen

The Forrester Enterprise Architecture Forum 2010 North America (San Diego) is about two weeks away, and the EAF 2010 EMEA (London) is about five weeks away.


Virtual Network Segmentation for PCI?

John Kindervag

Several clients have recently been asking about "Virtual Network Segmentation" products that claim to segment networks to reduce PCI compliance scope. They may use ARP or VLANs to control access to various network segments. These types of controls work at Layer 2, and the hacker community is well versed in using tools such as Ettercap or Cain & Abel to bypass those controls. We've recently written about Network Segmentation for PCI as part of the PCI X-Ray series.

While rereading the PCI Wireless Guidance document, I came across this nugget that puts a nail in the coffin of using VLANs as a security control: "Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place. As a general rule, any protocol and traffic that is not necessary in the CDE, i.e., not used or needed for credit card transactions, should be blocked. This will result in reduced risk of attack and will create a CDE that has less traffic and is thus easier to monitor."


Do you require an email address or more before giving out collateral or ROI tools?

Peter O'Neill

I've recently had several interesting discussions about one of the assessment criteria in the Forrester Vendor Positioning Review (VPR). A new VPR on IT Management Software Vendors should be out this time next week (it's been stuck in our Editing dept. for several weeks now.)


Do CIOs Blog — And Should They?

Sharyn Leaver

We’ve become curious ever since we interviewed Linda Cureton of NASA a few months ago, when we were a bit surprised to discover that she has an active blog (her Thanksgiving entry implores CIOs to give thanks to their “geeks”). And there’s Rob Carey, CIO of the Navy, who has been blogging for the past two years. So we decided to look around to see which other CIOs are actively blogging. Active implies recent — which takes quite a bit of time and thought, and is probably not for everyone. So who else besides Linda takes the time and thought? Here are a few who do, though not always frequently.


The Future of Online Customer Experience

Moira Dorsey

New technologies follow a pattern. They start by imitating older technologies before they evolve to their true forms. The first automobiles looked like horseless carriages. It wasn't until the Vintage Era of the 1920s that cars evolved to a form we'd recognize today, with features like front engines, enclosed cabs, and electric starters. Televisions started off copying radios - they looked more like an armoire with a small screen stuck on the front.

In the process of working on my latest piece of research, it became clear that the Web has followed a similar pattern. Early sites imitated a much older medium - paper. And even though 'web page' still dominates our thinking, online experiences have begun to evolve away from the page-based metaphor. In the next 5 years, the evolution of online experiences toward their true form is about to take off at a much faster rate than in the previous 5 years.

Consider that today's default Web platform - a browser running on a PC - is rapidly giving way to diverse online environments. The types of devices we use to connect to the Web are proliferating. In addition to the growth of netbook adoption, there are new devices like the Chumby and the Energy Joule. Portable devices are rapidly getting more powerful - as a result, the tradeoff between mobility and capability is shrinking. And even as the hardware evolves, the interfaces on the devices we use to connect to the Web are becoming more and more customizable. And the reason any of this matters at all is because consumers are already adopting these technologies.

So what are the implications of these trends? What does it mean for the future of online experiences? At Forrester, we've concluded that the resulting online customer experiences of the future will be:
