The GRC Groundswell

Chris McClean

As GRC practices continue to gain traction, I’ve had a lot of great conversations lately with clients about the importance of peer interaction for professionals in governance, risk, and compliance roles. With his finger apparently on the pulse of all major technology trends, Forrester’s Josh Bernoff must see this as well. This week he announced the winners of the 2009 Forrester Groundswell Awards, with two top GRC vendors among the winners. (For those of you not familiar with Josh Bernoff or Groundswell, check out the book info here.)

Read more


Another acquisition in the Web security service space — Cisco Systems acquires ScanSafe

Chenxi Wang Cloud security service is hot, hot, hot. My last blog post highlighted the acquisition of Purewire by Barracuda earlier this month. Today, Cisco Systems announced the intention to acquire ScanSafe, another Web security services company. Cisco’s entering this space shows that Web security services are now on the radar screen of enterprises.

At Forrester we are seeing a definite rise in interest in Web security services, partially fueled by the general interest level in cloud services. Many IT managers told me that they are being asked by their management, “Why not consider cloud services (to fulfill this IT function)?”

Is cloud Web security service for you? A good answer to the “Why not consider cloud services?” question requires examining the pros and cons of outsourcing to the cloud, which should cover, at a minimum, the following decision points:

Read more

IBM Gets Smart With Its Archiving Strategy

Brian-Hill  by Brian W. Hill

IBM’s announcement this week outlining the vendor’s archiving vision and strategy is ambitious and far reaching in scope. It’s encouraging to see IBM working across its different internal divisions to deliver solutions that address specific enterprise needs (e.g., message archiving, file system archiving, and SharePoint archiving) while providing a framework and a set of capabilities for broader enterprise archiving.

My initial feedback on IBM’s strategic announcements is positive. Here’s why:


  • Information and technology chaos reign today. Enterprises struggle with IT environments comprised of multiple, fragmented archiving, records management, and eDiscovery applications. Historically, organizations have deployed these applications to address specific needs such as message archiving to improve operational performance or records management to meet regulatory requirements for physical records. But because these deployments have typically evolved organically and in isolation from one another, enterprises grapple with fragmentation, with disparate systems that lack consistent policies and entail significant ongoing TCO and legal risk. In our Q3 2009 survey, 60 percent of records management stakeholders rated synchronizing eDiscovery, records management, and archiving during the eDiscovery process as “challenging” or “very challenging.” IBM clearly understands this scenario and is aligning its offerings and messaging to meet these enterprise needs.
Read more


Information Asset Value: Some Cold-Hearted Calculations

2009-2010 Forrester And Disaster Recovery Journal Survey

Stephanie Balaouras

Two years ago, Forrester and the Disaster Recovery Journal partnered together to field surveys on a pair of pressing topics in Risk Management: Business Continuity (BC) and Disaster Recovery (DR). The surveys help highlight trends in the industry and to provide organizations with some statistical data for peer comparison. The partnership has been a huge success. In 2007, we examined the state of disaster recovery preparedness, in 2008, we examined the state of business continuity preparedness and this year, we examine the state of crisis communications and the interplay between enterprise risk management and business continuity.

We decided to focus on crisis communications because as last year’s study revealed, one of the lessons learned from organizations who had invoked a business continuity plan (BCP) was that they had greatly underestimated the importance and difficulty of communication and collaboration within and without the organization. In any situation, a natural disaster, a power outage, a security incident or even a corporate scandal, crisis communication is critical to responding quickly, managing the response and returning to normal operations.

Organizations approach crisis communication differently. In some organizations, crisis communications is a separate team that works together with BC/DR planning teams to embed communication strategies into BCPs/DRPs and in other companies, BC/DR planning teams do its best to address crisis communication.

Read more

Barracuda acquires Purewire, jumps into cloud computing

Chenxi Wang

Barracuda Networks, the networking appliance vendor headquartered in Campbell, CA, announced today that they entered into agreement to acquire Purewire, a Web security services startup in Atlanta, in a cash/stock deal.

I have to say this announcement came as somewhat a surprise to me. Barracuda is a known networking appliance vendor, selling low-cost, on-premise network security appliances from firewalls to antispam devices. When I spoke to the Barracuda folks a few months back, they remained skeptical about the whole cloud computing craze. This move to acquire Purewire, unexpected as it was, serves as another testimony that cloud computing has reached mainstream status.

 Barracuda made a name for themselves in industry by targeting small to medium businesses. Their SMB-oriented sales strategy has paid off, as Barracuda were able to make a number of acquisitions in the past two years. In 2007, they acquired NetContinuum, a Web application firewall company. Following that, they acquired BitLeap and Yosemite, which form the foundation of their cloud backup services, and now Purewire.

Read more


Data Security: One of Forrester's Top 15 IT Technologies to Watch

What did I learn from the McAfee analyst day? Colin Powell knows a lot about information security

I attended McAfee’s analyst day at its FOCUS 09 Security Conference last week in Las Vegas. It was interesting to see former army general and Secretary of State General, Colin Powell, addressing an information security audience. He attended the same university as I did — City College of New York — so I especially enjoyed cheering on a fellow alum. His speech was very relevant to the security arena, as he discussed the danger of vulnerabilities within any information system and the critical need to safeguard against them. Of course, it fit very well with McAfee’s story, as McAfee CEO, Dave DeWalt did a good job continuing the military theme. However, I still left with feeling of wanting more — perhaps expecting McAfee leaders to say something more concrete about what it all means for them. Do they want to help with cybercrime, cybersecurity, and critical information protection? Will they be working more closely with government in information security initiatives?

(On a positive note, Colin Powell became an unexpected customer reference, as he mentioned recently licensing McAfee antivirus for his personal laptop.)

Along with many executive briefings I had with product managers and marketing folks, there were several highlights for me:

Read more

Back to work and new blog site

Chenxi Wang

Friends, after nearly three months of leave, I am back to work and ready to take on the world again.


While I was gone, a number of notable market movements happened: McAfee acquired MXlogic, AT&T acquired VeriSign’s security service business, and Verizon Business is forming a strategic alliance with McAfee to deliver cloud solutions. Many of the new announcements, which I am busy processing out of my inbox as we speak, have to do with cloud computing. Interestingly enough, in a week or so, I’ll be able to blog about a few more cloud-centric acquisitions and partnership deals. Looks like the cloud bandwagon is as hot as when I left it three months ago.


Read more

Rush To Records Management Certification

Brian-Hill  By Brian W. Hill

As we get closer to ARMA International's Annual Conference & Expo in Orlando, Florida, later this week, it’s likely that we’ll hear a lot about US Department of Defense (DoD) records management certifications. Some enterprises treat DoD 5015.2-STD V3 certification as a “check box” item for RFPs, but for others, such as US federal government agencies, these certifications are required.

Q3 2009 survey data show that in making future records management purchasing decisions, DoD 5015.2-STD V3 certification plays a key role. Forty-two percent of records management stakeholders rate DoD 5015.2-STD V3 (baseline) certification as "important" or "very important" in buying decisions. The comparable figures for DoD 5015.2-STD V3 (classified) and DoD 5015.2-STD V3 (Freedom of Information Act/Privacy Act) are 24% and 34%, respectively (see Figure 1). The survey data show that these certifications are more important for government (local, state, and federal) organizations, but not dramatically so. In comparison with their non-government counterparts and with some variation across the specific DoD 5015.2 certifications, 5% to 10% more government records management decision-makers rated these certifications as "important" or "very important."


Read more