Symantec announced today that it plans to acquire privately-held Clearwell Systems. The $390 million deal significantly strengthens Symantec’s eDiscovery portfolio. With annual sales of $56 million and more than 400 enterprise and law firm customers, Clearwell has traditionally focused on processing, search, and review to support eDiscovery and has more recently offered collection and preservation capabilities. Symantec and Clearwell have a long-standing partnership with several joint customers across their archiving and eDiscovery offerings.
My preliminary perspective is that this acquisition will ultimately be a positive move for current and prospective enterprise customers. The three main reasons:
The intersection of archiving and eDiscovery is critical. Beyond IT and compliance objectives, easing eDiscovery burdens is a top driver for message archiving adoption. In addition to aiming to cut surging messaging volumes, enabling faster and more cost-effective response to litigation and investigations, message archiving decision-makers seek better integration with eDiscovery applications. In our Q1 2011 Global Message Archiving Online Survey, we found that 82% of survey respondents perceive that provider support for collection, review, and other steps in the eDiscovery process is an important buying consideration. Clearwell's eDiscovery offerings augment Symantec’s Enterprise Vault eDiscovery capabilities.
At Forrester, we place a great deal of emphasis on relevance and what it means when researching a topic. For the busy executive, it's sometimes difficult to wade through deep lists of operational security metrics and really understand how relevant the information is to the mission of the business. Further to the problem is the need to understand what your metrics say about the security posture of your organization and the health of the business overall.
The draft title of the report I'm currently working on is Information Security Metrics – Present Information That Actually Matters To The Business. In the paper, I plan to focus on the key factors that make security metrics relevant. The idea here is that if people start checking their BlackBerrys and iPhones while you're presenting your report, it's probably time for some new metrics.
Success is the ability to educate positively the C-Level suite in your organization and demonstrate the value you and your information security program provide.
I just finished a final draft of a presentation on information security executive reporting that I and some colleagues will present at the upcoming Forrester IT Forum in Las Vegas. For those of you who want more information on the Forum please see Forrester's IT Forum 2011 in Las Vegas. In this presentation Alissa Dill, Chris McClean and I will present an approach for using the Balanced Scorecard to present security metrics for senior level audiences. For those of you who are not familiar to the Balanced Scorecard, it was originated by Robert Kaplan currently of the Harvard Business School and David Norton as a performance measurement framework that added non-financial performance measures to traditional financial metrics to give managers and executives a 'balanced' view of organizational performance. This tool can be used to:
Align business activities to the vision and strategy of the organization
Improve internal and external communications
Monitor organization performance against strategic goals
Two years ago, the OAuth API protection mechanism was a fairly well-kept secret. It actually won an award at the 2009 European Identity Conference for "best new/improved standard," but most people didn't seem to have figured out what it was good for yet; I felt like I was the only one even talking about it.
Fast forward a bit, when Facebook started using an early draft of OAuth 2.0 in its Open Graph-based platform, and then a bit more, when Twitter started requiring OAuth 1.0a use by third-party developers (known amusingly as the OAuthcalypse), turning off the HTTP Basic authentication option. And now we're in a world where cloud developers talk casually about the "open API economy" and the ease of getting work done by building RESTful apps, and OAuth is making star appearances in recent gatherings of influential software architects and developers I've attended, such as The Experts Conference and the Internet Identity Workshop.
Companies often demand to know what their peers in a particular vertical market are doing within the realm of information security before making new decisions. “We’re in retail” or “healthcare” or “financial services” they will say, “and we want to do what everyone else in our industry is doing.” Why? The TCP/IP revolution has changed everything, including how vertical markets should be viewed. In the old analog world, you could define yourself by your product or service, but no longer. Today it doesn’t matter if your company sells plastic flowers or insurance — what defines you is your data and how you handle it.
When advising Forrester clients on InfoSec, the first question I ask is, “what compliance mandates are you under?” Like it or not, compliance determines how data is handled and that defines your vertical in our data-driven society. For example, I often say that, “PCI is the world’s largest vertical market.” It is a single global standard that affects more companies than not. You may think you are a hotel and your vertical is hospitality, but if you handle credit cards your real vertical — from a data perspective — is PCI.
Data defines markets. Look at your data, your transactions, and your process, and map them to your compliance initiatives. That will determine your digital — not analog — vertical. Using this measure, you can determine your security baseline and compare yourself to companies who must handle data in the same manner as you to help guide your security decisions.
In my new report, The Risk Manager's Handbook: How To Measure And Understand Risks, I present industry best practices and guidance on ways to articulate the extent or size of a risk. More than the interpersonal, political, and leadership skills required of a risk management professional, defining how risks are measured and communicated is where I believe they prove their worth. If risk measurement techniques are too complicated, they may discourage crucial input from colleagues and subject matter experts... but if they are too simple, they won't yield enough relevant information to guide important business decisions. Great communication skills can only hide irrelevant information for so long.
This report includes factors to use in the risk measurement process, ways to present risk measurement data in meaningful ways, and criteria to use when deciding which of these methods are most appropriate. As always, your feedback is welcome and appreciated.
In addition, I will be covering a related topic with our Security and Risk Council in a session called Creating A High-Impact Executive Report along with my colleague Ed Ferrara at Forrester's upcoming IT Forum: Accelerate At The Intersection Of Business And Technology, May 25-27, in Las Vegas. Please join us if you can make it. Later in the week, I will be available for 1-on-1 meetings with attendees, and I'll also present sessions on linking goverannce and risk and establishing good vendor risk management practices. I hope to see you there.