The Forrester S&R team has doubled in size during the last several years. Today, we're 17 analysts and researchers across the US, Europe, and India, 19 if you count the research associates that support every project. Given the size of the team and the degree to which analysts have been able to specialize, we decided that we'd take a little time each month to highlight each member of the team in one of our bi-monthly newsletters and in a short podcast. If you're not signed up for our newsletters, I highly encourage you to do so; please email firstname.lastname@example.org for additional details. In the meantime, click below to listen to our analyst spotlight on Senior Analyst Tyler Shields.
S&R Podcast Listening Options
Click here to download the MP3 file of this episode.
On the heels of the CrossIdeas acquisition (about which we have recently published a QuickTake), IBM today acquired another IAM cloud provider, Lighthouse Security Group. Its product and service, Lighthouse Gateway, is a small cloud offering that appeared in our Cloud IAM Wave, and we were impressed by the "slickness" and ease of use of its customer interface, both for administration (policy management) and for end users (Lighthouse Gateway provides its own front end to ISIM and ISAM).
We recommend that IAM security and risk professionals ask IBM the following questions about the acquisition:
1) How will IBM offer Lighthouse Gateway? Will it be an add-on to ISIM and ISAM licenses or will it be a standalone offering or both?
2) How will IBM integrate the beautiful user interface of Lighthouse Gateway into ISIM and ISAM on-premises offerings?
3) How will the new IBM IAM access governance ecosystem of ISIM+CrossIdeas be merged with Lighthouse Gateway?
Corporations spend a lot of time and money to ensure their employee- and customer-facing technologies are compliant with all local and regional data privacy laws. However, this task is made challenging by the patchwork of data privacy legislation around the world, ranging from countries with no restrictions on the use of personal data to countries with highly restrictive frameworks. To help our clients address these challenges, Forrester developed a research and planning tool called the Data Privacy Heat Map (try the demo version here). Originally published in 2010, the tool leverages in-depth analyses of the privacy-related laws and cultures of 54 countries around the world, helping our clients better strategize their own global privacy and data protection approaches.
The most recent update to the tool, which was published today, highlights two opposing trends affecting data privacy over the past 12 months:
Increased government surveillance continues to impede the free flow of information. Corporations worry that storing or processing data within the borders of a country with high levels of governmental surveillance could place their intellectual property at risk. Notable additions to the tool's growing list of countries with lowered barriers to government surveillance include the US, Germany, and the UK.
Sometimes ambiguity has power — the power to capture the zeitgeist of a movement, culture, or vision without getting dragged into the weeds about what really is or isn’t included; it provides time for an idea to crystallize, become defined, or reach critical mass.
That (somewhat arcane opening paragraph) sums up where I feel we are with regard to the term "cyber." We all know that it has crept into the security and risk (S&R) lexicon over the past few years, but, by managing to avoid clear definition, it has become all things to all men — a declaration that "information security is different now" without quite saying how. Think about it: if the US Department of Defense and the standards body NIST aren't aligned on their definitions of cybersecurity, how can we expect CISOs and business execs to be?
I have spoken to numerous S&R leaders recently, and, although there was a fair amount of discord, the CISO of one global financial services organization best summarized the prevailing perception:
"'Cyber' is something coming from the Internet attacking our infrastructure assets. We're not classifying internal incidents as cyber, otherwise it makes no sense for us to have another word for something that is a classical security incident. It's about the external and internal distinction."
Cartoon included by kind permission of http://www.kaltoons.com/