If I may be as bold to call Andy Jaquith a friend, I'll do so as I welcomed both his first research report and blog as an analyst for Forrester.
Andy's first topic — Data-Centric Security Requires Devolution, Not a Revolution — is a doozy, and an important one given the recent re-focus on information protection. The notion of data-centric security has caused quite the stir over the last year with the maturation, consolidation and (some might say) commoditzation of certain marketspaces (DLP) into larger mainstream security product suites.
I will admit that I did not spend the $350 to read Andy's research. As much as I like to support the ever-turning wheels of the analyst sausage machine, I'm going to upgrade to Apple's newly-announced iLife/iWork '09 bundle instead. Sorry, Andy. I'll buy you that beer instead.
However, Andy wrote a great blog entry summarizing the research here:
In the report, I take the position that devolution of responsibilities from IT Security to business units is the most important success factor. I'd urge you to read the report for yourself. But in short: as long as data security is just "an IT thing," it's virtually certain that the most accountable parties (BUs) will be able to wash their hands of any responsibility. Depending on the organization, the centralized approach tends to lead to two scenarios:
(2) IT dials up the data controls so tight that end-users and business units rebel against or subvert the controls — leading to even worse problems
What's worse? No controls, or too many? The truth lies somewhere in between, and results vary widely depending on who's accountable: the boss you already know and have a relationship with, or an amorphous cost center whose workers don't know what you do all day. Your boss knows what work products are appropriate to protect, and what aren't. IT Security's role should be supply the tools to enforce the businesses' wishes, not operate them themselves.
Want to secure enterprise data? Stop trying so hard, and devolve!
My only comments are that much like the X-Files, the truth is "out there." It is most certainly somewhere in between as users and the business will always take the convenient path of least resistance and security will impose the iron fist.
Securing information must be a cooperative effort that involves the broader adoption of pervasive discovery and classification capabilities across the entire information lifecycle. The technology has to become as transparent as possible such that workflow isn't interrupted. That's no easy task
Rich Mogull and I have been writing and presenting about this for quite some time, and we're making evolutionary progress, but not revolutionary progress.
To that point, I might have chosen a different by-line. Instead of "devolution, not a revolution," I would suggest that perhaps "goverened delegation, not regulation" might be appropriate, too.
Can't wait for that iLife/iWork bundle!