Archive for the ‘Analysts’ Category

Jaquith: Data-Centric Security Requires Devolution, Not a Revolution

January 6th, 2009

If I may be so bold as to call Andy Jaquith a friend, I'll do so as I welcome both his first research report and blog as an analyst for Forrester.

Andy's first topic — Data-Centric Security Requires Devolution, Not a Revolution — is a doozy, and an important one given the recent re-focus on information protection. The notion of data-centric security has caused quite the stir over the last year with the maturation, consolidation and (some might say) commoditization of certain marketspaces (DLP) into larger mainstream security product suites.

I will admit that I did not spend the $350 to read Andy's research. As much as I like to support the ever-turning wheels of the analyst sausage machine, I'm going to upgrade to Apple's newly-announced iLife/iWork '09 bundle instead. Sorry, Andy. I'll buy you that beer instead.

However, Andy wrote a great blog entry summarizing the research here:

All of the enterprise's data must be secured… that is obvious. Enterprises have been trying to do this for years with e-mail filtering, hard disk encryption, data leak prevention (DLP) and other technologies. Every few years, another hot technology emerges. But what's less obvious is that the accepted way of tackling the problem — making IT Security the primary responsible party — isn't necessarily the most effective way to do it.

In the report, I take the position that devolution of responsibilities from IT Security to business units is the most important success factor. I'd urge you to read the report for yourself. But in short: as long as data security is just "an IT thing," it's virtually certain that the most accountable parties (BUs) will be able to wash their hands of any responsibility. Depending on the organization, the centralized approach tends to lead to two scenarios:

(1) IT throws up its hands, saying "it's too hard!" — guaranteeing that data security problems breed like rabbits
(2) IT dials up the data controls so tight that end-users and business units rebel against or subvert the controls — leading to even worse problems

What's worse? No controls, or too many? The truth lies somewhere in between, and results vary widely depending on who's accountable: the boss you already know and have a relationship with, or an amorphous cost center whose workers don't know what you do all day. Your boss knows what work products are appropriate to protect, and what aren't. IT Security's role should be to supply the tools to enforce the businesses' wishes, not to operate them themselves.

Want to secure enterprise data? Stop trying so hard, and devolve!

My only comment is that, much like the X-Files, the truth is "out there." It is most certainly somewhere in between, as users and the business will always take the convenient path of least resistance while security will impose the iron fist.

Securing information must be a cooperative effort that involves the broader adoption of pervasive discovery and classification capabilities across the entire information lifecycle. The technology has to become as transparent as possible so that workflow isn't interrupted. That's no easy task.

Rich Mogull and I have been writing and presenting about this for quite some time, and we're making evolutionary progress, but not revolutionary progress.

To that point, I might have chosen a different by-line. Instead of "devolution, not a revolution," I would suggest that perhaps "governed delegation, not regulation" might be appropriate, too.

Can't wait for that iLife/iWork bundle!

Security Analyst Sausage Machine Firms Quash Innovation

July 10th, 2008

Quis custodiet ipsos custodes? Who will watch the watchers?

Short and sweet and perhaps a grumpy statement of the obvious: Security Analyst Sausage Machine Firms quash innovation in vendors’ development cycles and in many cases prevent the consumer — their customers — from receiving actual solutions to real problems because of the stranglehold they maintain on what defines and categorizes a "solution."

What do I mean?

If you’re a vendor — emerging or established — and create a solution that is fantastic and solves real business problems but doesn’t fit neatly within an existing "quadrant," "cycle," "scope," or "square," you’re SCREWED. You may sell a handful of your widgets to early adopters, but your product isn’t real unless an analyst says it is and you still have money in the bank after a few years to deliver it.

If you’re a customer, you may never see that product develop and see the light of day, and you’re the one who pays membership dues to the same analyst firms to advise you on what to do!

I know that we’ve all basically dropped trow and given in to the fact that we’ve got to follow the analyst hazing rituals, but that doesn’t make it right. It really sucks monkey balls.

What’s funny to me is that we have these huge lawsuits filed against corporations for anti-trust and unfair business practices, and there’s nobody who contests this oligopoly of sausage machine analysts — except for other former analysts who form their own analyst firms to do battle with their former employers… but in a kinder, gentler, "advisory" capacity, of course…

Speaking of which, some of the folks who lead these practices have often never used, deployed, tested, or sometimes even seen the products they take money for and advise their clients on. Oh, and objectivity? Yeah, right. If an analyst doesn’t like your idea, your product, your philosophy, your choice in clothing or you, you’re done.

This crappy system stifles innovation; it grinds real solutions into the dirt, such that small startups that really could be "the next big thing" are now often forced to be born as seed technology starters for larger companies to buy for M&A pennies, so they can slow-roll the IP into their roadmaps over a long time and smooth the curve once markets are "mature."

Guess who defines them as being "mature?" Right.

Crossing the chasm? Reaching the tipping point? How much of that even matters anymore?

Ah, the innovator’s dilemma…

If you have a product that well and truly does X, Y and Z, where X is a feature that conforms and fits into a defined category but Y and Z — while truly differentiating and powerful — do not, you’re forced to focus on, develop around and hype X, label your product as being X, and not invest as much in Y and Z.

If you miss the market timing and can’t afford to schmooze effectively and don’t look forward enough with a business model that allows for flexibility, you may make the world’s best X, but when X commoditizes and Y and Z are now the hottest "new" square, chances are you won’t matter anymore, even if you’ve had it for years.

The product managers, marketing directors and salesfolk are forced to fit a product within an analyst’s arbitrary product definition or risk not getting traction, missing competitive analysis/comparisons or even not getting funding; ever try to convince a VC that they should fund you when you’re the "only one" in the space and there’s no analyst recognition of a "market?"

A vendor’s excellent solution can simply wither and die on the vine in a battle of market definition attrition because the vendor is forced to conform and neuter a product in order to make a buck and can’t actually differentiate or focus on the things that truly make it a better

Who wins here?

Not the vendors. Not the customers. The analysts do.

The vendor pays them a shitload of kowtowing and money for the privilege of showing up in a box so they get recognized — and not necessarily for the things that truly matter — until the same analyst changes his/her mind and recognizes that perhaps Y and Z are "real" or creates category W, and the vicious cycle starts anew.

So while you’re a vendor struggling to make a great solution or a customer trying to solve real business problems, who watches the watchers?