French Caldwell

A member of the Gartner Blog Network

French Caldwell
VP and Gartner Fellow
15 years at Gartner
19 years IT industry

French Caldwell is a vice president and Gartner Fellow in Gartner Research, where he leads governance, risk and compliance research. Mr. Caldwell also writes and presents on knowledge management. His research includes analysis of the impact…

Proposed NSA Reform on Bulk Data Collection Declared Illegal by EU Court of Justice

by French Caldwell  |  April 14, 2014  |  3 Comments


While it does not directly affect U.S. legal and constitutional considerations on the NSA phone records program, it is still worth noting that last week the European Court of Justice declared the EU Data Retention Directive (Directive 2006/24/EC) a violation of the fundamental rights of EU citizens under the Charter of Fundamental Rights of the European Union, the equivalent of the Bill of Rights in the U.S.  A fundamental right is a legally protected right, such as the right to due process, the right to equal protection under the law, or the right to free speech, or one of the inalienable rights in the U.S. Declaration of Independence.

The Charter provides for fundamental rights of respect for private life (Article 7), which includes private communications, and protection of personal data (Article 8).  The EU Data Retention Directive required that telecoms and ISPs retain phone records and some internet service records for at least six months and up to two years and make these available to government agencies as needed for law enforcement.  The requirement that telecoms hold on to phone record data instead of the NSA storing the data is likely to be part of the White House proposals for NSA reforms in response to public concerns over domestic spying.

The courts are ultimately the arbiters of what rights are, and of what infringements are allowed.  In order to infringe on a fundamental right, the government must prove that the infringement serves a significant governmental purpose that cannot be achieved in some other way.  Even when that is proved, the infringement must then be narrowly tailored.  It is the latter that the EU Court appears to say was not done: the data retention directive did not narrowly tailor the means of meeting the government’s interest in law enforcement.  This ruling leaves open the ability of the EU to revisit the directive and tailor it more narrowly.  The Court described six ways in which the directive is too broad, and the EU could issue a new directive that addresses those six objections.

Notably the directive was intended to harmonize activities in which many EU member states were already engaged.  And the directive was phrased in terms of law enforcement, where the EU has some standing, not national security where the EU has very little standing.  We should expect that EU member states that have a history of this type of activity will continue to require telecoms and ISPs to store the data for national security purposes.  However, this ruling will balkanize the data, making pan-EU law enforcement and anti-terrorism analysis more difficult.



Category: Cybersecurity, Legal IT, public policy, Surveillance

Gartner Dubai Symposium: An Interactive Conversation on Security and Risk Management

by French Caldwell  |  April 8, 2014  |  3 Comments


A couple of months ago, the conference chair for Gartner’s Dubai Symposium, Mary Mesaglio, presented me a challenge.  She said, “French, we need more local content and more security content.  What’s possible?”

Having made some trips to the Gulf region in the last year, I’d met some really interesting people and heard some great stories.  I told Mary that perhaps we could do a panel.  I shared this idea with some other Gartner associates who have experience in the Middle East and some who work there, and there was real skepticism as to whether we could find panelists willing to share their stories and best practices on security.  Some colleagues told me that the culture just wouldn’t support that kind of open sharing around topics as sensitive as security and risk management.  When I told them that I was going to get the audience to participate in the discussion as well, I met with even more skepticism.

With the assistance of our Gulf region account executives, I reached out to two security and risk management leaders in the region whom I had met on earlier trips, José Rossi at RasGas in Qatar, and Amair Saleem at Dubai Road and Transport Authority.  RasGas had been the target of a highly publicized cyber attack in 2012, and I knew that would grab the attention of attendees, and RTA operates one of the most technologically advanced driverless Metro systems in the world — which represents a breadth of risk management challenges.  Their two organizations also demonstrate the convergence of operational technology (OT) and IT security and risk management.

José and Amair agreed to join the panel, and my colleague Kristian Steenstrup who leads our OT research community at Gartner also joined.  Not only did this panel work out extremely well, the audience itself joined the panel — it was an hour long lively discussion among the attendees and panelists of security and risk management challenges and sharing of practices for dealing with those.  The idea that security and risk management leaders, and CIOs — there were a number of them joining in as well — will not openly share with each other their challenges and solutions is a myth in the Gulf as it is in all the other regions where I have tried this interactive format.  Clearly the panelists and the audience participants saw value in sharing and connecting with each other.

Here are key takeaways from the audience and panelists:

1 — Security awareness: Inducements are very important, such as including metrics in performance appraisals, rewards for tip of the week, and even providing security for personal IT in the home

2 — Risk Management: Should start from business objectives, can’t be a stand-alone function, and risk ownership must be unambiguous

3 — Cloud risk management: Data classification is essential in deciding what can go on the cloud and the type of cloud allowed

This panel and audience were the most dynamic and engaging that I have seen in a long time, and I am grateful to Amair, José, Kristian and the audience participants for contributing, to Mary for insisting that we do this, and to our events program manager Rutuja Vadhavkar for making the arrangements to add this session.


Join us for the first ever Gartner Security and Risk Management Summit in Dubai, 15-16 September 2014.


Category: Cloud, Cybersecurity, Risk Management

The Myth of EMV

by French Caldwell  |  March 25, 2014  |  7 Comments


Like most of us, since the Target hack, I’ve heard statements on how EMV is THE answer to credit card fraud, and how it’s been working great in Europe which has had it for 20 years.  If the business case were so compelling, wouldn’t EMV have made the trip across the Atlantic a long time ago?  Let’s take a look at the numbers.

According to a report from Aite and ACI, with just 10% of credit card users reporting they’ve experienced fraud in the last five years, Germany’s fraud rate would seem to be very low compared to the US (37%).  While there must be more factors than technology alone involved, at first blush, with such a huge disparity, this looks very promising for EMV.  But then, taking a look at the UK, which adopted EMV in 2006, the fraud rate for Britons is 31%, not so far behind the US.  So is credit card fraud in the UK really three times that in Germany?

Perhaps there could be other factors involved.  According to data from the European Central Bank,  Britons use their cards more.  With twice as many transactions per card and more cards per person,  2.4 for each Briton and 1.68 for each German according to the ECB, Britons have almost three times as many transactions per inhabitant.  So, Britons use their cards three times as much as Germans, and they have three times the fraud.  That’s at least one way of looking at the data – I’m sure there are others.

So, perhaps culture and payment habits have something to do with the fraud rate.

Now let’s take a look at the US where the number of credit cards is 3.5 per person.  Is the US fraud rate really that much higher than the UK?  Americans have a consumer lifestyle much like Britons and I would think would use their cards in a similar fashion.  That’s just a working assumption and certainly open to challenge.

As noted above, 37% of Americans and 31% of Britons report experiencing credit card fraud.  Since Americans have 3.5 cards per person and Britons 2.4, dividing the reported fraud rate by the number of cards gives a fraud probability per card of about 10.6% in the U.S. (37% / 3.5) and 12.9% in the UK (31% / 2.4).  Hence, one reason that Americans may experience more incidents of fraud than Britons is simply that they have more cards per person.  There are other reasons as well, such as the percentage of cards that are authorized online or offline in a particular country.  All I am trying to point out here is that EMV is not going to solve the problem of consumer credit card fraud.

No doubt, EMV chip and pin could have a big impact on point-of-sale face-to-face fraud, but it will push fraud to other means, and once the big honeypot of US consumers is on EMV, I’d expect that Europe will see an uptick in cross-border fraud.  The numbers as best as I can tell for the fraction of transaction fraud in US is 0.0005,  and for Europe it is roughly 0.0004, with many countries well below that and several well above it.

With fraud incidence per card roughly equal in US and Europe and the cost of fraud only a tiny fraction of the transaction value — much less even than card fees — it’s easy to see why EMV has not yet made the leap across the Atlantic.  EMV will be helpful, yes – particularly for merchants doing face to face transactions – but looking at the data, the best way to avoid credit card fraud is to follow the German example and just avoid using credit cards.


Category: Cybersecurity, fraud, Standards

Hey, Corporate Director, Who’s Your CISO?

by French Caldwell  |  March 7, 2014  |  3 Comments


I’ve spoken to a few corporate boards on IT governance and risk management, and I’ve one question that I always ask — but first let me clarify this Target CISO tweet with my twitter handle on it.

In an internal Gartner e-mail thread about the Target CIO resigning, I added some irony, writing:  “Another good reason to have CISO — so the CISO can resign.” Violating all manner of e-mail and twitter etiquette, my good friend and colleague Doug Laney blasted my snarkiness to the world in a tweet — thanks, Doug! I mean it — thanks — wish I’d thought to tweet it.

But it’s really not funny, is it, when a CIO must resign her post over something she probably had been trying to fix for some time.  I’ve no special inside knowledge of Target, but we’ve all seen other large organizations that have had big security, risk management, or compliance failures, and typically someone, somewhere has made the problem known, but other business priorities — making a project deadline, opening new big box stores in an emerging market, or closing the deal for a merger — seem more tangible to the powers-that-be (PTB) than dealing with security or risk issues.  ‘We’ve lived with it so far — how do you know something bad will happen, anyway, Ms CIO?’  It’s a real stumper when the PTBs just don’t get it — especially when one fail after another is in the news!

Two factors often emerge when there is a big failure — 1) There’s no one outside of IT who acknowledges ownership of the risk; 2) There’s no one coordinating and providing oversight of the many different risk silos.

Target is just the latest in a long line of consumer giant security fails — remember TJX, remember Sony?

So, after the fail, they all get religion.  The answer lies not just in getting a real corporate CISO, but also in getting true business leader ownership of the risks.  That can only come from the very top, from those who are truly responsible to the shareholders for governance: the Board.  Tone at the top is the one ingredient of risk management where being even a pinch short will end your recipe in disaster.

So besides running an effective coordinated security program, there’s another role for a CISO in a large dynamic enterprise, and that’s working with the leadership of the company and ensuring that IT risk management issues are addressed in business initiatives.  For large organizations, the CISO will have her hands full running a corporate-wide IT security program and organization, and to have that kind of oomph, she must have a direct line to the board.

So, if you’re a corporate director, I have just one question for you: ‘Can you tell me the name of your CISO?’


Category: Cybersecurity, IT Governance

Gartner Legal IT Scenario, 2020 – Smart Machines and LPO Radically Disrupt Legal Profession

by French Caldwell  |  February 28, 2014  |  4 Comments

The first ever Gartner legal IT scenario is out, and it’s both controversial and not.  Many of the disruptions that we discuss in the scenario are well underway, such as the increasing demand for legal process outsourcing (LPO) and the use of advanced analytics, so what’s new?  Well, new are the dramatically disruptive effects arising from the accelerating adoption of legal IT.  Here are a few predictions:

  • By 2020, 75% of U.S. and U.K. corporations will use LPO.
  • By 2019, 75% of corporate legal and IT departments will have shared staff.
  • By 2018, legal IT courses will be required for the graduates of at least 20 U.S. Tier 1 and Tier 2 law schools.

– if you want more, please read the research.  We’ve provided analysis and recommendations for CLOs, law firms, CIOs, and legal IT vendors and service providers in each of the four futures in the scenario.  And we’ve laid out current day evidence and future indicators to guide your legal IT strategy and investments.

One big hint though for all those legal IT vendors — it’s time to get big or get out.  Frankly, half of you guys will be gone within another 36 months.  Good luck!


Category: Legal IT

#RSAC Buzz — Regulators Raising the Bar on Vendor Risk Management

by French Caldwell  |  February 27, 2014  |  2 Comments


Vendor Risk Management Is Flashing Hot

I went to the RSA conference once.  It was really busy then, and from what my buddies on the front lines are reporting, it’s now busier than ever.  So much for the boycott, eh?

A lot of my security buddies are at RSA this week, and are broadcasting the buzz back to the rest of us here at Gartner.  One piece of gossip that got my attention was shared by Erik Heidt.  He said that many of the financial services attendees are talking about the FS regulators ramping up vendor risk oversight requirements on FS firms.  Third party risk management is the one area where I do get involved in security — I always say I’m a risk management analyst whenever anyone asks me a really tricky security question. ;)

Third party risk management is pretty broad.  It covers downstream risks associated with customers and prospects, business partners and resellers, and downstream is where much of the fraud, bribery and corruption comes into play.  It also covers upstream risks associated with suppliers in manufacturing, mining, oil and gas, retail and other supply chains, plus the risks associated with vendors that provide business process outsourcing, information services, or manage IT assets; these vendors can range from a major outsourcer to a visiting nurse.  We group the vendors that somehow touch information which you own or for which you are accountable into VRM.  VRM is focused mostly on the logical supply chain, whereas supplier risk management focuses on the physical goods supply chain.  For more on this, I’ve included at the bottom of this post our working definition for the upcoming Magic Quadrant for Vendor Risk Management, which is slated for Q4 this year.

Anyway, is the buzz about VRM at RSA right?  Yes.  Ever since late October, when the Office of the Comptroller of the Currency published guidance (OCC Bulletin 2013-29) saying that third-party risk management should be part of the ERM program, we have seen an uptick in inquiry on vendor risk management.  I expect the other FFIEC regulators, the FRB, FDIC, NCUA and CFPB, to continue raising the bar as well.

Now there are a couple of immediate problems with complying with the OCC guidance.  First, it assumes that FS firms have ERM programs.  I’m sure most do in name, but frankly, in practice many don’t.  Secondly, most FS firms don’t have a vendor management function, and if you don’t do vendor management, then how can you do vendor risk management?

To deal with the onslaught of client interest, we’ve been ramping up on VRM here at Gartner.  First we formed a dedicated vendor management team, headed up by Linda Cohen, and including my good friends Helen Huntley, Chris Ambrose, and Gayla Sullivan.  You may remember that Helen and I led a special report on VRM in 2009 when the first bubbles of VRM began to appear in the risk management pond.  Now the pond is in full boil, and we’re worried about a steam flash!

By the way, it’s not just FS clients driving the demand — healthcare and E&U are getting into this too in a big way, and no industry vertical will be left behind.  You can thank cloud computing for that!

We’re getting behind the demand for VRM research in a big way.  Very soon, you’ll see a note from Kristian Steenstrup and Gayla Sullivan on VRM for operational technology.  Looking ahead, Chris Ambrose and I are working on updating Gartner’s Simple Vendor Risk Management Framework.  There’s nothing wrong with it now, and it’s very popular, but we want to add more detail on sources of risk data, and key risk indicators for VRM.

Chris, Gayla and I are also working on the new VRM magic quadrant, and we’re starting to track services for VRM.  This is in addition to the work that other analysts like Debbie Wilson, Ray Barger and Noha Tohamy are doing on supplier risk management, Jay Heiser and Rob McMillan on VRM standards, and Khushbu Pratap on auditing vendors.  And I’m also working on some of those downstream risk issues — expect a note on FCPA solutions in Q2.


VRM Technology Definition

Vendor risk management (VRM) is the process of ensuring that the use of third-party service providers and IT suppliers does not create an unacceptable potential for business disruption or a negative impact on business performance.  VRM solutions support enterprises that must assess, monitor and manage their risk exposure from third parties that provide IT products and services, or that have access to enterprise information.



Category: Cloud, compliance, Cybersecurity, Risk Management, Third Party Risk Management, Vendor Contracts

WhiteHouse Announces PTO Will #Crowdsource Patent Review in Anti-Troll Initiative

by French Caldwell  |  February 21, 2014  |  1 Comment


As part of its anti-patent troll initiative, the White House announced a new crowdsourcing initiative at PTO.  Should be interesting.  Is government by the people taking on new expanded meaning and moving beyond representative democracy?

The idea of crowdsourcing patent review has already been tested on a few hundred patents.  PTO used Stack Exchange to test it.  Interestingly, one of the patents shot down in this test was an application from Microsoft, and, as explained by Joel Spolsky, prior art from Microsoft itself was the basis for the refusal.

However, looking at the activity currently on Stack Exchange, I’m not sure how great a service PTO will get there when the novelty wears off.  Since no one is really paid for their expertise, it doesn’t seem totally suited for this task.  How much independent expert input would a totally voluntary service get?  Seems like you’d get a lot of competitors who will fight patents, and that might help, but is it sufficient?

Developing panels of independent experts on Mechanical Turk or a similar service would bring in more independent expertise.  Article One Partners is a crowdsourcing patent research service which Microsoft itself has used.

Perhaps a mix of open public input and crowdsourced expert panels would work to fight the trolling problem.


Category: compliance, Crowdsourcing, Legal IT, public policy, Social Technology

Happy #GIGD, the Problem with Twitter, and Where’s the Love for Info Gov?

by French Caldwell  |  February 20, 2014  |  1 Comment


Global Information Governance Day — who knew.  Not I, and I must apologize to those who take such industry observance days seriously — which I don’t — but I forgot to bring flowers or a bottle of wine or something.  What’s really appropriate for #GIGD anyway?

Not that information governance is not a serious subject, but a tweet jam on the topic is about as useful as a band-aid on a skull fracture.  Information governance is just broken in most organizations, and frankly, in most cases it isn’t going to be rescued.

First of all information governance just doesn’t command budget, does it.  No matter how much you talk to executives about how much better their decisions could be if they had more reliable, accurate and timely information, they just aren’t going to pay for it.  Sorry — but it’s the truth.  Just ask all those KM folks out there (in the interest of full disclosure, I was a KMer and a darn good one).  Like KM, in the context of business information, IG just becomes another librarian function.

The other day a CIO shared that her discretionary budget had been whacked to zero.  She was cancelling all her projects, but one.  Guess what that one project was that didn’t need any budget — yep, IG!

But what if we could find a problem where doing IG well really has clear and direct payoffs — like KM did when CRM found it.  The marriage of KM and CRM has been an outstanding success.  Certainly not as strategic as the marriage of KM to business decision making or business performance would have been, but no one can doubt that CRM really loves KM and vice versa.  In the IT world, money is love, and CRM sure has a lot of money.

But who loves IG?  E-Discovery, that’s who.  But ugh, IG doesn’t really love e-discovery, and that’s sad.  IG wants to be even bigger than e-discovery.  Big IG wants to find its full potential in supporting business decision makers to make better decisions, and not just the big decision makers, but all of those people who are making crucial decisions all across the enterprise, and even customers who are making decisions.

Unfortunately, that’s just not going to happen.  Big IG is stuck with regulation and litigation for now.  But there’s a lot of room for little IG in all those business digitalization projects; frankly they don’t work without IG, but this isn’t the Big IG that we all want to be.  So what!  The point is there is a little IG in every business digitalization project, and as the Internet of Things takes off, all those little IGs will add up to a mammoth amount of IG, but they are not going to be controlled from BIG IG CENTRAL.  Ain’t gonna happen.  Get over it.



So, except for regulation and litigation where Big IG is being forced into an arranged marriage with Big Discovery, there’s no one else out there for Big IG.  On the other hand, a whole bunch of little IGs really add up to a whole lot of love.


Category: compliance, Legal IT

WSJ: Target Warned of Vulnerabilities Before Data Breach

by French Caldwell  |  February 15, 2014  |  1 Comment

I wouldn’t read too much into the headline of this WSJ article.  Security intel people warn of problems all the time – it’s their job.  A real bit of news is in the last paragraph of the article:

Several members of Target’s cybersecurity team left the company in the months before the hack, according to people familiar with the matter and a search of social media profiles. Many left for more prestigious jobs at other firms, the former employee said.

As cybersecurity becomes a prominent issue for execs, chief legal officers and corporate directors, companies that are building IT security teams are going to be poaching experienced security pros from other companies.  This poaching is a significant risk, and companies should do an assessment of their own susceptibility to it.


Category: Cybersecurity

A Revolution in GRC Affairs at Gartner (or burning the EGRC mq)

by French Caldwell  |  February 4, 2014  |  3 Comments


Gartner’s coverage of vendors in the GRC marketplace is about to change.  The main reason for the change, as noted in the most recent Enterprise Governance, Risk and Compliance Platforms Magic Quadrant, is that GRC solutions buyers are shifting away from a platform-centric approach to one focused on targeted solutions for specific use cases.

A platform approach is attractive for its ability to get all risk management and compliance professionals on the same system of record.  Being on the same system of record allows more effective sharing of risk and controls information, and the elimination of inefficient overlaps between risk management and compliance silos.  Internal auditors for instance can gain access to IT security’s risk assessments, thus enabling more effective allocation of audit resources to higher risk areas.  And IT security and audit, by using the same taxonomies for risks and controls, can reach agreement on where remediation is most needed.  Platforms also enable improved executive and board level reporting through aggregation of risk and control data across risk management and compliance programs.

On the other hand, buyers of platform-based solutions usually end up sub-optimizing something.  For instance a GRC vendor may have a superb solution for corporate compliance management, but poor operational risk management capabilities.  When most enterprises had fairly immature risk management and compliance organizations, the trade-off of sub-optimizing some technology solutions in order to get all the organizational silos on the same system of record was reasonable.  However, as organizational maturity improves, the gaps in technology support become more of  a limitation.

As more enterprises have matured their risk management and compliance functions, the market has reached the point where buyers want targeted solutions that fit their needs for specific use cases.  The following use cases are the subject of ongoing GRC research at Gartner:

  • Use case 1: IT Risk Management (ITRM). The use of GRC tools for management, measurement, and reporting against IT risk. While this may include security operations data and processes, implementations that are primarily focused on security operations, analysis, and reporting will be considered “below the line” and not part of this use case.
  • Use case 2: Operational risk management (ORM). The use of GRC tools for management, measurement, and reporting against operational risk.  Enterprise risk management, considered as the impact of risks on enterprise strategic objectives, will also be addressed in this use case.
  • Use case 3: Audit management. Audit solutions used by internal audit teams that document and track phases of the audit cycle — audit planning, audit risk assessment, audit project management, time and expense management, issue tracking, audit work paper management, audit evidence management, and reporting. Implementations primarily for the benefit of non-audit functions are excluded.
  • Use case 4: Vendor risk management (VRM). The use of VRM tools for management, measurement, and reporting against vendor and third party related risk.  This will include capabilities to identify, classify, monitor, and recommend risk mitigation to support business operations and regulatory requirements.
  • Use case 5:  Business continuity management (BCM). Supporting the coordinating, facilitating and executing activities that ensure an enterprise’s effectiveness in identifying and mitigating operational risks that can lead to business disruptions, and recovering mission-critical business operations after a disruptive event turns into a disaster.
  • Use case 6: Corporate Compliance and Oversight. Compliance management and reporting associated with corporate governance codes, ethics, and financial reporting integrity regulations, such as Sarbanes-Oxley, Turnbull and others, and other regulations, standards and policies that materially affect the compliance posture of the overall enterprise.

Having all these use cases supported by the same vendor on the same platform is helpful but not mandatory.  Vendors who are opening up their platforms to make integration easier are more competitive in this new phase of the GRC marketplace.

Recognizing the shift in the GRC marketplace from platform-centric to targeted solutions, Gartner will no longer publish the Enterprise Governance, Risk and Compliance Platform Magic Quadrant or the IT GRC Management MarketScope.  We have instead developed an aggressive 2014 GRC technology agenda with specific deliverables for targeted solutions, including the following, with lead author:

  • Market Guide for Audit Management – Khushbu Pratap
  • Magic Quadrant for Operational Risk Management – John Wheeler
  • Magic Quadrant for Security & IT Risk — Paul Proctor (Erik Heidt will lead additional Gartner for Technology Professionals deliverables)
  • Magic Quadrant for Business Continuity Planning — Roberta Witty
  • Magic Quadrant for Vendor Risk Management — Chris Ambrose
  • Market Guide for Corporate Compliance and Oversight — French Caldwell

These deliverables will assess both broad-based GRC platform vendors, as well as vendors who offer only targeted solutions.

Of course, the GRC platform market is far from dead.  Besides using platform solutions to enable cross-silo collaboration, many enterprises designate one of their GRC platforms as the platform of record for higher level reporting for enterprise risk management, strategic planning, and incident management.  To facilitate collaboration between risk silos, and cross-enterprise coordination and reporting, we recognize that many buyers in the market will still want to compare GRC platforms.  To enable comparison of GRC platform vendors who address multiple use cases, we will produce the following research note that will rate the top 10 GRC vendors on each of the use cases and also provide an overall ranking of the platforms:

Most of the above research notes will be delivered in Q3 and Q4 of 2014.  In the meantime, our clients are welcome to contact the analysts above.  Vendors, whether client or not, who wish to brief us on their capabilities to support any of the use cases above or who have questions on the process should please contact Gartner’s vendor relations to schedule a briefing.

We recognize this is a large change to how GRC is covered at Gartner, but it is indicative of the market direction.  We expect our competitors to follow suit.


Category: Applications, compliance, GRC, IT Governance, Risk Management