French Caldwell

A member of the Gartner Blog Network

French Caldwell, VP and Gartner Fellow
15 years at Gartner, 19 years in the IT industry

French Caldwell is a vice president and Gartner Fellow in Gartner Research, where he leads governance, risk and compliance research.  Mr. Caldwell also writes and presents on knowledge management.  His research includes analysis of the impact…

WhiteHouse Announces PTO Will #Crowdsource Patent Review in Anti-Troll Initiative

by French Caldwell  |  February 21, 2014


As part of its anti-patent troll initiative, the White House announced a new crowdsourcing initiative at PTO.  Should be interesting.  Is government by the people taking on new expanded meaning and moving beyond representative democracy?

The idea of crowdsourcing patent review has already been tested on a few hundred patents.  PTO used Stack Exchange to run the test.  Interestingly, one of the patents shot down in this test was an application from Microsoft, and, as explained by Joel Spolsky, prior art from Microsoft itself was the basis for the refusal.

However, looking at the activity currently on Stack Exchange, I’m not sure how great a service PTO will get there when the novelty wears off.  Since no one is really paid for their expertise, it doesn’t seem totally suited for this task.  How much independent expert input would a totally voluntary service get?  Seems like you’d get a lot of competitors who will fight patents, and that might help, but is it sufficient?

Developing panels of independent experts on Mechanical Turk or a similar service would bring in more independent expertise.  Article One Partners is a crowdsourcing patent research service which Microsoft itself has used.

Perhaps a mix of open public input and crowdsourced expert panels would work to fight the trolling problem.


Category: compliance, Crowdsourcing, Legal IT, public policy, Social Technology

Happy #GIGD, the Problem with Twitter, and Where’s the Love for Info Gov?

by French Caldwell  |  February 20, 2014


Global Information Governance Day — who knew.  Not I, and I must apologize to those who take such industry observance days seriously — which I don’t — but I forgot to bring flowers or a bottle of wine or something.  What’s really appropriate for #GIGD anyway?

Not that information governance is not a serious subject, but a tweet jam on the topic is about as useful as a band-aid on a skull fracture.  Information governance is just broken in most organizations, and frankly, in most cases it isn’t going to be rescued.

First of all, information governance just doesn’t command budget, does it?  No matter how much you talk to executives about how much better their decisions could be if they had more reliable, accurate and timely information, they just aren’t going to pay for it.  Sorry — but it’s the truth.  Just ask all those KM folks out there (in the interest of full disclosure, I was a KMer and a darn good one).  Like KM, in the context of business information, IG just becomes another librarian function.

The other day a CIO shared that her discretionary budget had been whacked to zero.  She was cancelling all her projects but one.  Guess which project was the one that didn’t need any budget — yep, IG!

But what if we could find a problem where doing IG well really has clear and direct payoffs — like KM did when CRM found it.  The marriage of KM and CRM has been an outstanding success.  Certainly not as strategic as the marriage of KM to business decision making or business performance would have been, but no one can doubt that CRM really loves KM and vice versa.  In the IT world, money is love, and CRM sure has a lot of money.

But who loves IG?  E-Discovery — that’s who.  But ugh, IG doesn’t really love e-discovery, and that’s sad.  IG wants to be even bigger than e-discovery — Big IG wants to find its full potential in supporting business decision makers to make better decisions — and not just the big decision makers, but all of those people who are making crucial decisions all across the enterprise, and even customers who are making decisions.

Unfortunately, that’s just not going to happen.  Big IG is stuck with regulation and litigation for now.  But there’s a lot of room for little IG in all those business digitalization projects — frankly they don’t work without IG — but this isn’t the Big IG that we all want to be.  So what! — the point is there is a little IG in every business digitalization project and as the Internet of Things takes off, all those little IG’s will add up to a mammoth amount of IG — but they are not going to be controlled from BIG IG CENTRAL.  Ain’t gonna happen — get over it.



So, except for regulation and litigation where Big IG is being forced into an arranged marriage with Big Discovery, there’s no one else out there for Big IG.  On the other hand, a whole bunch of little IGs really add up to a whole lot of love.


Category: compliance, Legal IT

WSJ: Target Warned of Vulnerabilities Before Data Breach

by French Caldwell  |  February 15, 2014

I wouldn’t read too much into the headline of this WSJ article.  Security intel people warn of problems all the time – it’s their job.  A real bit of news is in the last paragraph of the article:

Several members of Target’s cybersecurity team left the company in the months before the hack, according to people familiar with the matter and a search of social media profiles. Many left for more prestigious jobs at other firms, the former employee said.

As cybersecurity becomes a prominent issue for execs, chief legal officers and corporate directors, companies that are building IT security teams are going to be poaching experienced security pros from other companies.  This poaching is a significant risk in itself, and companies should assess their own susceptibility to it: who holds the knowledge of the environment, the tooling and the monitoring, and what happens to detection and response if those people leave in the same quarter.


Category: Cybersecurity

A Revolution in GRC Affairs at Gartner (or burning the EGRC mq)

by French Caldwell  |  February 4, 2014


Gartner’s coverage of vendors in the GRC marketplace is about to change.  The main reason for the change, as noted in the most recent Enterprise Governance, Risk and Compliance Platforms Magic Quadrant, is that GRC solutions buyers are shifting away from a platform-centric approach to one focused on targeted solutions for specific use cases.

A platform approach is attractive for its ability to get all risk management and compliance professionals on the same system of record.  Being on the same system of record allows more effective sharing of risk and controls information, and the elimination of inefficient overlaps between risk management and compliance silos.  Internal auditors for instance can gain access to IT security’s risk assessments, thus enabling more effective allocation of audit resources to higher risk areas.  And IT security and audit, by using the same taxonomies for risks and controls, can reach agreement on where remediation is most needed.  Platforms also enable improved executive and board level reporting through aggregation of risk and control data across risk management and compliance programs.

On the other hand, buyers of platform-based solutions usually end up sub-optimizing something.  For instance, a GRC vendor may have a superb solution for corporate compliance management, but poor operational risk management capabilities.  When most enterprises had fairly immature risk management and compliance organizations, the trade-off of sub-optimizing some technology solutions in order to get all the organizational silos on the same system of record was reasonable.  However, as organizational maturity improves, the gaps in technology support become more of a limitation.

As more enterprises have matured their risk management and compliance functions, the market has reached the point where buyers want targeted solutions that fit their needs for specific use cases.  The following use cases are the subject of ongoing GRC research at Gartner:

  • Use case 1: IT Risk Management (ITRM). The use of GRC tools for management, measurement, and reporting against IT risk. While this may include security operations data and processes, implementations that are primarily focused on security operations, analysis, and reporting will be considered “below the line” and not part of this use case.
  • Use case 2: Operational risk management (ORM). The use of GRC tools for management, measurement, and reporting against operational risk.  Enterprise risk management, considered as the impact of risks on enterprise strategic objectives, will also be addressed in this use case.
  • Use case 3: Audit management. Audit solutions used by internal audit teams that document and track phases of the audit cycle — audit planning, audit risk assessment, audit project management, time and expense management, issue tracking, audit work paper management, audit evidence management, and reporting. Implementations primarily for the benefit of non-audit functions are excluded.
  • Use case 4: Vendor risk management (VRM). The use of VRM tools for management, measurement, and reporting against vendor and third party related risk.  This will include capabilities to identify, classify, monitor, and recommend risk mitigation to support business operations and regulatory requirements.
  • Use case 5:  Business continuity management (BCM). Supporting the coordinating, facilitating and executing activities that ensure an enterprise’s effectiveness in identifying and mitigating operational risks that can lead to business disruptions, and recovering mission-critical business operations after a disruptive event turns into a disaster.
  • Use case 6: Corporate Compliance and Oversight. Compliance management and reporting associated with corporate governance codes, ethics, and financial reporting integrity regulations, such as Sarbanes-Oxley, Turnbull and others, and other regulations, standards and policies that materially affect the compliance posture of the overall enterprise.

Having all these use cases supported by the same vendor on the same platform is helpful but not mandatory.  Vendors who are opening up their platforms to make integration easier are more competitive in this new phase of the GRC marketplace.

Recognizing the shift in the GRC marketplace from platform-centric to targeted solutions, Gartner will no longer publish the Enterprise Governance, Risk and Compliance Platform magic quadrant or the IT GRC Management marketscope.  We have instead developed an aggressive 2014 GRC technology agenda with specific deliverables for targeted solutions, including the following, with lead author:

  • Market Guide for Audit Management – Khusbu Pratap
  • Magic Quadrant for Operational Risk Management – John Wheeler
  • Magic Quadrant for Security & IT Risk — Paul Proctor (Erik Heidt will lead additional Gartner for Technology Professionals deliverables)
  • Magic Quadrant for Business Continuity Planning — Roberta Witty
  • Magic Quadrant for Vendor Risk Management — Chris Ambrose
  • Market Guide for Corporate Compliance and Oversight — French Caldwell

These deliverables will assess both broad-based GRC platform vendors, as well as vendors who offer only targeted solutions.

Of course, the GRC platform market is far from dead.  Besides using platform solutions to enable cross-silo collaboration, many enterprises designate one of their GRC platforms as the platform of record for higher level reporting for enterprise risk management, strategic planning, and incident management.  To facilitate collaboration between risk silos, and cross-enterprise coordination and reporting, we recognize that many buyers in the market will still want to compare GRC platforms.  To enable comparison of GRC platform vendors who address multiple use cases, we will produce the following research note that will rate the top 10 GRC vendors on each of the use cases and also provide an overall ranking of the platforms:

Most of the above research notes will be delivered in Q3 and Q4 of 2014.  In the meantime, our clients are welcome to contact the analysts above.  Vendors, whether client or not, who wish to brief us on their capabilities to support any of the use cases above or who have questions on the process should please contact Gartner’s vendor relations to schedule a briefing.

We recognize this is a large change to how GRC is covered at Gartner, but it is indicative of the market direction.  We expect our competitors to follow suit.


Category: Applications, compliance, GRC, IT Governance, Risk Management

To Improve Cloud Security, by 2020, Enterprises Will Fire Senior Managers

by French Caldwell  |  January 17, 2014

I came across a survey report last week from the security and investigations firm Stroz Friedberg that highlights the fundamental tenet of effective compliance and risk management – tone at the top.  The survey of 764 information workers shows that senior managers are the worst offenders when it comes to using personal cloud services to manage work-related information: 87% of them regularly upload work documents to personal cloud accounts or e-mail.

This revelation of senior manager culpability in poor cloud security led me to share an ironic prediction with my colleagues – By 2020, enterprises will incorporate senior management redundancies into their infosec maturity programs.  No, this is not an official Gartner prediction!

Seriously, though – think about it.  If senior managers are willing to bypass the IT organization and its security strategies, then what about the rest of the employees?  Now, here’s some real irony – the report says that 54% of lower ranking employees believe that security is the IT organization’s problem.  Essentially, these employees are saying, “Catch me if you can.”  So, is that passive-aggressive behavior, or what?  And it all starts at the top.

Meanwhile, IT is jumping through hoops to make sure that they can prove that cloud service providers used by the enterprise can demonstrate that they have effective security compliance and risk management.  And thousands of providers are responding to their customers’ demands for site visits, third party audits, certifications, and responses to bespoke questionnaires that have hundreds of questions.  Most often all this activity is driven by compliance mandates – meaning that there are penalties for not properly controlling certain types of information, most often personal information.  But when they use personal cloud services, there’s a risk that senior managers and their followers are bypassing all of those controls that IT and the service providers are working so hard to ensure are in place and working.

The question on whether all this compliance and audit activity is worth it is legit.  With respect to enterprise-grade SaaS vendors, my colleague Jay Heiser says he’s yet to find a SaaS risk event that had a material impact.  If you know of one, please call Jay.

Regardless of what we may think of the risks, the bottom line on the Stroz Friedberg survey is that tone at the top matters – and it matters more than anything else.  When something goes wrong, are senior managers at your organization asking what they did wrong, or are they asking what IT security did wrong?  At Gartner’s 2013 Barcelona Symposium I attended an organizational change workshop run by business relationship guru Keith Ferrazzi.  Keith said that any real change starts with the leader who wants change – and first that leader must change.  So, to improve security and risk management, business leaders must look first to themselves and their own behavior, and be open to making the biggest change in their own behavior.

Unfortunately, my colleague Tom Scholtz reported in his recent security managers survey that involvement of non-IT leaders in security governance is waning, a finding that is seconded by another colleague, John Wheeler, who found in his risk managers survey that investment in technology for risk management is shifting toward technical security solutions.  This lack of involvement by leaders, combined with a growing dependence on technical solutions, is unlikely to encourage employees to follow the rules.

With the explosion of cloud services and the ease of use of personal clouds, it’s unrealistic that employees would quit using them for work purposes.  Senior managers need to remember that what they do, their employees will do.  Business leaders who seriously assess the risks of personal cloud services, establish responsible (and simple) rules on the use of personal clouds, and then follow those rules themselves, are the ones that will be most successful at protecting against the loss of sensitive information.  It’s those leaders and not IT security who will best protect the enterprise.


Category: Cloud, compliance, IT Governance, Risk Management

Praise or Punishment? You Decide — Take the poll

by French Caldwell  |  January 16, 2014

The comments from readers on this story about two Yale students who built an online course comparison service are as interesting as the story itself.  Aggregating data has created a boon for internet information services, and these Yale students were aggregating information to help their fellow students make hard decisions.  After all, these students are spending thousands of dollars per course.  These two brothers took information that was practically obscure, such as evaluations of professors — perhaps especially evaluations of professors — and made it more transparent.

The university may have a point in that some of the information may not have been collected for the purposes that these two students were using it for; yet, does that make the service they were providing less legitimate, or does that demonstrate the value of information when it is aggregated in a meaningful way to support decision making? In fact, what good is information if it is not aggregated in a useful way — why spend the time and effort to create the information anyway, if you are just going to disperse it in a fashion that makes its value trivial?

Universities support and promote research that does just what these two students did — bring together information that is legitimately available and present it in a way that enables important decisions.  The service provided by these two students most likely supported more actionable decision-making in the span of a few days than all the public policy research published by Yale faculty in the last year.

After you read the story and some of the comments, especially the comment from Harry Yu, one of the service’s creators, how about taking the poll?  Thanks!



Category: Social Technology, Transparency

New FFIEC Guidance on Social Media Risk Management Effective Immediately

by French Caldwell  |  December 13, 2013

The final guidance from the FFIEC on social media risk management for financial institutions has been promulgated.  It is effective immediately.  As I mentioned earlier this year, regulatory guidance of this sort is not optional.

I recently did a study of the public comments on the proposed guidance for my doctorate in law and policy program at Northeastern University – if you’d like some rather poor entertainment, I made a 7-minute YouTube video summarizing the analysis.  Through the analysis of public comments, perceptions of cost and complexity emerged as consistent themes.  Cost was expressed by the commenters in terms of both the time and expense that would be needed to comply with the guidance and the technology investments that could be required.  Complexity was expressed as the breadth of the proposed guidance, with concerns that it attempted to offer a broad-brush overlay on existing regulations without actually modifying those regulations.  Examples of complexity cited in the public comments included having to comply with the proposed guidance as well as existing social media guidance from other regulators, which could conflict; the question of the legality of monitoring employees’ personal use of social media; concerns with respect to ensuring consumer privacy; and the challenge of presenting mandatory disclosures to consumers within the technical limits of social media.

While the most common public comments from the financial institutions look to have been addressed in some fashion, it is indubitable that the guidance will require stricter attention to social media compliance, which will require more investment in time, process and, in some larger firms, technology.  One issue that remains particularly salient for Gartner clients is employee monitoring.

I am working through the final guidance with the goal of publishing a Gartner impact analysis.  After you read through the guidance, if you identify a particular aspect you would like to make sure is addressed, then please comment here in this blog.


Category: Cloud, compliance, GRC, public policy, Risk Management, Social Technology

A Worst Probable Case Scenario for U.S. Government Shutdown Planning

by French Caldwell  |  October 4, 2013

If you follow the shutdown news, you’ll no doubt hear some talking heads saying the shutdown will last a few more days, and some cleverer pundits starting to link the timing of the shutdown to the debt limit deadline of 17 October.  Business, government and IT executives need a scenario on which to base longer-term decision making related to the shutdown, so I’ve put on my inside-the-beltway strategist hat and come up with one.  I hope it helps.

First, the background.  Without going into political issues at stake, it’s clear that Congress is hopelessly deadlocked.  Neither political party is in control of Congress, and both parties are split further by factions.  There’s no clear path forward for a bipartisan coalition to pass a continuing resolution to fund government operations, and to raise the debt limit.  We are in a constitutional crisis.

With this deadlock, consider the following probabilities:

1 — There will be no agreement on a continuing resolution before 15 October, the next payday for government employees (0.8 probability).

2 — The debt limit will not be raised by 15 October, two days before the ceiling is reached (0.5 probability).

3 — If the debt limit is not raised, the Department of the Treasury will identify further extraordinary means to extend the debt limit for at most two more weeks through the end of October (0.4 probability).

4 — Come 1 November the U.S. government will not pay some of its bills, perhaps things like Medicare reimbursements and utilities of some federal facilities (0.2 probability).

As the above probabilities play out, the following scenario becomes more likely:

  • Government agencies will be told to identify the absolute minimum skeleton crew required to maintain public safety and security.  Courts will shut down.
  • Plans for the use of National Guard and other military units to protect abandoned federal facilities will be established.
  • The government will announce a prioritization plan that will focus on paying many items not affected by the continuing resolution such as social security, veterans benefits, and interest payments on government debt.
  • It is highly unlikely, a virtually nil probability, that the U.S. Government will default on its debt.  Rather than allow even a temporary default, it is likely that as the ultimate debt limit is approached, Congress will pass incremental increases in the debt ceiling to assure world markets of a commitment not to default.

Federal agencies should assume a prolonged governmental shutdown which may require mothballing some facilities that current continuity of operations (COOP) plans assume will stay operational. State and local governments, and businesses that depend on federal data and federal IT systems should assume that data will not be available for up to two months.

This scenario is not the absolute worst case.  Rather, it is a worst probable case.  In 2010 and 2011, the Belgian government was deadlocked for over a year, but a caretaker government was able to pass a budget and continue running governmental services until a new government could be formed.  The U.S. Government constitutionally does not have that flexibility, and it is mammothly consequential to the global economy; both of these militate against a prolonged constitutional deadlock, but also magnify the shock of one.


Category: public policy, Strategic Planning, Uncategorized

Leaving the Screen Door Open for the G-Man

by French Caldwell  |  July 17, 2013

Colleagues today were discussing again the Snowden revelations about service providers giving governments access to digital business and social media data.  One colleague suggested that we should not use the term back door in this context since by the traditional IT security definition this would imply that government agencies had direct access to the operational systems of service providers.

That’s a good point.  By the traditional definition, a back door is a hidden path into a system that bypasses its normal authentication and controls; what the Snowden documents describe is closer to a back screen door that is left unlocked.  The door to the house remains locked.  Facebook, Yahoo and others are putting things out on the back porch that the government milkman can pick up.

When talking to relatives and friends, they seem okay with that.  But when I raise to them that if Facebook is doing that for NSA, don’t you think they are doing it for other governments, then they get a bit nervous.

But they still insist that they don’t put anything on Facebook that would get them in trouble.  And then I ask, are all your friends doing the same?  And what about their friends?  What if you get scooped up in an investigation because you have a relationship, even 2nd or 3rd degree, with someone else?  What if you were denied a clearance on that basis, or a job?

I guess we just don’t remember history.


Category: Cybersecurity, public policy, Social Technology, Uncategorized

Where Are the Vendors? Please Don’t Play Hide and Seek With the Analysts

by French Caldwell  |  May 23, 2013

As John Wheeler and I work on the updated Enterprise GRC Platform magic quadrant, I wonder what has happened to many of the vendors that used to brief us.  Actually, I know where they are, and now and then I’ll see them at a trade show, or shoot them an e-mail asking for an update.  I always tell these vendors to make sure they stay in touch with, at a minimum, an annual briefing.  Some do, some don’t.

Not keeping the analysts up to date is a mistake.  Everyday I recommend vendors to clients that are looking for solutions, and often those recommendations include vendors who have a special capability, industry domain knowledge, or geographic focus, but who do not meet all the magic quadrant inclusion criteria.

Another thing I do is make sure I include vendors in other research, such as hype cycles.  For instance in the enterprise GRC platforms profile on the GRC hype cycle, I include vendors who have updated me in the last year, and I remove any who have not.  Same for the continuous controls monitoring profile.  So the best way to get yourself removed from the “example vendors” on the hype cycle is to make sure you do not brief the analysts.

Vendors are also often mentioned in technology overview notes.  Sure, I’ll reach out to try to get them to brief me for the third party risk management and social GRC notes I’m working on, but could I miss a particular vendor because they have not kept in touch?  Yes, I could.


Category: Uncategorized