You hear this in the voice of so many digital marketers today. They’re fired up by big visions. But they often have more passion than conviction—because, let’s face it, this stuff isn’t exactly easy.

This observation inspired a thought: At its heart, great content is really the great equalizer. While doing content marketing well is by no means easy, it’s a challenge that’s somehow more familiar—more tractable—to a lot of marketers. It’s about storytelling. It’s about merchandizing moments of inspiration. It’s about taking some risk, having some fun and allowing a little soul and humanity to seep into our work. It’s about producing artifacts that challenge thinking, enlighten, enliven, entertain, engage.

Red Bull is a great example. For adrenaline junkies—or, more likely, voyeurs of adrenaline-producing experiences—their content is utterly irresistible. But, you may suggest, there’s nothing particularly equalizing about Red Bull’s content marketing efforts. They’ve become a publisher in their own right, producing extraordinary videos of extraordinary quality. They sponsored and staged a supersonic space jump, after all. No shortage of ambition there.

Fair enough. Red Bull is a category-defining example, a class unto itself. But I’d argue that the sort of earned visibility they’ve generated would have been prohibitive using paid media or other digital tactics.

And that’s the point I’m trying to make: Great content is the great equalizer because, compared to so many other digital strategies, it’s more cost effective at any scale. When it’s done right, content marketing amplifies reach, engagement and makes your brand soar.

You might even say it gives you wings.

VMware has previously had a strategy of being an arms dealer to service providers who wanted to offer cloud IaaS. In addition to the substantial ecosystem of providers who use VMware virtualization as part of various types of IT outsourcing offerings, VMware also signed up a lot of vCloud Powered partners, each of which offered what was essentially vCloud Director (vCD) as a service. It also certified a number of the larger providers as vCloud Datacenter Service Providers; each such provider needed to meet criteria for reliability, security, interoperability, and so forth. In theory, this was a sound channel strategy. In practice, it didn’t work.

Of the certified providers, only CSC has managed to get substantial market share, with Bluelock trailing substantially; the others haven’t gotten much in the way of traction, Dell has now dropped their offering entirely, and neither Verizon nor Terremark ended up launching the service. Otherwise, VMware’s most successful service providers — providers like Terremark, Savvis, Dimension Data, and Virtustream — have been the ones who chose to use VMware’s hypervisor but not its cloud management platform (in the form of vCD).

Indeed, those successful service providers (let’s call them the clueful enterprise-centric providers) are the ones that have built the most IP themselves — and not only are they resistant to buying into vCD, but they are increasingly becoming hypervisor-neutral. Even CSC, which has staunchly remained on VMware running on VCE Vblocks, has steadily reduced its reliance on vCD, bringing in a new portal, service catalog, orchestration engine, and so forth. Similarly, Tier 3 has vCD under the covers, but never so much as exposed the vCD portal to customers. (I think the industry has come to a broad consensus that vCD is too complex of a portal for nearly all customers. Everyone successful, even VMware themselves with vCHS, is front-ending their service with a more user-friendly portal, even if customers who want it can request to use vCD instead.)

In other words, even while VMware remains a critical partner for many of its service providers, those providers are diversifying their technology away from VMware — their success will be, over time, less and less VMware’s success, especially if they’re primarily paying for hypervisor licenses, and not the rest of VMware’s IT operations management (ITOM) tools ecosystem. The vCloud Powered providers that are basically putting out vanilla vCD as a service aren’t getting significant traction in the market — not only can they not compete with Amazon, but they can’t compete against clueful enterprise-centric providers. That means that VMware can’t count on them as a significant revenue stream in the future. And meanwhile, VMware has finally gotten the wake-up call that Amazon’s (and AWS imitators) increasing claim on “shadow IT” is a real threat to VMware’s future not only in the external cloud, but also in internal data centers.

That brings us to today’s reality: VMware is entering the public cloud IaaS market themselves, with an offering intended to compete head-to-head with its partners as well as Amazon and the whole constellation of providers that don’t use VMware in their infrastructure.

VMware’s thinking has clearly changed over the time period that they’ve spent developing this solution. What started out as a vanilla vCD solution intended to enable channel partners who wanted to deliver managed services on top of a quality VMware offering, has morphed into a differentiated offering that VMware will take to market directly as well as through their channel — including taking credit cards on a click-through sign-up for by-the-hour VMs, although the initial launch is a monthly resource-pool model. Furthermore, their benchmark for price-competitiveness is Amazon, not the vCloud providers. (Their hardware choices reflect this, too, including their choice to use EMC software but going scale-out architecture and commodity hardware across the board, rather than much more expensive and much less scalable Vblocks.)

Fundamentally, there is virtually no reason for providers who sell vanilla vCD without any value-adds to continue to exist. VMware’s vCHS will, out of the gate, be better than what those providers offer, especially with regard to interopability with internal VMware deployments — VMware’s key advantage in this market. Even someone like a Bluelock, who’s done a particularly nice implementation and has a few value-adds, will be tremendously challenged in this new world. The clueful providers who happen to use VMware’s hypervisor technology (or even vCD under the covers) will continue on their way just fine — they already have differentiators built into their service, and they are already well on the path to developing and owning their own IP and working opportunistically with best-of-breed suppliers of capabilities.

(There will, of course, continue to be a role for vCloud Powered providers who really just use the platform as cloud-enabled infrastructure — i.e., providers who are mostly going to do managed services or one sort or another, on top of that deployment. Arguably, however, some of those providers may be better served, over the long run, offering those managed services on top of vCHS instead.)

No one should underestimate the power of brand in the cloud IaaS market, particularly since VMware is coming to market with something real. VMware has a rich suite of ITOM capabilities that it can begin to build into an offering. It also has CloudFoundry, which it will integrate, and would logically be as synergistic with this offering as any other IaaS/PaaS integration (much as Microsoft believes Azure PaaS and IaaS elements are synergistic).

I believe that to be a leader in cloud IaaS, you have to develop your own software and IP. As a cloud IaaS provider, you cannot wait for a vendor to do their next big release 12-18 months from now and then take another 6-12 months to integrate it and upgrade to it — you’ll be a fatal 24 months behind a fast-moving market if you do that. VMware’s clueful service providers have long since come to this realization, which is why they’ve moved away from a complete dependence on VMware. Now VMware itself has to ensure that their cloud IaaS offering has a release tempo that is far faster than the software they deliver to enterprises. That, I think, will be good for VMware as a whole, but it will also be a challenge for them going forward.

VMware can be successful in this market, if they really have the wholehearted will to compete. Yes, their traditional buying center is the deeply untrendy and much-maligned IT Operations admin, but if anyone would be the default choice for that population (which still controls about a third of the budget for cloud services), it’s VMware — and VMware is playing right into that story with its emphasis on easy movement of workloads across VMware-based infrastructures, which is the story that these guys have been wanting to hear all along and have been waiting for someone to actually deliver.

Hello, vCHS! Good-bye, vCloud Powered?

The same has so far not proved consistently true for public cloud IaaS and PaaS. To be sure, these areas are growing; recent financial analyst AWS revenue estimates are impressive indeed. Step back a minute and let the reality sink in that the market for cloud services is at least as large as the existing market for enterprise IT (hardware, software, and hosting) itself – then, the AWS number doesn’t look nearly as big. There’s still a lot more cash burned in traditional data centers than there will be in public cloud IaaS and PaaS for some time. We can argue until we’re blue in the face about whether that’s a good thing or not, but it is what it is…

And, what IT is, at least with respect to PaaS, is a growing enterprise desire for Private PaaS. Mock it at your peril – just like private cloud, the ship has sailed and will be pulling into a harbor within an enterprise data center near you. The value proposition for Private PaaS seems compelling – an increasing number of stories suggest that Private PaaS can get you both reduced operational burden and higher developer productivity. As anybody who reads my blog knows, I think that developer productivity is a big deal.

Private PaaS is coming, but how do you adopt it if you’re the “classic” enterprise IT organization with a diverse portfolio of home-grown applications and integrations, running on what I will for the purposes of this discussion call “classic” middleware? Do you wait around until 2015 (or later) for Java EE 8 to bring you the cloudy features you’re looking for, now that we know for sure that Java EE 7 won’t have any? Or, do you just wait for your preferred IT megavendor to get around to offering you a for-real, multitenant, cloud-native, Private PaaS that goes beyond simply slapping a pre-built middleware stack onto a virtual machine?

If for your enterprise, technology is just a necessary evil, a cost of doing business, then the answer is probably yes: wait until the early movers have wrung all the new value from the PaaS model and pick it up when prices are cheap and the systems commoditized. My guess is nobody reading this blog feels that way about IT.

If for your enterprise, technology is expected to expand the business, to serve as a differentiator in your market, to deliver what MBA types like to call competitive advantage – then Private PaaS can no longer be ignored.

I wrote this note with friend and collegage, Marc Halpern, and I published a note with the simple title, “Not All Enterprises Need Intelligent Item Numbers”.  This note was effectice collaboration across information standards, governance, and business applications. 

It so happens that I have worked in organizations (engineering firms, at that) where the part numbering scheme were meaningful.  That is, the actual codes and squence of codes means something business relavent to the user.  In other words, the first two digits describe the market this product sells into (defense, non defense),  The next 3 codes describe the product category; the next 3 the type of product and so on – even down to size, and even color etc.

I was very young when I joined this firm – and I had to lrearn the way to “read” the numbersing scheme – in order to communicate with everyone else at the firm.  It was in effect a localized language.  This language even extended to sister companies and smaller suppliers from whom we procured materials.  It was also an efficient short hand – so it was efficiently used.

This research asked the question – why is this even needed today?  The today was 2003, and even at that point, new business applications where being desigened with fast look-up tables, glossaries and so on.  In fact new technology was easily surpasing the needs of “intelligent item numbers” but we still received (and do today!) questions from users about the need, or lack thereof, for intelligent item numbers.

The bottom line finding, between the lines of the published research note, was this:

-       If the average age of your employees (using the relavent business systems) was over 35, it is mostly likley you would suffer extreme resistenace to cahnge and so you would perpetuate whatever numbering scheme you had.  And older firms had intelligent numbersing schemes.

-       If the avertage age of your employees was under 35, or even nearer 25, the chance is you would more easily convert to random numbering-based systems (and hence leverages the new business application designs).

It Is not that intelligent item numbersing schemes are less productive – that is not the point.  The point is that it is harder to predict what should work well for your organization; and therfore productivity is probebly best suited with the appropriate response.

It’s funny how old ideas go round and round.  Something my good friend Bill Blitch told me.

However, it is being challenged at some enlightened organizations that deploy SIEM, network forensics or other analytics technologies (notice how elegantly I am avoiding the marketer-corrupted term “big data” ).

A fellow SIEM literati once called it using “tech support workflow” for security incident response – and, let me tell you, he didn’t like it much. Many users of network forensics tools (NFT) have discovered that their tools are not alert-centric at all  (such as discussed here), but require active data exploration. One NFT team manager even went as far as to say “we don’t hire alert responders here.” He meant to say that in his team he doesn’t want people to wait for alerts, but to go and explore, “hunt” for insights rather than “gather” alerts. Starting from a hypothesis, a “thread to pull”, a question rather than an alert is characteristic of this newer way of approaching security.

Here is how I am thinking about:

In any case, hopefully it is insightful and  useful for your security analytics / SIEM / SOC thinking and planning.

And, hey, vendors – don’t assume that security monitoring is ALL about alert-driven workflows… The smartest of your tool users already don’t.

Posted related to my network forensics research:

• On Futility of Dead Packet Storage

• Processes for Network Forensics

• Use Cases for Network Forensics Tools

• Network Forensics Defined?

If an article, 10 years after its initial publication date, is featured in several look backs, reviews, Q&As and still gathers reactions and emotional analysis, it can be concluded it must have struck a chord – or in this case – more an open nerve.

In May 2003*, the Harvard Business Review published “IT Doesn’t Matter” , an article by then still largely unknown editor  ”at large” Nicholas Carr.

The premise of the article was that infrastructure has a diminishing impact on competitiveness and that IT was infrastructure (although Carr in the recent Q&A seems to indicate he meant IT Infrastructure is Infrastructure, a lot less controversial idea).

Given all the recent analysis around, I only want to zoom in on one aspect.

What still amazes me after all these years is how the last decade of IT was impacted/hindered/predicted/paralleled  (pick one based on your personal emotional state with regard to the article) by the three short recommendations that were included – almost as an afterthought – in a small breakout box on page 8 of the article.

The article gave the following three “New rules for IT management”

• Spend Less  : Which arguably coincided with a decade of corporate IT anorexia?
• Follow, don’t lead  : Today we know that consumer-play IT – and not corporate IT – leads most of IT innovation (think Facebook, Twitter, Google, Netflix), and Web-scale IT is arguably about corporates following consumer-plays?
• Focus on vulnerabilities (as for any utility the dependence on external providers increases) - Which ironically is today’s main argument for corporate’s preference for private (over public) clouds?

To do this, marketers are increasingly extending multichannel marketing from purely outbound campaigns to include inbound marketing in the form of offer management, real-time decision making and event-triggered marketing, giving marketers targeted interaction when the customer is reaching out.

However, many vendors are offering inbound capabilities that are not integrated; therefore, creating another interaction silo. Expect half the multichannel campaign management market to provide true inbound/outbound fusion by YE2013.

There are five major benefits for multichannel inbound/outbound fusion:

1.  Ability to Measure:  Multichannel inbound/outbound fusion promises marketing access to a single view of campaign effectiveness.  Top questions for marketing accountability include: What is going on in the campaign management pipeline? What is the return on investment (ROI) for campaigns? How should budget be allocated in the future for which campaign, offers or channels? An integrated inbound/outbound environment will provide more data to start answering these questions.

2. Lower TCO: Financial benefits will come from several sources. Besides the negotiating leverage of single sourcing (which would accrue whether the solutions were truly integrated or not), the organization can benefit in two primary ways:

                               Integration (such as single sign-on, a unified graphical user interface [GUI], and a common data source) will lower deployment, training and additional support costs.

                               A unified predictive analysis and a single-offer library and shared segmentation will make more-effective use of marketing time, with higher productivity without adding staff.

 3. Increased Revenue:  Inbound/outbound fusion provides access to customer data from more channels for segmenting and targeting the customer base. Taking advantage of functionality such as unified propensity modeling and universal preference management techniques means better targeting and higher conversion rates as well as information to align with the rest of the organization (for example, a connection to sales to help convert revenue).

4. Increased Responsiveness:  A goal for marketing is to execute better campaigns more frequently. Multichannel inbound/outbound fusion capabilities, including one GUI, one inbound/outbound-capable dialogue, a common set of analytical tools and a signal-administration for sign-on, can significantly provide effectiveness and efficiency.  Reduction in time for campaign creation, execution and reporting  along with combining inbound and outbound customer data can allow marketers to make necessary changes to ongoing campaigns based on the real-time response and feedback of customers en route.

5. Consistent Customer Experience: Knowing which marketing campaigns are going to whom, what is being offered as an outbound campaign, what is being communicated as an inbound offer and how to reconcile the two for consistency will be a key benefit for inbound/outbound fusion. Capabilities (such as a common data source, access to an online/offline shared offer and segment library) and connected inbound/outbound-capable dialogue will have a substantial impact on a consistent experience.  The ability to extend a relevant, planned offer during a spontaneous customer interaction has shown response rates approaching 15 times that of non-targeted outbound campaigns.

See our upcoming note on Inbound/Outbound Fusion Checklist for Multichannel Marketing where we we separate hype from the reality, and we outline and define the eight technology conditions for true two-way, inbound/outbound fusion.

The Shibboleth project is an open-source implementation of SAML that is widely used by research and educational institutions. It is great to see the official launch of the international Consortium, which will provide a mechanism for the Shibboleth community to make financial contributions to the Shibboleth project. The Consortium is intended to be a lightweight support function for the Shibboleth project. The creation of the Consortium will enable the Shibboleth project to focus on its technical work.

As the use of federation technology becomes more and more mainstream, it is important that there are a variety of options for acquiring and consuming federation technology. Open source is a key option. Another important option in some industries is an operating identity federation hub such as the InCommon Federation. The InCommon Federation operates an identity trust framework used by almost 6 million end-users in higher education institutions. Hundreds of educational and research institutions leverage the Shibboleth software as part of this federation.

First is one you touched on, which is the ambiguity built into seemingly simple questions. For example, when it asks “city where you were born”, does it mean literally the city where the hospital was (which I almost never go to), the city where I grew up and would answer if someone at a party asked “where were you born?”, or the greater metropolitan area (which is what I’d answer if someone from another city asked)?  Is the first thing I learned to cook “Italian”, “pasta”, or “pesto”?  Is my favorite singer “Mellencamp”, “John Mellancamp”, “John Cougar Mellencamp”, …  Yeah, my mind works that way and comes up with multiple correct answers.

Second is answers that change over time, like “favorite” questions.  Asking my favorite restaurant or song really means trying think what my favorite was five years ago when I bought my last computer and answered that question.

Third is that many questions don’t guard against ex-friend or pernicious relative hacking, which I’d imagine is a serious problem for some people.  Someone who used to know you well and you don’t want hacking your accounts probably knows all sorts of questions about the street you lived on, model of car, name of high school, pets, and maybe “favorite” questions.  There are probably a dozen people I know that could answer most of these personal questions about me.

Fourth is that half of them don’t have an answer for me, from favorite film star to childhood nickname.

Since these questions are usually offered in batches of six or so, I have sometimes looked down all of the questions and not found a single one that I can answer consistently.  Maybe I have to invent an alter ego with a strong, consistent personality that has led a simple, unambiguous life.

Until, like everything, it gets carried to an extreme.  Like for instance, the Apple ID reset process.  Let’s look at these security question…

I suppose the standard response would be (if the answer is not readily available) MAKE SOMETHING UP and remember it!  But wasn’t it the purpose of these security questions NOT to have to remember ONE MORE THING.  Heck, if that were the case I wouldn’t have forgotten my password in the first place!

…and then there was the concept of REUSE.  Use a question that is personal information, but whose use is fairly standard across websites (mothers maiden name, for example).  But then that, of course, leaves one open to the possibility of a breach at one site is a breach of all of them.

This, we at Gartner, would classify as a wicked hard problem of identity and authorization.   And there is no answer yet (two factor authentication aside).  The Achilles heel of virtuality.

These first job questions – do you mean my news route, part time job after high school, full-time job after college? The first one that actually paid me? or paid me a salary?

That first album I purchased?  duh, maybe it was Jimi’s “Live at the Fillmore East”, which explains why I can’t remember a dang thing….

We’ll talk about wicked hard problems like that, and more, at this year’s Catalyst Conference in San Diego.

Why Tumblr and why now are sensible questions and lack clear answers save for the common meme that Yahoo is trying to “buy hipsters.” While that may be fun fodder for the Twitter cybergabfest, Mayer and Yahoo no doubt have some concrete plans beyond PR value and such pat answers as “because they were available” and “we bought Tumblr before one of our competitors did.” After going through a checklist of Yahoo needs and Tumblr strengths, here is one realistic path—content platforms.

The content platform play: Previous Yahoo execs have always talked about Yahoo’s “content buckets”—original, licensed and user generated (i.e. Yahoo Contributor Network) as one of its key strengths, and as a leading vertical content portal for such areas as sports, finance and gossip/celeb news, Tumblr makes sense as a content management-meets-curation platform. Such a move would allow consumers, brands and marketers (i.e. content marketing) to curate Yahoo’s syndicated content (original and licensed) and use those pictures, videos and stories to create personal and professional Tumblr pages. Coke and Campbell’s are just two of countless brands that have created Tumblr sites to showcase their wares and tell their stories to consumers. The content platform plan allows Yahoo a few revenue paths including a freemium service option and a venue for targeted advertising. It also allows Yahoo to get even more mileage out of one of its key “cool” brands—Flickr (another e-less product).

One has to applaud Marrisa Mayer’s “go big or go home” move and the notion that Yahoo’s board is standing behind this purchase will (reportedly) full support. A successful integration of Tumblr into Yahoo’s forward-looking strategy could end a losing streak of purchases and fizzled launches which includes Maven Networks and Geocities as well as Livestand and Yahoo 360. Mayer’s biggest challenge—something Yahoo has not shown to be a strength—is to integrate Tumblr into Yahoo’s product set and get the cash register ringing again.

Certainly one cannot overlook the power of Yahoo attempting to make itself cool and relevant again, but this must be more than a very expensive PR move. The Tumblr purchase has to be followed up with other moves to bolster its mobile and social strategies. The yodel may be on its way back—time will tell.

One of the interesting items there are a set of acoustic mirrors:

As you can see, the mirrors are pretty far apart (I’d guess 50 yards).  If you sit in one (like my daugther is on the left) and someone else sits in the other, they can hear each other talking, even if you are speaking in a whisper.  It was definitely an interesting and unique experience.

I went searching for more information on these mirrors.  As it turns out, they were originally used in Britain to help detect the sound of enemy aircraft (before the invention of radar).  Now, they are mainly used in science museums to demonstrate how to focus sound.

As marketers, it would be great if all of our audiences were sitting in acoustical mirrors, ready and willing to listen to our messages, not matter how quietly we speak them.  But that is not the case.  Instead, we need to find ways to get our messages heard through a din of noise and competing messages.   Expecting an acoustical mirror effect is unrealistic.

There is a great model for communications that was originally put forth by Don Schults, Stanley Tannebaum, and Rober Lauterborn  in the book, The New Marketing Paradigm: Integrated Marketing Communications, which was published in 1996.  There model which still applies today is shown here (with a recreated graphic): 

The model shows that awhen a sender wants to communicate with a receiver the ability for that message to be received is impacted by how much of a shared field of experience the two parties have and the impact of noise in distracting the receiver.  Furthermore, if feedback can be provided, that enables the sender to verify for the receiver that they got the right message or to make adjustments until the communication is received properly.

Acoustic Mirrors are a lot like fields of experience–they create an environment for more focused communications.  In today’s world, marketers must use context to increase the overlap in fields of experience and reduce the likelihood of noise being introduced into the communications stream. 

In effect, context is the modern version of acoustic mirrors and a key focus area for all forms of business communication.

This year, my colleague Dale Hagemeyer and I identified three vendors in our published report Cool Vendors in Consumer Goods, 2013.  These Cool Vendors share a set of common innovative approaches that seek to bring more value to consumer goods companies. They all  demonstrate knowledge of the consumer goods space, have embedded that knowledge into their applications, and seek to offer solutions that can drive more personalized offers and provide more insight into shopping behavior and retail execution:

• Fifth Dimension: Leveraging 3D visualization tools and data to drive new levels of retailer and consumer goods manufacturer collaboration. www.fifth.uk.com
• QThru: Innovatively engaging consumers with context-aware, personalized offers at the point of purchase in retail stores via a self-scanning mobile application www.qthru.com
• Quri: Using crowdsourcing to help consumer goods companies monitor in-store execution. www.quri.com

Even if you are unable to access our report, definitely check out the websites for these companies and see what makes their services cool.

We are always on the look out for new vendors that offer exciting technology possibilities than enable sales and marketing for our consumer goods clients. We welcome any ideas or suggestions as we scout for vendors for next year’s report and in our ongoing research.

I covered some of the strategies for implementing app management and security in my January research note on containerization. Using one method, where there is a proprietary SDK from the multitude of MDM vendors, what we call app specific has been around for a couple years now.  But at best only 40-50 apps have been developed this way. The problem is the management SDK is proprietary to each vendor so a management tool can only support its specific (hence app specific) app. Plus pre-existing apps need to be rewritten. Most app developers have held off of committing because of this. Another method is to wrap the app, but getting access to the binary, especially for third-party apps found on public app stores is difficult–and still proprietary to the application wrapper for management. What’s needed is some type of standard that app developers could use, that all MDM and app management vendors could integrate into. Of course that would mean getting all those vendors to agree on one method–probably some type of open source mobile app management SDK.  Then these vendors could compete on managing and securing apps, not on wooing app developers to use their standard. Another method would be to use app wrapping, but seperate the admin functions and APIs from the wrapping technology itself. This does have the advantage of quickly adapting existing apps without a lot of recoding.

One well known MDM vendor, MobileIron, is beginning to create an open SDK standard it’s calling (for now) the Open App Alliance, which was mentioned last month on brianmadden. It’s hoping to go public with the details in the next few weeks, but the alliance should include some big app providers, app development tool vendors and maybe even some adopter companies at the start. MobileIron would rather compete on its MDM platform than spend the time convincing adopters and developers to use its proprietary app SDK. One thing missing, at least for now, is other MDM vendors. In the end, their buy-in is essential for this to succeed. Maybe if enough adopters and app providers hop on board, this may convince other MDM vendors to head in this direction. Many of the big MDM vendors I talked to around this are interested, but have not committed yet.

It remains to be seen whether this will have the momentum to move forward. There’s a lot of work left to do and not a lot of time to do it, but in my mind, something needs to be done to alleviate the fragmentation of the mobile technology, get apps manageable and secured– and this is at least a step in the right direction.

IT Compliance Doesn’t Exist!

IT clearly has a significant amount of compliance work that it performs – no doubt about it, especially in highly regulated industries. IT, of course, exists solely to support business objectives. The compliance requirements that IT fulfills are derived from those business objectives. Here are a few quick examples:

• PCI compliance results from a business desire to accept payment via credit cards.
• IT and Information Security have a role in achieving overall SOX compliance, which results from an organizations status as a US based public corporation (and desire to remain so).
• IT requirements for HIPAA result directly from an enterprise need to process confidential healthcare data.

Yet, it seems that in many enterprises IT compliance is seen as separate from and in conflict with “meeting business requirements”. This is in spite of the fact that none of the examples above can be achieved without significant efforts from business partners themselves.

So, why is this interesting? In a word: “Resources” – time and money. In most organizations, funding and prioritization of compliance activities is very hard to come by. Much of this may be a perspective problem, as IT organizations often do not include compliance efforts in project prioritization processes side-by-side with other initiatives – that may be a lost opportunity.

Compliance is Risk Management – Just NOT YOUR Risk Management!

Compliance is not a substitute for risk management. Compliance requirements are the result of an external group’s anxiety regarding risk. Usually the external group is either a government body or large commercial concern. Let’s take a second look at the three examples from above:

• SOX is the result of anxiety over the risks of financial reporting errors and a response to a number of major corporate accounting scandals.
• PCI is the result of the payment card industry’s desire to ensure minimum standards for the safeguarding of payment card information and transactions.
• The HIPAA Privacy Rule is a direct result of concerns regarding the use (or misuse) of individual healthcare records by the general public.

In all of these cases, the compliance requirements are designed to address issues to reduce risk to a level that is tolerable by the government or commercial group. The fact that compliance requirements are designed to provide broad and general coverage often results in cases where enterprises could more effectively manage the risk using controls specific to their environment and situation. The fact that this is often not acceptable to examiners is a significant source of frustration.

The last decade has seen compliance mandates become more risk oriented and begin to include risk assessments and control design as a part of the compliance process. Regrettably, all too often new compliance requirements continue to come in the form a checklist.

There are few options available to us to improve the situation. Participation in regulatory rule making is a time consuming process that rarely contributes to success in our “day jobs”. Improving compliance and regulatory rule making is a long game, and the best thing for many enterprises to do is to share their risk management and control design approaches with examiners. Educating the examiners who often have significant influence over the rule making process make be the most productive approach.

Cheers, Erik

When Larry Light was CMO of McDonalds he found parallels between marketers, editors and writers. Just as writers collaborate with their editors to develop the many facets of a story, marketers develop stories with their customers. Happy Meals was one outcome of Light’s storytelling exercise, convincing him that brand managers shouldn’t tell product stories, rather stories about the outcomes their products produce for customers. Mr. Light soon coined the term “brand journalism” to describe this new twist on brand communications.

In the digital age, opportunities to tell brand stories multiply. Buyers for example, freely share stories of their favorite brands everyday – by the thousands – so much that some pundits say marketers have ceded control of their story to others, whether they like it or not. This is hugely overstated. While we can’t control what customers say, we can certainly coach them. 

Marketo for example, knows its story well – to help marketers generate high quality prospects; the type that convert to customers – faster.  Some users say Marketo’s solution has accelerated their sales cycles two to three times. When this story plays out revenue accelerates and sales costs decline. And so, Marketo simply asks customers to tell their stories within this context. Customers happily comply (see Marketo’s video testimonials).

Brand managers at P&G, Starbucks, BMW and Mercedes have all gotten hip to this storytelling idea, coaching customers to share their own experience, within the context of the company’s brand promise. Look on any auto enthusiast site; BMW owners can’t wait to share exactly what BMW wants them to share: driving excitement. Some do it willing; some are nudged a bit by BMW marketers. 

There are of course, those customers who decline coaching – and we welcome those too, for it’s those customers that produce the kind of surprises we like, especially product usage we hadn’t even thought of (as General Mills found when many customers said Cheerios was their favorite bedtime snack).

Like any disruption, find a way to embrace it. Let your customers tell your story over Facebook, Twitter, LinkedIn, the blogosphere, and community forums. Coach them (or not) but let those stories flow – for stories engage, stories inspire. Stories help us remember, which after all, is what brand awareness is all about.

It has been great fun and I have learned much from all of the smart people who have taken the time to read, comment and contribute to the blog.  My deepest apologies as the blog often featured grammar that would make an English teacher cringe.  I will admit to not really proofreading every post all the time as the ideas and the desire to publish them got ahead of prudent respect for the reader.  Please accept my apologies.

I have provided a few links below to the posts that garnered the greatest interest, comments or are worth remembering.

Leading in Times of Transition: the 2010 CIO Agenda   - the most links via Bitly

Gartner announces a new magic quadrant – the most comments

The Nature of Change is Changing: A new Pattern — the most comments for a serious post

An IT value sampler for the holidays

Chief Digital Officer, What type does your organization need?

Digitalization creates new dimensions for disruption

Everyone will recall the source of the title of this post from Douglas Adams’ book of the same name.  Part of the Hitchhiker  set of books that should be on everyone’s must read list.  I took his title as the title for this post not because things are ending, but because they are always beginning.   That beginning in 2009 started with a simple question about IT budgets and now I turn the conversation over to my peers at Gartner and to the community in general.

Thank you for your time, attention, energy, knowledge and experience all shared on this blog.  It is not mine; it is ours.  It is also my privilege to share.

If you give an intern control of your Facebook page, one or two or three of many things could happen. He/she might…

Feel empowered…

Feel confused…

Establish the customer-facing social media strategy you lack…

Get angry with you and post something inappropriate…

Build a foundation on which you can express your brand’s brand on social media…

Build a foundation for your brand that is not really your brand’s brand…

Flourish under your leadership and become a change agent and leader in your organization…

Go work for a competitor, while still having admin access to your Facebook page…

As intern season springs upon us and the doe-eyed young’ns enter our white-walled dwellings, let’s keep in mind that the tasks we assign them are tasks that have an impact on both the intern and the organization. When I was a wee intern, some of the folks at my former employer gave some of us a camera, they gave others the equipment to podcast, and others the opportunity to blog. That one day where someone believed in us and entrusted us to go out and express how we felt about the company we were working for changed our understanding of “career” and what we could do to impact a “stiff” organization.

But also keep in mind that these interns don’t know the history behind your brand. They don’t necessarily understand your industry and your competitors. They might not even understand your product. And worse, they will be gone at the end of the summer. Don’t have them start something you can’t carry on.

And with those few words of wisdom, everyone enjoy your summer

Let the music play out…

Bamboo has now found a software development home to enhance its business continuity management software. Gartner believes xMatters has the most opportunity to grow Bamboo adoption by supporting the importation of Microsoft Word and Excel files as well as a SharePoint Web service API for those who do not use business continuity management planning (BCMP) tools now. Gartner also believes xMatters should consider evaluating its EMNS pricing strategy to make it more competitive with the rest of the market for increased adoption of Bamboo by prospects that do not already have an EMNS tool.

xMatters adds a mobile app that supports push technology for recovery plan updates, role-based and offline recovery plan access, and GIS-enabled tracking of all capabilities used for real-time incident management. Integration with the xMatters IT alerting system may be a future enhancement.

Before this acquisition, Gartner observed limited Bamboo adoption by our clients, who cited additional costs compared to perceived benefits; Australia-only product support with uncertain future support from Deloitte (which is not known for mobile application development); and limited business continuity management tool integration.

In both current and combined forms, Bamboo powered by xMatters lacks many of the capabilities of the larger BCMP market, particularly related to planning functions, including:

• Business impact analysis
• Risk assessment
• Recovery plan development, maintenance and exercising

But the offering could appeal to xMatters customers that lack a mobile app for real-time incident management.

Recommendations:

BCMP tool customers: If you are looking for EMNS and enhanced real-time incident management capabilities through a mobile device, encourage your BCMP vendor to integrate with xMatters.

EMNS tool prospects: Consider xMatters because it now has an enhanced mobile app for offline recovery plan access, emergency contact list dialing and GIS for resource tracking — all used for real-time incident management support.

BCMP vendors that only have mobile Web browser access: If you are looking for an EMNS tie-in, either integrate with xMatters or enhance your mobile app to provide push technology for recovery plan updates, role-based and offline access to plans through the mobile device, and EMNS integration.

xMatters EMNS competitors: Enhance your mobile app to support push technology for recovery plan updates, role-based and offline recovery plan access and GIS-enabled resource tracking. (EMNS leaders currently support GIS-enabled resource tracking.)

Existing Bamboo customers: Discuss with your EMNS vendor whether it will continue supporting Bamboo, as it may be a direct competitor to xMatters.

Recommended Reading

“Best Practices: EMNS Implementation Advice” — EMNS implemented without a well-considered plan can hurt the constituencies that rely on these services for everything from basic safety to basic survival. By Roberta Witty and John Girard

“Market Analysis in Depth: EMNS Magic Quadrant” — Buyers of EMNS should use this research to guide their vendor selection projects. By Roberta Witty, John Girard and Catherine Goldstein

Short but sweetie today – my colleague Jeff Brooks and I have been on our grind through the initial round of IT Service Support Tool Vendor Magic Quadrant demos, with a handful more to complete this week. We’ve also been doing our fair share of inquiries, strategic advisory sessions and client engagement days through this first quarter, and while we get together often to discuss client chatter, industry trends and the most recently watched episode of  ”Girls”,  we recognize that there is clearly a need to go out and get more information. To help extend our reach, we have recently launched an IT service desk survey.

We’re after the IT leader buying trends, concerns, and  framework considerations to supplement our research, and we need your help.

Our love doesn’t cost a thing, but we are fully aware that your time is valuable, so for that we would like to offer anyone who completes the survey a Gartner research note of their choosing to be emailed directly to them.

The survey can be found here:  http://tinyurl.com/bhtv2ej

But wait, there’s more! (#BillyMaysVoice)

Jeff Brooks will be attending the SITS2013 show (http://www.servicedeskshow.com/)  in London,  April 23-24. Jeff will establish an official Gartner presence in the Expo Hall, and anyone  interested in a meet up can find him there. In addition to insight, Jeff will be handing out Gartner schwag, while supplies last, and trust me – you don’t want to miss out.  Jeff is also schedule to present and host separate sessions; one of which will be a fiery debate on whether or not ITIL has an expiration date. Surely Jeff didn’t think having that debate in the UK was a great idea, but he informed me that he’s watched enough Jerry Springer to know to duck flying chairs at his head if necessary. Gartner Analyst and UK resident Ian Head will also be in the building, so if things get really dicey, Jeff is covered.

So please – feel free to take the survey, either online or in person at SITS in a few short weeks!

Either way, thank you in advance for your participation!

• Meta Group 1996-2005
• Burton Group 2005-2010
• Gartner Jan 2010-July 2010

Over those years, I’ve covered a range of topics but they all intersected with collaboration and social software – with a particular deep research focus on topics related to social networking. I enjoyed my experience on the vendor-side of the world while at Cisco. It was interesting to see how technologies are brought to market and some of the opportunities and challenges vendors face when moving into new markets. But research is my passion and I’m happy to be back doing something that is so deeply ingrained in the way I look at the world. There are some differences in the way I approach this role now then before that I’d like to share:

• Theory: I’m in the middle of a Master’s program in Media Studies at The New School. The experience has reinforced my intent to anchor my research to scholarly sources whenever possible and relevant.
• Culture: While media and technology plays an important role in the life of an analyst, knowing more about the cultural context of how people go about their routines through the eyes of its participants can reveal tremendous insight – it’s changed the way I think about and approach research.
• Practice: Which leads me to better understanding the things people do, their patterns in everyday life (how people participate and contribute), the social processes that influence how people take action (or not), and how all of these dynamics are applied in a work environment to get something done.

In a way, I’m more exploratory and observant in areas that might appear to be far removed from technology yet those experiences influence how people go through everyday life as a consumer, customer, employee, teammate, community member, management leader, etc. Everyone has multiple identities. All human interaction occurs in a network context. While I find these topics important from a research perspective, don’t worry – I express my views in the language of our business and IT clients. I do pass along articles related to these topics (e.g., anthropology, ethnography, design, social networking, identity, social capital, etc), I find interesting via Twitter (@MikeGotta) if you’re interested.

Shifting away from my academic side, I’ll be focusing on a variety of challenges and opportunities faced by IT leaders involved in collaboration and social software strategies. I look forward to hearing from you and sharing my views on:

• How to put together an internal collaboration or social strategy
• How to approach the cultural aspects of teaming, community-building, and social networking
• What impact can new approaches towards research and design have on adoption of collaboration and social applications? To get an idea of where I’m heading with this, see this report recently published: Leverage Design Ethnography to Boost Enterprise Social Networking Success  (Note: you need to have the appropriate client access rights.
• How to approach the business case. What can be done to express the value of collaboration and social solutions in terms that show business value (e.g., key performance indicators, ROI, etc.
• Can integration of collaboration and social technologies into applications and process improve their use and create better business outcomes? How can we design environments that enable people to better mobilize their professional networks to improve the effectiveness of informal work processes

General questions such as:

• The impact of social on the employee life-cycle
• Why is social networking important from a management and employee perspective
• Applying design ethnography to improve use of social application
• Re-thinking cultural change through the eyes of its participants
• Mobility aspects of social and collaboration strategies. This is an area I’ll be ramping up on. I’m especially interested in how we can improve the research and design aspects of social and collaborative apps.

Specific technology questions related to:

• Social networking applications and platforms, including profiles, social graphs, activity streams, social objects, and social analytics
• Expertise location and Q&A applications within the enterprise
• Various vendor collaboration and social platforms
• Mobile social and collaboration apps (Note: ramping up)

In terms of some long-range questions I have for myself – here’s what I’m thinking about – somewhat academic but my findings would be expressed in business and IT terms:

• How do social structures emerge (e.g., teams, communities, networks) and the influence of management, culture, and media on those relationships?
• How do people cultivate and mobilize their social networks?
• How do we encourage a more participatory employee culture? What impact do media literacies have on people’s ability to contribute effectively?
• How does mobile (as a more intimate form of computing) affect how people communicate, share, and build relationships?

As I investigate these open-ended research inquiries, I recast my findings into an enterprise context, taking advantage of quantitative and qualitative studies and all of the various resources and interactions I have here at Gartner.

That’s it. I hope this helps outline areas where I can help. Sorry if it’s a bit long.

BTW, if you are an organization applying various qualitative research approaches (like ethnography), I’d very much like to hear about your experience – whether it’s externally or internally focused.

But as we listen to the pundits’ comments, and those of the IT industry groups and lobbyists, let’s bear in mind a few facts that are applicable worldwide. (My turn to pontificate!)

• The IT industry is not special. It’s an important industry, but no more so than any other. It employs a good number of people, as do other industries. It adds value, as do all viable industries. When well deployed and used, its products and services can help make its users more productive and effective; so can good HR consultants, well targeted financial services, the right plant & equipment, cost-effective transportation, the education sector and good public policy makers  … and one could go on and on.
• Any special treatment for the IT industry, tax concessions or handouts, are going to be paid for by other taxpayers in the end, and many of those are themselves in the IT industry, or would spend money on IT.
• Seeking government “incentives” for investing in IT or in IT companies should be unnecessary if it’s such a great industry. (And if it’s not, why invest?)
• If an industry needs to be “promoted”, something must be wrong. Why can’t its sales and marketing people do that?
• In those countries where the government funds much of the education, a focus on specific IT vocational or technical skills is short-sighted. Those are already out of date by the end of the course. IT providers, like all business people, should be looking for the economy in which they operate to be providing a pool of educated people. Those are people with an education that prepares them for the rapidly changing and challenging business environment, people who can think and learn, and continue to do so when the world changes, as it will.
• It isn’t just specific IT spending initiatives in the budget that we should look for to see what the government itself will spend on IT.  Every government activity, every existing and new program requires IT to make it work. Nothing much happens without IT. Therefore, commenting on the supposedly good news or disappointing news about IT initiatives misses the point.

These blog posts will continue to discuss the business of IT Services.

I did not jump onto the personal cloud storage bandwagon until recently. I generally accessed data from home, and I preferred to manage backups myself. However, I recently did an about-face and now use cloud storage as part of my personal backup strategy. Why? It’s not because I didn’t want to manage my data anymore (I still back up my files locally too). It’s not because I need to access it from anywhere (I still access it primarily from home). It’s because I’m human and I make mistakes.

This decision came about when I painted myself into a corner migrating from an aging laptop to a new desktop. (Yes, a desktop. At the price I’m willing to pay for the options that I want, a desktop still beats a laptop.) The first time I booted up, my desktop had two, mirrored 1TB hard drives. After copying critical files from my laptop and setting up the new system just the way I like it (solid black wallpaper, no desktop icons), I promptly backed everything up to an external USB hard drive. I then had five copies of my most important data: one on my laptop’s internal drive, two on my desktop’s internal drives (mirrored copies), one on my external drive, and one older copy on a USB stick (the last one may be a bit paranoid). Surely, I thought, this would protect me from most any form of conceivable disaster? Unfortunately, I failed to consider the single point of failure: me.

About two weeks after the desktop arrived, I received an exciting package in the mail: my SSD, which I immediately slotted into my desktop. However, during the process of getting the OS properly installed on the SSD, certain actions were taken and certain mistakes made. At one point during the evening, I had an improperly formatted SSD (very much my fault), a split of the internal mirror rendering the disks unreadable (mostly my fault), and a reformatted external drive (also very much my fault). In one fell swoop, three of my five copies of data were now inaccessible, leaving my aging, prone-to-overheating laptop as the only up-to-date copy of my personal data. The root cause analysis? User error.

Eventually, I managed to untangle the mess I had made and ended up with an SSD containing my OS, hard drives with my data (no longer mirrored), and an external hard drive with a backup of both. However, as the complexity of my environment grew, even a slight misstep could cast my data into oblivion. Shortly after saving my data from myself, I found a cloud service to supplement my local backups, and all of my local data is kept in sync with that service. Critically, the copy that resides on the cloud is all but immune to the many ways I could accidentally ruin my own local copy.

I would consider myself a reasonably computer-literate person, but that doesn’t prevent me from making mistakes, which in this case had nearly catastrophic consequences. A cloud backup provides insurance not only against technical failures, but also against our own mistakes.

We just published a note entitled Exploit the Intersect of IBM’s Social Business and Solution Selling Strategies. 

A part of that note, probably one quarter, dives into what has been fascinating me for many, many years. There’s only so many features you can stick into an email program or a content editing tool. Particularly if you’re text-centric. Where do we go after the 177th version of a personal productivity tool suite? The 34th iteration of instant messaging? The 500th document database? So much of what we’re doing now is reinventing and refining what we were already doing in the pre-client-server era. Back in the late 80′s at Digital Equipment, we had a vision and architecture for compound documents in GUI environments…how many more iterations of that do we really need?

There’s more coming, very different. It’s not a new kerning tool. Or the next great slide transition mechanism. It’s about the rise of smart assistants. Natural language processing. Semantic analysis. Massive parallelization. Rule-based systems with machine learning. Pattern recognition and matching. Marry that to the scale of what Google can do and what IBM, with Watson and co-development partners can do.

Start with Google. Witness, for example: 

In a research note that was published yesterday, Gartner introduced the term “web-scale IT.”  What is web-scale IT?  It’s our effort to describe all of the things happening at large cloud services firms such as Google, Amazon, Rackspace, Netflix, Facebook, etc., that enables them to achieve extreme levels of service delivery as compared to many of their enterprise counterparts.

In the note, we identify six elements to the web-scale recipe: industrial data centers, web-oriented architectures, programmable management, agile processes, a collaborative organization style and a learning culture.  The last few items are normally discussed in the context of DevOps, but we saw a need to expand the perspective to include the changes being made with respect to infrastructure and applications that act to compliment DevOps capabilities.  So, we’re not trying to minimize DevOps in any way because we view it as essential to “running with the big dogs,” but we’re also saying that there’s more that needs to be done with respect to the underlying technology to optimize end-to-end agility.

In addition, while the term “scale” usually refers to size, we’re not suggesting that only large enterprises can benefit.  Another scale “attribute” is speed and so we’re stating that even smaller firms (or departments within larger IT organizations) can still find benefit to a web-scale IT approach. Agility has no size correlation so even more modestly-sized organizations can achieve some of the capabilities of an Amazon, etc., provided that they are willing to question conventional wisdom where needed.

Web-scale IT is not one size fits all as we don’t want to replace one IT dogma with another. In true pace-layered fashion, use the approach to IT service delivery that works best for your customers. Gartner suggests that so-called “systems of innovation” which are applications and services needing high rates of change are the more likely initial candidates, but IT organizations are urged to experiment to see what makes sense for them.

Stay tuned for more on web-scale IT from Gartner in the future! 

At the bottom level of the architecture, a core enterprise metadata framework provides a small set of metadata elements that are applicable to the majority of enterprise information assets under management. These elements are often drawn from a well known standard set of elements such as the Dublin Core but can include whatever common elements are useful to the enterprise. This common framework provides the unifying thread that will facilitate locating content from across the enterprise, making an initial assessment of its relevance and of submitting it to the content ingestion pipeline.

The second layer of the Big Content metadata architecture consists of domain specific elements that are not necessarily applicable to all enterprise content, but are useful to a particular area such as a brand, product or department. At this level, common metadata often exists under different labels depending on where it is created and which department owns it. This increases its value and utility to that department but makes it more difficult to leverage for content integration and analysis. To reconcile domain metadata it is often necessary to create a metadata map that resolves naming and semantic conflicts.

The top layer of the metadata architecture consists of application specific metadata. This is additional information about content that is only relevant to the use-case at hand and the application facilitating its execution. As such it is not created or stored in the content management systems hosting the source content. It is created solely for the purpose of structuring and augmenting the content to be utilized within a vertical application in the Big Content environment.

Throughout the entire Big Content lifecycle ensuring metadata quality and integrity is of the highest importance. Quality measures must go beyond simply reconciling field names. It is important that the steps taken to enrich and refine content are applied consistently. If some dates are not normalized, entity extraction is incomplete, or terminology is not reconciled, the accuracy of the data behind the insights comes into doubt. As a result any analysis and its findings become questionable. Metadata represents a significant upfront investment and ongoing requirement when large amounts of content are involved. Never the less, it is a critical factor in effective content management and the key enabler of the Big Content ecosystem.

For the last two years, IT-GRC has started to bifurcate into IT-related GRC functions and security operations functions. These market changes have caused us to reset Gartner’s use of the term IT GRC to provide useful guidance to our clients in selecting appropriate technologies for their requirements.

GRC is the most worthless term in the vendor lexicon. Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have. See my previous post Why I Hate the Term GRC.

In 2013, there is little evidence that security technology data is being used in any material or comprehensive manner to directly support senior IT and business leadership in decision making. However, there is an important evolution in the prioritization and remediation of vulnerability and security configuration management data using business context that is changing vulnerability management and other security operations use cases. This evolution will be covered separately from IT GRC technologies.

Gartner experience on client and reference calls has indicated that IT GRC needs fall roughly in two areas. The first supports oversight and governance functions that typically bridge IT information to support IT and business leadership for reporting and decision making. This is present in use cases such as vendor risk management, policy management, integrated risk reporting and risk assessment. The second supports information security operations requirements through the centralization of security technology data. This is present in use cases such as vulnerability management, continuous monitoring and the management of technology-centric compliance requirements such as Payment Card Industry Data Security Standard (PCI DSS).

Consider a metaphor where a horizontal line is used to separate IT from non-IT business needs (see figure below). The first area can be described as "above the line," and the second area can be described as "below the line"

Using patch management as an example, the operations functions that monitor patch states, prioritize and guide remediation are all within the first line of defense. They are considered below the line and not within the definition of IT GRC. The governance functions that use patch information to rate business units on patching effectiveness to guide risk-related decision making are part of the second line of defense. They are above the line and considered to be a part of core IT GRC activity.

IT GRC technologies and providers for above-the-line use cases will be published in the latest MarketScope for IT GRC. Below-the-line requirements will be addressed, in part, as an extension of vulnerability management. There is no hard definition for below-the-line use cases that have been excluded from IT GRC because this is an evolving set of solutions that include traditional IT GRC vendors and vulnerability management vendors.

Our new definition of IT-GRC

IT GRC technologies are used primarily to bridge IT-related data in support of senior IT and non-IT decision making. This is composed of functions for mapping controls into control objectives, survey capabilities, workflow to support non-IT decision making, and non-IT executive reporting.

The use cases for security operations will no longer be referenced as IT GRC at Gartner and will be considered an extension of vulnerability management research for the benefit of IT operations. This is composed of functions for the import of technical data from third-party products, workflow to support prioritization and IT remediation activities, and an IT asset database supporting IT decision making.

IT GRC is composed of functions to support non-IT decision making and non-IT executive reporting:

• Controls and policy mapping.
• Survey capabilities.
• GRC asset repository.
• Workflow.
• IT risk evaluation and dashboards.

The functions supporting data import from third-party security tools, such as vulnerability assessment and security configuration management, remain a part of IT GRC. However, these functions are primarily used in support of the below-the-line security technology use cases.

These changes seem to have everyone in a tizzy. But here’s the bottom line: Security operations is security operations. Gartner is not going to call that IT GRC. So there.

Follow me on Twitter (@peproctor)

Participants this year all have at least 200 active customer installations, $5M per year in revenue.  These vendors are also actively brought up by our clients on calls and thus have created some recognition at the enterprise level.  There are many other products in the market that are effective for specific roles or at the project level, our goal is to look at tools that are effective at scale and most of the vendors being covered have installations with 1000 or more users.

We will be using the same criteria as the prior edition of the MQ.  We will however, have an additional use case for product development which supports the 2011 Maverick research by Matt Hotle on the shift from Projects to Products. 

We will also update several surrounding documents and are working on pieces around the market sub-segments.

The genesis of the Customer Engagement Center idea is evolutionary, and in no way revolutionary. Call Centers ruled the ’70s through 1990s, and Contact Centers have ruled ever since. Dinosaurs too ruled for a long time, and in the same way, Contact Centers are having their own asteroid collision theory now. Why? Because just responding to a customer’s immediate request for help is grossly insufficient. Phone, email, IVR, chat are all fab when designed properly. But that is reactive for the most part. Today, were we to drop our organizational handcuffs, we have the ability to extend our reach into Social Media. Is a customer or prospect who posts to Facebook, or to a community site, or out to Twitter, any less deserving of our attention?

The major transition is from “Contact” to “Engagement.” It will take most organizations a long time to relinquish the idea that the Digital Marketing group does the listening, but no one does responding – at least not systematically. It is not marketings job, but neither is it the job, in most organizations, for Customer Support to engage on social media. And what about consistent business rules? Today there is one set of rules for traditional contact, and another set of quasi-al fresco approach to social engagement.

The bottom line: sometimes it’s good to stretch ones field of vision. The phrase “Customer Engagement Center” may or may not ever enter the common vocabulary of IT or business buyers. Already there have been many nay-sayers (life Hem, Haw, Sniff and Scuffy from Who Moved My Cheese) who think the change is too big, or that it is much ado about nothing. And that might just be. Life has a way of self-healing, and the new term may be scabbed over and gone. OR, something else might happen: organizations will start to see that the concept of customer engagement – the act of treating customers with intent, integrity, consistency and gaining their trust – is a winning ticket.

What do you think? Flash in the pan, or an idea with legs?

(Thank you for an amazing Customer360 Conference in San Diego – just great attendees, providing such great feedback and asking wonderful questions!! Off to London in a couple of weeks to see how our EU clients – see http://gtnr.it/181SMyp )

Here are just a few of them:

a) One of the more troubling issues of these breaches is the difficulty in determining the points of the network chain that were breached by the fraudsters. This makes it very difficult for card issuers to recover their lost funds because they don’t know who is liable for the breach.

b) From conversations I’ve had with various issuer clients regarding recent breaches, the card brands (Visa and MasterCard) are often not has helpful in helping card issuers recover funds as the issuers would like them to be, perhaps because the card brands don’t know where to assign the liability.

c) Frankly, from a holistic viewpoint, companies that accept or process card payments are in a no-win situation when it comes to a breach. They can do their best and spend lots of money and time becoming PCI certified, but this gives them no safe harbor from penalties that are incurred if they are still breached. And the auditors (qualified security assessors) that certify these eventually breached companies as PCI compliant have BIG disclaimers in their contracts that they take NO responsibility if in fact their clients are breached.

d) There are so many parties in the payment chain that it is very difficult to assign blame in these types of breaches. For example, there can easily be seven roundtrip hops or more between an ATM cash disbursement request and the cash disbursement. The leakage can happen at any of those points or hops.

e) A point-the-finger and assign-blame approach is in the end, a dead-end approach and a lose-lose for all parties concerned. A win-win approach would be to strengthen the security of the card payment system through stronger user authentication and more secure media used to request payments or cash withdrawals (e.g. CHIP and PIN based on the EMV standard).

f) Until then, we will continue to try to keep a leaky insecure payment system secure. It reminds me of the little Dutch boy who stuck his finger in the dyke and successfully stopped the sea water from flooding his home town. He was successful because he stopped the leak when it was very small. I think we are too late when it comes to our global card payment systems. We probably need at the least, a major cyber-army, in this instance.

With the latest insights on how global economics and market forces are challenging IT vendors and departments to act creatively, I hope you’ll find the new blog a valuable resource during your day’s reading. Please keep the discussions rolling by contributing with comments to help further debate and your own insights into how we can survive and thrive in these uncertain economic times.

Richard Gordon