<?xml version="1.0" encoding="ISO-8859-1"?>
<rss version="2.0" xmlns:myita="http://www.it-analysis.com/feed/ns">
    <channel>
        <title>IT-Director.com</title>
        <description>The latest independent, impartial information technology and business analysis from the Business Issues domain on IT-Director.com.</description>
        <link>http://www.it-director.com/r/do/3/f/fd_side_itd</link>
        <lastBuildDate>Thu, 09 Feb 2012 00:29:23 +0100</lastBuildDate>
        <generator>FeedCreator 1.7.2MW</generator>
        <language>en</language>
        <copyright>Content Copyright 2012 as indicated per item.</copyright>
        <item>
            <title>Nuance on track to transform enterprise printing</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13157&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12348/louella_fernandes.php?ref=fd_side_itd" title="View profile for Louella Fernandes"><img border="0" src="http://www.it-director.com/images/people/small/louella_fernandes.gif" width="40" height="50" alt="Louella Fernandes" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12348/louella_fernandes.php?ref=fd_side_itd" title="View profile for Louella Fernandes">Louella Fernandes</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 2nd February 2012<br/>Copyright Quocirca &copy; 2012</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Nuance is a company with a plethora of products that cover the gamut of voice recognition, document capture and print management. Nuance has largely grown through acquisition (about 50 in the last ten years) so it is probably better known by its product names which include established brands such as PaperPort (desktop productivity), OmniPage (OCR), Dragon Dictate (voice recognition), eCopy (document capture and workflow) and Equitrac (print management) &#8211; its most recent acquisition. Overall, Nuance&#8217;s revenue reached &#36;1.318 billion in 2011, with 2012 sales expected to reach &#36;1.6 billion.&#160; Boosted by its eCopy and Equitrac acquisitions, its imaging division growth has been strong, revenue reaching &#36;177m in 2011 and expected to exceed &#36;200m in 2012.</p>
<p>At its first European analyst event in London, Nuance discussed its strategic priorities for 2012, which include integration of its scan and print products and expansion of mobile and cloud delivery platforms. Nuance&#8217;s goal is to become the &#8220;MFP software standard&#8221; through delivering integrated cross-platform document capture and print management products &#8211; eCopy and Equitrac. Today, both products are well established, and Equitrac is already widely used to control and monitor print usage and costs across many verticals, with a particularly strong presence in the legal market &#8211; Nuance estimates that, globally, over 3,000 law firms use Equitrac. Its strong MFP and printer partner alliances mean Equitrac has long been used by major printer and copier OEMs such as HP, Ricoh and Xerox to provide enhanced multivendor print management capabilities for tracking, monitoring and reporting on scan, copy and print usage to their managed print services (MPS) customers.</p>
<p>This broadens the already strong OEM relationships on the eCopy side, including Canon, Konica Minolta and others.&#160; With Equitrac, eCopy and its desktop products, Nuance has business relationships with nearly all major MFP, printer and scanner manufacturers worldwide.</p>
<p><strong>Capturing the MPS opportunity</strong><br />Nuance sees MPS as a key driver for its growth in the coming year and views the Equitrac and Nuance document imaging solutions as important components of helping MPS providers to succeed. Indeed there is rapid adoption - Quocirca research shows that around 45% of large corporates now have some form of MPS as they seek to reduce the cost and complexity of operating previously unmanaged printer fleets, typically characterised by a patchwork of devices from different manufacturers, with different consumables, paper, supplier and service requirements. Few organisations have the tools to track and monitor usage leading to spiralling print costs &#8211; both financial and environmental. Security is also an issue as all too often documents are left in output trays exposed to prying eyes.</p>
<p>MPS addresses these issues through three major phases &#8211; assessment, optimisation and on-going continuous management. Nuance&#8217;s Equitrac products have a strong part to play in all phases, helping organisations to not only reduce print wastage through tracking and reporting, but also enhance security, promote user mobility and reduce environmental impact. Key to this is Equitrac&#8217;s &#8220;Follow-You&#8221; or pull-printing which releases documents only upon user authentication &#8211; through either user PIN or smart card authentication. The results are compelling - Liverpool John Moores University discussed how they had saved &#163;100,000 and reduced page volumes by 4.5 million per year through implementing Equitrac.</p>
<p>Nuance is also looking to address the largely untapped opportunity for MPS in the SMB market, via the reseller channel. Many resellers lack the resources or skills to deliver their own MPS, and are looking for a low-cost approach based on 3rd party platforms. Nuance intends to participate in this market which is seeing the emergence of cloud-based MPS offerings from vendors such as HP and Xerox. To capitalize on the emergence of cloud-based technologies and to support its partners&#8217; Managed Services initiatives, Nuance will continue to expand its product portfolio (print management, capture and OCR) from on-premise deployments to off-premise (cloud) models. This will provide a set of cloud-based print management, document capture and OCR technology services to partners who wish to include them as part of their own managed services offerings.&#160;</p>
<p>With the likes of HP and Xerox already having established cloud MPS platforms, Quocirca believes that Nuance will need to get these solutions to market quickly, particularly if it wishes to target the emerging ecosystem of independent MPS providers who will be looking for multivendor supported cloud-based services.</p>
<p>Quocirca believes that Nuance has product breadth, technical resources and channel reach to create a compelling set of enterprise cloud services around its eCopy and Equitrac products. However, given that both eCopy and Equitrac platforms have been gained through acquisition, Nuance still has some work to integrate them.</p>
<p><strong>Talking to printers?</strong><br />Given its heritage in speech recognition consumer technology, Nuance is uniquely positioned to apply this technology to enhance the printer and MFP user experience. The printer industry is far from immune from IT consumerisation, which continues to influence user expectations in the workplace. Whilst employees are used to the convenience, elegance and usability of tablets and smartphones, MFPs, in comparison, are in danger of becoming the elephant in the room.</p>
<p>Whilst most people are familiar with how to press print or copy, few users bother navigating complex nested menus to access finishing options or scan features. Businesses&#160;may therefore miss opportunities to minimise paper wastage through using&#160;features such as duplex or booklet printing instead of single side printing.&#160;</p>
<p>One technology that could improve the use of MFPs is&#160;voice recognition.&#160;Nuance has long been a leader in this field, and quietly provides back-end voice recognition functionality for Apple&#8217;s Siri. Could we in the future be telling our printers to print and staple 5 copies of a document &#8211; or scan a document and email it to a colleague? Yes - according to Nuance, the technology is already here to make it possible. It remains to be seen whether hardware vendors will embrace this opportunity to bring printers and MFPs into the 21st century.</p>]]></description>
            <author>rss@it-analysis.com (Louella Fernandes, Quocirca)</author>
            <category>Enterprise-&gt;Technology</category>
            <category>Services-&gt;Consulting</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <pubDate>Thu, 02 Feb 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13157&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Innovation Games - A Fun Way to Discover Customer Insight and Improve Product Marketing</title>
            <link>http://www.it-director.com/business/innovation/content.php?cid=13156&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/41/mark_mcgregor.php?ref=fd_side_itd" title="View profile for Mark McGregor"><img border="0" src="http://www.it-director.com/images/people/small/mark_mcgregor.gif" width="40" height="50" alt="Mark McGregor" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/41/mark_mcgregor.php?ref=fd_side_itd" title="View profile for Mark McGregor">Mark McGregor</a>, <em>Research Director</em>, Bloor Research<br/>Posted: 31st January 2012<br/>Copyright Bloor Research &copy; 2012</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>In my recent article <a href="http://bit.ly/tiB6Ge" rel="nofollow">"The Game of Process Improvement"</a>, I referred to a book called "Innovation Games". The book is packed with details on how any of us can leverage Innovation Games to gain greater insight into our customers and users. Something that is critical to the success of BPM and Process projects, but also can be applied to the vendors of these, and other products too. Last week I spent some time talking with Luke, the author, about the book, the games and his company.</p>
<p>When it comes to the use of games in business I am a firm believer that they should enable people to learn. As I mentioned in my previous article, we learn more by play than by analysis. Luke, though, is concerned about making sure people understand that his games are not seen as simply a learning tool, but a business tool directed towards delivering specific outcomes. Of course he still believes that they can and should be fun!</p>
<p>Luke has undertaken a lot of research into the linkages between the brain and productivity. In his words: "Productivity Games are not simply 'more fun' - they are literally more effective. This is due to the fact that the concept of play is deeply integrated into human beings' mental development."</p>
<p>"Studies tell us that there are parts of the brain that we do not access when we are simply discussing our views, or trying to think through a complicated situation. However, when we play a well structured game with other interested players, our actions, interactions with other players, and explanations of our behaviour can provide a better, more comprehensive view of how and why we make certain decisions."</p>
<p>Innovation Games, although a relatively young company, boasts an extremely impressive customer list. Companies, including Adobe, SAP, Aladdin, Wyse, Google and Qualcomm, have all leveraged Innovation Games to improve holistic design thinking, discover new business opportunities, drive strategy and product road map decisions, improve the effectiveness of sales and service organisations, fine tune marketing messages, and create more intimate, durable relationships with customers.</p>
<p>One of the challenges that Luke has faced over the years is the stigma associated with the idea of using games in business. In part this is due to the mistaken understanding that games do not equate to work. This has led to him and others using the term "serious games", although he (and I) prefer the term that he also uses - "Productivity Games" - to try and overcome these obstacles.</p>
<p>I agree totally with Luke that the objective has to be to deliver objective, useable business outcomes, and Innovation Games amply delivers on this front. I also come from the perspective that, for effective change to take hold, then people need not just outcomes but the learning. The ability to come to their own "Aha!" or "Light Bulb" moment. So for me it is also about going back and seeing how people learn most effectively and, as we say, this is through structured play.</p>
<p>What I can see is that there is a need for people to be able to understand how to differentiate between unstructured and structured play. I can also see that even the most boring of analysis tasks can be made to be more fun through games. So perhaps we could use terms like "Strategy Games" or "Objective Gaming" to make it clear that in board game terms it is more like <a href="http://en.wikipedia.org/wiki/Risk_(game)" rel="nofollow">'Risk'</a> or <a href="http://en.wikipedia.org/wiki/Diplomacy_(game)" rel="nofollow">'Diplomacy'</a> rather than 'Ludo' or 'Snakes &amp; Ladders' - e.g. it is a game, should be fun, but is directed toward a targeted outcome. As mentioned in the previous article, there are many business leaders who have successfully grown businesses using their love of, and skill at, the game of chess to succeed.</p>
<p>Truly successful games need to deliver both concrete outcomes and learning. The outcomes ensure that you are making good use of your time and getting business value, while the learning ensures that your people continue to grow and develop. The great thing about the Innovation Games concept, as developed and promoted by Luke, is that it delivers on both counts. One only has to take a look in more depth at the success stories to see how much has been saved/made/changed to understand that the results are definitely there. If you take the time to talk with people who have been involved in those projects, you will hear them enthuse about learning things that they did not even realise were important.</p>
<p>Next month, during my trip to California, I hope to meet with Luke and learn first hand more about the way he and the team leverage Innovation games.</p>]]></description>
            <author>rss@it-analysis.com (Mark McGregor, Bloor Research)</author>
            <category>Business Issues-&gt;Innovation</category>
            <category>Enterprise-&gt;Other</category>
            <pubDate>Tue, 31 Jan 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/innovation/content.php?cid=13156&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Overlapping Criminal and State Threats Pose Cyber Security Threat to Global Internet Commerce</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13129&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 5th January 2012<br/>Copyright Interarbor Solutions &copy; 2012</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>This special BriefingsDirect thought leadership interview comes in conjunction with <a href="http://www3.opengroup.org/sanfrancisco2012" rel="nofollow">The Open Group Conference</a> this January in San Francisco.</p>
<p>The conference will focus on how IT and enterprise architecture support enterprise transformation. Speakers in conference events will also explore the latest in service oriented architecture (SOA), cloud computing, and security.</p>
<p>We&#8217;re here now with one of the main speakers, <a href="http://www.josephmenn.com/" rel="nofollow">Joseph Menn</a>, Cyber Security Correspondent for the Financial Times and author of <a href="http://fserror.com/" rel="nofollow">Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet</a><em>.</em></p>
<p>Joe has covered security since 1999 for the Financial Times and, before that, for the Los Angeles Times. Fatal System Error is his third book; he also wrote <a href="http://www.josephmenn.com/atr.php" rel="nofollow">All the Rave: The Rise and Fall of Shawn Fanning's Napster</a><em>.</em></p>
<p>As a lead-in to his Open Group presentation, entitled "What You're Up Against: Mobsters, Nation-States, and Blurry Lines," Joe Menn explores the current cyber-crime landscape, the underground cyber-gang movement, and the motive behind governments collaborating with organized crime in cyber space. The interview is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]</p>
<p>Here are some excerpts:</p>
<p><strong>Gardner:</strong> Have we entered a new period where just balancing risks and costs isn't a sufficient bulwark against burgeoning cyber crime?</p>
<p><strong>Menn:</strong> Maybe you can make your enterprise a little trickier to get into than the other guy&#8217;s enterprise, but crime pays very, very well and, in the big picture, their ecosystem is better than ours. They do capitalism better than we do. They specialize to a great extent. They reinvest in R&amp;D.</p>
<p>On our end, on the good guys&#8217; side, it's hard if you're a chief information security officer (CISO) or a chief security officer (CSO) to convince the top brass to pay more. You don&#8217;t really know what's working and what isn't. You don&#8217;t know if you've really been had by something that we call advanced persistent threat (APT). Even the top security minds in the country can't be sure whether they&#8217;ve been had or not. So it's hard to know what to spend on.</p>
<p>The other side doesn&#8217;t have that problem. They&#8217;re getting more efficient in the same way that they used to lead technical innovation. They're leading economic innovation. The freemium model is best evidenced by crimeware kits like ZeuS, where you can get versions that are pretty effective and will help you steal a bunch of money for free. Then if you like that, you have the add-on to pay extra for&#8212;the latest and greatest that are sure to get through the antivirus systems.</p>
<p><strong>Gardner:</strong> When you say "they," who are you really talking about?</p>
<p><strong>Menn:</strong> They, the bad guys? It's largely Eastern European organized crime. In some countries, they can be caught. In other countries they can't be caught, and there really isn't any point in trying.</p>
<p>It's a geopolitical issue, which is something that is not widely understood, because, in general, officials don&#8217;t talk about it. Working on my book, and in reporting for the newspapers, I've met really good cyber investigators for the Secret Service and the FBI, but I&#8217;ve yet to meet one that thinks he's going to get promoted for calling a press conference and announcing that they can&#8217;t catch anyone.</p>
<p>So the State Department, meanwhile, keeps hoping that the other side is going to turn a new leaf, but they&#8217;ve been hoping that for 10 or more years, and it hasn&#8217;t happened. So it's incumbent upon the rest of us to call a spade a spade here.</p>
<p>What's really going on is that Russian intelligence and, depending on who is in office at a given time, Ukrainian authorities, are knowingly protecting some of the worst and most effective cyber criminals on the planet.</p>
<p><strong>Gardner:</strong> And what would be their motivation?</p>
<p><strong>Menn:</strong> As a starting point, the level of garden-variety corruption over there is absolutely mind-blowing. More than 50 percent of Russian citizens responding to the <a href="http://www.bbc.co.uk/news/business-15544841" rel="nofollow">survey</a> say that they had paid a bribe to somebody in the past 12 months. But it's gone well beyond that.</p>
<p>The same resources, human and technical, that are used to rob us blind are also being used in what is fairly called cyber war. The same criminal networks that are after our bank accounts were, for example, used in denial-of-service (DOS) attacks on Georgian and Estonian websites belonging to government, major media, and Estonian banks.</p>
<p>It's the same guy, and it's a "look-the-other-way" thing. You can do whatever crime you want, and when we call upon you to serve Mother Russia, you will do so. And that has accelerated. Just in the past couple of weeks, with the disputed elections in Russia, you've seen mass DOS attacks against opposition websites, mainstream media websites, and live journals. It's a pretty handy tool to have at your disposal. I provide all the evidence that would be needed to convince the reasonable people in my book.</p>
<p><strong>Gardner:</strong> In your book you use the terms "bringing down the Internet." Is this all really a threat to the integrity of the Internet?</p>
<p><strong>Menn:</strong> Well integrity is the key word there. No, I don&#8217;t think anybody is about to stop us all from the privilege of watching skateboarding dogs on YouTube. What I mean by that is the higher trust in the Internet in the way it's come to be used, not the way it was designed, but the way it is used now for online banking, ecommerce, and for increasingly storing corporate&#8212;and heaven help us, government secrets&#8212;in the cloud. That is in very, very great trouble.</p>
<p>I don&#8217;t think that now you can even trust transactions not to be monitored and pilfered. The latest, greatest versions of ZeuS get past multi-factor authentication and are not detected by any antivirus that&#8217;s out there. So consumers don&#8217;t have a prayer, in the words of <a href="http://www.rsa.com/node.aspx?id=1004" rel="nofollow">Art Coviello</a>, CEO of RSA, and corporations aren&#8217;t doing much better.</p>
<p>So the way the Internet is being used now is in very, very grave trouble and not reliable. That&#8217;s what I mean by it. If they turned all the botnets in the world on a given target, that target is gone. For multiple root servers and DNS, they could do some serious damage. I don&#8217;t know if they could stop the whole thing, but you're right, they don&#8217;t want to kill the golden goose. I don&#8217;t see a motivation for that.</p>
<p><strong>Gardner:</strong> If we look at organized crime in historical context, we found that there is a lot of innovation over the decades. Is that playing out on the Internet as well?</p>
<p><strong>Menn:</strong> Sure. The mob does well in any place where there is a market for something, and there isn&#8217;t an effective regulatory framework that sustains it&#8212;prohibition back in the day, prostitution, gambling, and that sort of thing.</p>
<p>... The Russian and Ukrainian gangs went to extortion as an early model, and ironically, some of the first websites that they extorted with the threat were the offshore gambling firms. They were cash rich, they had pretty weak infrastructure, and they were wary about going to the FBI. They started by attacking those sites in 2003-04 and then they moved on to more garden-variety companies. Some of them paid off and some said, "This is going to look a little awkward in our SEC filings" and they didn&#8217;t pay off.</p>
<p>Once the cyber gang got big enough, sooner or later, they also wanted the protection of traditional organized crime, because those people had better connections inside the intelligence agencies and the police force and could get them protection. That's the way it worked. It was sort of an organic alliance, rather than "Let&#8217;s develop this promising area."</p>
<p>... That is what happens. Initially it was garden-variety payoffs and protection. Then, around 2007, with the attack on Estonia, these guys started proving their worth to the Kremlin, and others saw that with the attacks that ran through their system.</p>
<p>This has continued to evolve very rapidly. Now the DOS attacks are routinely used as the tool for political repression all around the world&#8212;Vietnam, Iran and everywhere you&#8217;ll see critics that are silenced from DOS attacks. In most cases, it's not the spy agencies or whoever themselves, but it's their contract agents. They just go to their friends in the similar gangs and say, "Hey do this." What's interesting is that they are both in this gray area now, both Russia and China, which we haven't talked about as much.</p>
<p>In China, hacking really started out as an expression of patriotism. Some of the biggest attacks, <a href="http://en.wikipedia.org/wiki/Code_Red_%28computer_worm%29" rel="nofollow">Code Red</a> being one of them, were against targets in countries that were perceived to have slighted China or had run into some sort of territorial flap with China, and, lo and behold, they got hacked.</p>
<p>In the past several years, with this sort of patriotic hacking, the anti-defense establishment hacking in the West that we are reading a lot about finally, those same guys have gone off and decided to enrich themselves as well. There were actually disputes in some of the major Chinese hacking groups. Some people said it was unethical to just go after money, and some of these early groups split over that.</p>
<p>In Russia, it went the other way. It started out with just a bunch of greedy criminals, and then they said, "Hey&#8212;we can do even better and be protected. You have better protection if you do some hacking for the motherland." In China, it's the other way. They started out hacking for the motherland, and then added, "Hey&#8212;we can get rich while serving our country."</p>
<p>So they're both sort of in the same place, and unfortunately it makes it pretty close to impossible for law enforcement in [the U.S.] to do anything about it, because it gets into political protection. What you really need is White House-level dealing with this stuff. If President Obama is going to talk to his opposite numbers about Chinese currency, Russian support of something we don&#8217;t like, or oil policy, this has got to be right up there too&#8212;or nothing is going to happen at all.</p>
<p><strong>Gardner:</strong> What about the pure capitalism side, stealing intellectual property (IP) and taking over products in markets with the aid of these nefarious means? How big a deal is this now for enterprises and commercial organizations?</p>
<p><strong>Menn:</strong> It is much, much worse than anybody realizes. The U.S. counterintelligence a few weeks ago finally <a href="http://www.washingtontimes.com/news/2011/nov/3/us-report-blasts-china-russia-for-cybercrime/?page=all" rel="nofollow">put out a report</a> saying that Russia and China are deliberately stealing our IP, the IP of our companies. That's an open secret. It's been happening for years. You're right. The man in the street doesn&#8217;t realize this, because companies aren&#8217;t used to fessing up. Therefore, there is little outrage and little pressure for retaliation or diplomatic engagement on these issues.</p>
<p>I'm cautiously optimistic that that is going to change a little bit. This year the Securities and Exchange Commission (SEC) gave very detailed guidance about when you have to disclose when you&#8217;ve been hacked. If there is a material impact to your company, you have to disclose it here and there, even if it's unknown.</p>
<p><strong>Gardner:</strong> So the old adage of shining light on this probably is in the best interest of everyone. Is the message then that keeping this quiet isn&#8217;t necessarily the right way to go?</p>
<p><strong>Menn:</strong> Not only is it not the right way to go, but it's safer to come out of the woods and fess up now. The stigma is almost gone. If you really blow the PR like Sony, then you're going to suffer some, but I haven&#8217;t heard a lot of people say, "Boy, Google is run by a bunch of stupid idiots. They got hacked by the Chinese."</p>
<p>It's the definition of an asymmetrical fight here. There is no company that's going to stand up against the might of the Chinese military, and nobody is going to fault them for getting nailed. Where we should fault them is for covering it up.</p>
<p>I think you should give the American people some credit. They realize that you're not the bad guy, if you get nailed. As I said, nobody thinks that Google has a bunch of stupid engineers. It is somewhere between extremely difficult to impossible to ward off against "zero-days" and the dedicated teams working on social engineering, because the TCP/IP is fundamentally broken and it ain't your fault.</p>
<p>...[These threats] are an existential threat not only to your company, but to our country and to our way of life. It is that bad. One of the problems is that in the U.S., executives tend to think a quarter or two ahead. If your source code gets stolen, your blueprints get taken, nobody might know that for a few years, and heck, by then you're retired.</p>
<p>With the new SEC guidelines and some national plans in the U.K. and in the U.S., that&#8217;s not going to cut it anymore. Executives will be held accountable. This is some pretty drastic stuff. The things that you should be thinking about, if you&#8217;re in an IT-based business, include figuring out the absolutely critical crown jewel one, two, or three percent of your stuff, and keeping it off network machines.</p>
<p><strong>Gardner:</strong> So we have to think differently, don&#8217;t we?</p>
<p><strong>Menn:</strong> Basically, regular companies have to start thinking like banks, and banks have to start thinking like intelligence agencies. Everybody has to level up here.</p>
<p><strong>Gardner:</strong> What do the intelligence agencies have to start thinking about?</p>
<p><strong>Menn:</strong> The discussions that are going on now obviously include greatly increased monitoring, pushing responsibility for seeing suspicious stuff down to private enterprise, and obviously greater information sharing between private enterprise and government officials.</p>
<p>But, there's some pretty outlandish stuff that&#8217;s getting kicked around, including looking the other way if you, as a company, sniff something out in another country and decide to take retaliatory action on your own. There&#8217;s some pretty sea-change stuff that&#8217;s going on.</p>
<p><strong>Gardner:</strong> So that would be playing offense as well as defense?</p>
<p><strong>Menn:</strong> In the <a href="http://en.wikipedia.org/wiki/National_Defense_Authorization_Act" rel="nofollow">Defense Authorization Act</a> that just passed, for the first time, Congress officially blesses offensive cyber-warfare, which is something we&#8217;ve already been doing, just quietly.</p>
<p>We&#8217;re entering some pretty new areas here, and one of the things that&#8217;s going on is that the cyber warfare stuff, which is happening, is basically run by intelligence folks, rather than by a bunch of lawyers worrying about collateral damage and the like, and there's almost no oversight because intelligence agencies in general get low oversight.</p>
<p><strong>Gardner:</strong> Just quickly looking to the future, we have some major trends. We have an increased movement toward mobility, cloud, big data, social. How do these big shifts in IT impact this cyber security issue?</p>
<p><strong>Menn:</strong> Well, there are some that are clearly dangerous, and there are some things that are a mixed bag. Certainly, the inroads of social networking into the workplace are bad from a security point of view. Perhaps worse is the consumerization of IT, the bring-your-own-device trend, which isn't going to go away. That&#8217;s bad, although there are obviously mitigating things you can do.</p>
<p>The cloud itself is a mixed bag. Certainly, in theory, it could be made more secure than what you have on premise. If you&#8217;re turning it over to the very best of the very best, they can do a lot more things than you can in terms of protecting it, particularly if you&#8217;re a smaller business.</p>
<p>If you look to the large-scale banks and people with health records and that sort of thing that really have to be ultra-secure, they're not going to do this yet, because the procedures are not really set up to their specs yet. That may likely come in the future. But, cloud security, in my opinion, is not there yet. So that&#8217;s a mixed blessing.</p>
<p>You need to think strategically about this, and that includes some pretty radical steps. There are those who say there are two types of companies out there&#8212;those that have been hacked and those that don&#8217;t know that they&#8217;ve been hacked.</p>
<p>Everybody needs to take a look at this stuff beyond their immediate corporate needs and think about where we&#8217;re heading as a society. And to the extent that people are already expert in the stuff or can become expert in this stuff, they need to share that knowledge, and that will often mean, saying "Yes, we got hacked" publicly, but it also means educating those around them about the severity of the threat.</p>
<p>One of the reasons I wrote my book, and spent years doing it, is not because I felt that I could tell every senior executive what they needed to do. I wanted to educate a broader audience, because there are some pretty smart people, even in Washington, who have known about this for years and have been unable to do anything about it. We haven't really passed anything that's substantial in terms of legislation.</p>
<p>As a matter of political philosophy, I feel that if enough people on the street realize what's going on, then quite often leaders will get in front of them and at least attempt to do the right thing. Senior executives should be thinking about educating their customers, their peers, the general public, and Washington to make sure that the stuff that passes isn't as bad as it might otherwise be.</p>
<p><a href="http://traffic.libsyn.com/interarbor/BriefingsDirect-Author_Joseph_Menn_on_Cyber_Security_Cyber_Warfare_and_the_Growing_Threat_to_Internet_Commerce.mp3" rel="nofollow">Listen</a> to the podcast. Find it on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=85270006&amp;s=143441" rel="nofollow">iTunes/iPod</a>. Read a <a href="http://briefingsdirect.blogspot.com/2012/01/overlapping-criminal-and-state-threats.html" rel="nofollow">full transcript</a> or <a href="http://interarborsolutions.books.officelive.com/Documents/12192011TOGSFMENN.pdf" rel="nofollow">download</a> a copy.</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Thu, 05 Jan 2012 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13129&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Digital marketing technologies will start to deliver enterprise customer goals in 2012</title>
            <link>http://www.it-director.com/business/innovation/content.php?cid=13125&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12052/gerry_brown.php?ref=fd_side_itd" title="View profile for Gerry Brown"><img border="0" src="http://www.it-director.com/images/people/small/gerry_brown.gif" width="40" height="50" alt="Gerry Brown" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12052/gerry_brown.php?ref=fd_side_itd" title="View profile for Gerry Brown">Gerry Brown</a>, <em>Analyst - Digital Marketing &amp; CRM</em>, Bloor Research<br/>Posted: 22nd December 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>Marketing and IT have never been a match made in heaven. Extrovert creative communicators and geeky analytical techies rarely choose to passionately embrace. However, corporate needs, rather than partner choices, will take precedence in 2012.</p>
<p>Corporate confidence has been rocked by the ferocity and intensity of competition encountered during the current global economic downturn. Key clients and deals have been lost, salespeople are omitted from the early stages of procurements as customers research possible solutions online, and many products increasingly look undifferentiated and 'me-too'.</p>
<p>Many highly profitable companies are now 'looking down the gun barrel' of commoditisation and low margins caused by global competition. Senior management wants Marketing to make their companies more presentable, attractive, and relevant in order to restore premium pricing.</p>
<p>Marketing is now expected to take a central user role in selecting new customer-centric technologies. These include creating a Single Customer View (SCV) and involvement in customer-oriented uses and applications for 'big data'. Marketing needs to report on customer insights and analytics, better manage the customer experience, and to embrace new social media and mobility. Even 75% of marketers identify these latter elements as 'important' says a recent Marketing Week / SAS study. Little wonder then that 'familiarity with marketing technologies' is the most desirable attribute for new hires in marketing, according to an eConsultancy / Eloqua report.</p>
<p>To date, many digital marketing technology investments have been piecemeal and low cost, and funded out of general discretionary marketing budgets. Often marketers outsource digital marketing to ESPs (Email Service Providers) and creative agencies to manage customer and sales prospect databases, email campaign execution, search and online advertising, and web site management.</p>
<p>In 2012 marketers will take back some control of digital assets from external agencies. Digital marketing will emerge as an enterprise mission-critical core competence, managed in-house and supplemented with specialist agency skills, not the other way around. More techie analyst / statistician types will be recruited into marketing. Digital marketing investment will need to ratchet up a gear in 2012 as data-driven Marketing takes centre stage.</p>
<p>"So what has this got to do with the IT Department?" you might ask. Well, Marketing mostly will not have the line-item budget to support the level of digital marketing investment required. Secondly, marketers may be gaining desktop IT skills, but have a limited understanding of enterprise IT architectures and the constraints and complexities associated with managing and controlling enterprise data. Marketers rarely have the attention to detail, the numerical and statistical disciplines, and the procedural rigour that is commonplace in the IT Department.</p>
<p>Marketing needs financial help and technical support from the IT Department to make digital marketing happen in the all-embracing manner envisioned by corporate management. New scalable digital marketing technologies, common platforms, and open standards will be required to ensure interoperability with cloud services. Legacy digital marketing systems will be migrated or replaced. 'Proper' IT management and support is required from the IT Department. Marketers need to get on with the day job of being professional marketers, rather than tactical amateur technologists with the resultant risks to data integrity, security, and compliance, as has been happening recently.</p>
<p>In summary, IT and Marketing will need to create a close and harmonious relationship to produce the customer-centric end-result demanded by corporate management. The passionate embrace required may take some humbleness from both sides. However, such a business-IT partnership has a great opportunity to deliver against corporate goals, and enhance the image of two much-maligned departments that often suffer from a lack of corporate credence and credibility.</p>]]></description>
            <author>rss@it-analysis.com (Gerry Brown, Bloor Research)</author>
            <category>Business Issues-&gt;Innovation</category>
            <category>Enterprise-&gt;Other</category>
            <pubDate>Thu, 22 Dec 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/innovation/content.php?cid=13125&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Intellectual Property Theft: Protecting Data Against Cyber Criminals</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13113&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley"><img border="0" src="http://www.it-director.com/images/people/small/nigel_stanley.gif" width="40" height="50" alt="Nigel Stanley" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12514/nigel_stanley.php?ref=fd_side_itd" title="View profile for Nigel Stanley">Nigel Stanley</a>, <em>Practice Leader -  IT Security</em>, Bloor Research<br/>Posted: 20th December 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>Criminals are criminals. Although there are some novel crimes committed against computer systems, almost all of these crimes fit into the mould of good old-fashioned offences such as theft, fraud and harassment. Unfortunately the often remote, cross-jurisdictional and complex technical nature of many computer crimes makes these offences far more difficult to investigate and successfully prosecute. Physical crimes are normally so much more straightforward to deal with.</p>
<p>Another complicating factor of computer crime is the sheer scale of the offences being committed. Adding more zeros to a fraudulent bank transfer is easy - so why not go for tens of millions rather than just millions? Creating a Botnet controlling 5 computers is as easy as creating a Botnet of 5 million.</p>
<p>Intellectual property theft and industrial espionage have been around ever since one person was seen to have a better idea than another. The problem with computerised intellectual theft is that we see the stealing of designs, plans and technical documents on an industrial scale - way beyond the imagination of a cold war spy equipped with a micro camera.</p>
<p>We now face organised attempts to steal intellectual property in whatever form it may take. It seems to me that, in many cases, there are organised attempts to suck up as much intellectual property as can possibly be found.</p>
<p>Motivations may be commercial espionage or, in many instances but difficult to prove, state-sponsored espionage designed to enable, in the main, emerging economies to accelerate their growth.</p>
<p>Much of the reporting around this area is accompanied by a nudge and a wink, and the usual state perpetrators alluded to rather than open and direct accusations being made, probably as the diplomatic fall out could be considerable. With the current state of western economies, upsetting the provider of your country's national loan may not be the wisest of strategies.</p>
<p><strong>IP Protection</strong><br />Returning from the macro to the micro what can companies and organisations do today to protect their intellectual property?</p>
<p>The good news is that by applying some good user education and sound, proven technologies most intellectual property attacks can be thwarted. In many instances these attacks are successful due to people doing silly things rather than deliberate theft. I call this type of inside threat the incompetent and non-malicious rather than the competent and malicious. In many instances, and we have all seen it and maybe done it, accidentally sending an email attachment to the wrong email address can happen all too often.</p>
<p>The ability for many email client applications to automatically resolve addresses is often to blame, as one Fred Smith may be your boss and another Fred Smith may be your competitor. A couple of years ago this type of problem was attracting the attention of IT security vendors selling data loss prevention products, designed to stop just such accidental leaks. This was done by building up a data flow knowledge base and trapping out of course errors. Unfortunately for a number of reasons this type of solution didn't take off as much as I thought it might do. I think this was down to implementation issues and the fact that this type of intelligence-based solution is quite difficult to get right.</p>
<p><strong>Tools and Technologies</strong><br />There are a number of tools and technologies placed to help protect against intellectual property loss or theft. There is no silver bullet and technologies across all of these areas will need to be carefully considered.</p>
<p>Turning plain data into unreadable gibberish using encryption enables a business to protect its data. Modern day encryption technologies are effectively unbreakable without a suitable key and the implementation of a good system should not see any detrimental effect on speed of data transfer or a slowing of business systems. The encryption system should include recovery and accessibility options so that in both the short term and long term the data can be made available to the business. Key management is a vital part of any data encryption strategy.</p>
<p>There are increasing amounts of technology that can detect a pattern of behaviour symptomatic of an inside threat. Intrusion detection systems, coupled with intrusion prevention systems working as a form of smart firewall, can be extremely useful tools.</p>
<p>Access controls enable an audit trail such that if there is a data leak it can be traced back to a likely culprit. Combining identity management with a separation of duties strategy can prevent the likelihood of any one individual having such a holistic view of systems that they could compromise the data by themselves. A strategy of "least privileges" to do their job should be implemented for all staff.</p>
<p>As emails are now regarded on the same legal basis as a note on headed paper, outbound emails can easily violate a company's security policy either following a deliberate act or one of incompetence. Putting in place tools to enforce best practice email management can help reduce this risk. These tools can also reduce the chances of intellectual property slipping out unnoticed.</p>
<p>Preventing the download of a customer or product design database is probably high up on the agenda for anyone monitoring an inside threat. Some attacks can be more sinister and less obvious than an entire download, such as financial data being queried at the wrong time of year. By putting in a database assurance layer to the threat protection matrix you can detect and deal with any out of course or abnormal database access behaviour.</p>
<p>By putting in place an Enterprise Security Management product it is possible to have a holistic view of your inside threat from a central monitoring point. Risk can be uncovered by monitoring contextual data to see what is going on inside the business and algorithms used to flag unusual or threatening behaviour in real time. These issues can be flagged to IT or the business for immediate, appropriate action.</p>
<p>Inappropriate or unusual web-based activity can be an indicator that there may be an emerging inside threat. By using a tool to help enforce corporate web usage and Instant Messaging guidelines you can also detect an inside threat in real time, be it reputational as users visit unauthorised sites, or a more direct threat as they start a business in direct competition to their employer.</p>
<p>Software development is complex at the best of times - but how do you know that one of your developers has not written code that either accidentally or deliberately compromises your product or internal systems? Few IT security professionals understand software development as well as they do IT security, and this weakness can and has been exploited by developers.</p>
<p>Monitoring data as it moves through an organisation is critical, as it can easily be diverted to a USB key and taken outside the business with a couple of mouse clicks. By putting in place a data loss management system each data move can be monitored and unusual movements flagged for immediate action. Contextualising data access is important, for example product design data being accessed from home at 3 am on a Sunday morning could be suspicious.</p>
<p>Solutions are now available that can restrict device and port control at an extremely granular level, such as defining specific data that can be copied to a specific USB key with a particular serial number. These products will often use encryption technologies to protect data on the USB key.</p>
<p>Users, maybe frustrated with poor applications, can very easily start to threaten the stability of a software estate. Tools and policies need to be implemented and then monitored to ensure that only approved software is loaded and used. Unlicensed software can also prove a reputational risk as it is illegal to use and the associated publicity can be an embarrassment.</p>
<p>Anti-virus and anti-malware software has a big part to play in terms of offering a basic line of defence, and good quality advice, training and consultancy at the right time can save an organisation a lot of time and money. The more objective the advice, the more valuable it is likely to be.</p>
<p><strong>The Smartphone Risk</strong><br />I do want to mention what I consider to be a big threat to intellectual property protection and that is the huge increase in the use of smartphones. Every company I work with has an executive team fully equipped with these fantastic tools that I believe are the most intimate form of IT we have ever had. We take them everywhere and their capability is every bit as good as fully fledged PCs were only a few years ago. Unfortunately smartphones are now coming under the spotlight of hackers and malcontents as they fully understand that the value of intellectual property on these devices can be significant. This data is often the freshest and most relevant to the business being targeted as it is residing on executives' mobile devices ready for immediate access.</p>
<p>The security industry has failed to embrace these devices as quickly as the consumer, resulting in some major security issues remaining unfixed, increasing smartphone vulnerability. For many companies, securing these devices should be a top of the list priority.</p>
<p><strong>In Summary</strong><br />The threat to intellectual property is very real. Even the most motivated, committed and enthusiastic staff can and will make mistakes that may result in significant data loss. By investing in appropriate technology solutions coupled with regular staff training and awareness sessions to mitigate your inside threat, you are taking proactive steps that should see this problem significantly reduce.</p>]]></description>
            <author>rss@it-analysis.com (Nigel Stanley, Bloor Research)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <pubDate>Tue, 20 Dec 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13113&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>There is value in the system</title>
            <link>http://www.it-director.com/business/compliance/content.php?cid=13117&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 20th December 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>For IT users, the most important things are the applications that enable them to do their jobs and the devices they access those applications from. However, system administrators (sys-admins), responsible for ensuring end-user devices can link to the applications, know it takes a lot more in between. Resellers know this too; selling both the high and low profile equipment is their bread and butter. What resellers may not realise is the extent to which their customers fail to manage much of their equipment securely and effectively and the additional opportunity this represents.</p>
<p>A new Quocirca research report&#8212;Conquering the sys-admin challenge&#8212;underlines the extent of the problem. It looked at three broad areas: the management of privilege, the ability to automate sys-admins' tasks and ensuring compliance.</p>
<p>The over-granting of privilege is a common problem; sys-admins are often granted access to more equipment than is necessary and they often have access to data they have no need to see (Figure 1). This is a problem, not because sys-admins are innately malicious people (although a few have turned out to be) but because, just like anyone else, they can make mistakes.</p>
<p><img src="http://www.it-director.com/images/CRNSlide1.gif" alt="Slide 1" width="450" height="316" /></p>
<p>Errors made when acting under privilege can have a serious impact on the availability of IT systems. For example, the failure to back up a server properly (or at all) may mean data is lost and a project is put back by days or weeks; wrongly reconfiguring a network firewall may lead to remote users being locked out of systems they need to access; or spinning down the wrong disk volume for maintenance purposes may leave an email server out of action.</p>
<p>The new research shows that the average sys-admin's error rate is about 7%. One way to reduce error rates is better management of privilege. To achieve this it is necessary to have tools in place to manage the scope of privilege access, limiting the range of data and devices a sys-admin has access to and the time they have access for.</p>
<p>There is another way to reduce error rates&#8212;more automation of sys-admin tasks. Many tasks are mundane and repetitive. A good example is data protection: most organisations regularly back up file servers and many have automated this. However, other devices need protecting too and it is less likely that the settings of firewalls, routers and load balancers are backed up (Figure 2). This is important for ensuring a quick recovery in the case of failure and the task is an easy one to automate with the right tools. Other tasks can also be automated, including the gathering of data for audits.</p>
<p><img src="http://www.it-director.com/images/CRNSlide2.gif" alt="Slide 2" width="450" height="316" /></p>
<p>This brings us full circle, because one area that auditors are keen to see IT departments have control of is the use of privilege. Some standards are specific about the management of privileged users. One of the controls in the IT service management standard (ITSM) ISO 270001 states, &#8220;the allocation and use of privileges shall be restricted and controlled&#8221;. The Payment Card Industries Data Security Standard (PCI DSS) recommends, &#8220;auditing all privileged user activity&#8221;.</p>
<p>Many organisations do not have the controls in place to make sure this required data is gathered. Indeed some admit to appalling practices, in particular the uncontrolled changes to sys-admin procedures immediately prior to audits, which then lapse following the audit. Over two thirds of respondents admitted this happened at least occasionally; for some it was a regular practice (Figure 3).</p>
<p><img src="http://www.it-director.com/images/CRNSlide3.gif" alt="Slide 3" width="450" height="316" /></p>
<p>When it comes to helping customers with the management of privilege, the automation of sys-admins and ensuring compliance, resellers can take one of two approaches. They can either ensure the tools to do their job are available as part of their portfolio or they can use such tools themselves to provide managed services. Vendors that focus on the management of privilege and the automation of IT include Osirium (the sponsors of Quocirca&#8217;s latest report), CA, Cyber-Ark, Quest Software and Lieberman Software.</p>
<p>Quocirca&#8217;s new report is freely available to IT-Director readers via this link: <a href="http://www.quocirca.com/news/88" rel="nofollow">http://www.quocirca.com/news/88</a></p>
<p><em>This article first appeared in the Computer Reseller News (CRN) UK print edition.</em></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Compliance</category>
            <category>Technology-&gt;Systems Mgmt</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Tue, 20 Dec 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/compliance/content.php?cid=13117&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Secure disposal of old IT equipment</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/12/secure_disposal_of_old_it_equipmen_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 19th December 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Network and security devices age just like any other IT equipment. As the IT industry moves toward 100 gigabit/second Ethernet and 100 megabit/second broadband connections, many existing devices will no longer cope with traffic volumes. The need to replace routers, firewalls, load-balancers, content filtering devices etc. is an on-going process.</p>
<p>Some devices may be reusable by smaller organisations and have a second-hand value; others may just be fit for the dump; when the latter is the case they must be disposed of in line with environment regulations such as the UK Environment Agency&#8217;s waste electrical and electronic equipment (WEEE) directive.<br />&#160;<br />Either way, such devices will end up in the hands of third parties, and their eventual destination cannot be guaranteed. These devices have all sorts of confidential data and settings stored on them, such as user details and network access settings. In the wrong hands these could be used to gain access to private networks, and in any case the leaking of such data may constitute a data privacy breach. It is therefore necessary to ensure all such data is securely deleted before devices are disposed of.<br />&#160;<br />It varies by industry, but a recent Quocirca research report shows that around 40% of all organisations said they were not confident all such data was safely removed prior to device disposal. Quocirca suspects that even those who claim to have done so have not actually shredded data but just &#8220;deleted&#8221; it, and a determined hacker may still be able to retrieve it. Only audited disk shredding or secure reformatting tools, carried out by screened staff, can ensure such devices are completely safe to dispose of.<br />&#160;<br />To see the full research behind this and get a free copy of Quocirca&#8217;s report &#8211; &#8220;Conquering the sys-admin challenge&#8221; &#8211; click here&#160;<a href="http://www.osirium.com/alpha-files/wp" rel="nofollow">http://www.osirium.com/alpha-files/wp</a></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Technology-&gt;Security</category>
            <category>Technology-&gt;Systems Mgmt</category>
            <category>Business Issues-&gt;Compliance</category>
            <pubDate>Mon, 19 Dec 2011 17:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/12/secure_disposal_of_old_it_equipmen_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>FATCA and data governance</title>
            <link>http://www.it-director.com/business/compliance/content.php?cid=13110&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/48/philip_howard.php?ref=fd_side_itd" title="View profile for Philip Howard"><img border="0" src="http://www.it-director.com/images/people/small/philip_howard.gif" width="40" height="50" alt="Philip Howard" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/48/philip_howard.php?ref=fd_side_itd" title="View profile for Philip Howard">Philip Howard</a>, <em>Research Director -  Data Management</em>, Bloor Research<br/>Posted: 14th December 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>All the recent compliance headlines in the financial services sector, at least in the UK and Europe, have been around Solvency II, Basel III and MiFID II. A regulation that has been largely overlooked by the IT industry (except by Trillium, which has just announced the Trillium FATCA Compliance Data Assessment service) is FATCA.</p>
<p>FATCA (foreign account tax compliance act) is a US law that comes into effect on 1st January 2013. It is designed to ensure that US citizens who hold assets abroad pay relevant taxes. So, suppose I lived in Boston (Massachusetts not Lincolnshire) and had an account with a UK-based bank, through which I held various investments. Today, I might be able to get away with not paying US tax on any profit I made from these investments. FATCA has been designed to ensure that that will not be possible in future.</p>
<p>FATCA applies to both US financial institutions that have any dealings overseas and to so-called foreign financial institutions: USFIs and FFIs respectively. These include banks, insurance companies, alternative investment companies, private equity companies, hedge funds and so on and (subject to there being some level of non-US interaction) any financial company that either has US citizens as customers or which holds US assets.</p>
<p>FFIs can either register as participating or as non-participating. Non-participation means that you are effectively opting out. However, if you do this, or if you are a participating company and fail to comply with the regulations, then the US tax authorities will apply a 30% withholding tax against any sales of US assets. Moreover, this is not against profits but against revenue so you could sell a stock at a loss and then have the 30% deducted. It is difficult to imagine any company that has any significant US business not wanting to both participate and comply.</p>
<p>If you decide to participate then you must be able to recognise which of your clients are US citizens and you will be required to provide relevant information about those clients. You must also have relevant processes in place to recognise whether new clients are American or not. The same is also true if you formally decide not to participate: you will need to demonstrate that you have procedures in place to recognise if new clients are American and, therefore, reject them as clients.</p>
<p>Unfortunately, the requirement for participating FFIs to provide relevant information about their US clients will fly in the face of the data protection laws of a number of countries. Where this is the case then the FFI will need to obtain a waiver from each of its clients to confirm that that information can be passed to the IRS or it will need to close that account.</p>
<p>Needless to say there are significant data governance implications in order to support FATCA, whether you are a USFI or are an FFI. You will need to know which clients are US citizens, ensure that they have signed a waiver, if relevant, have procedures for identifying whether new clients are US citizens or not, and have processes that ensure that only information about US citizens is provided upon request and that you do not break data protection laws by inadvertently sending information about non-US citizens. You will also need to be very clear about your data quality processes and careful about de-duplication and merging of records.</p>
<p>I have to say that this makes me feel a little sorry for financial services companies. In the UK they have only recently had to comply with FSCS regulations and the insurance sector and banks (those that provide asset management) have to comply with Solvency II, which has the same official start date (it may be delayed) as FATCA. That's a lot to do in a short space of time (not to mention MiFID II and Basel III waiting in the wings). The one consolation is that you need good data governance for all three of these. Those that thought they could get away without seriously addressing data governance for FSCS may now be wishing that they had done it properly the first time.</p>]]></description>
            <author>rss@it-analysis.com (Philip Howard, Bloor Research)</author>
            <category>Technology-&gt;Data management</category>
            <category>Business Issues-&gt;Compliance</category>
            <pubDate>Wed, 14 Dec 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/compliance/content.php?cid=13110&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The independent managed print services approach</title>
            <link>http://www.it-director.com/business/costs/content.php?cid=13074&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12348/louella_fernandes.php?ref=fd_side_itd" title="View profile for Louella Fernandes"><img border="0" src="http://www.it-director.com/images/people/small/louella_fernandes.gif" width="40" height="50" alt="Louella Fernandes" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12348/louella_fernandes.php?ref=fd_side_itd" title="View profile for Louella Fernandes">Louella Fernandes</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 25th November 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Nearly every enterprise &#8211; including commercial businesses, educational institutions and government organisations &#8211; relies on printing to support essential business processes, whether it is back-office operations such as accounting or payroll or front-office activities such as sales and marketing.</p>
<p>Regardless of how dependent an organisation is on printing, IT departments struggle with similar management challenges: providing reliable print services that meet organisational expectations while containing operational costs.</p>
<p>Too often, organisations own a broad range of print, copier, scanner and fax equipment, often from different vendors, requiring different software, consumables and supplies. Devices may often be outdated and inefficient, and few organisations know how many assets they have, how they are being used, and how much it costs to own, maintain and operate them.</p>
<p>This makes it increasingly difficult to optimise efficiency and control costs, and creates a huge IT and administration headache. Organisations facing staff shortages or lacking the correct technology expertise do not have the resources and skills to keep on top of print management issues, leaving them exposed to spiralling print costs, reduced productivity and increased risk due to unprotected devices.</p>
<p>This has prompted many businesses to move to a managed print service (MPS) to ensure more efficient and effective print infrastructure operation and management, from the office to the print room.</p>
<p>A managed print environment can deliver strategic business advantage, supporting cost reduction imperatives and environmental demands along with improved compliance and reduced risk. Today, the strongest uptake of MPS has been among large enterprises (1000+ employees). Our recent research suggests that half of European large enterprises have implemented or are piloting MPS.</p>
<p>The emergence of independent MPS providers that offer vendor-agnostic, best-of-breed technology, software and services is promising to expand the penetration of MPS beyond the exclusive domain of large enterprises.</p>
<p>This channel provides an important role in delivering impartial assessment services and unbiased MPS recommendations. Services such as multivendor break-fix, support and supplies replenishment enable organisations to protect existing hardware investments rather than moving immediately to a standardised print environment.</p>
<p>By retaining the flexibility to add devices from multiple vendors, independent MPS providers can innovate with the latest technology and introduce new capabilities independently of any single incumbent printer or copier supplier.</p>
<p>While hardware vendors will have a vested interest in moving the customer to a standardised environment, most of the major MPS vendors are able to support and manage a multivendor environment at the initial stages of an MPS engagement, sweating the assets as needed.</p>
<p>Not many organisations operate a standardised fleet at the outset. It is therefore vital to select an MPS provider that can provide an impartial assessment of the print environment.</p>
<p>However, if an organisation is planning to move to a standardised environment, a hardware-centric MPS may be the best approach. This can be supplied by a hardware vendor, SI or independent MPS provider. Many hardware vendors will use channel partners to deliver MPS midmarket.</p>
<p>Vendor-neutral providers can often negotiate the best prices on equipment and supplies, delivering quality at lower cost.</p>
<p>It is in the interest of an independent MPS provider to offer the right device for the purpose, regardless of brand. While a single-vendor strategy forces an enterprise to settle for a single vendor's offer for each area of the enterprise, a multivendor strategy enables a true best-of-breed approach across the organisation.<br /><br />Pricing for traditional MPS contracts is often based on minimum volumes. We have found that this is the top inhibitor of MPS adoption. Independent MPS providers often use different pricing models such as pay-per-print, so customers do not pay for pages they have not printed.</p>
<p>Although hardware vendors have been the predominant MPS suppliers for decades, the market is at a tipping point, evolving to encompass a wider range of providers. Independent firms should take advantage, particularly if they have the resources and infrastructure to design and deploy MPS.</p>
<p>This window of opportunity is limited, though: the technology that enables independent MPS providers to move up the MPS stack is also available to competitors such as SIs, managed services providers and hardware vendors, which are using the same or similar technology to move down the stack.</p>
<p>As MPS providers look to gain further mid-market traction, we expect further consolidation in the market. Specifically, we expect hardware vendors to acquire more independent providers to strengthen their multivendor MPS delivery and service capabilities. A report is <a title="Quocirca | Rethinking MPS: The Independent Approach" href="http://www.quocirca.com/reports/626/rethinking-mps-the-independent-approach" rel="nofollow">here</a>.</p>]]></description>
            <author>rss@it-analysis.com (Louella Fernandes, Quocirca)</author>
            <category>Business Issues-&gt;Costs</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Enterprise-&gt;Technology</category>
            <pubDate>Fri, 25 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/costs/content.php?cid=13074&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Nimbus sale to TIBCO</title>
            <link>http://www.it-director.com/business/compliance/content.php?cid=13068&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/41/mark_mcgregor.php?ref=fd_side_itd" title="View profile for Mark McGregor"><img border="0" src="http://www.it-director.com/images/people/small/mark_mcgregor.gif" width="40" height="50" alt="Mark McGregor" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/41/mark_mcgregor.php?ref=fd_side_itd" title="View profile for Mark McGregor">Mark McGregor</a>, <em>Research Director</em>, Bloor Research<br/>Posted: 24th November 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>It was interesting to see that TIBCO's acquisition of Nimbus generated so many negative comments in the analyst and blog community. Some suggested it was a strange acquisition, while others suggested it was a "Fire Sale". Perhaps I stand alone in thinking that it was a clever move by both parties.</p>
<p>Nimbus has acquired something of a reputation among their competitors for closing sales where others did not even know that there was a requirement! In part this is down to the difference of the Nimbus sales model. The management team at Nimbus almost all came from major consulting firms and, as such, have great connections at the CXO level. Over the years Nimbus very cleverly worked that network and focussed on real business engagement with business leaders, resulting in them being able to open doors, make a pitch and then close the door before others knew anything about it.</p>
<p>Many other vendors talk about selling to the business, but invariably still end up talking to the IT side. Nimbus has always talked about and executed a strategy that focussed purely on senior business leaders.</p>
<p>By extension, this means that TIBCO has acquired a team of senior staff who can now start to take TIBCO and the TIBCO offerings in at the very top of organisations, something that others will struggle to do.</p>
<p>Then we come to the issue of a "Fire Sale". With a reputed price paid in excess of &#36;42m against probable revenues of around &#36;15m, a 3 times revenue price seems pretty high for a burning platform and instead looks like a pretty good deal for the Nimbus shareholders. I can think of a number of vendors who can only dream of trying to exit at this ratio. Indeed I understand that TIBCO were considering a number of players in the space before settling on Nimbus.</p>
<p>The Nimbus approach is very different from others in the BPA space with which they are often associated. They are not a modelling vendor in the true sense, but do fill a gap which other BPA vendors have done a poor job with over the years - that of operationalizing the maps and models. Nimbus has always focussed on the last piece of the puzzle, making required information readily available to those who need it, in ways that they can use and act on. (As a footnote, Nimbus were the first vendor in the BPA/BPM space to deliver a native app solution for iOS devices.)</p>
<p>This focus on the consumer of the information is something that other vendors need to be more active with. It is not simply about making maps and models available but providing help, guidance and intelligent information at the point of need.</p>
<p>The fact that TIBCO will be maintaining Nimbus as a separate group means that existing Nimbus customers can continue to enjoy the relationships they have built up, while knowing that the company has the security of strong financial backing behind them. Beyond that, the team at Nimbus have already started to integrate other TIBCO technology into the Control product. Detailed plans have not yet been announced, but it seems as though with products like Spotfire and tibbr available to them that the analytic and social networking capabilities will be far in excess of what others in the BPA sector can offer.</p>
<p>As with any acquisition it will take time to fully play out, but the impression is that this is a clever move for both parties, with significant upside for customers of both companies. I do, however, wonder whether TIBCO might still consider acquiring another vendor in the BPA space, one who has a much stronger modelling component. Neither Nimbus nor TIBCO is especially strong there, but adding the Nimbus offering to a fully fledged BPA tool would provide a far more valuable offering to users. Indeed, I would suspect that with an integrated offering there would be significant opportunity to sell Control into the existing modelling user base, replacing what has historically been poor back end publishing capability.</p>
<p>One area that will be interesting to see is how Nimbus make use of the TIBCO process execution engines. This could be used in 3 ways.</p>
<ul><li>Not at all - leaving Nimbus in the publishing/operational information space. </li>
<li>As an integral part of Control - enabling smarter use of process within the Nimbus application, particularly for areas such as change management. </li>
<li>Or it could also be used as an external application, taking Nimbus more into the BPMS type space and allowing people to create process-based applications from within Control. </li>
</ul><p>Of these the most likely is the second scenario, where Nimbus could add greatest value by acting as the container for process applications e.g. expense handling, vacation requests or change management. This would leave the company to stay focussed on the consumers of technology and the business managers around them - rather than to mix it with the normal BPMS type players.</p>
<p>In conclusion, Nimbus customers should feel comfortable that there is greater financial certainty to support their purchase decision, along with faster access to technology that will enable even greater leverage from their investment to date. Meanwhile, TIBCO customers may wish to take a look at how adding Nimbus Control could help them ensure that the right information is available in an easy-to-use format for their business users.</p>]]></description>
            <author>rss@it-analysis.com (Mark McGregor, Bloor Research)</author>
            <category>Business Issues-&gt;Compliance</category>
            <pubDate>Thu, 24 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/compliance/content.php?cid=13068&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Security and location</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13060&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/21/fran_howarth.php?ref=fd_side_itd" title="View profile for Fran Howarth">Fran Howarth</a>, <em>Practice Leader</em>, Bloor Research<br/>Posted: 18th November 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>Location-based mobile applications such as Facebook, Google and others are used by a large percentage of adults and teenagers. Applications that pinpoint a user's physical location introduce unprecedented new risks. The potential threats range from fraud and identity theft to crimes such as burglary or physical violence.</p>
<p>Geolocation is your physical location and is derived by technology using data from your computer or mobile device. It could relate to your physical location (position on the earth's surface) or the virtual (internet) environment. Both can be collected in many ways:</p>
<ul><li>Web browsing via your computer (IP[1] address is your identification)</li>
<li>Mobile phone usage</li>
<li>GPS (Global Positioning System) devices</li>
<li>Credit/debit card transactions</li>
<li>Tags in photographs and postings (Facebook and Twitter).</li>
</ul><p>Location can be collected in an active or passive mode. The active mode is a user device that provides the Geolocation using software to determine the user's position by wireless, GPS[2] or by "request and response". The passive mode is server-based and determines the position via IP (internet protocol), 3G or 4G and wireless positioning.</p>
<p>What are the benefits location brings?</p>
<ul><li>To the Customer: optimal request routing or navigation, instant purchasing decisions (shopping, restaurants), nearest station or bus stop and social networking opportunities.</li>
<li>To Business: targeted marketing, delivery and asset management, insurance risk management, logistics etc. The list is endless.</li>
</ul><p>Location, combined with other personally identifiable information, can be used or abused. The capabilities of this technology empower social networking, support law enforcement, enable many mobile services and also provide a serious concern in the hands of criminals.</p>
<p>Location information can be seriously abused. For example, an individual who announces holiday plans or activities on a social networking site may be signalling to a criminal that their house is currently unoccupied, leading to a higher risk of being burgled, whilst more general personal information could be used in social engineering attacks against them.</p>
<p>For organisations, location information can lead to unwarranted surveillance of their current activities. An example could be tracking the location of a company's executives. This could provide its competitors with pointers regarding ongoing business negotiations, such as potential mergers or acquisitions. This could affect the organisation's brand and reputation, or even dent it financially if the competitor were able to scupper the deal. Organisations must also be wary themselves when using location-based services. They should be careful that information collected regarding the location of their employees does not constitute illegal tracking of their activities outside of business hours. In addition, any location-based services offered to customers or suppliers should take into account the privacy and ethical concerns of those parties.</p>
<p>In dealing with such risks, ISACA[3], which provides issues and guidance with regard to the governance, security and audit of information systems, cautions that the legal obligations of users and developers of geolocation data are currently unclear. In the absence of legal guidelines, it cautions that organisations need to carefully consider what controls are appropriate. These could be strong access controls and anonymisation techniques or the use of encryption for all personally identifiable information. It urges all organisations using geolocation to develop their own framework to address privacy and security locations, making use of existing information security frameworks such as CobIT[4].</p>
<p>How to safeguard yourself? ISACA recommends this 5-step practice:</p>
<ol><li>Read your mobile application agreements to see what information you are sharing.</li>
<li>Only enable Geolocation when the benefits outweigh the risks.</li>
<li>Understand that others can track your current and past locations.</li>
<li>Think before posting tagged photos to social-media sites.</li>
<li>Embrace the technology, and educate yourself.</li>
</ol><p>With such safeguards in place, you will be in a much better position to embrace the exciting benefits that are offered by geolocation technologies.</p>
<p>This article was prompted by the discussion within <a href="http://ht.ly/6Ggv7" rel="nofollow">"Why geolocation apps can be dangerous"</a> and the ISACA's new white paper, "Geolocation: Risk, Issues and Strategies."</p>
<p>[1] IP - Internet Protocol<br />[2] GPS - Global Positioning Systems<br />[3] ISACA - Information Systems Audit Control Association<br />[4] CobIT - Control objectives for Information and related Technology</p>]]></description>
            <author>rss@it-analysis.com (Natalie Newman and Fran Howarth)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Applications</category>
            <category>Technology-&gt;Data management</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Fri, 18 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13060&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>New ways for digital marketers to develop and monetize company social media followers</title>
            <link>http://www.it-director.com/business/innovation/content.php?cid=13050&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12052/gerry_brown.php?ref=fd_side_itd" title="View profile for Gerry Brown"><img border="0" src="http://www.it-director.com/images/people/small/gerry_brown.gif" width="40" height="50" alt="Gerry Brown" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12052/gerry_brown.php?ref=fd_side_itd" title="View profile for Gerry Brown">Gerry Brown</a>, <em>Analyst - Digital Marketing &amp; CRM</em>, Bloor Research<br/>Posted: 15th November 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>Most companies have not fully 'got' social media yet. Sure, they have a Facebook page, a Twitter account and a LinkedIn presence, but then what? Wait for the world to beat a path to your door? Run a few promotional campaigns and see few results? Wait for the CEO to ask "why have we only got X number of Facebook followers?"</p>
<p>Many brands have a somewhat passive, reactive approach to social media marketing. EngageSciences is an interesting UK start-up with a pro-active social media formula for businesses and brands wishing to attract new social media followers, and then to monetize that presence.</p>
<p>Firstly, you need to sign up a critical mass of fans. EngageSciences encourages its clients to create viral campaigns on Facebook and Twitter that give away something for free. Digital marketers might run prize draws, online sweepstakes, contests and quizzes, or offer exclusive premium downloadable content, such as a white paper, for example.</p>
<p>These incentives can prove surprisingly effective. For example, Unilever (Pot Noodles) increased their Facebook fans from 3,000 to 25,000 and Play.com increased from 40,000 to 80,000 Facebook fans within 8 weeks of using EngageSciences.</p>
<p>Sign-up requires an opt-in email address to be provided, so that the prize winners can be notified. Email addresses are critical pieces of digital marketing data. For digitally-savvy vendors, this contact data can then be cross-correlated with other databases and company web site visits, so that a pattern of personal behaviour can be detected that triggers further, more personalised marketing communications.</p>
<p>Secondly, you need your fans to spend money with you. The best incentives are those that can easily 'go viral' i.e. are forwarded to friends, family and other followers. Typically these include redeemable coupons and 'flash deals' (time-constrained discount offers), such as the '2 for 1' deals used by Caf&#233; Rouge and Strada restaurants, that have proved so effective. Exclusive ("offers only for you, dear fan") web page offers also work well.</p>
<p>As a recent <a href="http://www.engagesciences.com/blog/2011/10/04/social-media-marketing-the-great-divide/perception_gap-12/" rel="nofollow">IBM CRM survey</a> proved, contrary to conventional wisdom, for the most part, consumers don't really want 'relationships', 'connection' and 'dialogue' with corporates. Consumers want offers, discounts and the ecommerce ability to purchase online. ExactTarget research reveals that Facebook consumers who are promiscuous (who "Like" a lot of brands) and those a little older (age 27+) want something of value in return for their "Like".</p>
<p>The EngageSciences Fan Relationship Marketing Platform provides all the technology required to push attractive offers into the key social media channels i.e. Facebook and Twitter, and capture followers' contact details for segmentation and online re-marketing.</p>
<p>EngageSciences' SaaS-based hosted solution is a relatively low-cost method of quickly creating a cloud-based social marketing database as a repository for follower demographic details, social behaviour, and engagement with online social media marketing campaigns. A 'test' campaign or a monthly subscription costs c. &#163;1,000.</p>
<p>EngageSciences is an invaluable short-cut to market for marketers wanting to get started with executing social media marketing campaigns. Many marketers are fumbling with DIY approaches or 'big ticket' solutions that take too long to develop.</p>
<p>Consumers are receptive to creative online promotions now. ExactTarget research reveals that 45% of Facebook customers currently "Like" a company at least once monthly. Already the average US Facebook user "Likes" an average of 14 companies / brands. Consumer fatigue will set in over time, and fan or follower acquisition will become increasingly more difficult and expensive.</p>
<p>To date EngageSciences has managed to attract some impressive high calibre brands as users - Nokia, TNT and Forbes for example. One fact is clear. EngageSciences can help to re-energise a lethargic social media presence - and there are plenty of companies out there in that broad category.</p>]]></description>
            <author>rss@it-analysis.com (Gerry Brown, Bloor Research)</author>
            <category>Business Issues-&gt;Innovation</category>
            <category>Enterprise-&gt;Other</category>
            <category>Technology-&gt;Data management</category>
            <pubDate>Tue, 15 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/innovation/content.php?cid=13050&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Cloud adoption - forget Moore &amp; Metcalfe, think Murphy</title>
            <link>http://www.it-director.com/business/change/content.php?cid=13047&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 14th November 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Two recent events with rather different audiences reveal that not everyone is convinced that the benefits of technology adoption will be evenly shared. In particular, what was highlighted were some disconnects between organisational gain and personal risk.</p>
<p>At a gathering of senior IT executives at a CBR dining club dinner sponsored by Riverbed and Dimension Data, a number of CIOs voiced their thoughts regarding the IT industry&#8217;s current apparently all-enveloping rising star&#8212;&#8216;cloud&#8217;. While there was widespread appreciation of the possibilities and potential for the deployment of IT resources into the cloud, there were some significant reservations about the reality.</p>
<p>Vendors and service providers have been keen to promote the benefits of cloud, but they need to appreciate how implementation will affect their customers, in particular one part of the decision-making process: the CIO, IT director or individual IT manager most directly responsible. This is the person who gets it in the neck when something goes wrong&#8212;irrespective of who in the external cloud ecosystem is really to blame.</p>
<p>The selling job elsewhere in the organisation is slightly less daunting. Those involved directly on the financial side recognise the cost savings of pushing (human and/or IT asset) resource demands into a virtual infrastructure provider, especially if they can cut precious capital expenditure at a time when borrowing is difficult. Many users recognise the flexibility of &#8216;on demand&#8217; access to IT, storage and services, especially while on the move. Mobile and remote access, fuelled by consumer behaviours and social media, have become a regular expectation and a perceived necessity.</p>
<p>However, IT managers, whose jobs depend on the reliability, fidelity and robustness of the services being delivered, see risk. And who can blame them when recent downtime and outages from what seemed unshakeable cloud service providers&#8212;Google, RIM, Amazon, Microsoft&#8212;demonstrate that even large and well planned IT systems can fail?</p>
<p>Quocirca regularly advocates the use of a total value proposition to understand the wider benefits and drawbacks of technology adoption. This goes beyond a simple ROI or TCO financial proposition, to encompass the less tangible positive and negative impact on the organisation, its competitive positioning and, crucially, on the individual or individuals making a technology implementation decision. In this context the total value proposition also considers an element often missed out by those looking at technology change in an organisation&#8212;a &#8220;total liability proposition&#8221;, perhaps&#8212;to understand the potential negative consequences, as these weigh most heavily on those making the decision, as it is their neck on the line.</p>
<p>The second event indicated where a respectful approach to risk might emanate from: other critical players in the value chain discussed where they might contribute to and benefit from cloud adoption. This was a gathering of diverse telecoms companies and service providers at the NetEvents, Italy conference. Here the interest in cloud as a potential new source of revenue and enterprise influence was strong, but it was dosed with a heavy realisation that significant credibility would be at stake if something went wrong.</p>
<p>Telecoms providers, unlike some of the IT industry, have a healthy respect for Murphy&#8217;s Law (if something can go wrong, it will), in addition to the more famous laws associated with value and growth: Moore&#8217;s Law of transistor numbers doubling every eighteen months and Metcalfe&#8217;s Law of the increasing value of connectedness. They know that their survival is dependent on fundamental attributes that some vendors in the IT industry like to portray as differentiated marketing benefits, like security, availability, interoperability and predictability.</p>
<p>The telecoms industry&#8217;s measured approach and involvement in the blossoming cloud market is to be welcomed, and should, over time, start to allay the understandable fears of those within the enterprise who are responsible for delivering IT services. As well as trusting them to provide resilient networks, CIOs and IT directors might look to their telecoms providers to supply computer power. Then maybe Sun Microsystems (and Oracle, through its acquisition) was right after all: the network really is the computer?</p>]]></description>
            <author>rss@it-analysis.com (Rob Bamforth, Quocirca)</author>
            <category>Business Issues-&gt;Change</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <pubDate>Mon, 14 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/change/content.php?cid=13047&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Don't forget the network</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13029&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 3rd November 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>In the old days, those tasked with ensuring their organisation&#8217;s networks were secure, reliable and sufficient for their needs were dealing with known resources and predictable usage. Network equipment was confined to the organisation&#8217;s various premises, the larger of which were linked via dedicated leased lines; smaller locations were often deemed unworthy of network access. The applications that ran over the network were nearly all planned and provisioned by the IT department. That has all changed in the last twenty years as the internet has become a fundamental business resource and employees have become far more mobile.</p>
<p>Today, ensuring the performance, reliability and security of network usage requires that a holistic view is taken of internal network resources, the internet and mobile network services. Only when this is the case can the impact the network has on the end-to-end user experience be understood and a minimum acceptable service level aspired to.</p>
<p>The problem is exacerbated by unpredictable workloads. IT departments themselves have been loading networks with ever more resource-hungry applications, for example voice and video conferencing. They have also been cramming more and more processing power into data centres through the use of virtualisation, which means more network resource is required per physical server. They are also using online resources to supplement internal infrastructure, which requires a reliable and suitably &#8220;broad&#8221; interface to the internet.</p>
<p>On-demand services also make it easy for lines of business to provision their own applications and IT resources. Employees can do this too; accessing social media sites and firing up mobile apps at will, sometimes for good business reasons, but more likely for personal use. Such unplanned use makes ensuring network performance and security problematic, to say the least.</p>
<p>Data from Plan B Disaster recovery reported in Quocirca&#8217;s recent report, &#8220;<em>Don&#8217;t forget the network</em>&#8221;, shows that the most common reason for application failure is a network communications breakdown of some sort. In other words, the network is the soft underbelly of most organisations&#8217; IT infrastructure. To get on top of this requires that the user experience is constantly monitored and that when that experience is not good enough, the impact that the network is having is understood.</p>
<p>Mitigation may require upgrades to network services or equipment, but it may be sufficient in some cases to simply adjust and optimise usage of the existing network. A port assessment by Networks First, a network management company (who sponsored Quocirca&#8217;s recent report), shows that in many cases network equipment is actually underutilised. With intelligent application it should be possible to drive more performance out of existing resources.</p>
<p>For many it makes sense to hand the complexities of ensuring minimum network service levels to a third party management company. The initial stage of any such assignment is discovery. What equipment and services are in place and how do they map together to form the total network? It may seem surprising that a given organisation does not already know this; however, most networks have been cobbled together over a number of years by a succession of network managers and contractors, often dealing with tactical issues without regard for an overall long term network strategy.</p>
<p>Once the network components are understood, the network&#8217;s current base performance and loading can be assessed. Whether this is good or bad, it is a necessary measure to provide a benchmark for measuring how the management company improves service levels going forward. The user experience needs to be measured on an on-going basis to ensure that it does not regularly drop below a target baseline and that, when it does, the reasons why are understood and, if necessary, remedied.</p>
<p>The tools required for monitoring and managing network performance tend to be sophisticated and expensive. Open source ones are available but need good technical skills to make effective use of. Smaller organisations may not have access to any such tools and larger organisations may lack the time or wherewithal to get the most out of them. Network management companies will have developed the expertise to use such tools and can share their cost over a number of customers, making them available to their customers, whatever their size.</p>
<p>Whatever steps are taken to ensure the on-going performance, availability and security of a network, the cost of doing so must be justified by three factors. First, it must be possible to reduce running costs, or at least ensure better on-going performance, without excessive short to medium term investments in new equipment and/or services. Second, the business risks posed by the network and problems with its performance and security must be mitigated and minimum service levels guaranteed. Third, a stable network that performs well and has excess capacity should be able to be relied upon to provide new business value as and when required.</p>
<p>The majority of businesses will not have the in-depth understanding of their networks to be sure of achieving many of these goals. Most will not even have had a recent network assessment. If they did, they may well be surprised at how poorly it is serving them and how much may be gained from addressing this. A functional network is imperative for a 21st century business. A well-managed high-availability, high-performance and secure network can be a distinct competitive advantage; a poorly managed one a fundamental business risk.</p>
<p>Quocirca&#8217;s report, sponsored by Networks First, &#8220;Don&#8217;t forget the network&#8221;, is freely available here: <a href="http://www.networksfirst.com/dontforgetthenetwork.aspx" rel="nofollow">http://www.networksfirst.com/dontforgetthenetwork.aspx</a></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Technology-&gt;Infrastructure</category>
            <pubDate>Thu, 03 Nov 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13029&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>IT security vendors can't all be right, but they can all be wrong</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/11/it_security_vendors_can_t_all_be_r_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 2nd November 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>From recent briefings with a number of IT security vendors, it would seem that most can now identify any new threat immediately and that at the same time none of them can. This contradiction is down to the &#8220;<em>we can, they can&#8217;t</em>&#8221; mantra that any vendor of any product is bound to use against its competitors. Of course, they can&#8217;t all be right; in fact all who make such claims are wrong.</p>
<p>One thing most are right about is that relying on signatures of known malware to protect their customers has not been enough for a long time now. Signature based recognition is still an important way to cut down the amount of malware moving around; better that spam-bearing emails are stopped in the cloud than at the desktop. However, many of the IT security threats that businesses face cannot be characterised by a simple digital signature.</p>
<p>Security vendors are also right when they identify one of the biggest risks to their customers as zero day threats (i.e. new ones that have not been seen before and cannot therefore be recognised by existing signatures). Such threats are becoming more and more common as the tools for writing and distributing malware become more sophisticated. It is now possible to ensure every incidence of a new virus is different enough from its siblings to appear unique compared to any existing signature.</p>
<p>So IT security vendors are rightly focussing more and more on identifying and stopping previously unknown threats and coming up with increasingly clever ways of doing so; the IT security arms race continues apace. Where they overreach themselves is to claim they can spot any new threat. This was brought home to Quocirca recently when a new entrant to the IT security market made such a claim, but then said it had delayed its launch because the rise of WikiLeaks and LulzSec had led it to make further changes to its product. In other words, it had not foreseen some threats that customers may face.</p>
<p>No single IT security vendor can spot every existing threat and identify every new one. However, between them they are doing a pretty good job. None of us, businesses or consumers, can rely completely on a single security technology. Even if you believe you have catch-all anti-virus software on your PC, iPad or smartphone, it does not make sense to turn off security at your wireless router or decline spam and malware filtering services from your internet and/or email service provider.</p>
<p>Good IT security will always be about multiple layers of protection and using products from a variety of vendors. When well-managed, to ensure all known threat vectors are covered, using various security technologies will maximise the chance of recognising and stopping malware. But, even this is not enough. Other measures should also be in place.</p>
<p>For example, organisations should reconsider their security posture; a more open approach to business could mean less worry about protecting intellectual property. Training employees on their responsibilities with regard to personally identifiable information (PII) and providing regular reminders about this are as important a part of ensuring compliance as any security technology. With IT and data security, belts and braces is the only approach. Beware the vendor who promises all.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 02 Nov 2011 09:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/11/it_security_vendors_can_t_all_be_r_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>The 1985 iPhone in a truck</title>
            <link>http://www.it-director.com/business/employment/content.php?cid=13022&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 1st November 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>People of a certain age often enjoy recalling for younger folk the size of the early mobile phones that were lugged around in the mid-1980s, whilst marvelling at the latest smartphones. These brick-sized devices could not even send text (SMS) messages (the first of which was sent in 1992); they were good for voice only. But, what would it have taken almost three decades ago to have had all the capabilities of a 2011 smartphone based on the available technology of the day?</p>
<p>This was one of the subjects covered in a recent New Scientist article titled &#8220;<a href="http://www.newscientist.com/article/mg21228341.600-they-said-it-couldnt-be-done-7-impossible-inventions.html" rel="nofollow">They said it couldn't be done: 7 impossible inventions</a>&#8221;. To quote the article:</p>
<p>&#8220;<em>The components for the iPhone &#224; la 1985 we've listed so far would fill a large wheelbarrow. But we have left out something important.</em>&#8221;</p>
<p>&#8220;<em>The processor at the heart of the iPhone 4 can perform up to a billion operations per second (the new iPhone 4S is even zippier). You might have matched that in the mid-80s if you had bought the Cray X-MP, then the world's most powerful supercomputer. But the Cray would have filled an office cubicle and also required an industrial-strength refrigerator to remove the waste heat. So cancel the wheelbarrow. To haul the 1985 iPhone around, we're going to need a truck.</em>&#8221;</p>
<p>Interesting stuff, which underlines why the consumerisation of IT has become such a big issue. When I left the academic world for the commercial one in 1986, for the first time in my life, on my desk at work I had dedicated access to a computer (albeit a text-only dumb terminal) which was linked to a network providing me with any information my employer had stored that it felt would be useful to do my job. I also now had a telephone with its own number; my friends and family could now contact me when I was at work (before that handwritten letters had been the main method).</p>
<p>The new entrant to the work place now has all this and much, much more in their pocket. This is the issue driving IT consumerisation. Employers can no longer impress new recruits with technology and connectivity, they are more likely to disappoint. Competitive employers today are those that allow their employees to use the advanced technology they have become used to at home in the workplace.</p>
<p>Consumerisation does of course throw up many challenges, not least how data security, contracts and billing are handled. These issues were discussed in a recent free Quocirca report &#8220;<a href="http://www.quocirca.com/reports/605/carrying-the-can--consumerisation-and-enterprise-mobility" rel="nofollow">Carrying the can</a>&#8221; sponsored by ttMobiles and the subject of a recent conference organised by the <a href="http://www.linkedin.com/groups?home=&amp;gid=3032021&amp;trk=anet_ug_hm" rel="nofollow">Wireless Improvement Group</a> (WIG). Quocirca&#8217;s presentation given at the conference can be downloaded <a href="http://www.quocirca.com/presentations/628/carrying-the-can--the-impact-of-consumerisation-on-businesses" rel="nofollow">here</a>.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Employment</category>
            <category>Technology-&gt;Mobile</category>
            <category>Enterprise-&gt;Consumer</category>
            <pubDate>Tue, 01 Nov 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/employment/content.php?cid=13022&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>VYRE launches On Brand to address the fast-growing Brand Asset Management (BAM) market</title>
            <link>http://www.it-director.com/business/innovation/content.php?cid=13023&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12052/gerry_brown.php?ref=fd_side_itd" title="View profile for Gerry Brown"><img border="0" src="http://www.it-director.com/images/people/small/gerry_brown.gif" width="40" height="50" alt="Gerry Brown" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12052/gerry_brown.php?ref=fd_side_itd" title="View profile for Gerry Brown">Gerry Brown</a>, <em>Analyst - Digital Marketing &amp; CRM</em>, Bloor Research<br/>Posted: 1st November 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>Chief Marketing Officers' (CMOs) main role is to serve as 'brand custodians' on behalf of their employers today. They know that what their customers buy today is not so much product features, functions and form; but more 'the brand promise' - the image of the brand, what it stands for, and how the brand makes them feel.</p>
<p>Hence CMOs obsess about keeping the brand's integrity intact and ensuring that creative images and messages they use are globally consistent, and are mutually supportive of the brand promise. This has always been tricky. Local country operations often employ their own agencies to build local language versions of promotional materials, and different and often contradictory logos and messages appear, serving to confuse the customer and dilute carefully woven corporate marketing stories.</p>
<p>What CMOs need is a central brand control system to ensure global discipline of its troops. The solution is Brand Asset Management (BAM) which is a mix of Digital Asset Management (DAM) and its parent category, Marketing Resource Management (MRM), where Aprimo (acquired by Teradata earlier this year) is perhaps the best-known supplier.</p>
<p>Less well-known is the UK-based company VYRE, which is making waves in the Brand Asset Management market. Over 400 brands use VYRE's Unify BAM platform. Its clients include Diageo (owners of drinks brands like Guinness, Smirnoff and Baileys) and Shell.</p>
<p>Typically, brand managers use Unify as a central access point and portal for brand guidelines, creative display pieces, video, pictures, blog content etc. VYRE's larger customers have many thousands of Brand Managers globally accessing up to 100,000 brand assets as part of their daily work. These assets are then combined by local marketers into finished content, brochures, flyers, advertising etc. for their marketing promotional campaigns.</p>
<p>This finished content is then loaded into an Approvals workflow module so that the necessary management authorisation and sign-off can be obtained. This means local language versions can be tightly controlled by Corporate, so that brand integrity can be maintained. In addition, wasteful 're-inventing the wheel' is avoided as content can be created once and re-purposed for many different promotional uses. Such systems make simultaneous global promotional product launches a reality, maximising impact and product availability. Apple and Microsoft do this effectively.</p>
<p>VYRE's Unify is ideal for a large company like Shell or Diageo - it allows for a high degree of flexibility and customisation so that established working practices can be simulated within the software. Now VYRE has launched a midmarket, more packaged solution called On Brand. This is only available as a SaaS version, and starts at &#163;2,500 per month. This means for roughly the cost of a marketing executive, a brand can deploy a fully featured BAM system. This has to be tempting, as the ROI is potentially around 3x to 5x.</p>
<p>The On Brand price will be attractive to marketing and advertising agencies too. The global agency, Lowe + Partners, is already a big VYRE user. Marketing agencies typically provide much of the creative content for the big brands (for example Lowe serves Microsoft, Unilever, and Johnson &amp; Johnson) and can better manage the logistics and workflow between themselves and their clients in an extranet configuration using shared systems such as On Brand.</p>
<p>Traditionally, many brand marketing organisations have used generic IT systems such as OpenText as databases for their brand assets. These multi-level filing systems are not that easy to use, especially for marketing folk not known for their computer-savvy skills. A system like On Brand, designed for use by Brand Managers, is preferable and offers the potential for fast global SaaS deployment (typically 6-8 weeks).</p>
<p>VYRE is an established 20-year industry veteran that has quietly been building clients and competencies around BAM. It has plans to grow its presence in the US and recent contracts there bode well. On Brand may just provide the vehicle to accelerate their growth and provide a stronger global presence as a leader in the BAM market.</p>]]></description>
            <author>rss@it-analysis.com (Gerry Brown, Bloor Research)</author>
            <category>Business Issues-&gt;Innovation</category>
            <category>Channels-&gt;Systems Integration</category>
            <category>Enterprise-&gt;Other</category>
            <pubDate>Tue, 01 Nov 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/innovation/content.php?cid=13023&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Simple steps to making your organisation's sustainability vision a reality</title>
            <link>http://www.it-director.com/business/change/content.php?cid=13019&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/17241/andy_jones.php?ref=fd_side_itd" title="View profile for Andy Jones"><img border="0" src="http://www.it-director.com/images/people/small/andy_jones.gif" width="40" height="50" alt="Andy Jones" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/17241/andy_jones.php?ref=fd_side_itd" title="View profile for Andy Jones">Andy Jones</a>, <em>Director and General Manager, Europe</em>, Xerox Global Document Outsourcing<br/>Posted: 31st October 2011<br/>Copyright Xerox Global Document Outsourcing &copy; 2011</td></tr></table></div>

<p>The term &#8220;sustainability&#8221; used to be a buzzword heard in company meetings. Today it&#8217;s an essential concern in the boardroom.</p>
<p>In a <a href="http://www.unglobalcompact.org/news/42-06-22-2010%3E" rel="nofollow">global survey</a> of 766 CEOs conducted last year, 93 percent said sustainability is critical to the future success of their companies. Their responses support what we&#8217;ve heard from Xerox customers for years: sustainability is no longer just &#8220;nice to have&#8221; but a fundamental part of business.</p>
<p>Long before going green was popular and sustainability entered our daily vocabulary, Xerox put sustainability practices into place across the company. We know (based on decades of experience) the challenge organisations face in bringing their sustainability vision to life, especially when it comes to daily practices in the office.</p>
<p><strong>Taking the first step<br /></strong>One of the first places to start is taking stock of how office equipment is currently used. The printer you can&#8217;t live without at work may be your biggest green offender. Older printers often use a lot of energy and a single-function device is rarely as efficient as one that also copies and scans.</p>
<p>Small changes to everyday habits can reduce an office&#8217;s carbon footprint, like these fast, inexpensive ways to reduce the amount of power used:</p>
<ol><li>Unplug devices that aren&#8217;t frequently used: Devices consume phantom power even while in standby mode. If there are scanners, printers, or guest computers that aren&#8217;t needed every day, unplug them in between use.</li>
<li>Purchase ENERGY STAR-qualified equipment: When purchasing new office equipment, consider the cost and features and how it will impact your energy use. Arm yourself with a list of products that are ENERGY STAR qualified to make a smart purchasing decision.</li>
<li>Make use of energy-saving settings: Enable the built-in energy-saving settings found on current technology products, such as the low-power mode on your printer and the hibernation mode on your computer.</li>
</ol><p><strong>Document and printer management</strong><br />Over the years Xerox has seen a number of common practices that hinder efforts to reduce an organisation&#8217;s carbon footprint. One of the most common is the tendency to support far more devices than necessary, including old, energy-inefficient machines.</p>
<p>Other challenges to sustainability include:</p>
<ul><li>Lack of departmental control over how / what people print.</li>
<li>Devices not placed in an optimal position, so they are either under- or over-utilised by staff. Energy can be spent unnecessarily if staff don't make the most of available devices. </li>
<li>Ordering and storing more consumables than needed. This takes up valuable office space. </li>
<li>Unconnected network-enabled devices aren&#8217;t remotely monitored or proactively fixed, leading to an excess of printer-related calls to the IT helpdesk and more engineer site visits.</li>
</ul><p>Organisation-wide print policies to restrict print volumes can help with many of these challenges. The policy could include:</p>
<ul><li>Mandatory double-sided printing.</li>
<li>Limiting job sizes. </li>
<li>Developing rules to ensure certain document sizes and types are printed only on certain devices.</li>
</ul><p>As simple as these steps are, we&#8217;ve found many businesses don&#8217;t implement them well.</p>
<p>And there are other areas for improvement. Innovations in printer hardware and software, such as new energy-saving printers which include sleep modes, can help significantly. And some devices feature green-friendly parts made from recyclable plastics. There's also new imaging technology <a href="http://www.xerox.co.uk/office/solid-ink/engb.html" rel="nofollow">like Xerox&#8217;s proprietary solid ink</a>, which has substantial sustainability benefits. A solid ink printer or multifunction printer uses solid sticks (or blocks) of no-mess, non-toxic ink instead of toner or inkjet cartridges. It is easy to use, produces great colour print quality, is cost-effective, and very good for the environment.</p>
<p>These innovations, combined with an organisation&#8217;s proactive approach to managing its own unique printing environment in a more sustainable way, can go a long way toward &#8216;greening&#8217; a business.</p>
<p><strong>Seeking assistance</strong><br />Many organisations outsource print management to address these issues. Our customers have realised cost savings of up to 30 percent whilst also reducing energy usage, solid waste and carbon footprint by at least 20 percent (and in many cases significantly more) across the lifecycle of devices.</p>
<p>We do this by introducing a managed print service (MPS), which gives an organisation visibility into its document output costs. This environment is then managed on an ongoing basis whilst delivering against mutually agreed KPIs and SLAs. At Xerox, we&#8217;ve seen this approach deliver impressive results for a number of different clients &#8211; from the Sandwell Metropolitan Borough Council to defence provider Selex Galileo.</p>
<p>Like the CEOs questioned in the survey, these organisations see sustainability as critical to future success and have sought help in changing what was once just a vision into reality.</p>]]></description>
            <author>rss@it-analysis.com (Andy Jones, Xerox Global Document Outsourcing)</author>
            <category>Business Issues-&gt;Change</category>
            <category>Services-&gt;Outsourcing</category>
            <category>Enterprise-&gt;Technology</category>
            <pubDate>Mon, 31 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/change/content.php?cid=13019&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Consumers say no [to data leaks]</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/10/consumers_say_no_to_data_leaks_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 26th October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>A recent Quocirca <a href="http://www.it-analysis.com/business/compliance/content.php?cid=12955">blog post</a> pointed out there were good business reasons for disclosing data breaches as well as an increasing number of regulatory ones. For those organisations not convinced by these arguments and still intent on attempting to brush leaks under the carpet, there is new evidence that consumers think they should come clean too.</p>
<p>New research commissioned by LogRhythm, a vendor of SIEM (security information and event management) tools, surveyed 2,000 UK consumers and concludes that they are &#8220;<em>losing patience with organisations that endanger their customers&#8217; data</em>&#8221;. 80% were &#8220;<em>concerned</em>&#8221; about trusting organisations to keep their data safe from hackers, up 17% from a similar survey in 2010. 26% assert they would &#8220;<em>definitely</em>&#8221; not transact with the affected organisation again, with a further 61% saying they would try to avoid future interactions.</p>
<p>Of course, for many, their bark will be louder than their bite; it is often said that a man is more likely to change his wife than his bank. However, what the research does show is that all the recent press coverage of data leaks has not gone unnoticed. There is widespread awareness amongst consumers of the issues, the responsibilities of the organisations to whom they entrust their data and the importance of disclosure.</p>
<p>SIEM tools help in two ways. First, they can monitor network traffic and help spot unusual activity, providing a feed to intrusion prevention systems (IPS) and data loss prevention (DLP) tools to block attempted data thefts. Second, they help clear up afterwards, enabling affected organisations to rapidly gather the information about what data has been lost and who has been affected. It is not good enough for an affected organisation to lazily issue a blanket warning to all customers; instead they should be in a position to inform those (and only those) whose data has definitely been compromised.</p>
<p>LogRhythm claims to be the biggest independent vendor of SIEM tools. This follows a recent round of acquisitions of its rivals by larger vendors. In 2010, HP acquired ArcSight, and this month two more intended acquisitions were announced; IBM targeting Q1 Labs while Nitro Security was approached by McAfee. There is no shortage of other vendors; for example, Symantec has its Security Information Manager and EMC/RSA has tools based around the acquisitions of Network Intelligence and enVision. However, this has not put off new entrants, such as Red Lambda, a high-end data processing vendor attempting to re-position itself in the network security market by treating it as a 'big-data' problem.</p>
<p>Businesses rightly expect consumers to be careful with their confidential information, account details, login credentials and so on. In return, consumers should expect businesses to take good care of the same data and come clean when it is stolen or they have screwed up and leaked it to the public domain.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Compliance</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <pubDate>Wed, 26 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/10/consumers_say_no_to_data_leaks_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Avoiding (awful) bad practice at audit time</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/10/avoiding_awful_bad_practice_at_aud_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 21st October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Quocirca saw an estimate recently that IT security managers can spend as much as 30% of their time preparing for and delivering audits. This is mundane and uninteresting work and if it can be automated &#8211; all the better. However, recent Quocirca research, sponsored by sys-admin tools vendor Osirium, shows that less than 20% of organisations fully automate the gathering of data for audits and less than 10% automate the remediation of audit gaps.</p>
<p>What&#8217;s more, over 70% admitted that in some cases system administrators (sys-admins) made informal, uncontrolled changes to sys-admin procedures immediately prior to audits in order to meet the audit requirements, which then lapse following the audit, with 8% saying this was a regular practice. Obviously, this is extremely bad practice; if auditors uncovered the fact that the procedures had been temporarily changed to satisfy them, then the audit would surely be failed anyway?</p>
<p>Osirium has published the research and some suggestions for achieving better practices as the first of its <a href="http://www.osirium.com/alpha-files/" rel="nofollow">Alpha Files</a>, a series of short reports on sys-admin, privileged user management and auditing practices. Quocirca will be publishing a new free report later in 2011 that will analyse in detail all the new research.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Systems Mgmt</category>
            <category>Business Issues-&gt;Compliance</category>
            <pubDate>Fri, 21 Oct 2011 09:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/10/avoiding_awful_bad_practice_at_aud_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>BYO security: three ways to tighten iPad and smartphone access without choking innovation</title>
            <link>http://www.it-director.com/business/security/content.php?cid=13000&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 18th October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Recent Quocirca research among European, US and Australian small businesses shows how far the trend to consumerisation of user access to IT has progressed. Over 70% of those interviewed said they allowed at least some of their employees to access certain data and applications from their personally owned devices.</p>
<p>When Quocirca speaks with chief information security officers (CISOs) in larger businesses they admit that one of the reasons their organisations are also observing the same trend is that in practice it is hard to stop. Senior staff will insist on such access; junior ones will seek ways around controls, including the use of other communications channels if they are blocked from access to formal ones, such as corporate email, from their personal devices.</p>
<p>However, as the Quocirca research shows, there are positive reasons for allowing such access. The use of smartphones is fundamental to enabling remote working. Over 90% of the small business managers interviewed had staff that worked out of the office at some point during the week and they were the ones most likely to be using such devices for remote IT access.</p>
<p>Of course, it is not just smartphones. Many of those employees will already have notebook and laptop computers and they are also rapidly turning to tablets. Over 40% of the respondents in the recent research said some of their employees were using such devices and another 20% expected this to be the case within 12 months.</p>
<p>In many cases, remote workers, for example field service engineers logging faults and social workers filing home visit reports, will be using company-issued mobile devices to participate in locked down business processes. However, for a growing majority it is simply about more flexible working and access to information as and when it is needed&#8212;such information workers are behind the mobility revolution that is going on in the IT industry and readers here will mostly fit that category.</p>
<p>However, regardless of all the benefits, information workers present their employers with a problem. How do you keep control of the information itself? How do you benefit from mobility and consumerisation without losing control, becoming a victim of data loss and coming to the notice of regulators? There is also a problem for the users themselves. As they switch from one device to another for convenience, how do they get a consistent view of their data?</p>
<p>There is no silver bullet for solving the employer&#8217;s problem, but there are ways of reducing the risks. First, a business must take as much control of its data as it can. It is possible to secure mobile devices using encryption and host based end-point security, but there is the problem of device ownership; installing software on the users&#8217; own devices creates licencing and management issues.</p>
<p>For many, a better way is to impose centralised controls; that is, to provide a means of accessing data which is easy to use and requires minimal modification of the user&#8217;s device. There are three basic approaches; to achieve its goals, a given organisation may need to use one or more of them:</p>
<ol><li>Virtual desktops. Here, data is not actually processed on the device, but the device is simply an access tool to a desktop that is available anywhere the user can get online. There are limitations with this approach when it comes to smartphones (due to screen and keyboard size), but software in this area is improving fast (for example Citrix Receiver). However, it may still require some locally installed software for some advanced functions.</li>
<li>Provide access to applications that allow data to be viewed and updated, but not copied. For example, just because you allow employees to read email remotely does not mean the actual content need be copied to a device. Such applications can be provided through the creation of corporate app stores that support the range of devices employees want to use and that users can proactively download from, providing their consent for installation in the process. This is the best way to provide access to corporate applications (CRM, ERP etc.) for those on the move.</li>
<li>Provide direct access to central document stores. Here, with the right products, access can be provided to view files with appropriate caveats. Public domain documents (e.g. market materials) can be freely copied and used later offline, whilst restricted documents can only be viewed whilst online, helping to protect an organisation&#8217;s digital rights. Some products require no local software be installed to provide such access. Offerings here include portals such as Microsoft SharePoint or specific file sharing/backup services such as Trend Micro SafeSync and Druva inSync.</li>
</ol><p>The last of these also helps solve the employee&#8217;s problem; if the central data store supports access from multiple operating systems (iOS, Windows, Android etc.) it gives them access to documents from whatever device they happen to be using. Providing this is a secure service, it also helps prevent another insidious problem: if there is no easy-to-use method for centrally storing documents then employees may synch their devices using other services&#8212;some secure, some less so&#8212;and employers may then have no idea where their data is ending up.</p>
<p>Generally speaking, the benefits of embracing consumerisation outweigh the risks, providing those risks are mitigated in so far as is possible. Employers that are proactive in doing that will ultimately find they get more out of their employees, without taking unnecessary risks with their data.</p>
<p>Quocirca&#8217;s report, The data sharing paradox, is freely available here: <a href="http://www.quocirca.com/reports/620/the-data-sharing-paradox" rel="nofollow">http://www.quocirca.com/reports/620/the-data-sharing-paradox</a></p>
<p><em>This article first appeared in Oct 2011 on </em><a href="http://www.silicon.com/" rel="nofollow">http://www.silicon.com</a></p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Mobile</category>
            <pubDate>Tue, 18 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=13000&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Complex IT security risks can only be treated with comprehensive response, not point products</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12992&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 12th October 2011<br/>Copyright Interarbor Solutions &copy; 2011</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>This latest BriefingsDirect discussion takes on the rapidly increasing threat that enterprises face from complex IT security breaches.</p>
<p>In just the past year, the number of attacks is up, the costs associated with them are higher and more visible, and the risks of not securing systems and processes are therefore much greater. Some people have even called the rate of attacks a pandemic.</p>
<p>The path to reducing these risks, even as the threats escalate, is to <a href="http://www.it-director.com/enterprise/technology/content.php?cid=12949">confront security at the framework and strategic level</a>, and to harness the point solutions approach into a managed and ongoing security enhancement lifecycle.</p>
<p>As part of the series of recent news announcements from HP, this discussion examines how such a framework process can unfold, from <a href="http://www.hp.com/hpinfo/newsroom/press_kits/2011/risk2011/FS_Assess.pdf" rel="nofollow">workshops</a> that allow a frank assessment of an organization&#8217;s vulnerabilities, to tailored framework-level approaches that can transform a company based on its own specific needs.</p>
<p>Here to describe how a "fabric of technology," a "framework of processes," and a "lifecycle of preparedness" can all work together to help organizations become more secure&#8212;and keep them secure&#8212;is Rebecca Lawson, Director of Worldwide Security Initiatives at HP. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]</p>
<p>Here are some excerpts:</p>
<p><strong>Gardner:</strong> Why has the security vulnerability issue come to a head?</p>
<p><strong>Lawson:</strong> Open up the newspaper and you see another company getting hit almost every day. As an industry, we've hit a tipping point with so many different security related issues&#8212;for example, cyber crime, hacktivism, nation-state attacks. When you couple that with the diversity of devices that we use, and the wide range of apps and data we access every day, you can see how these dynamics create a very porous environment for an enterprise.</p>
<p>So we are hearing from our customers that they want to step back and think more strategically about how they're going to handle security, not just for the short term, when threats are near and present, but also from a longer term point of view.</p>
<p><strong>Gardner:</strong> What do you think are some of the trends that are supporting this vulnerability?</p>
<p><strong>Lawson:</strong> In HP&#8217;s <a href="http://www.arcsight.com/collateral/whitepapers/2011_Cost_of_Cyber_Crime_Study_August.pdf" rel="nofollow">recent research</a>, we've found that thirty percent of the people know that they've had a security breach by an unauthorized internal access, and over 20 percent have experienced an external breach. So breaches happen both internally and externally, and they happen for different reasons. Sometimes a breach is caused by a disgruntled customer or employee. Sometimes, there is a political motive. Sometimes, it's just an honest error ... Maybe they grab some paper off a printer that has some proprietary information, and then it gets into the wrong hands.</p>
<p>There are so many different points at which security incidents can occur; the real trick is getting your arms around all of them and focusing your attention on those that are most likely to cause reputation damage or financial damage or operational damage.</p>
<p>We also noticed in our research that the number of attacks, particularly on web applications, is just skyrocketing. One of the key areas of focus for HP is helping our customers understand why that&#8217;s happening, and what they can do about it.</p>
<p><strong>Gardner:</strong> It also seems to me that, in the past, a lot of organizations could put up a walled garden, and say, "We're not going to do a lot of web stuff. We're not going to do mobile. We're going to keep our networks under our control." But nowadays that&#8217;s really just not possible.</p>
<p>If you're not doing mobile, not looking seriously at cloud, not making your workers able to access your assets regardless of where they are, you're really at a disadvantage competitively. So it seems to me that this is not an option, and that the old defensive posture just doesn&#8217;t work anymore.</p>
<p><strong>Lawson:</strong> That is exactly right. In the good old days, we did have a walled garden, and it was easy for IT or the security office to just say &#8220;no&#8221; to newfangled approaches to accessing the web or building web apps. Of course, today they can still say no, but IT and security offices realize that they can't thwart the technology-related innovation that helps drive growth.</p>
<p>Our customers are keenly aware that their information assets are the most important assets now. That&#8217;s where the focus is, because that&#8217;s where the value is. The problem is that all the data and information moves around so freely now. You can send data in the blink of an eye to China and back, through multiple applications, where it&#8217;s used in different contexts. The context can change so rapidly that you have to really think differently about what it is you're protecting and how you're going to go about protecting it. So it's a different game now.</p>
<p><strong>Gardner:</strong> And as we confront this "new game," it also appears that our former organizational approach is wanting. If we've had a variety of different security approaches under the authority of different people&#8212;not really coordinated, not talking to each other, not knowing what the right hand and left hand are doing&#8212;that&#8217;s become a problem.</p>
<p>So how do we now elevate this to a strategic level, getting a <a href="http://www8.hp.com/us/en/solutions/solutions-detail.html?compURI=tcm:245-339290" rel="nofollow">framework</a>, getting a comprehensive plan? It sounds like that&#8217;s what a lot of the news you've been making these days is involved with.</p>
<p><strong>Lawson:</strong> You're exactly right. Our customers are realizing that there is no one silver bullet. You have to think across functional areas, lines of business, and silos.</p>
<p>Job number one is to bring the right people together and to assess the situation. The people are going to be from all over the organization&#8212;IT, security and risk, AppDev, legal, accounting, supply chain&#8212;to really assess the situation. Everyone should be not only aware of where vulnerabilities might be, or where the most costly vulnerabilities might be, but to look ahead and say, "Here is how our enterprise is innovating with technology&#8212;let's make sure we build security into them from the get-go."</p>
<p>There are two takeaways from this. A structured methodical framework approach helps our customers get the people on the same page, getting the processes from top-down really well-structured so that everyone is aware of how different security processes work and how they benefit the organizations so that they can innovate.</p>
<p>[But] it's also about long-term thinking, about building security in from the get-go; this is where companies can start to turn the corner. I'll go back again to web apps, building security into the very requirement and making sure all the way through the architecture design, testing, production, all the way through that you are constantly testing for security.</p>
<p><strong>Gardner:</strong> What are the high-level building blocks to the framework approach?</p>
<p><strong>Lawson:</strong> The <a href="http://h20195.www2.hp.com/V2/GetPDF.aspx/4AA3-6821ENW.pdf" rel="nofollow">framework that I just mentioned</a> is our way of looking at what you have to do across securing data, managing suppliers, ensuring physical assets, or security, but our approach to executing on that framework is a four-point approach.</p>
<p>We help our customers first assess the situation, which is really important just to have all eyes on what's currently happening and where your current vulnerabilities may lie. Then, we help them to transform their security practices from where they are today to where they need to be.</p>
<p>Then, technologies and services to help them manage that on an ongoing basis, so that you can get more and more of the security controls automated. And then, we help them optimize that, because security just doesn't stand still. So we have tools and services that help our customers keep their eye on the right ball, as all of the new threats evolve or new compliance requirements come down the pike.</p>
<p><strong>Gardner:</strong> What is <a href="http://h10131.www1.hp.com/uk/en/information-security/secure-boardroom/" rel="nofollow">HP Secure Boardroom</a>, and why is it an important part of this organizational shift?</p>
<p><strong>Lawson:</strong> The Secure Boardroom combines dashboard technology with a good dose of intellectual property we have developed that helps us generate the APIs into different data sources within an organization.</p>
<p>The result is that a CISO can look at a dashboard and instantly see what's going on all across the organization. What are the threats that are happening? What's the rate of incidents? What's going on across your planning spectrum?</p>
<p>To have the visibility into disparate systems is step one. We've codified this over the several years that we've been working on this into a system that now any enterprise can use to pull together a consistent C-level view, so that you have the right kind of transparency.</p>
<p>Half the battle is just seeing what's going on every day in a consistent manner, so that you are focused on the right issues, while discovering where you might need better visibility or where you might need to change process. The Secure Boardroom helps you to continually be focused on the right processes, the right elements, and the right information to better protect financial, operational, and reputation-related assets.</p>
<p>... Because we've been in the systems management and business service management business for so long, I would elevate this up to the level of the business service management.</p>
<p>We already have a head start with our customers, because they can already see the forest for the trees with regard to any one particular service. Let's just say it's a service in the supply chain, and that service might comprise network elements and systems and software and applications and all kinds of data going through it. We're able to tie the management of that through traditional management tools, like what we had with OpenView and what we have with our business service management to the view of security.</p>
<p>When you think about vulnerabilities, threats, and attacks, the first thing you have to do is have the right visibility. The technology in our security organization helps us see and find the vulnerabilities really quickly.</p>
<p>Because we have our <a href="http://www8.hp.com/us/en/software/software-solution.html?compURI=tcm:245-937035" rel="nofollow">security technology tied with IT operations</a>, there is an integration between them. When the security technology detects something, they can automatically issue an alert that is picked up from our incident management system, which might then invoke our change management system, which might then invoke a prescribed operations change, and we can do that through <a href="http://www8.hp.com/us/en/software/software-product.html?compURI=tcm:245-936143" rel="nofollow">HP Operations Orchestration</a>.</p>
<p>It really is a triad&#8212;security, applications, operations. At HP, we&#8217;re making them work together. And because we have such a focus now on data correlation, on Big Data, we're able to bring in all the various sources of data and turn that into actionable information, and then execute it through our automation engine.</p>
<p>... For example, we have a technology that lets you scan software and look for vulnerabilities, both dynamic and static testing. We have ways of finding vulnerabilities in third-party applications. We do that through our research organization, which is called <a href="http://dvlabs.tippingpoint.com/" rel="nofollow">DVLabs</a>. DV stands for Digital Vaccine. We pull data in from them every day as to new vulnerabilities and we make that available to the other technologies so we can blend that into the picture.</p>
<p>The right kind of security fabric has to be composed of different technologies that are very focused on certain areas. For example, technologies like our intrusion protection technology, which does the packet inspection and can identify bad IP addresses. They can identify that there are certain vulnerabilities associated with the transaction, and they can stop a lot of traffic right at the gate before it gets in.</p>
<p>The reason we can do that so well is because we've already weaved in information from our applications group, information from our researchers out there in the market. So we've been able to pull these together and make more value out of them working as one.</p>
<p><strong>Gardner:</strong> Is there a path now toward security as a service, or some sort of a managed service, hybrid model?</p>
<p><strong>Lawson:</strong> A lot of people think that when the words cloud and security are next to each other, bad things happen, but in fact, that&#8217;s not always the case.</p>
<p>Once an enterprise has the right plan and strategy in place, they start to prioritize what parts of their security are best suited in-house, with your own expertise, or what parts of the security picture can you or should you hand off to another party. In fact, one of our announcements this week is that we have a service for endpoint threat management.</p>
<p>If you're not centrally managing your endpoint devices, a lot of incidents can happen and slip through the cracks&#8212;everything from an employee just losing a phone to an employee downloading an application that may have vulnerabilities.</p>
<p>So managing your endpoint devices in general, as well as the security associated with the endpoints, makes a lot of sense. And it&#8217;s a discrete area where you might consider handing the job to a managed services provider, who has more expertise as well as better economic incentives.</p>
<p>Another great example of using a cloud service for security is application testing. We are finding that a lot of the web apps out in the market aren't necessarily developed by application developers who understand that there's a whole lifecycle approach involved.</p>
<p>In fact, I've been hearing interesting statistics about the number of web apps that are written by people formerly known as webmasters. These folks may be great at designing apps, but if you're not following a full application lifecycle management practice, which invokes security as one of the base principles of designing an app, then you're going to have problems.</p>
<p>What we found is that this explosion of web apps has not been followed closely enough by testing. Our customers are starting to realize this and now they're asking for HP to help, because in fact there are a lot of app vulnerabilities that can be very easily avoided. Maybe not all of them, but a lot of them, and we can help customers do that.</p>
<p>So testing as a service as a cloud service or as a hosted or managed service is a good idea, because you can do it immediately. You don't incur the time and money to spin up a testing center of excellence&#8212;you can use the one that HP makes available through our SaaS model.</p>
<p><strong>Gardner:</strong> As part of your recent announcements, you're moving more toward a managed services provider role.</p>
<p><strong>Lawson:</strong> One of the great things about many of the technologies that we've purchased and built in the last few years is that we're able to use them in our managed services offerings.</p>
<p>I'll give you an example. Our ArcSight product for Security Information and Event Management is now offered as a service. That's a service that really gets better the more expertise you have and the more focused you are on that type of event correlation and analysis. For a lot of companies they just don't want to invest in developing that expertise. So they can use that as a service.</p>
<p>We have other offerings, across testing, network security, endpoint security, that are all offered as a service. So we have a broad spectrum of delivery model choices for our customers. We think that&#8217;s the way to go, because we know that most enterprises want a strategic partner in security. They want a trusted partner, but they're probably not going to get all of their security from one vendor of course, because they're already invested.</p>
<p>We like to come in and look first at establishing the right strategy, putting together the right roadmap, making sure it's focused on helping our customer innovate for the future, as well as putting some stopgap measures in so that you can thwart the cyber threats that are near and present danger. And then, we give them the choice to say what's best for their company, given their industry, given the compliance requirements, given time to market, and given their financial posture?</p>
<p>There are certain areas where you're going to want to do things yourself, certain areas where you are going to want to outsource to a managed service. And there are certain technologies already at play that are probably just great in a point solution context, but they need to be integrated.</p>
<p>Most of our customers have already lots of good things going on, but they just don't all come together. That's really the bottom line here. It has to be an integrative approach. It has to be a comprehensive approach. And the reason that the bad guys are so successful causing havoc is that they know that all of this is disconnected. They know that security technologies tend to be fragmented and they're going to take advantage of that.</p>
<p>I'd definitely suggest going to <a href="http://hp.com/go/enterprisesecurity" rel="nofollow">hp.com/go/enterprisesecurity</a>. In particular, there is a report that you can download and read today called the "HP DVLabs&#8217; Cyber Security Risks Report." It&#8217;s a report that we generate twice a year and it has got some really startling information in it. And it&#8217;s all based on, not theoretical stuff, but things that we see, and we have aggregated data from different parts of the industry, as well as data from our customers that show the rate of attacks and where the vulnerabilities are typically located. It&#8217;s a real eye opener.</p>
<p>So I would just suggest that you search for the <a href="http://www.google.com/#sclient=psy-ab&amp;hl=en&amp;source=hp&amp;q=dvlabs+cyber+security+risks&amp;pbx=1&amp;oq=dvlabs+cyber+security+risks&amp;aq=f&amp;aqi=&amp;aql=&amp;gs_sm=e&amp;gs_upl=2468l9117l0l9393l27l20l0l0l0l0l297l3638l3.10.7l20l0&amp;bav=on.2,or.r_gc.r_pw.r_cp.&amp;fp=7f54f978834d2cf0&amp;biw=757&amp;bih=948" rel="nofollow">DVLabs&#8217; Cyber Security Risks Report</a> and read it, and then pass it on to other people in your company, so that they can become aware of what the situation really is. It&#8217;s a little startling, when you start to look at some of the facts about the costs associated with application breaches or the nature of complex persistent attacks. So awareness is the right place to start.</p>
<p><a href="http://traffic.libsyn.com/interarbor/BriefingsDirect-Security_Trends_Point_to_Need_for_Comprehensive_Response.mp3" rel="nofollow">Listen</a> to the podcast. Find it on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=85270006&amp;s=143441" rel="nofollow">iTunes/iPod</a>. Read a <a href="http://briefingsdirect.blogspot.com/2011/10/complex-it-security-risks-can-only-be.html" rel="nofollow">full transcript</a> or <a href="http://interarborsolutions.books.officelive.com/Documents/HPSecurityLawsonA.pdf" rel="nofollow">download</a> a copy.</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Security</category>
            <category>Enterprise-&gt;Technology</category>
            <pubDate>Wed, 12 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12992&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Mobilising SMB security improvements</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12989&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 11th October 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>There is a paradox at the heart of 21st century business processes. The effective sharing of data makes these processes more efficient but carries an inherent risk that the data may be compromised. This applies both to providing access to data for mobile and remote employees and the sharing of data with external users. In the latter case, Quocirca research has recently suggested that improving the way business processes operate, among SMBs at least, is the primary motivation for such sharing (Figure 1).</p>
<p><img src="http://www.it-director.com/shared/sharedataslide1.jpg" alt="Slide 1" width="450" height="320" /></p>
<p>The risks involved with sharing data can be mitigated. How this is best done depends on a number of factors, including the user, the device, who owns the device, the application involved and the type of connection. Historically, users have gained access to centrally managed data and applications via employer-owned and -managed mobile PC devices using VPN connections to internal servers.</p>
<p>Today, many SMBs do not have their own physical servers, often turning to cloud, and while VPN access can be set up relatively easily on employer-supplied laptops, it is harder if external users are using their own devices. It is also more likely to involve smartphones and tablets than traditional PCs, due to consumerisation (Figure 2). In theory, VPN access can be provided for these, but this creates a host of management issues, such as those surrounding the licensing of corporate software on externally owned devices.</p>
<p><img src="http://www.it-director.com/shared/sharedataslide2.jpg" alt="Slide 2" width="450" height="320" /></p>
<p>Regardless, business data is at risk, as it is most commonly shared using ad hoc methods such as email and memory sticks, over which the business has little control (Figure 3). Not only can data be shared insecurely, it can also end up on those mobile devices owned by employees or outsiders, and be completely unprotected if such devices are lost or stolen.</p>
<p><img src="http://www.it-director.com/shared/sharedataslide3.jpg" alt="Slide 3" width="450" height="320" /></p>
<p>There is no silver bullet here, but there are ways of reducing the risks. A business must take as much control of its data as it can. It is possible to secure mobile devices themselves using encryption and host-based end-point security, but again there is the problem of device ownership. It may make sense to allow employees to use their own devices&#8212;the employees will probably do so anyway&#8212;but managing the devices, and installing and licensing software on them, can be costly and difficult.</p>
<p>A better way of reducing risks is to impose centralised controls. That is, provide a means of accessing and sharing data that is easy to use and requires minimal modification of the user&#8217;s device. There are three basic approaches:</p>
<ol><li>Virtual desktops. Here, data is not actually processed on the device, which is used simply to gain access to the desktop, anywhere the user can get online. There are limitations to this approach when it comes to smartphones due to screen and keyboard size, but software that makes this a better user experience is improving fast (see, for example, Citrix Receiver). However, this option still requires some locally installed software.</li>
<li>Provide access to applications that allow data to be viewed and updated but not copied. Just because you allow employees to read email remotely does not mean the actual content has to be copied to a mobile device. Such applications can be provided through the creation of corporate app stores that support the range of devices employees want to use. Staff can download from there, providing their consent for installation in the process.</li>
<li>Provide direct access to central data stores. Using this approach, access can be provided to view files through the right products, with caveats. Public domain documents such as marketing collateral can be freely copied and used later offline, while restricted documents can be viewed only online, helping to protect an organisation&#8217;s intellectual property. No local software is needed to do this. Offerings here include portals, such as Microsoft SharePoint, or specific file-sharing/backup services, such as Trend Micro SafeSync.</li>
</ol><p>One thing is certain: no business can ignore the mobility revolution. All need a strategy to manage it. Those who embrace it with controls in place will benefit in the long term, while those who bury their heads in the sand will lag behind.</p>
<p>This article first appeared on http://www.channelweb.co.uk and in the print edition of Computer Reseller News (CRN)</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Data management</category>
            <pubDate>Tue, 11 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12989&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Take a deep dive with Embarcadero on how enterprise app stores help drive productivity</title>
            <link>http://www.it-director.com/business/change/content.php?cid=12983&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 5th October 2011<br/>Copyright Interarbor Solutions &copy; 2011</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>The popularity of mobile devices like smartphones and tablets has energized users on the one hand, but on the other hand it&#8217;s caused IT and business leaders to scramble to adjust to new models of applications delivery.</p>
<p>That's why enterprise app stores are quickly creating productivity and speed-to-value benefits for PC users and IT departments alike as they grapple with the new models around consumerization of IT. The author of a recent <a href="http://www.embarcadero.com/appwave/images/The_App_Store_Model_Comes_to_the_Enterprise_OvumJun11.pdf" rel="nofollow">Ovum white paper</a> on app stores says they are increasingly important for enterprises as they consider ways to better track, manage, and distribute all of their applications.</p>
<p>Join this podcast discussion then as we examine the steps businesses can now take to build and develop their own enterprise app stores. We'll further see what rapid and easy access to self-service apps on PCs and notebook computers through such app stores is doing for businesses.</p>
<p>And we&#8217;ll learn how app stores are part of the equation for improved work and process success on and off the job. Furthermore, we uncover how Embarcadero&#8217;s <a href="http://www.embarcadero.com/appwave/" rel="nofollow">AppWave</a> solution brings the mobile apps experience to millions of PC users in their workplace in the enterprise.</p>
<p>The panel consists of <a href="http://www.linkedin.com/in/onstrategies" rel="nofollow">Tony Baer</a>, Principal Analyst at Ovum; <a href="http://blogs.embarcadero.com/michaelswindell" rel="nofollow">Michael Swindell</a>, Senior Vice President of Products and Marketing at Embarcadero Technologies, and <a href="http://uk.linkedin.com/pub/richard-copland/23/710/9a8" rel="nofollow">Richard Copland</a>, Principal Innovation Consultant at Logica. The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. [Disclosure: Embarcadero is a sponsor of BriefingsDirect podcasts.]</p>
<p>Here are some excerpts:</p>
<p><strong>Gardner:</strong> Richard, in your looking over the landscape for IT innovations, is there something about the app store model that you think will encourage users to adopt new technologies and new applications faster?</p>
<p><strong>Copland:</strong> Undoubtedly. The whole socialization and the social trend which I see as probably the biggest driver behind this is for the way in which people use software and the way in which people comment on a software.</p>
<p>The organization will cluster around the toolkits for which the feedback from the users is positive. I can think of one large global financial organization here that has 5,000 apps within their world. They would look to simplify their landscape by over 60 percent, because they recognize that they've got so many kinds of individual pockets of activity going on in the organization.</p>
<p>And you need to support those individual pockets of activity that, in terms of your users in the tail effect, they&#8217;ll be the mainstream enterprise apps, such as Windows-based or Office-based, which the majority will use. But if you could tap into an environment, in which you are giving the people what they want, then the return on investment (ROI) from that is going to be a lot faster.</p>
<p>My role as a Principal Innovation Consultant is effectively twofold. It's to find new things and introduce new things to our clients. Something innovative to me is something that's new to you and provides a benefit. This can be cash, people, or green ideas. I spend my day looking at cool new stuff, which means ways of working, technologies, partners, and even wacky research coming out of the various universities here in Europe.</p>
<p>At Logica, we're a business and technology service company. We provide business consulting, system integration, and outsourcing to our clients around the world including many of Europe&#8217;s largest businesses.</p>
<p>For me, these app stores are also the whole Generation Next piece which is about a whole new generation that is educated and tech-savvy. They're multitasking all the time. They work as consumers. They're purchasing products and customizing them to their needs in terms of their lifestyles. So they&#8217;re regularly sharing insight and comment on things which are good for them.</p>
<p>That&#8217;s playing out in terms of lifestyle and that's being brought into the business scenario, whereby the formal and informal hierarchies of organizations are blurring.</p>
<p><strong>Gardner:</strong> Tony, this sounds like it&#8217;s something quite new.</p>
<p><strong>Baer:</strong> From the end-user standpoint, there certainly is quite a new win to this. But we also have to look at the fact that this is going to change the way IT serves the organization. At least this aspect of it is really going to become more of a service provider. And there are a lot of implications for that.</p>
<p>For one thing, IT has to be more responsive but they also have to work on more of a shorter fuse, almost like a just-in-time type of model.</p>
<p>... I was a little bit surprised because there is certainly a concept leap from a &#36;1.99 little applet that you pull down from the iPhone app store or from the Android marketplace to a full-blown enterprise desktop application.</p>
<p>That being said, it&#8217;s not surprising, given that there&#8217;s been a huge demand from the bottom-up, from the people in the workplace. So it&#8217;s a phenomenon that&#8217;s probably better known as the consumerization of IT &#8212; "I have these sophisticated mobile devices and tablets. Why can&#8217;t I get that easy to use experience on my regular machine for my day job?"</p>
<p>Therefore, the demand for the comfort and convenience of that was inevitably bound to spread into the enterprise environment. You've seen that manifested in a number of ways. For example, companies have basically embraced more social collaboration. And you&#8217;re also starting to see some use of many of these new form factors.</p>
<p>So again, what Embarcadero has been starting to introduce is symbolic in a way that&#8217;s really not surprising.</p>
<p>But there's no free lunch in all this, it still requires management. For example, we still need to worry about dealing with security governance, managing consumption, and also making sure that you lock down, or secure, the licensing issues. As I said, there&#8217;s no free lunch, but compare that to the overhead of the traditional application distribution and deployment process.</p>
<p>So again, from the end user standpoint, it should be a win-win, but from the IT standpoint, it's going to mean a number of changes. Also, this is breaking new ground with a number of the vendors. What they need to do is check on things such as licensing issues, because what you're really talking about is a more flexible deployment policy.</p>
<p><strong>Gardner:</strong> Michael Swindell, tell me a little bit about AppWave and what it takes for an IT organization to make the transition from that long process that Tony outlined to a more streamlined app-store approach.</p>
<p><strong>Swindell:</strong> The best way to <a href="http://www.embarcadero.com/appwave/" rel="nofollow">describe AppWave</a> is that it&#8217;s just a pretty simple three-step process. The first step is taking traditional software, which is traditionally complex for end users and for organizations to manage. This includes things like installations, un-installations, considerations about applications, of how they affect the users&#8217; environment.</p>
<p>Then, converting those traditional software applications into the concept of apps where they are self-contained, don&#8217;t require installation, can be streamed and run to a user anywhere they are, and really delivering the mobile-like experience of mobile software to the more complex traditional desktop PC software.</p>
<p>AppWave has tooling that allows users to take their applications and convert them into apps. And that&#8217;s any type of application&#8212;commercial application or internally developed.</p>
<p>That's the first step. The second is to centralize those apps in an app store, where users can get to them, and where organizations can have visibility into their usage, manage access to them, etc. So the second step is simply centralizing those apps.</p>
<p>The third is the user experience. One of the key drivers behind the success of apps in the mobile space has been the visibility that users have into application availability. It&#8217;s very easy for users to search and find an app as they need it.</p>
<p>Think about how a user uses a mobile phone to come up with an app. Maybe they&#8217;re walking down the street, they see a business, and they have an idea, or they want directions to something. They can simply search in an app store on their mobile device and immediately get an app to solve that problem.</p>
<p>If you look in the business space and inside the workplace, when a user has a problem, they don&#8217;t really have a mechanism to sit down and search to solve a problem and then get an application to solve it immediately.</p>
<p>As we talked about earlier, and Tony really well described the process, once they identify an application to solve a problem, that can take weeks or months to roll out. So you don&#8217;t have that instant feedback.</p>
<p>The user experience has to be instantaneous. An area that we focused on very heavily with AppWave is to provide the users an ability to search, find apps based on the problems that they&#8217;re trying to solve, and instantly run those apps, rather than having to go through a long process.</p>
<p><strong>Gardner:</strong> Can we perhaps make the association that app stores can fundamentally change the way workers behave in an innovation sense?</p>
<p><strong>Copland:</strong> Absolutely. You&#8217;re on the money. We talked a little bit about looking at the mobile aspects of it and moving to this on-demand usage and the challenges for the organization to do that.</p>
<p>Certainly, the components within the AppWave solution give you the opportunity to move to more of what I would describe as smart working or remote working, by which the user doesn't necessarily have to come into the office to access the tools, which are traditionally being provided to them at their desk in their environment.</p>
<p>If you start remote working or are given a broader range of remote access, then you can be operating a much stronger work-life balance. So if you're in a situation where you&#8217;ve got a young family and you need to take the kids to school, you can come on and go off the company network and use the tools which are provided to you in a much more user-friendly flexible environment. That would be certainly from the user's perspective.</p>
<p>From the business&#8217;s perspective, I start moving to a scenario where I don't necessarily need to maintain a real estate where if I&#8217;ve got 5,000 users, I need to have 5,000 desks. That certainly becomes quite empowering across the rest of the organization, and other stakeholders&#8212;the facility&#8217;s officers, business managers&#8212;start taking real notice of those types of savings and the nature of how work is achieved.</p>
<p><strong>Gardner:</strong> How far can the app store model be taken in terms of legacy, the installed base of apps?</p>
<p><strong>Swindell:</strong> Our vision is any type of application in the organization will eventually be supported by AppWave. The initial support is for PC apps in organizations, which is the vast majority of productivity applications that end users need. It also is where the largest problem set is, both from an end-user perspective and from an organization's perspective.</p>
<p>So we're tackling the hardest problem first and then our plan is to roll in other types of apps, web apps, and applications that you might be using in an organization, using other types of delivery technologies.</p>
<p>But the idea is to take any type of these applications and present them as an app inside the AppWave ecosystem. So a user can have a centralized way to search for any type of app whether it&#8217;s a corporate HR, a web application, a hosted software as a service (SaaS) application, or a PC application. Certainly, mobile would be an obvious direction as well.</p>
<p>There are really two sides to the benefit of using the app store methodology. There's an organizational side of understanding application usage, as you said maybe sunsetting applications, understanding how applications are used within their organization, so that they can make good decisions.</p>
<p>Then we have the user side, where users have a lot more information that they can provide that&#8217;s very useful for both the organization and other users.</p>
<p>The app store metaphor works very well in sharing that type of information. It gives the organization usage information and statistics, and the demand information that's valuable for the organization to plan and understand their application usage. It also provides information to other users on the applicability of applications for certain scenarios, whether applications are good or bad for a particular scenario.</p>
<p>This has worked well in the mobile space with public app stores, and we see that there's a lot of applicability inside the firewall, inside organizations, to be able to use this information and create more value out of their applications and to help users get more value and understanding about their applications.</p>
<p>One of the things that AppWave and the app store concept can do is to help create a centralized app view of the different types of applications and even the different types of services in your organization, and to be able to understand what&#8217;s available.</p>
<p>There are also opportunities for the same types of socialization and sharing of information and knowledge about services using the app store concept, as there is with apps.</p>
<p>The important thing is to take these different types of applications and present them in a common way in the same place, so that it really doesn&#8217;t matter whether the app is a web app or it&#8217;s a PC app. Users can find them, run them, and share information about them at the same place.</p>
<p><strong>Gardner:</strong> Tony, back to your Ovum white paper, what do you see as the efficiency aspects to this?</p>
<p><strong>Baer:</strong> Compare this model to the traditional application deployment model ... Number one, it's much more of a long-fused process. There is elaborate planning of the rollout. You're trying to figure out all the different client targets that you're trying to address. Even if you do have locked-down machines, you're still going to have issues. Then, package the release. Then, regression test it to death. Then distribution, and you actually get the thing installed. Hopefully, it's up during some off hour, let's say, at 3 a.m. Then, you prepare for all the support calls.</p>
<p>That's a pretty involved process. That consumes a lot of time both for the end user, who is waiting for the functionality that he or she may want&#8212;or not. And it's also, of course, a considerable overhead in the IT organization.</p>
<p>If you take that all away into a more modular model, more like a radio broadcast model, essentially it becomes a lot more efficient. You lose all this lead time, and as Michael was talking about, you then get all the visibility for all these apps being consumed. End users have more sway. As long as they are authorized to use these apps, they have this choice.</p>
<p>So it's not that all of a sudden they have a whole number of apps that are loaded on their machine, whether they like it or not. We haven't done anything to quantify this, because trying to quantify productivity is like asking &#8220;what's the cost of downtime?&#8221; And in a lot of sectors that can be a very subjective number. But intuitively, this model, if it scales out, should basically provide a much lower cost of ownership and much greater satisfaction.</p>
<p><strong>Gardner:</strong> Richard Copland, as someone who is out there hunting down innovations that they can bring to their user organization and their clients, was there anything about AppWave or app stores in general for enterprise use that was interesting and attractive to you that we perhaps haven&#8217;t hit on yet?</p>
<p><strong>Copland:</strong> In AppWave and the Embarcadero team, we have a global <a href="http://site.logica.com/givp+programme+2010/400017702" rel="nofollow">innovation venture partner program</a>. They were our recent winner. They went up against competition from around the world. We believe that the app store concept has got so much within it in terms of the user experience, the socialization aspects, and the collaboration aspects of it.</p>
<p>The area which we haven't touched on so much is that it's a bridging point between your legacy systems and your more visionary cloud-type solutions where you really are SaaS, on-demand and pay-per-click.</p>
<p>The thing that will kill innovation is just operating slowly. One of the biggest blockers that organizations face with regard to innovation is the nature of how that sets out and the speed at which they react to what are their internal ideas.</p>
<p><strong>Swindell:</strong> You can look at this as being in a way a cultural preparation for transition to the cloud, if indeed the cloud is suitable for specific parts of your application portfolio.</p>
<p>... Having an on-premise private app store that runs within your organization that is on site really addresses a lot of those concerns and uses the cloud simply to deliver new applications and apps from ISVs and from other vendors.</p>
<p>Once they are inside your organization, they're operating within your security and governance environment. So you don't really have to worry about those concerns, but it still delivers a lot of the benefits of the user experience of cloud and the on-demand nature.</p>
<p><strong>Gardner:</strong> I know this is going a little bit out further into the future and perhaps into the hypothetical. It sounds as if you can effectively use this app store model and technology and approach like AppWave to be a gateway for your internal PC apps, but that same gateway might then be applicable for all these other services.</p>
<p><strong>Swindell:</strong> The foundation is there, and I think it will be demand driven by users. Every time we talk to a customer with AppWave, the list of possibilities and where customers want to use and take the environment is exciting, and the list continues to grow on how they can use it in the long-term.</p>
<p>So we're building facilities today to connect the private AppWaves into our cloud infrastructure, so that we can deliver certainly apps but there could be other types of services that connect into that as well.</p>
<p><strong>Gardner:</strong> Okay, and just to be clear. AppWave is <a href="http://www.embarcadero.com/appwave/" rel="nofollow">available now</a>. I believe we have a 30-day free trial, is that correct?</p>
<p><strong>Swindell:</strong> Yes, there is a free trial, and <a href="https://downloads.embarcadero.com/free/appwave" rel="nofollow">we also offer a free version</a> of AppWave that organizations can download and use today with free apps. There's an entire catalog of free apps that are included and are streamed down from our cloud.</p>
<p>So you can get set up and started with AppWave, using free apps in your organization. What can be added then is your own internal custom apps or commercial licenses that organizations have. So if you've hundreds of commercial licenses, you can add those in or add your own internally developed apps. You can go to <a href="http://www.embarcadero.com/appwave" rel="nofollow">www.embarcadero.com/appwave</a> and try it for free.</p>
<p><a href="http://traffic.libsyn.com/interarbor/BriefingsDirect-Expert_Panel_Explores_How_Enterprise_App_Stores_Help_Drive_Worker_Productivity.mp3" rel="nofollow">Listen</a> to <a href="http://www.briefingsdirect.com/take-a-deep-dive-on-how-enterprise-app-stores-help-drive-productivity" rel="nofollow">the </a>podcast. Find it on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=85270006&amp;s=143441" rel="nofollow">iTunes/iPod</a>. Read <a href="http://briefingsdirect.blogspot.com/2011/10/take-deep-dive-on-how-enterprise-app.html" rel="nofollow">a full transcript</a> or <a href="http://interarborsolutions.books.officelive.com/Documents/09142011Embarcadero1.pdf" rel="nofollow">download</a> a copy.</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Business Issues-&gt;Change</category>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Applications</category>
            <pubDate>Wed, 05 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/change/content.php?cid=12983&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Will Digital Marketing replicate the mistakes of the CRM market?</title>
            <link>http://www.it-director.com/business/change/content.php?cid=12974&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12052/gerry_brown.php?ref=fd_side_itd" title="View profile for Gerry Brown"><img border="0" src="http://www.it-director.com/images/people/small/gerry_brown.gif" width="40" height="50" alt="Gerry Brown" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12052/gerry_brown.php?ref=fd_side_itd" title="View profile for Gerry Brown">Gerry Brown</a>, <em>Analyst - Digital Marketing &amp; CRM</em>, Bloor Research<br/>Posted: 4th October 2011<br/>Copyright Bloor Research &copy; 2011</td><td><a href="http://www.it-director.com/about/company/1/bloor_research.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/bloor_research.gif" width="88" height="33" alt="Logo for Bloor Research" /></a></td></tr></table></div>

<p>The nascent digital marketing industry is currently growing very rapidly (at c. 20% to 30%) and is attracting a plethora of competitors. But what can it learn from the similar CRM growth market of the late 1990s? And how can it avoid the mistakes and the damaged reputation that the CRM market has suffered from?</p>
<p>The CRM market grew fast on the strategic premise that 'by managing your customer relationships, customer churn falls, retention rises, and sustainable cashflow and share price gains follow'. However, building trust, loyalty, and lifetime value takes many years. Venture capital-backed vendors and customers needing to show a fast ROI took a more short-term view.</p>
<p>So CRM became mainly used for capturing, measuring and controlling sales activities - the feared 'stick' with which to punish salespeople. End users that followed the original 'customer relationship' dream found vendor promises inflated beyond product capabilities, and millions of customer IT dollars were wasted. Gartner reported CRM implementation failure rates of 80%+. The king of the market (Siebel) was toppled, replaced with a lower-cost and more flexible Cloud-based alternative (Salesforce.com).</p>
<p>In digital marketing, the original strategic promise was to 'engage with customers, have relevant conversations, and build products to meet their needs'. In this scenario, marketers listen, analyse, and predict customer buying behaviour and optimise their offerings to meet customer needs.</p>
<p>As with CRM, in digital marketing short term is trumping longer term brand building considerations. Customers use digital marketing primarily to run price discount email campaigns, and analyse and target web site visitors. The results can be surprisingly crude. For example, Groupon does not even differentiate its email promotional offers between men and women. Hence men are regularly invited to women's spas for pampering weekends. Irritating.</p>
<p>At last week's ad:tech show in London, the focus was how to increase sales 'conversions'. Cost Per Acquisition (CPA) is the key metric describing the cost to 'buy' a new customer. We customers need to be 'monetized'. One vendor boasts of "quickly transforming conversations into conversions"; another is an expert in "the art of building and monetizing a social following". They offer quick profits rather than 'satisfying customer needs' - which is what marketing is supposed to be about.</p>
<p>'Multi-channel marketing' is another key message which means sending the same adverts to your email tray, your mobile phone, and where you browse on the Internet. Then there is 're-marketing' as championed by Criteo, which means that a web site visitor can never escape from adverts following them around. For example, whenever I surf the Internet a box pops up advertising John Lewis' pillows, as I viewed them on the John Lewis web site but didn't buy. Irritating.</p>
<p>The advertising industry has always championed creativity and brand distinctiveness. Digital marketing today is focused on where to push the next potential customer 'over the cliff' into becoming a user. Hence online betting companies such as Littlewoods and Betfair give you money to start gambling with them. Others are following.</p>
<p>Digital Marketing is in danger of becoming a 'snake oil' - a cure to all marketing ills. In truth, all companies need some digital marketing. But what you buy has many dependencies - your IT infrastructure, your online presence, your industry, the size of your company, your culture, your business model, your customer attributes, your stakeholders, your product portfolio etc.</p>
<p>Do not be fooled by the rhetoric: there is no such thing as a generic digital marketing strategy. One size does not fit all. Hence an informed consulting approach is required, rather than random purchases of free or low cost digital marketing products that may not scale or integrate.</p>
<p>An industry champion like Siebel has yet to emerge; however, few would bet against Google and even Facebook having a big say in how the digital marketing industry develops. They own the customer data after all. For sure, the traditional enterprise vendors IBM (Unica), Adobe (Omniture), and Webtrends need to dramatically increase their speed-to-market, thought-leadership and innovation if they are going to continue to set the agenda and drive the market.</p>]]></description>
            <author>rss@it-analysis.com (Gerry Brown, Bloor Research)</author>
            <category>Business Issues-&gt;Change</category>
            <pubDate>Tue, 04 Oct 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/change/content.php?cid=12974&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Enterprises should harness the power of social media to better know their markets, says Capgemini</title>
            <link>http://www.it-director.com/business/change/content.php?cid=12970&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner"><img border="0" src="http://www.it-director.com/images/people/small/dana_gardner.gif" width="40" height="50" alt="Dana Gardner" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/15095/dana_gardner.php?ref=fd_side_itd" title="View profile for Dana Gardner">Dana Gardner</a>, <em>Principal Analyst</em>, Interarbor Solutions<br/>Posted: 30th September 2011<br/>Copyright Interarbor Solutions &copy; 2011</td><td><a href="http://www.it-director.com/about/company/8862/interarbor_solutions.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/interarbor_solutions.gif" width="88" height="33" alt="Logo for Interarbor Solutions" /></a></td></tr></table></div>

<p>Social media and the increased role that linked communities of users have on issues, discourse, and public opinion are <a href="http://en.wikipedia.org/wiki/Arab_spring" rel="nofollow">changing the world</a> in many ways -- from how societies react such as in the <a href="http://online.wsj.com/article/SB10001424052748703842004576162884012981142.html" rel="nofollow">Middle East turmoil</a> to how users flock to or avoid certain products and services.<br /><br /> The fact is that many people are now connected in new ways and they&#8217;re voicing opinions and influencing their peers perhaps more than ever before. Businesses cannot afford to simply ignore these global -- and what now appear to be long-term -- social media trends.<br /><br /> The latest BriefingsDirect discussion then focuses on the impact that <a href="http://en.wikipedia.org/wiki/Social_media" rel="nofollow">social media</a> is having on enterprises. We specifically examine with an executive at <a href="http://www.capgemini.com/" rel="nofollow">Capgemini</a> what <a href="http://www.informationweek.com/thebrainyard/news/marketing/231002307" rel="nofollow">steps businesses can take</a> to manage social media as a market opportunity, rather than react to it as a hard-to-fathom threat.
Hear too how <a href="http://siliconangle.com/blog/2011/07/22/capgemini-offers-social-media-monitoring-services/" rel="nofollow">services are being developed</a> to help businesses to better understand and exploit the potential of social media.<br /><br /> The discussion with <a href="http://www.data-visualization-tools.com/entity/profile/paul-cole/" rel="nofollow">Paul Cole</a>, Vice President of Customer Operations Management and Business Process Outsourcing at <a href="http://en.wikipedia.org/wiki/Capgemini" rel="nofollow">Capgemini</a>, is the first in the series of podcasts with Capgemini on social media issues and <a href="http://en.wikipedia.org/wiki/Business_process" rel="nofollow">business process</a> outsourcing. The interview is conducted by <a href="http://friendfeed.com/danagardner" rel="nofollow">Dana Gardner</a>, Principal Analyst at <a href="http://www.interarbor-solutions.com/" rel="nofollow">Interarbor Solutions</a>. [Disclosure: Capgemini is a sponsor of <a href="http://briefingsdirect.com/" rel="nofollow">BriefingsDirect podcasts</a>.]<br /><br /> Here are some excerpts:</p>
<blockquote><strong>Gardner:</strong> It seems a bit of a twisted logic when we say that social media can be both a threat and an opportunity. How could social media be both?<br /><br /><strong>Cole:</strong> It's all in how you decide to respond. Social media, in and of itself, is a neutral topic. It could be viewed as a utensil or a <a href="http://en.wikipedia.org/wiki/Computing_platform" rel="nofollow">platform</a>, upon which you can do things. And depending on your intent, whether you&#8217;re an enterprise or a customer, those activities could be viewed favorably or negatively. And that's true as much in the sociopolitical world as in business.<br /><br />The important thing is that social media is the platform, not the action itself, and it&#8217;s really what you decide to do over that platform that makes the difference in business and in the world at large.<br /><br /><strong>Gardner:</strong> Do you have any evidence, research, or findings of any sort that bolster this notion that social media is a sea change and not just a blip?<br /><br /><em><strong>Game changer</strong></em><br /><br /><strong>Cole:</strong> Well, based on a <a href="http://www.us.capgemini.com/news-events/press-releases/capgemini-survey-reveals-the-rising-importance-of-social-media-t/" rel="nofollow">survey</a> we commissioned last winter, somewhat surprisingly, a bit more than one in 10 executives did characterize it as a fad relative to the business world.<br /><br />However, you can look at it in the everyday world around us and the media as it relates to impact on society and in the sociopolitical spectrum, and there's very little doubt that it&#8217;s changing the game there. I believe it will have an equally profound impact on business over time.<br /><br />Social media has <a href="http://www.the-financedirector.com/projects/capgemini-harvest/" rel="nofollow">become the bullhorn</a> of the 21st century.
It allows people to spread their message, to amplify that message, to mobilize the community, and also to monitor in real time the events as they unfold.<br /><br />We are having to deal with it across the political, social, and cultural spectrums. Witness, unfortunately, the emergence of something that we&#8217;re now calling <a href="http://en.wikipedia.org/wiki/Flash_mobs" rel="nofollow">flash mobs</a>, a case where the platform is being misapplied toward organizing a community of people who have damaging intentions.<br /><br />So back to your question on threat or opportunity, significant or insignificant impact, it&#8217;s all based on the intent and actions of the individuals utilizing the utensil.<br /><br /><strong>Gardner:</strong> On one hand, we seem to see a lack of control or at least different aspects to how people behave. We don&#8217;t have the necessary tools. But on the other hand, we're seeing a lot more information generated, and information often is the lifeblood of how organizations react and adjust to markets.<br /><br /><strong>Cole:</strong> <a href="http://en.wikipedia.org/wiki/Information_overload" rel="nofollow">Information overload</a> is one potential consequence of this. It&#8217;s all a matter of how you take that information and translate it into actionable insights, against which you can make some smarter business decisions, and from our perspective, ultimately deliver a better customer experience which will help you grow.<br /><br />What&#8217;s neat about what&#8217;s happening in the world of technology, on top of the social environment, is that there is a whole new generation of tools emerging that allow you to develop that insight.<br /><br />There are four steps that a company can go through to generate social intelligence. First, is listening to what is going on out there.
There has not been an earpiece for us to really take the pulse of the market, and what's happening in the virtual world or the internet world until the recent development of some of these social listening tools. So the ability just to know what's going on, who is saying what, who are the <a href="http://en.wikipedia.org/wiki/Influencer_marketing" rel="nofollow">influencers</a>, what are their sentiments is an important first step.<br /><br /><em><strong>Monitoring change</strong></em><br /><br />The second step is the ability to monitor that over time and see how attitudes, perceptions, and most importantly, behaviors are changing and what are the impact and implication of that for your business, either from a marketing or a selling or customer service standpoint. In addition to monitoring that, you&#8217;re also now able, with text analytics tools, to not simply track and describe what's happening, but also isolate cause and effect.<br /><br />So if I'm launching a <a href="http://en.wikipedia.org/wiki/Twitter" rel="nofollow">Twitter</a> campaign, putting a new product out there, running a contest, or engaging in some kind of social care activity, what is the impact it's having in terms of the customer&#8217;s behavior and what adjustments can I make to be more successful?<br /><br />It's being able to get attribution and get to a root cause by applying these analytic tools. So you've listened, monitored, and analyzed. The <a href="http://en.wikipedia.org/wiki/Killer_app" rel="nofollow">killer app</a>, if you will, is the last step of closing the loop in terms of your ability to respond. So many companies today are putting their toe in the water in the social world by listening with these tools and trying to understand what's being said. 
It's new enough where not that many have actually industrialized their process for responding.<br /><br />Ultimately, your ability to now go back into that community and influence the customer or attempt to influence the customer and their behavior is where there is a tremendous upside for companies in terms of generating higher growth and profit.<br /><br /><strong>Gardner:</strong> How is Capgemini <a href="http://www.informationweek.com/thebrainyard/news/marketing/231002307" rel="nofollow">working toward some solutions</a> on this?<br /><br /><strong>Cole:</strong> As a global provider of consulting, technology, and outsourcing services, Capgemini attempts to keep its finger on the pulse of the market. You have to be blind and deaf to not recognize that social media has quickly emerged on the scene. The question then becomes, as a provider of services, how to translate that into sets of offerings that add value for our clients.<br /><br />At one level, you could look at social media as a wave or a phenomenon. I&#8217;ve been in the professional services, technology services business for 30 years, and we&#8217;ve seen the waves come and go, whether that would be <a href="http://en.wikipedia.org/wiki/Customer_relationship_management" rel="nofollow">CRM</a> or <a href="http://en.wikipedia.org/wiki/Enterprise_resource_planning" rel="nofollow">ERP</a> through <a href="http://en.wikipedia.org/wiki/SAP_AG" rel="nofollow">SAP</a> or <a href="http://en.wikipedia.org/wiki/Ecommerce" rel="nofollow">eCommerce</a>, which I think this mirrors quite a bit, and <a href="http://en.wikipedia.org/wiki/Y2K" rel="nofollow">Y2K</a>. So there's always an emerging area that people will try to understand, chase, and then capitalize on.<br /><br />My particular area of expertise is around <a href="http://en.wikipedia.org/wiki/Customer_management" rel="nofollow">customer management</a>. 
So I look through the lens of how a company  acquires, develops, and   retains its customers and how can we manage some  of that process for   them in a faster, better, or cheaper manner. We do  that today in   traditional forms with managing their call centers or  their customer   service operations, helping them present stronger web  content,   providing them with insights through analytical services, and  so forth.<br /><br />What   social media started to suggest to us was that  there was a new   opportunity to bring another service to the market that  allowed clients   to focus on the business problem that they&#8217;re trying to solve  and   provided us the opportunity to provide them with everything they  needed   to mobilize around that objective in the social world.<br /><br /><em><strong>Marketing enhancement</strong></em><br /><br />In  and of itself, social media is not going to drive your business    forward. As we've discussed, it's really a platform or a utility upon    which you can engage customers for one or more activities based on a    business objective. It does, at the end of the day, relate back to what    you're trying to accomplish.<br /><br />When I went to school, we were  trained on the <a href="http://en.wikipedia.org/wiki/Marketing_mix" rel="nofollow">four Ps in marketing</a>.   You develop a product that the  marketplace is interested in. You  price  that product at a level that the  consumer or customer perceives  value  so they want to transact with you.  You need to promote that in  terms of  distinguishing you against your  competitors and bring that  product to  market with some form of  distribution. We call that the <a href="http://en.wikipedia.org/wiki/Four_Ps#Four_.27P.27s" rel="nofollow">four Ps</a>.<br /><br />Obviously    you still need to do all those things, but in the social world now,    there is a new twist. 
If you think about the product, we used to take a    very linear approach to doing market research, testing concepts, via    surveys and focus groups. In today&#8217;s social world, you can do that  much   more dynamically. There's a whole phenomenon around crowd  sourcing with   which you can solicit people's input and feedback and  iterate on that   massively, and closer to real time.<br /><br />Your    ability to get really close to the marketplace is enhanced   tremendously  by social media. In terms of promoting, it used to be   broadcast media,  but now you're able to do micro campaigns. You can do   tweet campaigns.  You can do campaigns through Facebook. Your ability  to  target the  individual that you are trying to influence has gone up   exponentially.<br /><br />We've  always talked about the segment of one,  but  it was very difficult to  do. Now, you can get in there and really   understand who is driving  popular opinion, who are the big  influencers,  who do you need to convert  to be an enthusiast or an  advocate of your  product, and launch very  specific campaigns against  them. It's a  different form of promotion.<br /><br />It's  the same thing  with pricing  and distribution. While you still need to  do many of the  same  activities, the way in which you will execute on  those activities  has  evolved and become much more dynamic.<br /><br />Every function  within the organization has a potential application in   the social  world. I don't think it's the kind of thing that any one   executive or  any one function is going to own per se.<br /><br />It's a   matter of  looking at it through the lens of the process that you're   responsible  for, and trying to understand how to apply new thinking and   activities  to improve your efficiency or your effectiveness of that   area. 
That  could be public relations and the brand, marketing and   developing  effective positioning, product development and management,   selling  through more targeted campaigns or, at the end of the value   chain, a  better servicing of the customer to generate greater loyalty.<br /><br /><em><strong>Different ways</strong></em><br /><br /><strong>Gardner:</strong> Are we going to repeat history and have a fragmented   approach to this or is there a better way?<br /><br /><strong>Cole:</strong> You&#8217;ve  really put your finger on a core issue. It all depends.   What is social  media? That depends on who you are and what you're   trying to accomplish.  That&#8217;s going to be variable based on your area of   responsibility within  the enterprise.<br /><br />There is something to be   said for  standardization and taking a platform-based approach to  avoid  the  recurring tendency of investing in your own individual  solutions  and  then lacking interoperability or having to face  integration issues  and  so forth.<br /><br />While    the application of what you do on top of the social platforms may   vary,  there is potential for the organization to operate as an   enterprise on  top of a single instance of a platform. That&#8217;s part of   why we got into  offering a managed service.<br /><br />We allow the client   to focus on what  they are trying to do in the marketing, selling or   customer service  world. 
We provide them with the infrastructure, the   technology, the  process discipline, the data, and importantly, the   social media  advocates, the human intelligence layer that is ultimately   conducting  the monitoring and the analytics and the interpretation of   what&#8217;s  happening there.<br /><br />By buying into a <a href="http://en.wikipedia.org/wiki/Managed_service" rel="nofollow">managed service</a> the company can avoid having to make capital investments in the    technology, avoid the potential risk of different groups going off and    doing their own thing. They can remain current, because they don&#8217;t have    to pay attention to this fast paced dynamic technology market and  what   is the state of the art. That would be our responsibility.<br /><br />Hopefully,    it's the best of both worlds. They can each, as user communities,    decide what they want to get out of social media, but be able to    leverage the fact that they're all investing in a common platform. ...  It is a different way  of  storing, distributing, and accessing the  data.<br /><br />What it translates  into  for us is the ability to provide  process as a service. That&#8217;s a   fundamental shift in the marketplace  that&#8217;s occurring as a result of the   development of cloud capabilities.<br /><br />Organizations  can just tap   into a service, and that makes it easier for them to get  into a new   area. It&#8217;s faster, it&#8217;s less expensive. We're trying to  apply that same   concept to social media. We can provide a faster,  better, and/or  cheaper  approach. The client buys the process as a  service on a  subscription  model.<br /><br />We assure the integrity and  security of the  data. We  provide the data management, the repository,  the  infrastructure, and the  toolset. 
You're buying a service around a process, whether that be listening to your customers, wanting to launch marketing campaigns, providing social care or whatever.<br /><br />The whole SaaS cloud phenomenon is just changing the distribution model and also facilitating an easier approach for companies to get up and running in this area.<br /><br /><strong>Gardner:</strong> How are organizations getting started?<br /><br /><strong>Cole:</strong> As evidence of the fact that it is a new phenomenon, you can just notice the volume of conferences that are out there with social media in the title. It just reinforces that companies are trying to understand still what "good" looks like. They&#8217;re out there looking for best practices. They are still paying for "<a href="http://en.wikipedia.org/wiki/Powerpoint" rel="nofollow">PowerPoint</a>," for consultants to come in and help them understand the strategy, the power of social, what that translates into in terms of metrics and governance, and so forth.<br /><br />The market is very much in its exploratory stage. I'm not sure you can over-architect what social media means to you at the moment. This is something that you have to get in and dip your toe in the water. Instead of "ready, aim, fire," it's probably "fire, fire, aim, ready, fire." This means that you need to iterate.<br /><br />You don&#8217;t know what you don&#8217;t know&#8230; until you get in to the market and you start to listen to what is happening out there, identify who the key influencers are, where they're talking about, who are the advocates for the brand, and who are the potential saboteurs who can represent a threat? What are some of the kinds of programs and activities that one can run?<br /><br />Rather than the grand strategies, the big-bang approach, this particular area is deserving of more experimentation, and iteration. 
Then, over time, we need the development    of a broader strategy. But, you need to get in there, and listen, and    learn, and act, and from that you'll figure out what works and what    doesn&#8217;t work.<br /><br />Part of what we&#8217;re trying to offer our  clients is the ability   to do that faster than doing it themselves,  where they have to go out,   acquire the tools, hire the people, and put  in place the processes.<br /><br />In   this case, they can say we want to  launch a campaign and we&#8217;d like to   understand how we can use the  social world to solve customer service   problems or whatever. We  provide all the tools and capabilities to do   that. They focus on  learning and evolving their strategy of what to do   in the social  world.<br /><br />... As part of that, in our <a href="http://www.capgemini.com/services-and-solutions/outsourcing/business-process-outsourcing/solutions/social-media-management/" rel="nofollow">Social Media Management Solution</a>,  we&#8217;ve <a href="http://arnoldit.com/wordpress/2011/08/28/9-8-attensity-and-capgemini-team-up-on-social-media-service/" rel="nofollow">built a joint solution</a> with a company called <a href="http://arnoldit.com/wordpress/2011/08/28/9-8-attensity-and-capgemini-team-up-on-social-media-service/" rel="nofollow">Attensity</a>,   which  really comes at the market initially from the text analytics   world, but  offers a nice suite of applications that enable your ability   to listen,  monitor, analyze what's being done, and then respond to  the  customer in  terms of workflow and direct customer engagement. 
So  it's  what you  decide to do, but it's also having the right toolset  with  which to do  it.<br /><br /><strong>Gardner:</strong> Are  there any places to which we  could direct  our listeners and readers  for additional information,  perhaps  whitepapers, other <a href="http://www.us.capgemini.com/insights-resources/publications/mastering-social-media/" rel="nofollow">research</a>, and/or more information on your services?<br /><br /><strong>Cole:</strong> Certainly <a href="http://www.capgemini.com/" rel="nofollow">capgemini.com</a>. We do have a featured social media section on the website. We've recently published a whitepaper called "<a href="http://www.capgemini.com/insights-and-resources/by-publication/harvesting-the-fruit-from-social-media/" rel="nofollow">Harvesting the Fruit from the Social Media Grapevine</a>".    We hope that clients will find that insightful. It's a bit of a    point-of-view on where the market is today and where it's headed.</blockquote>
<p><a href="http://traffic.libsyn.com/interarbor/BriefingsDirect-Social_Media_Management_Engages_the_Reputation_Threat_While_Accentuating_New_Business_Opportunities.mp3" rel="nofollow">Listen</a> to the <a href="http://www.briefingsdirect.com/enterprises-should-harness-the-power-of-social-media-to-better-know-their-markets-says-capgemini" rel="nofollow">podcast</a>. Find it on <a href="http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=85270006&amp;s=143441" rel="nofollow">iTunes/iPod</a>. Read <a href="http://briefingsdirect.blogspot.com/2011/09/capgemini-sees-enterprises-needing-to.html" rel="nofollow">a full transcript</a> or <a href="http://interarborsolutions.books.officelive.com/Documents/08232011CapgeminiSocial1.pdf" rel="nofollow">download</a> a copy. <a href="http://www.capgemini.com/news-and-events/news/capgemini-launches-social-media-management-smm-managed-service-to-deliver-business-value-from-social-media/" rel="nofollow">Learn</a> more. Sponsor: <a href="http://www.capgemini.com/" rel="nofollow">Capgemini</a>.<br /><br />You may also be interested in:</p>
<p>Proliferated, Outmoded Applications and Data Explosion Hamper Enterprises in Innovation, Any Quick Move to Cloud Computing<br />Capgemini, CSC Line Up for AppLabs<br />Enterprise IT Plus Social Media Plus Cloud Computing Equals The Future<br />What Can Businesses Learn About Predictive Behavior from American Idol?<br />I Collaborate, Therefore I Think, Therefore I Am ... An Enterprise</p>]]></description>
            <author>rss@it-analysis.com (Dana Gardner, Interarbor Solutions)</author>
            <category>Business Issues-&gt;Change</category>
            <category>Enterprise-&gt;Technology</category>
            <category>Technology-&gt;Infrastructure</category>
            <pubDate>Fri, 30 Sep 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/change/content.php?cid=12970&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Xerox steps up channel MPS business</title>
            <link>http://www.it-director.com/business/costs/content.php?cid=12969&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/12348/louella_fernandes.php?ref=fd_side_itd" title="View profile for Louella Fernandes"><img border="0" src="http://www.it-director.com/images/people/small/louella_fernandes.gif" width="40" height="50" alt="Louella Fernandes" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/12348/louella_fernandes.php?ref=fd_side_itd" title="View profile for Louella Fernandes">Louella Fernandes</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 29th September 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>The overarching message of Xerox's recent analyst briefing was about being "services-led, technology-driven". Xerox is certainly a company in the midst of transformation. Its total revenue has grown from &#36;15.2bn in 2009 to approximately &#36;23bn in 2011.</p>
<p>Services now represent about half its business, up from 25 per cent two years ago. Xerox was already an established player in the document management/processing outsourcing market, and its acquisition last year of ACS, a business process outsourcing (BPO) firm, means it is now a leading player in the services market, which has an estimated value of &#36;500bn and combines document outsourcing, BPO and IT outsourcing.</p>
<p>While the ACS integration promises to expand Xerox's penetration into the&#160; enterprise, it is also actively pushing its managed print services (MPS)&#160;capabilities to the SMB and mid-market sectors. Globally, Xerox is working to&#160; accelerate the transition of its global partner network to a services-led&#160; model.</p>
<p>Xerox now has more than 2,500 partners offering some form of MPS. In addition&#160; to its traditional channel partners, its global MPS partner network also&#160; includes a range of managed IT services, technology and software partners,&#160; including Cisco and Computacenter.</p>
<p>In an increasingly commoditised hardware market, MPS is a reseller opportunity&#160; to increase revenue through providing customers with a contractual approach to&#160; purchasing or leasing hardware together with service and supplies.</p>
<p>Central to Xerox's channel MPS initiative is Xerox Partner Print Services (XPPS), which sits between its basic equipment service packages, such as eClick and PagePack, and its direct enterprise MPS offerings.</p>
<p>XPPS is a cloud-based platform hosted by Xerox that offers a range of standardised components to support a multivendor environment, such as assessment and optimisation, device discovery and monitoring, sales contract management, business intelligence (BI) reporting, service management and delivery, and a customer service portal. Xerox's recent acquisition of NewField IT and its AssetDB technology has been key to partner enablement, providing the backbone of the assessment and proposal generation architecture for XPPS, as well as ongoing optimisation of customer contracts.</p>
<p>Xerox has built a comprehensive certification and accreditation process for&#160; XPPS salespeople and partners to support their MPS sales efforts. Accredited&#160; XPPS partners must be able to demonstrate successful delivery for a client's&#160; managed print service. In Europe, Xerox has approximately 170 XPPS partners,&#160; having grown from 90 at the end of 2010. Almost 80 per cent of these partners&#160; are fully accredited XPPS partners.&#160;One of the key strengths of Xerox's&#160; XPPS offering is its multivendor device support, which will appeal to multibrand&#160; resellers and also offers opportunities for Xerox's concessionaires.</p>
<p>In particular, the managed IT services market represents an opportunity for&#160; multivendor MPS platforms such as XPPS, as it enables managed service providers&#160; (MSPs) to integrate MPS with their existing managed service platforms. Although so far printing is not typically an integrated&#160; component of managed IT services, Quocirca believes MSPs will be the next&#160; development in expanding the opportunity for MPS among SMB and midmarket&#160; businesses.</p>
<p>Xerox has certainly set a stake in the channel MPS ground, and many of its&#160; competitors are seeking to emulate its actions. The vendor has already&#160; successfully remodelled its Enterprise MPS tools and technologies for the SMB&#160; and midmarket. And, as such, Xerox is positioned well to support its partners'&#160; transition from box-shifting to a services-led approach.</p>
<p>In our view, its XPPS offering appeals to a wide range of resellers, particularly those strategically focused on MPS. Xerox, of course, recognises that not all its resellers will transition to XPPS. There will always be some that are reluctant to use a vendor-hosted infrastructure to manage their multibrand base and that may have concerns about where and how their customer data is hosted. It should be noted, though, that Xerox has extensive ISO 27001 security standardisation and proper contractual terms in place to mitigate such concerns. In such cases, resellers may consider independent third-party management tools backed up by their own networks of service engineers.</p>
<p>Nevertheless, for those resellers ready to develop their MPS capabilities, using a flexible and robust hosted platform such as XPPS is a viable approach, for both Xerox-only and multibrand resellers. Not only does this limit the risk when investing in building an MPS platform, it also gives resellers access to Xerox's global supply chain and delivery centres. This should appeal particularly to resellers that want to expand their MPS delivery across regions.</p>
<p>For now Xerox is ahead of the game when it comes to its channel MPS initiatives, but competitors are following fast, and competition will come not only from its traditional competitors but also from those in the managed IT services market with which Xerox, wisely, has already engaged.</p>]]></description>
            <author>rss@it-analysis.com (Louella Fernandes, Quocirca)</author>
            <category>Business Issues-&gt;Costs</category>
            <category>Channels-&gt;Resellers</category>
            <category>Services-&gt;Outsourcing</category>
            <pubDate>Thu, 29 Sep 2011 08:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/costs/content.php?cid=12969&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Computer says no - why?</title>
            <link>http://www.it-director.com/blogs/Quocirca/2011/9/computer_says_no_why_.html?ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 21st September 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Despite fears of being replaced by robots or computers, the terms that twenty-five years ago described the use of IT in different professional sectors were less about substitution and more about support. Programmers used computer aided software engineering (CASE) tools, doctors used computer aided tomography (CAT) scanners and engineers used computer aided design and manufacturing (CADCAM) systems.</p>
<p>As IT has crept insidiously into all elements of life with applications and &#8216;amateur&#8217; users everywhere, there has been a tendency towards over-reliance on the technology. This is often to the detriment of individuals with poorer employee training and to the detriment of business processes that are often simplified to fit the technology, rather than the end need.</p>
<p>Business processes should be strategically aligned to the overall goals of the organisation and tactically deliver on the day-to-day demands of stakeholders &#8211; in particular customers and ultimately shareholders. All too often solutions have been introduced by IT that don&#8217;t quite meet the operational business requirements, and adjustments are typically only one way. No wonder that the UK comedy programme Little Britain&#8217;s catchphrase &#8220;computer says no&#8221; has so much resonance, highlighting limitations of the technology and the initiative of the employee involved as well as inadequacies of the business process.</p>
<p>The loss of the ability to spell and do simple arithmetic has also been put down to individuals relying on technology to do the thinking for them, with students even using internet search engines to generate entire pieces of work. Individual over-reliance on technology is also well demonstrated by the appearance of road signs indicating &#8216;sat-nav error&#8217;. Some drivers slavishly follow their personal navigation systems, rather than thinking about their surroundings or using the sat-nav only as a guide, and have become trapped or lost.</p>
<p>There is nothing wrong with using the computers to support, aid and assist, but abdicating all responsibility for the process that has been badly or incompletely thought out is not showing signs of artificial intelligence but automated stupidity.</p>
<p>This is not just a problem of navigation and sat-navs, but also more fundamental business processes, which ought to be supported, streamlined and improved by technology, rather than simply or clumsily automated. Printed communications from large businesses and institutions offer clear examples of this.&#160;</p>
<p>Contact databases are often mined and mail merged to automatically generate letters, in a process that completely fails to apply even the most basic intelligence. For example, hospitals send letters exhorting octogenarian outpatients to bring in money for prescriptions when the IT system should have all the data it needs to &#8216;know&#8217; they are exempt, but a suitable software trigger is not in place.</p>
<p>Perhaps some of the blame for this could be placed in the money grabbing palms of IT vendors and consultancies who advocated business process re-engineering (BPR) in the 1980s and 1990s, and offered it, silver bullet-like, as an externally delivered service. In prior years, many companies, especially in manufacturing would have had their own internal &#8216;organisation and methods&#8217; departments, or would have employed consultants to simply measure or rationalise existing processes with time and motion studies and progress chasers.</p>
<p>The problems with BPR were twofold: often, due to the high cost, it was a huge one-off exercise rather than a continual incremental process, and it was often conducted by consultants with little direct experience of the specific market sector. Not only would these consultants often fail to understand the nuances of the industry sector they were advising, but the need to maximise their billable hours would mean they were unlikely to have sufficient time to keep completely up to speed with advances in technology. Result? BPR was an expensive blip, and now has a damaged reputation.</p>
<p>The type of &#8216;re-engineering&#8217; generally proposed smacked of being so big an exercise that not only did it take too long, but no single person could understand its totality and it was not sufficiently flexible to deal with rapid changes and advances in IT. The emphasis shifts from assistance of something that anyone can understand to dependence on something too big to fail or be wrong.</p>
<p>However, new technologies and innovation &#8211; mobile working, social media, services in the cloud &#8211; force change in business processes, and so some different aspects of engineering should be applied from systems engineering &#8211; encapsulation and insulation.</p>
<p>The impact of the highly connected digital world on a business does not have to be tackled in one go in some massive unified or convergence process, but in incremental steps. The clever human part is in defining the separate objects and the intelligence to link them together, and then using IT to provide automated aid and deliver efficiency in each element.</p>]]></description>
            <author>rss@it-analysis.com (Rob Bamforth, Quocirca)</author>
            <category>Business Issues-&gt;Change</category>
            <category>Enterprise-&gt;Consumer</category>
            <pubDate>Wed, 21 Sep 2011 06:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/blogs/Quocirca/2011/9/computer_says_no_why_.html?ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Responsible data leak disclosure</title>
            <link>http://www.it-director.com/business/compliance/content.php?cid=12955&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey"><img border="0" src="http://www.it-director.com/images/people/small/bob_tarzey.gif" width="40" height="50" alt="Bob Tarzey" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/97/bob_tarzey.php?ref=fd_side_itd" title="View profile for Bob Tarzey">Bob Tarzey</a>, <em>Service Director</em>, Quocirca<br/>Posted: 20th September 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>There has been plenty written, not least by Quocirca, on the danger of data loss and how to prevent it. Less has been said about how to clear up afterwards, when the measures taken to protect a business from such losses have failed or were not present in the first place, and in particular about the responsibilities an organisation has when it comes to disclosing that such an incident has occurred.</p>
<p>One of the reasons for this is that the legal situation is a bit vague, so there is a temptation to think that the problem can be brushed under the carpet. Organisations that do this may find themselves in hot water if details emerge at a later date, or at least hotter water than they would have been had the leak been reported in the first place.</p>
<p>For any UK-based business, the first stop is the Data Protection Act (DPA) enforced by the Information Commissioner&#8217;s Office (ICO). The specific <a href="http://www.ico.gov.uk/upload/documents/library/data_protection/practical_application/breach_reporting.pdf" rel="nofollow">advice</a> on the ICO web site with regard to disclosure is as follows:</p>
<p><em>&#8220;Although there is no legal obligation in the DPA for data controllers to report breaches of security which result in loss, release or corruption of personal data, the information Commissioner believes serious breaches should be brought to the attention of his Office. The nature of the breach or loss can then be considered together with whether the data controller is properly meeting his responsibilities under the DPA&#8221;</em></p>
<p>So that&#8217;s alright then, keeping hush-hush is OK? Not really. Just because the &#8220;<em>data controller</em>&#8221; (that is the person in any given business charged with the security of personal data) is not required to report a leak does not mean that the leak has not occurred. If the problem comes to light at a later date, and this is when the ICO finds out, then he is likely to take a dimmer view than if the leak had been reported up front. And remember, if personal data is involved, &#8220;<em>data subjects</em>&#8221; (that is you and me, in our roles as private citizens) may be the first to find out, and their privacy is enshrined in the Europe Human Rights Act (article 8).</p>
<p>Furthermore, the pressure to disclose was increased on May 26th 2011, at least for certain organisations. The &#8220;<em>Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011</em>&#8221; (PECR), specifically requires service providers to notify the ICO, and in some cases individuals themselves, of personal data security breaches. PECR was introduced mainly to target the use of cookies that internet service providers can use to gather personal data to personalise web services.</p>
<p>Beyond the DPA and ICO there are other pressures to disclose. For example, the Financial Services Authority (FSA) arguably obliges the firms it regulates to notify data breaches as part of their general reporting duties. Another standard that requires disclosure and already affects many businesses is the Payment Card Industry Data Security Standard (PCI-DSS).</p>
<p>PCI-DSS compliance is required for any business that accepts payment cards &#8211; even if the quantity of transactions is just one. It is enforced via the major card brands (VISA, MasterCard, AMEX, Discover and JCB) and the obligation to disclose is in their contracts. For example VISA advises the following steps be taken:</p>
<ul><li>Contact law enforcement</li>
<li>Contact bank</li>
<li>Contact VISA fraud control</li>
<li>Preserve logs</li>
<li>Make notes of all these actions</li>
</ul><p>VISA also advises:</p>
<p>&#8220;<em>Make sure you have a written policy with an incident response plan and make sure all employees are aware of it&#8221;.</em></p>
<p>VISA&#8217;s advice is pretty good for handling any data loss; getting control of the situation at an early stage and informing affected parties makes sense for any data leak.</p>
<p>Beyond payment card data, there is plenty of other advice available. <a href="http://www.ffw.com/" rel="nofollow">Field, Fisher and Waterhouse</a>, a law firm specialising in data protection law, has a 10 point plan for handling the theft of a laptop. One point it makes is to have a media strategy, not just to get the media on side ASAP, but because it may also be the most effective way of informing data subjects. This will depend on the nature of the data loss and if a criminal investigation is likely to ensue.</p>
<p>The trend towards an obligation to disclose data leaks is clearly happening on a number of fronts. However, even if you think that in a given circumstance you can get away without disclosing a leak, you would almost certainly be wrong to do so. A leak is a leak, whether you disclose it or not; it needs pro-active management from the moment it has occurred and your organisation needs to be prepared for the seemingly inevitable.</p>
<p>Quocirca will be presenting at the UK Infosecurity Virtual Conference on Sept 27th 2011 on the topic of &#8220;Responsible Data Breach Disclosure&#8221;; for more information go <a href="http://www.quocirca.com/news/78" rel="nofollow">here</a>.</p>]]></description>
            <author>rss@it-analysis.com (Bob Tarzey, Quocirca)</author>
            <category>Business Issues-&gt;Compliance</category>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Business Issues-&gt;Regulation</category>
            <pubDate>Tue, 20 Sep 2011 07:00:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/compliance/content.php?cid=12955&amp;ref=fd_side_itd</guid>
        </item>
        <item>
            <title>Mobile device consumerisation - more risky than it first appears</title>
            <link>http://www.it-director.com/business/security/content.php?cid=12957&amp;ref=fd_side_itd</link>
            <description><![CDATA[<div style="background-color: #efefef; border: 1px solid #cccccc; padding: 2px; margin: 0 0 10px 0;"><table style="font-size: 98%;" width="100%"><tr><td width="40"><a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth"><img border="0" src="http://www.it-director.com/images/people/small/rob_bamforth.gif" width="40" height="50" alt="Rob Bamforth" /></a></td><td valign="top" width="100%">By: <a href="http://www.it-director.com/about/author/99/rob_bamforth.php?ref=fd_side_itd" title="View profile for Rob Bamforth">Rob Bamforth</a>, <em>Principal Analyst</em>, Quocirca<br/>Posted: 20th September 2011<br/>Copyright Quocirca &copy; 2011</td><td><a href="http://www.it-director.com/about/company/20/quocirca.php?ref=fd_side_itd" title="View company profile"><img border="0" src="http://www.it-director.com/images/company/button/quocirca.gif" width="88" height="33" alt="Logo for Quocirca" /></a></td></tr></table></div>

<p>Consumerisation of IT has been a popular recent discussion point, and it is the encroachment of consumer mobile devices &#8211; in particular smartphones and tablets &#8211; that appears to be causing most passion. The pro argument generally starts with one of the following: employees are already used to better tools in their personal life, we have to do this to recruit a younger workforce, our brand will suffer if we&#8217;re not seen as leading edge, or it&#8217;s cheaper.</p>
<p>Whatever the reality or merits of the first three, the last point deserves closer investigation along with the impacts on organizational security. The problem is that allowing employees to pick, choose, buy and bring their own mobile tools into the workplace seems like a simple outsourcing of a particular procurement issue to someone who cares more passionately about it. However, it brings a lot more complex baggage than the neat little black or white cardboard box the hardware arrives in, and that baggage falls into three significant aspects of mobile consumerisation &#8211; device, contract, content.</p>
<p>Device is the part that most focus on, and why not? It&#8217;s the shiny gadget that has become cool and desirable. It taps into people&#8217;s feelings about self-esteem and status as well as any social needs for connection or geeky desire for the latest toy. These devices are expensive, and so on the face of it encouraging employees to BYOD (bring/buy your own device) saves money.</p>
<p>However there are bigger costs and risks at stake elsewhere for the organisation. Mobile devices typically need network contracts, unless relying on pay-as-you-go or free Wi-Fi for connection. All-embracing corporate contracts come with many financial economies of scale that a chaotic collection of independent employee ones will lack. Quocirca has explored this challenging issue more fully in its recent free to download report &#8220;<a href="http://www.quocirca.com/reports/605/carrying-the-can--consumerisation-and-enterprise-mobility" rel="nofollow">Carrying the can</a>&#8221;.</p>
<p>The third area, content, is equally complex, as whoever owns and pays for a mobile device - employee or employer - its use is likely to straddle personal and business activities. In addition to communications tools and access for business applications there will always be a mass of consumer content. For smartphones and tablets, &#8220;content&#8221; includes both software and data. The line is often blurred, and despite many technical and religious discussions along the lines of &#8220;app or browser&#8221;, the underlying issues of enterprise control of costs and risks apply either way.</p>
<p>The convergence of work and personal content on one device, no matter who purchased the hardware or pays for the connection, raises the issues of content security, suitability and diligence.</p>
<p>For most organisations, mobile security is a major concern, and rightly so, as it is not only malicious acts such as theft and hacking or the careless loss of a device that might lead to breaches of security. Simply cutting corners for the sake of &#8216;expediency&#8217; will not do. Two doctors were recently overheard on the train discussing how their operation lists were being downloaded to their iPhones. They found it useful, but wondered if it might not really be good practice, although they &#8216;presumed&#8217; there was insufficient detail to identify patients.</p>
<p>Whether this procedure was instigated by the users trying to make their lives simpler or someone in IT wanting to appear useful, is irrelevant. Mobile security needs to be seen to be taken seriously as well as actually being addressed through suitable on-device software, content access practices and services from providers. All too often it appears that there has been only a limited mobile security risk assessment or insufficient user training. These aspects may lack the intellectual pizzazz of security software, VPNs and all things prefixed &#8216;cyber&#8217;, but the social or human elements are critical for addressing the weakest link &#8211; the user.</p>
<p>For mobile devices, even the technical aspects of security are rarely completely understood in IT departments, and the more complex issues involving the diligence of checking suitability of use can really only be answered by those responsible for business processes. What is the right usage of any given application on a mobile device? It might depend on the individual role or department, work needs, employee location at the moment of access and actual device in use at the time. This is a complex mix of business and social requirements that need suitable policies and tools for enforcement.</p>
<p>Employees should know where they stand, what is acceptable and what is not. There are a number of mobile device management tools vendors that have stepped into this adjacent area of monitoring, directing and curtailing user behaviours. While this might seem a bit &#8216;big brother&#8217; to some, many organisations will need audit trails to show they have sufficient safeguards in place to protect sensitive data. If the details of someone&#8217;s operation were found on the train, the health authority or employer would be where blame would be cast first, not the employee.</p>
<p>With BYOD these management tools now have the more difficult task of projecting the need for organisational control onto the personal device of an individual. They need to do this without compromising the integrity of business activities or violating the individual&#8217;s personal content or device. It is a fine line, and an easier way to tackle it would be to have one device for work, one for home - as many do now - but ultimately a portfolio of functions or personalities will need to reside on a single device.</p>
<p>The wave of virtualisation that hit the datacenter is already travelling through the network as virtual private networks and virtual desktop infrastructures. These offer an insight into how businesses might secure BYOD, and may extend virtualisation further into multiple virtual personalities (and operating systems) on the mobile devices at the edge.&#160;</p>
<p>All of this has cost implications, and these content considerations as well as the contract issues need taking into account when organisations consider the savings of allowing employees to acquire their own devices. &#8216;Consumerisation&#8217; is looking as simple and pain free as &#8216;convergence&#8217;.</p>]]></description>
            <author>rss@it-analysis.com (Rob Bamforth, Quocirca)</author>
            <category>Business Issues-&gt;Security &amp; Risk</category>
            <category>Technology-&gt;Mobile</category>
            <pubDate>Tue, 20 Sep 2011 06:40:00 +0100</pubDate>
            <guid isPermaLink="true">http://www.it-director.com/business/security/content.php?cid=12957&amp;ref=fd_side_itd</guid>
        </item>
    </channel>
</rss>

