
Link: Heartbleed update 15 Apr 2014

Posted by Tony Law in Impact of IT, ITasITis, Managing IT, Tech Watch, Technorati, Uncategorized.

A quick follow up, back from a few days away.

Huffington Post have a recent update which notes that the Open SSL vulnerability applies in major products from Cisco and Juniper Networks. They also repeat what’s becoming the consensus on passwords: change your passwords for services which you know were vulnerable but have now been patched. There’s no point in changing a password which might still be at risk.

They reference the Mashable resource on what’s been patched and copy the patchable list: Google (and Gmail), Yahoo (and Yahoo Mail), Facebook, Pinterest, Instagram, Tumblr, Etsy, GoDaddy, Intuit, USAA, Box, Dropbox, GitHub, IFTTT, Minecraft, OKCupid, SoundCloud and Wunderlist. A quick look, though, suggests that the Mashable article was a one-off and the list is not being kept updated.

The article also recommends turning off external access to your home network: the sort of capability, for example, that you might use for remote access through LogMeIn, TeamViewer or similar. If you’re not using this kind of facility, disable it. Your firewall should already be holding the line on this.

And check what your Internet provider is doing and the status of your wireless router. Being a BT user, with a BT Home Hub, I tried searching the bt.com website for information on Heartbleed but nothing surfaced. It would be nice to know.

Huffington suggests that, at the moment, public WiFi has to be treated as an unknown quantity since you can’t tell what infrastructure they use or whether it’s been patched. BT again doesn’t have any information on the impact of Heartbleed on BT Wifi (Openzone, as was) but it does say that user details are encrypted when you log in to their service. It’s perhaps ironic that they offer free Cisco VPN software, which you can download when connected to one of their hotspots. I didn’t know this. I’ll take it up for my laptop.

I also have an O2 Wifi locator app on my phone. There’s nothing about security on their website. Anyone with other Wifi-finder apps? Please check their sites and post a comment here about what you find.

Links:
• The Heartbleed Bug Goes Even Deeper Than We Realized – Here’s What You Should Do, Alexis Kleinman, The Huffington Post, 11 Apr 2014
• Security when using BT’s Wi-fi hotspots, BTWifi.com, with link to the Cisco offer
• The Heartbleed Hit List, Mashable, 9 Apr 2014
• What to make of Heartbleed? ITasITis, 4 Apr 2014

What to make of Heartbleed? 10 Apr 2014

Posted by Tony Law in Impact of IT, IT is business, IT marketplace, ITasITis, Social media, Tech Watch, Technorati.

I watched the BBC News report last night about the security hole in Open SSL, with its conclusion that everyone should change all their passwords, now … and the old chestnut that you should keep separate passwords for every service you use, never write them down, and so on. Thankfully, by this morning common sense is beginning to prevail. The Guardian passes on advice to check if services have been patched first, and offers a link to a tool that will check a site for you.

First, as they say, other Secure Socket Layer implementations are available. While a lot of secure web connections do rely on Open SSL, it’s not by any means universal.

Second, as always, dig behind the news. As Techcrunch did. This is the first vulnerability to have its own website and “cool logo”; this was launched by Codenomicon in Finland, which started by creating notes for its own internal use and then took what it calls a “Bugs 2.0” approach to put their information out there. I remember doing something similar way back in Year 2000 days. Incidentally, the Open SSL report (very brief) credits Google Security for discovering the bug. It also identifies the versions which are vulnerable. (There’s a note there that says that if users can’t upgrade to the fixed version, they can recompile Open SSL with -DOPENSSL_NO_HEARTBEATS which, I’m guessing, gives a clue as to the naming of the bug.)

If you want real information, then, go to Heartbleed.com. The Codenomicon Q&A is posted there. In brief: this is not a problem with the specification of SSL/TLS; it’s an implementation bug in OpenSSL. It has been around a long time, but there’s no evidence of significant exploitation. A fix is already available, but needs to be rolled out.

What was clear, too, is that the BBC reporter (and some others) don’t understand the Open Source process. The Guardian asserts that “anyone can update” the code, and leads readers to suppose that someone can maliciously insert a vulnerability. Conspiracy theories suggest that this might even be part of the NSA’s attack on internet security. But of course that ain’t the case. Yes, anyone can join an Open Source project: but code updates don’t automatically get put out there. Bugs can get through, just as they can in commercial software: but testing and versioning is a pretty rigorous process.

Also, this is a server-side problem, not an end-user issue. So yes, change your passwords on key services that handle your critical resources if you’re worried, but it might be worth, first, checking whether they’re likely to be using Open SSL. Your bank probably isn’t. There’s a useful list of possibly vulnerable services on Mashable (Facebook: change it; LinkedIn: no need; and so on).

And what do you do about passwords? We use so many online services and accounts that unless you have a systematic approach to passwords you’ll never cope. Personally, I have a standard, hopefully unguessable password I use for all low-criticality services; another, much stronger, for a small handful of critical and really personal ones; and a system which makes it fairly easy to recover passwords for a range of intermediate sites (rely on their Reset Password facility and keep a record of when this has been last used). But also, for online purchases, I use a separate credit card with a deliberately low credit limit. Don’t just rely on technology!

Links:
• Heartbleed, The First Security Bug With A Cool Logo, TechCrunch, 9 Apr 2014
• Heartbleed bug, website from Codenomicon (Finland) – use this site for onward references to official vulnerability reports and other sources
• OpenSSL project
• The Heartbleed Hit List, Mashable, 9 Apr 2014
• Heartbleed: don’t rush to update passwords, security experts warn, Alex Hearn, The Guardian, 9 Apr 2014
• Heartbleed bug: Public urged to reset all passwords, Rory Cellan-Jones (main report), BBC, 9 Apr 2014
• Test (your) server for Heartbleed, service from Filippo Valsorda as referenced in The Guardian. I’m unclear why this service is registered in the British Indian Ocean Territory (.io domain) since Filippo’s bio says he is currently attending “hacker school in NYC”. On your own head be it.

Peter Kim joins Constellation 21 Mar 2014

Posted by Tony Law in Insight services, ITasITis, Tech Watch, Technorati.

R “Ray” Wang’s Constellation Research has announced that Peter Kim has joined the group as Chief Strategy Officer. This is another step in the evolution of Constellation following the appointment of a CEO, Bridgette Chambers, from outside the team, and presumably (although this is not explicit in the announcement) another element of Ray Wang’s founding role which the group has now decided should be devolved. It would be interesting to know how far this shows Chambers making her mark on the direction of the group.

Peter Kim is an acknowledged specialist and his eponymous blog Being Peter Kim is well known (it goes way back to Peter’s days at Forrester Research alongside Ray). Peter will also be a Principal Analyst with the group, bringing his focus on Digital Marketing Transformation.

InformationSpan’s Index of Analyst Blogs has always included Constellation Research because of the high profile names the group includes, and Peter Kim has been added. I’ve also added a note (long intended and finally achieved) on IDC’s online community; the detail may be expanded in due course. For both these groups, follow the tab (above), and look for Others.

Links:
• Constellation Names Peter Kim Chief Strategy Officer, Constellation research press release, 3 Mar 2014
• Ray Wang’s Constellation reaches the next stage, ITasITis, 4 Sep 2013
• Being Peter Kim
• IDC Community

Gartner buys … what, exactly? 19 Mar 2014

Posted by Tony Law in Insight services, ITasITis, Tech Watch, Technorati.

A recent monitor report (11th March) from Outsell noted that Gartner have bought a small(ish) analyst firm Software Advice: around 100 employees. I’ve spent the intervening week checking to see what Gartner might be buying. The press release is short on detail and I haven’t spotted any other commentary; KCG, SageCircle and others please correct me if I’ve missed something!

Software Advice does what its name implies. It provides advice (“Find software for your business”) across just short of thirty categories: generic enterprise areas (e.g. Business Intelligence); market sectors (Manufacturing); and niche areas (Church Management). More below. Key to Software Advice reporting are Buyer Views, Industry Views and User Views documents (collectively referred to as Views below, when we report redirections within blog sequences). It’s not the purpose of this blog to explore their style. Its story is told by CEO and co-founder Don Fornes in a (separate) blog post.

Software Advice don’t (appear to) have an online list of their analysts, but I’ve been able to recover a list of 110 contributors to their accessible online content (mainly the blogs). Several cover a range of areas (more than ten, in a few cases). I have no way to check how many of them are currently with the firm, but that wasn’t the point of the exercise. My list may not be complete or up to date; but it should help identify if, when and where these analysts re-surface in Gartner, and what happens to the coverage. Will it be merged into mainstream research? Will it disappear into the consultancy business? Will some topics simply be abandoned? Will analysts stay or leave? What will the fallout be? There is far from a good fit between Software Advice coverage and Gartner’s, but Software Advice is probably not enough for Gartner to springboard into these additional areas. Interesting, though, that Don Fornes is now listed as a Gartner Group Vice President. That looks as if Gartner see this as a strategic purchase. Watch this space.

Not all of Software Advice’s categories map either to Gartner’s current list of industry sectors or to their IT topics or roles, although many do. So it will be interesting to see what happens. The big question, going on previous experiences with Burton and AMR Research, is how far and how soon Gartner will integrate these topics and analysts – especially the categories not currently strong on Gartner’s agenda.

As always we can look at the blogs to get the picture. In this case, it’s a confused one. There are two groups of blogs from Software Advice. They are topic related, not personal blogs as Gartner’s are; similar to the former Burton and AMR blogs.

One blog group maps to most of the categories used by Software Advice: many of these seem dormant but some have recent postings. The other is a group of eight current, named blogs. There is overlap and redirection within both. So for example a post indexed in B2B Marketing Mentor redirects to an Industry View document outside the blog structure. Similarly, posts in the Customer Relationship Management blog redirect to CSI, to B2B Marketing Mentor, and to Views.

Here is Software Advice’s list of blogs and topics, with an indication of their status in the blog lists. There are some inconsistencies in naming, which we have resolved. Not all topic blogs carry the topic as a page title; a few carry the generic title The Software Advice Blog.

The following are the titled blogs:
The Able Altruist: Non-profit. Most recent post (of 16): 27 Feb 2014. Gartner coverage in this area: minimal.
The B2B Marketing Mentor: Most recent post (of 33): 12 Dec 2013. Gartner coverage: strong.
CSI: Customer Service Investigator: CRM, Most recent post (of 36): 3 Feb 2014. Gartner coverage: moderate.
Hello Operator: business telephony including call centres. Most recent post (of 11): 16 Jan 2014. Gartner coverage: moderate.
The New Talent Times: Human resources. Most recent post (of 57): 19 Feb 2014. Gartner coverage: moderate.
Overnight Success: hotel and hospitality management. Most recent post (of 7): 30 Jan 2014. Gartner coverage: none specific.
The Profitable Practice: medical practice management. Most recent post (of 55): 18 Feb 2014. Gartner coverage: none specific.
Plotting Success: business intelligence. Most recent post (of 23): 29 Jan 2014. Gartner coverage: strong.

There is overlap between these and the older-style (non-titled) blogs. All or some posts in some of these older-style blogs redirect to postings in the titled blogs. Inconsistency is rife! The following list covers all Software Advice categories. The website lists these on the home page; there is also a drop-down menu which breaks them into Industry and Application groups. Asterisks * here indicate categories not included in the drop-down menus which I have added to what seems the most appropriate group.

Industries:
Assisted Living*: no blog.
Church Management*: no blog
Construction: The Construction Blog (66 postings, most recent 4 Feb 2014); one post redirects to a View. No titled blog
Dental*: no blog
Distribution: The Distribution Blog (17; 8 Jul 2013); no titled blog
Home Health*: no blog
Hotel Management*: The Hotel Management Blog; all (7) articles redirect to Overnight Success
Long-term Care*: no blog
Manufacturing: The Manufacturing Blog (37; 23 Sep 2013); no titled blog. Manufacturing is a headline Gartner industry sector.
Medical: The Medical Blog (59; 6 Jul 2011); 18 further articles redirect to The Profitable Practice (though some older articles can no longer be reached by that route) or to software evaluation reports. Healthcare providers is a headline Gartner sector.
Non-Profit: The Non-Profit Blog (1; 6 Jul 2011); further articles redirect to The Able Altruist (one of these appears there under a different title).
Professional Services: no blog
Property Management: Topic blog headed as The Software Advice Blog (34; 9 Jan 2014); no titled blog
Recruiting Agency*: no blog
Retail: The Retail Blog (40; 13 Feb 2014); one further article redirects to a software evaluation report and another redirects to the generic page for retail software. No titled blog. Retail is a headline Gartner industry sector.

Gartner sectors Banking & Investment Services; Education; Energy & Utilities; Government; Insurance; and Media do not appear to map onto these Software Advice categories.

Applications
Accounting: The Accounting Blog (20 postings; most recent 19 Oct 2011); no titled blog
Business Intelligence*: The Business Intelligence Blog, all (9) articles redirect to Plotting Success (29 Jan 2014). Business Intelligence & Information Management is a listed Gartner IT role.
Business Telephony*: topic also referred to as Business VOIP. Topic blog headed as The Software Advice Blog, all articles redirect to Hello Operator (16 Jan 2014)
Career Advice*: not included on the blog index page. Topic blog (8 Aug 2012) headed as The Software Advice Blog; no titled blog. One post redirects to The New Talent Times.
CRM: also indexed as Customer Relationship Management in full, or as Customer Management. The Customer Relationship Management Blog (109; 12 Feb 2013); 17 posts redirect to Views, to The B2B Marketing Mentor or to CSI: Customer Service Investigator.
Enterprise Resource Planning: listed in the blog index as Enterprise. The Enterprise Blog (50; 26 Jun 2013); no titled blog
Facilities Management: in the blog index as Facility Management. The Facilities Management Blog (10; 25 Mar 2013); no titled blog
Human Resources: The Human Resources Blog (56; 76 Dec 2012). 13 further articles redirect to The New Talent Times.
Inventory Management*: no blog
Maintenance Management: Topic blog (3; 26 Jun 2013) headed as The Software Advice Blog; 1 further post redirects to a View document. No titled blog
Project Management: The Project Management Blog (3; 10 Feb 2014); no titled blog. Gartner’s list of IT roles includes Project and Portfolio Management.
Security*: The Security Blog (3; 6 Mar 2014); no titled blog. Security and Risk Management is a listed Gartner IT role.
Supply Chain Management: The Supply Chain Management Blog (20; 5 Mar 2014); no titled blog.

Gartner list Applications and Sourcing and Vendor Management among their IT Roles. Digital Marketing also relates to several areas of Software Advice coverage. Gartner IT roles which don’t appear to map easily to Software Advice coverage include Business Process Improvement; CIO and IT Executives; Enterprise Architecture; Infrastructure and Operations.

Links:
• Gartner acquires Software Advice, Gartner press release, 11 Mar 2014
• Software Advice; link here to Software Advice titled blogs and to Software Advice untitled blogs
• How Software Advice Got Started, Don Fornes, A Million Little Wins, Part I, 25 Mar 2013 (the link to part II is at the end of this post)

Changes and updates: the Analyst Blogs index 28 Feb 2014

Posted by Tony Law in Insight services, ITasITis, Tech Watch, Technorati.

Within the last few days I’ve undertaken a full refresh of the InformationSpan index to key analyst blogs. I’ve refreshed the Gartner list; as usual there are a handful of changes since last time. I’ve refreshed the list of URLs covered by my custom Google search.

More importantly, there’s been a full review of the index to Forrester’s blogs; a lot has happened since the last one. Forrester’s approach to their blogs is different from Gartner’s: analysts post in different areas, and Forrester roll these blogs up into topics and then into high-level blogs. At the top level there used to be three: Business Technology (that is, enterprise IT); Marketing & Strategy; and Technology Vendors. The last two have been brought together. At the next level down there have been a number of changes; Forrester haven’t removed any category links at this level, so you can still, for example, click to the Vendor Strategy blog within the Business Technology stream, but this will now redirect you to the CIO stream. There are more changes within the Marketing & Strategy stream.

Forrester do publish content as individual analyst blogs too but they don’t index this. So we provide an index by analyst name and this is now more consistent with the way we list Gartner’s blogging analysts. One main difference though: the topic areas indicated for each analyst identify the roll-up blogs for these areas and not the topic descriptions on Forrester’s website. There isn’t an exact match between the two.

Thirdly I’ve reviewed the content on the Other Blogs page, checked all the analysts referenced, and made a few changes. I intend to make more, to make this page more useful. Candidate blogs from known or less-known analysts would be welcome; please comment.

Click the tab above this posting to see more. Don’t forget to refresh your browser if you use this service regularly.

A rare direct link: TB-L on the Web’s Silver Jubilee 12 Feb 2014

Posted by Tony Law in Impact of IT, ITasITis, Social media, Tech Watch, Technorati.

I rarely post a direct link just to another piece of reporting – I prefer to go behind press reports to the originals if I can. But for shortage of time, here’s a link to a report in Wired of an interview with Sir Tim Berners-Lee. To be fair, this is the original because the event was organised by Wired to launch its own March issue celebrating the Web at 25.

So read, in brief, what TimBL has to say, and follow the links for more. The original link came through a tweet from OpenQRS, an Open Source healthcare software community. So, to be fair, there’s a link to them too.

Links:
• Tim Berners-Lee: we need to re-decentralise the web, Wired, 6 Feb 2014
• Open QRS

Horses for Sources: what’s with outsourcing 6 Feb 2014

Posted by Tony Law in Insight services, IT marketplace, ITasITis, Tech Watch, Technorati.

I’m on a webinar by HfS Research: my first direct encounter with Phil Fersht’s organisation. It’s a where-are-we-going session called “Outlook for the Extended Enterprise”. This post will update live, as we go.

Primarily we’re discussing “extended” in the sense of multiple outsourced operations, not of industry alliances and cooperative business. HfS’s own research, done in conjunction with KPMG, seems to be painting quite a poor picture of outsourcing value beyond running standard operations. “Talent, technology and analytics value”, Phil asserts, are frequently absent. Once the initial savings are off the books, value doesn’t develop in, for example, exploiting “big data”.

Business-enablement of IT is a gap. I’m beginning to feel like this conversation might have happened equally any time in the last ten, perhaps 20 years. What’s interesting is a breakdown of “BPO maturity” into four quartiles. There seems to be a gap which companies are about to cross to get into the top quartile.

What are the problems? Fear of change; lack of vision; silo operations. The espoused change is to a centre-led organisation; the pros and cons of this haven’t been discussed though. The point’s already been made that perhaps not all enterprises can achieve effective globally-managed business services (which means IT, HR and so on). Maybe that should be “… nor should they”?

Microphone being passed to Ed Caso of Wells Fargo Securities. He’s a senior analyst and has just switched the screen to presenter split-screen. Finally got into proper presentation mode. He’s offering a survey, I think, of the key providers in the outsource market. It’s the sort of analysis which Gartner and the others started out in … Some comments about the financial situation in India and its impact; changes in some providers. And a note that a lot of early 10-year contracts are coming up for review and re-tender. There are visa and immigration issues in several major economies, which might drive more work offshore as it becomes harder to identify skilled staff entitled to work in the home country.

Enterprise-wide sourcing is linked to wider awareness of options, a portfolio approach (provider, location and skills) rather than single-source, hybrid cloud usage, and worries about data security post-Snowden (see my previous post on this). And the providers are further challenged by SMAC (Social, Mobile, Analytics, Cloud): opportunities for the providers, but long term contracts don’t fit the speed of technology development. There’s still a tendency to be more comfortable with deliverables-based contracting rather than value-based.

Another change of speaker: Mike Friend of HfS. Where Caso was US-focussed, Friend is looking at Europe in the context of some fiscal optimism. There’s a prediction for IT outsourcing to grow at around 3.5% through the next four years, and BPO 6.1%, led by the UK market and particularly public sector spending. He’s mentioning a lot of individual companies.

So where do we go? Charles Sutherland of HfS takes over on process automation – that is, avoiding direct people costs – invoking more capable and “friendly” tools. This is still in the context of sourcing: looking for providers who can offer this as a way forward. It’s a potential differentiator in the market. Sutherland is encouraging buyers to look beyond simple cost. He’s suggesting what the signs might be that this is moving in the market, through 2014.

And the final speaker: Ned May of HfS on “the impact of digital”: the SMAC stack again, emphasising the need to embrace all four elements. The speaker does accept that “digital is not new” but I thought it had been around at least since the inauguration of the Web in the mid 1990s. The examples seem to be describing how what goes round comes around, perhaps with a new view of its capabilities. Experimentation will change to planned projects, but skunkworks projects will be of value. This isn’t just a technology change, it’s a mindset change. Some people have been saying this for a long time!

And finally: workforce issues, Christa Degna Manning. Who doesn’t seem to be accessible … emphasising the importance of a back channel for management issues on web calls! The issue is HR outsourcing as, like other areas, this moves to second/third generation outsourcing. Perhaps no longer primarily to support the HR practitioner, but to support and develop the employee.

The key question is whether this is still same-old outsourcing, or whether the trends discussed earlier apply here too. That is, to look for what the webinar regards as higher-maturity outsourcing: the role of talent, for example, and long term benefits; managing contractors and non-employees; connection through collaboration technologies and perhaps to the world of crowd-sourcing and micro-work contracting (think Amazon Mechanical Turk). I’m reminded of John Adair’s long-established Venn diagram depicting management as the intersection of Task, Team and Individual.

Webcast preview link: http://www.horsesforsources.com/the-hfs-2014-outlook_012814. A replay link when I have it.

Over time, but a couple of quick questions to wrap up. The question of handling IP (I presume this means the IP that the outsource process generates). Providers like to be able to re-use (perhaps by back-licensing) processes, for example, developed within a contract. A bit more elaboration about “digital”. I clearly need to figure out what HfS mean when they say “digital”, but I think it means digitally-captured business information from, perhaps, unconventional, distributed, and big-data sources. And a question about how this works in a shared services model (which is not the same as global business services, even within the one enterprise).

Time to drop off the call. I’ll add some reflections, and tidy this up, tomorrow.

Security operations: sources 22 Jan 2014

Posted by Tony Law in Insight services, ITasITis, Tech Watch, Technorati.

First of all, a belated happy New Year …

I’m shortly to facilitate an online meeting on the topic of Security Operations Centres (SOC). Not something I know a great deal about (an advantage for a facilitator, but there are limits …) so I undertook a little research from the usual sources and this note summarises what I found.

First: there is not, it appears, a great deal of content from the Insight services specifically about centralised security operations. There’s a great deal, of course, about the various elements of security: malware detection, incident response, perimeter protection (firewall) and so on. Gartner have a mid-last-year online (free) webinar replay, Top Security Trends and Take-Aways for 2013. There’s a Security Information and Event Management (SIEM) Technology Magic Quadrant. Perhaps the one to watch from Gartner is an analyst, Adam Hils: he’s recently returned to Gartner after a few years elsewhere, and SOC is one of the areas he expects to cover. And there’s a definition of the role of a Managed Security Service Provider (MSSP).

Forrester have a Security Architecture And Operations Playbook (collection of documents and tools) which, for clients, would repay exploration. They do have a report (not free) entitled SOC 2.0: Virtualizing Security Operations: but this dates from 2010. There’s a recent (August 2013) Forrester Wave on Emerging MSSPs, and a report (same date) on SOC staffing: so although the Playbook contents list isn’t very revealing it looks as if Forrester are up to speed on this topic. Forrester’s buzz phrase is the Zero Trust Model. Clients, have a conversation with your Sales Manager.

One or two of the smaller providers have some content. ESG (The Enterprise Strategy Group) have a very recent blog post: Enterprise CISO Challenges In 2014; this identifies some challenges and some players, and the need for efficacy linked to a strong security architecture, but doesn’t discuss organisational centralisation. Smart Directions publishes a Security Reference Diagram (architecture) which is worth a close look: based only on the online summary (you’ll need a subscription), there is a top layer here which can be interpreted as the function of an SOC.

But the two most helpful documents I’ve uncovered are not from Insight providers.

DEF CON is a hacker conference. Don’t let that put you off; “hacker” was a respectable attribute until it got hijacked by miscreants. DEF CON 18 included a useful presentation by Josh Pyorre and Chris McKenney entitled Build Your Own Security Operations Center for Little or No Money (the title on the slide deck is slightly different). Although this is also some years old (DEF CON 18 was in July-Aug 2010) this is a useful summary of the What and Why of an SOC. There are some useful hints such as the need for an internal (private) network to carry SOC secure communications. There’s some useful information too, though three and a half years old, on tools.

And probably the best paper, unusually, is from a vendor. Again it’s a year or two old: HP’s Building a successful Security Operations Center is dated 2011. It discusses the why and wherefore of not outsourcing this operation (basically, you get generalised, aggregated operations which while they may be 24×365 are not necessarily optimised to your business context); and its how-tos extend to the kind of staff you need, potential shift patterns, and how to respond to the likelihood that really good analysts will get mentally tired after two or three years, lose their effectiveness, and need to move on.

I’d be most pleased if any source or provider who feels they’ve been misrepresented or left out would add a comment.

Oh, and if searching: don’t forget that most material is American and they spell it Center.

Links:
• Forrester Research: The Security Architecture And Operations Playbook (this is a collection of documents, continuously updated); SOC 2.0: Virtualizing Security Operations (20 Apr 2010)
• Forrester Wave: Emerging Managed Security Service Providers, Q1 2013 (14 Feb 2013)
• Gartner: Top Security Trends and Take-Aways for 2013, free webinar (or download PDF); Glossary entry: Managed Security Service Provider
• ESG: Enterprise CISO Challenges In 2014, blog post, Jon Oltsik (10 Jan 2014)
• Smart Directions: Security Reference Diagram (report flyer), undated (probably 2013)
• DEF CON 18 (30 Jul-1 Aug 2010) Archive: page down to Build Your Own Security Operations Center for Little or No Money, Josh Pyorre, Chris McKenney (PDF download)
  You can view or hear the recorded presentation as video or audio from the DEF CON page (see link above)
• HP: Building a Successful Security Operations Center, Enterprise Security white paper, 2011 (direct link, PDF download)
• Gartner Blog: Adam Hils

Insight providers and market evaluation 6 Nov 2013

Posted by Tony Law in Impact of IT, Insight services, IT marketplace, ITasITis, Managing IT, Tech Watch, Technorati.

This is a slightly extended version of a response in LinkedIn to Michael Rasmussen, who has published some thought (“a rant”) about Gartner’s Magic Quadrant.

MQ is a highly influential and long established analyst tool. As an insight services user in enterprise IT, I made use of MQs regularly and would also review similar tools such as Forrester’s Wave when a purchasing decision was being made. Like anything else, it’s essential to know just what a tool like this is, how it’s created and what it does and does not convey. The same is true of Gartner’s Hype Cycle, as I’ve commented elsewhere.

Michael highlights several concerns about Gartner’s recently updated MQ in his own area of considerable expertise, that is, global risk and compliance (GRC). Do read his original, which I won’t attempt to summarise; see the link below. Here’s my response.


Michael, having read the whole post in your blog, a couple of comments from a user’s perspective. First: I wholly agree that Forrester’s Wave value is in the open availability both of the evaluation criteria and of the base data; it would be fantastic to see the same from Gartner. This isn’t just an issue of general openness. Since a user can adjust the weightings on the Forrester evaluations, it becomes a much more practical tool.

Second, I remember the moment of revelation when I realised there is a whole industry out there called Analyst Relations, that is, people employed by (big) vendors to influence the analysts. Users often don’t realise that’s how the insight market works.

Third, new approaches do emerge. I’d be interested in your take on Phil Fersht’s Blueprint methodology at Horses for Sources (HfS).

My own analysis of the insight market itself classifies providers in various dimensions. One of these looks at reach, both geographic and content: from global generalists (Gartner for example) through to niche (often start-ups – you yourself have progressed from niche to global specialist since you left Forrester). Perhaps tools like the Wave or MQ should have similar dimensions so that the innovative new providers can be properly assessed.


To add a couple more points. As a technology innovation researcher, I was always well aware that small start-ups often offered innovative options which larger vendors didn’t have or hadn’t got round to. But you took the risk of the enterprise falling apart, failing to deliver, or just failing. Experimental technologies always carry risk and the options are tactical (innovation for shorter-term business benefit) not strategic. Gartner I’m sure would assert that innovation is handled by their Vision dimension in the MQ but, as Mike points out, there are thresholds and other elements which mean that these tools don’t make it into MQs. HfS makes innovation explicit.

Second, in business-critical areas which are highly specific to your business area it’s unlikely that an insight provider will know as much as you do. Don’t automatically assume that a MQ or any other tool will deliver the right answer. Use the tools most certainly, but be prepared to reason your way to, argue for and adopt a solution which is at odds with what the tools say. You must of course be able to justify this, but the general answer may not be right for you.

Links:
• Gartner GRC Magic Quadrant Rant, Part 3, Mike Rasmussen, GRC Pundit, 23 Oct 2013
• The HfS Blueprint Methodology Explained, Jamie Snowden and others, HfS Research, Oct 2013
• GRC 20/20 research (Mike Rasmussen)
