Sunday, April 09, 2006
InformationWeek Spring Conference (Part three of three)
One of the best sessions I attended was on the topic of automating compliance. This would have been a session that James Governor of Redmonk would have enjoyed.
There seems to be a lot of pent-up demand for not having compliance-oriented approaches be yet another product the enterprise needs to acquire, but instead building compliance into their relational databases and enterprise applications. Log management was briefly discussed and even more quickly dismissed. The notion of data masking, though, seems to be on everyone's plate. Through the grapevine, I have learned that one database vendor (headquartered in NY) actually has a built-in solution to data masking within relational databases and briefed the folks at Redmonk several Fridays ago. Would have expected James Governor to blog about that conversation. Have to ping him to see why he hasn't shared this important discovery with a larger community.
The notion of Sharing IT Security Innovation seemed to resonate with attendees. InformationWeek will be doing an upcoming article on this topic which should stimulate the analyst marketplace to start doing deeper dives into this notion.
The folks from Citigroup seemed to have the most mature thinking in the room in that they have realized that identity management as currently discussed within the marketplace is a good first step but otherwise insufficient, and what is needed is deep entitlement approaches.
I have been of the belief that XACML is the perfect specification to build an entitlements platform on but for some reason, most analysts are really talking about this important problem space. Citigroup's entitlements platform was homegrown primarily due to the timeframe in which it was built. Nowadays, there are commercial platforms that can be purchased.
In my travels, I came across a wonderful consulting firm named Sena Systems that seems to have deep thought leadership in this space. I am speculating that they may have helped Citigroup with their internal platform. Have to catch up with these guys.
It seemed as if the enterprises headquartered in the Northeast had a head start on many compliance-oriented initiatives over folks in other geographic regions. Not really sure if the pattern is due to the fact that folks who live in the Northeast are smarter, have more access to money or some other trait.
About 80% of the room had solutions around providing enterprise email encryption. Would love to see the open source community step up and write plugins to Microsoft Exchange Server such that this problem space is done in a standards-based way. So far all implementations are proprietary and do not interoperate.
About 1/2 of the attendees have moved beyond "selling" security and have changed their budgeting process within IT to the notion of a tax. Security has been somewhat challenging to the culture in that traditionally, IT was all about becoming ROI driven but then came SoX which forced a sort of hybridism.
Also, about 1/2 of the room had a notion where a single individual in their enterprise had the title of Chief Security Architect whose focus was on enabling applications to support secure software development practices. Of the enterprises that had this position, 90% of them were either at the director or junior VP level, which is an encouraging trend.
I wonder if folks know that they can attend this conference absolutely free! There are no expensive conference admission fees, so asking your boss to approve $1,500 like you have to for other conferences is simply non-existent. You will meet peers from other Fortune enterprises and not be overrun with buzzword-oriented presentations.
I know that industry analysts provide guidance to their software customers on how to attract the attention of Fortune enterprises but do they ever recommend which conferences their marketing folks should pursue? If not, maybe they should...