Osterman Research Blog


Some musings on the Facebook IPO
May 24, 2012, 5:17 pm
Filed under: Uncategorized

Since everyone else seems to be weighing in on Facebook’s IPO and the subsequent surprise in its valuation in the days following, I thought I might pass along a few thoughts on what I think this might mean:

  • Learning from the past is important:  Before the dot-com bubble burst a little over a decade ago, the inclusion of “Internet” or “Web” in a startup’s business plan was about all that was needed to get investors to throw cash their way.  After the bubble deflated rather rapidly, investors and business managers re-learned the basic principle that business fundamentals and realistic market assessments are more important than hype.  Then along came social media and most of the lessons learned were lost, and are now being relearned since last Friday’s Facebook IPO.  Admittedly, Mr. Zuckerberg was a teenager when the dot-com bubble popped, but many of his older advisors who lived through it should have been paying more attention.
  • Real-world thinking and math are important:  One of the fundamental problems that the Facebook IPO surfaced is that many investors considered the social media business as fundamentally different than other types of businesses.  It’s not.  For example, would you buy a restaurant if it was priced at $115 per customer – and if its average customer spent $4.84 per year?  Probably not, but many Facebook investors were willing to do just that – up until a few days ago anyway.
  • Social media is still important:  A knee-jerk reaction by some might be to discount the importance of social media in the workplace, for advertising, or for commerce in general.  After all, if the biggest, most popular and most pervasive social media company can’t generate sufficient interest in its IPO, some might surmise that the category isn’t as important as they were led to believe.  However, it is important to remember that social media is perhaps the most important development in communications and collaboration for the past decade.  In the workplace, it offers enormous potential on a variety of fronts, including real-time analytics to improve business processes and decision making, the ability to establish deeper connections with those inside and outside a company, the ability to enable informal interaction and insight gathering in a way that other tools cannot – and we’re just scratching the surface.
  • Reputation and likability are important:  A recent survey found that Facebook is the most hated social media company in the United States, while Google is among the best-liked companies.  Facebook’s IPO has seriously disappointed, while Google’s stock price has increased nearly six times since its IPO.  I think there’s a connection here.
  • Beware of popularity without impact:  Facebook is extraordinarily popular, used by 900 million people around the world and the numbers continue to grow.  However, users spend relatively little money with Facebook as a result of their interaction with it.  The lessons here are a) that popularity doesn’t necessarily lead to impact, b) impact doesn’t necessarily need popularity, and c) build your brand (and your life) so that if you disappeared tomorrow you would be missed.
  • Nothing has really changed:  Although Facebook’s IPO has been a debacle in a way that relatively few could have guessed just a few days ago, nothing fundamentally has changed.  Facebook is still used by 900 million people and counting, you can still “like” the breakfast or vacation or video that one of your friends just posted, and the money that some people lost investing in Facebook last week is still there, just in different pockets.


What Really is the “D” in BYOD?
May 9, 2012, 6:59 pm
Filed under: Uncategorized

The Bring Your Own Device (BYOD) trend is consuming lots of digital ink on blogs, IT managers are wrestling with the problems created by it, and a growing number of vendors are addressing the issue with innovative new solutions.  But when we talk about the “Device” in BYOD, what do we really mean?  I contend that BYOD should really be BYODA:  Bring Your Own Devices and Applications (remember, you saw it here first!).

The problems with BYOD in a device-only context are several:

  • IT must spend more of its already scarce time to manage employee-owned devices like iPhones, iPads, Android smartphones, Android tablets, etc., in addition to the devices it supplies to employees.  This consumes an increasing amount of staff time in IT departments that are already resource- and budget-constrained.
  • More strategically, employee-owned devices that access corporate applications, download email, store attachments and the like are mini-repositories of sensitive and confidential information that can create a variety of compliance problems.  For example, a lost device that cannot be remotely wiped (not all companies have yet implemented this capability) can create enormous data breach notification problems, not to mention the potential exposure of intellectual property.
  • Even for devices that are not lost, imagine going through an e-discovery, regulatory audit or similar exercise in which you have to identify, search and extract data from potentially thousands of devices that are spread around the globe.
  • When employees leave your company, you have to ensure that a) sensitive or confidential corporate data has been returned to the company along with the device itself and b) that copies are not stored in repositories outside of IT’s control.

How are these problems any different for an organization when users download Dropbox, share company files via Hotmail to get around file-size limits in the corporate email system, or post information to Twitter or Facebook?  Fundamentally, the problems are the same for devices as they are for applications: IT must spend time managing/blocking/creating policies about these applications if they want to exercise any sort of control over the content stored or sent using them, they face compliance issues when data is stored in personal cloud repositories, they face the same kinds of search and extraction problems when going through e-discovery or regulatory audits, and they have no assurance that corporate content is not still somewhere in the cloud after an employee leaves.

In short, the BYOD problem is not really a device-focused issue, it’s part of a larger governance issue that encompasses both devices and potentially thousands of different (mostly cloud) applications.



The Real Importance of Google Drive
April 25, 2012, 10:12 pm
Filed under: Uncategorized

Google has finally announced Drive, its storage and synchronization solution that – at least on one level – is designed to compete with Dropbox, Microsoft SkyDrive, YouSendIt, Trend Micro SafeSync, SugarSync, GoodSync, Syncplicity and other file-synchronization tools.  On an overly simplistic level, file synchronization is a superset of online backup, often focused on individual users, because of its addition of automatic synchronization features – and it’s one of the hottest areas of growth in the storage space right now.  Secure file transfer – another growing area of interest and investment – is a related market, but somewhat different because of its emphasis on the transfer of content as opposed to its storage.

Drive opens a new front in the ongoing, multi-front battle between Google and Microsoft in the context of communications (Gmail vs. Exchange Online), online productivity applications (Apps vs. Office Web Apps), search (Search vs. Bing), real-time communications (Talk vs. Lync), etc.  However, Drive may represent the biggest headache for Microsoft in a couple of ways.  First, by integrating so tightly with Gmail and Google Docs, Drive creates even more of an ecosystem in the cloud, allowing organizations to create and store everything online.  Drive does not represent a dramatic shift toward making it easier to migrate to the cloud, but is another – albeit important – push in that direction.  To underscore this, Google is making cloud storage very inexpensive and focusing on both individuals and corporate customers.  For example, Drive offers 16 terabytes of storage for $800 per month, or five cents per gigabyte per month.  This is dramatically lower than Amazon’s S3 pricing of 11 cents per gigabyte per month at that storage level – even at 5,000 terabytes of storage per month, Amazon’s pricing is 5.5 cents per gigabyte per month.  Yes, different markets for Drive and S3, but an interesting pricing comparison nonetheless.

Second, and perhaps more importantly, the growing ecosystem of cloud capabilities offered by Google and even Microsoft itself, as well as the addition of very inexpensive storage in Drive, will be yet one more thing that deemphasizes the importance of the OS in the minds of many corporate decision makers.  As has been discussed by many others, the rise of the browser’s importance is more or less coincident with the fall of the OS’s relevance.  That’s not to say that the choice of operating system is not an important one, but justifying an expensive migration from Windows 7 to Windows 8 (or even Lion to Mountain Lion) will become more difficult in an age where applications and communications tools are accessed increasingly using a cloud model.

What Drive represents, then, is much more important than just another Dropbox competitor, but rather another arrow in the Google quiver directed against Microsoft.  Microsoft has already taken some preemptive steps as a result, lowering the price of Office 365 last month and increasing the amount of free storage on SkyDrive just this week.



Peer-to-Peer Storage Where You are the Cloud
April 19, 2012, 9:01 am
Filed under: Uncategorized

I had dinner last night with people from Symform (about whom I blogged late last year) and some of their prospects.  Symform is a Seattle-based company that has applied what is, in essence, the Skype model to data storage in an attempt to dramatically drive down the cost of cloud-based storage.  Rather than build out a traditional data center, Symform customers provide all of their storage themselves on a quid pro quo basis.  Here’s how the system works:

  • Content is uploaded to the cloud from your environment and segmented into 64-megabyte chunks, each of which is encrypted with 256-bit AES.
  • Each of these 64-megabyte chunks is then divided into 64 one-megabyte segments.
  • For each group of 64 one-megabyte segments, 32 one-megabyte parity fragments are added using what Symform calls its RAID 96 algorithm, an erasure code that yields 96 fragments per chunk.
  • These 96 one-megabyte fragments are then distributed randomly across the base of Symform customers worldwide (although most are currently in Europe and North America, with a handful throughout the rest of the world).

When a Symform user downloads content from the cloud, the fragments are gathered from these disparate sources and reassembled into the requested content.  The 32 parity fragments for each block of 64 one-megabyte segments add 50% to the overall storage load, but they make the system highly redundant when a participant’s local storage is corrupted, switched off or otherwise unavailable: any 64 of the 96 fragments are all that is needed to rebuild the chunk, so up to 32 of them can be missing at any given moment.
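
The rebuild property described above, any 64 of 96 fragments, is exactly what a systematic erasure code provides.  The following is an added example written for this page, not Symform’s code: RAID 96 is the company’s own name for its scheme and the post does not say how it is built, so a Cauchy-matrix Reed-Solomon code over GF(2^8) is assumed here, and the AES encryption that precedes fragmentation is left out.  It encodes a constructed 1 KiB chunk into 96 fragments (k = 64 data, m = 32 parity), discards 32 of them at random and rebuilds the chunk; with only 63 survivors it refuses, because the remaining system of equations is underdetermined.

```python
"""Systematic Reed-Solomon erasure code over GF(2^8): k = 64 data fragments
plus m = 32 parity fragments, and any 64 of the 96 rebuild the chunk.
Added example for this page, not Symform's code; a Cauchy-matrix
construction is assumed and the AES step before fragmentation is omitted."""
import random

K, M = 64, 32   # data and parity fragments per chunk (figures from the post)
N = K + M       # 96 fragments in total: 50% storage overhead

# GF(2^8) log/antilog tables, primitive polynomial x^8+x^4+x^3+x^2+1 (0x11d)
EXP, LOG = [0] * 512, [0] * 256
_v = 1
for _i in range(255):
    EXP[_i], LOG[_v] = _v, _i
    _v <<= 1
    if _v & 0x100:
        _v ^= 0x11d
for _i in range(255, 512):
    EXP[_i] = EXP[_i - 255]

def gf_mul(a, b):
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gf_inv(a):
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    return EXP[255 - LOG[a]]

def generator_matrix(k=K, m=M):
    """Rows 0..k-1: identity, so data fragments are stored verbatim.
    Rows k..k+m-1: Cauchy matrix 1/(x_i + y_j) with x_i = k+i, y_j = j.
    Every square submatrix of a Cauchy matrix is nonsingular, so ANY k of
    the k+m rows are invertible: that is the any-64-of-96 property."""
    g = [[1 if c == r else 0 for c in range(k)] for r in range(k)]
    g += [[gf_inv((k + i) ^ j) for j in range(k)] for i in range(m)]
    return g

G = generator_matrix()

def _combine(rows, vectors, length):
    """out[r][p] = XOR over j of rows[r][j] * vectors[j][p], in GF(2^8)."""
    out = []
    for row in rows:
        acc = bytearray(length)
        for coeff, vec in zip(row, vectors):
            if coeff:
                for p in range(length):
                    acc[p] ^= gf_mul(coeff, vec[p])
        out.append(bytes(acc))
    return out

def encode(chunk, k=K):
    """Split a chunk into k equal zero-padded pieces and return all k+m
    fragments as (index, bytes) pairs."""
    frag_len = -(-len(chunk) // k)
    padded = chunk.ljust(frag_len * k, b"\0")
    pieces = [padded[j * frag_len:(j + 1) * frag_len] for j in range(k)]
    return list(enumerate(_combine(G, pieces, frag_len)))

def invert(matrix):
    """Gauss-Jordan inversion over GF(2^8); ValueError if singular."""
    n = len(matrix)
    a = [row[:] + [1 if c == r else 0 for c in range(n)]
         for r, row in enumerate(matrix)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col]), None)
        if pivot is None:
            raise ValueError("singular matrix")
        a[col], a[pivot] = a[pivot], a[col]
        scale = gf_inv(a[col][col])
        a[col] = [gf_mul(scale, v) for v in a[col]]
        for r in range(n):
            if r != col and a[r][col]:
                f = a[r][col]
                a[r] = [v ^ gf_mul(f, w) for v, w in zip(a[r], a[col])]
    return [row[n:] for row in a]

def decode(fragments, chunk_len, k=K):
    """Rebuild the chunk from ANY k surviving (index, bytes) fragments."""
    if len(fragments) < k:
        raise ValueError(f"need {k} fragments, only {len(fragments)} survive")
    fragments = fragments[:k]
    inv = invert([G[idx] for idx, _ in fragments])   # one inversion per chunk
    frag_len = len(fragments[0][1])
    pieces = _combine(inv, [frag for _, frag in fragments], frag_len)
    return b"".join(pieces)[:chunk_len]

def roundtrip(chunk, survivors, seed=7):
    """Encode, keep only `survivors` randomly chosen fragments, decode."""
    kept = random.Random(seed).sample(encode(chunk), survivors)
    return decode(kept, len(chunk))

SAMPLE = bytes(range(256)) * 4   # constructed 1 KiB chunk (ciphertext in practice)

if __name__ == "__main__":
    assert roundtrip(SAMPLE, K) == SAMPLE        # 32 of 96 lost: rebuilds
    try:
        roundtrip(SAMPLE, K - 1)                 # 33 lost: cannot rebuild
    except ValueError as e:
        print("expected:", e)
```

The overhead is n/k = 96/64 = 1.5, the 50% the post quotes.  The 64x64 inversion in decode is computed once per chunk and then applied to every byte position, so its cost is amortised over the whole chunk rather than paid per byte.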

One of the key advantages of the Symform approach is its extremely low cost: the first 200 gigabytes of storage is offered at no charge, while unlimited storage costs $3.50 per user per month.  The only “string attached” is that customers provide as much storage locally as they receive, since their local storage is essentially part of someone else’s cloud.  However, Symform also offers an option for those who do not want to contribute local storage.

In addition to offering cloud-based storage at low cost, Symform has also developed interesting solutions to some of the problems associated with cloud storage.  For example, their “Turbo Seeding” technology allows IT solution providers to upload customer data to the cloud more securely than when drives filled with customer data are shipped to the cloud provider for the initial data upload.  Their “Hot Standby” copies data to the cloud and to another local or remote device for instant access in the event the primary data storage is destroyed or otherwise taken off-line, thereby speeding data restoration.

Another advantage of the Symform approach is its high level of security.  Because each chunk is AES-encrypted and then shredded into fragments scattered across many unrelated hosts, an individual fragment is useless to the host that stores it or to anyone who intercepts it: without the key it is one ninety-sixth of a ciphertext, and without at least 63 other fragments it is not even a complete ciphertext.  That protection is only as strong as the handling of the AES key, however; whoever holds the key and enough fragments can rebuild the chunk.  Practically speaking, this renders various national requirements to store data only in certain geographies moot – whether all regulators around the world will be enlightened enough to accept this might be another matter.

Symform’s approach is clearly innovative and provides a unique and distributed cloud experience as opposed to one based on remote data centers.  They are definitely worth a look.



How Seriously Do You Take Data Breaches?
April 10, 2012, 9:51 pm
Filed under: Uncategorized

Press reports of data breaches are all too common these days, with some breaches exposing millions of records to criminals and others.  These breaches can be caused by any number of issues, ranging from lost or stolen laptops or smartphones, misplaced backup tapes or USB sticks, direct hacker attacks, installation of keystroke loggers resulting from malware infiltration, advanced persistent threats, malicious loss of data from disgruntled or departing employees, social media exploits, malvertising, etc.  Any IT or business manager will agree that data breaches are a serious issue, but how real do they believe the threat to be?  For example:

  • Are tools like Dropbox used in your organization without solutions in place to protect against the loss of data from them?
  • Is every company-supplied laptop, smartphone and USB stick encrypted so that, if lost, corporate data won’t be lost along with them?
  • Are your users accessing your corporate network and data assets with their own iPads, smartphones, laptops and home computers without solutions in place to manage their use?
  • Are DLP solutions in place to prevent unencrypted Protected Health Information, credit card numbers or other sensitive information from being sent through the corporate email system?
  • Are your users employing their personal Webmail accounts when the corporate email account won’t let them send very large files?
  • Can files sent outside of your organization be time-limited so that they disappear after a set period?
  • Can personally-owned smartphones and tablets that contain corporate information be remotely wiped in the event they are lost?
  • Are you archiving your electronic business records so that this content is not inadvertently purged?
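
To make the DLP question in the list above concrete, here is an added example written for this page (not any product’s code) of the kind of outbound check such a system performs: it parses a raw email, looks only at mail addressed outside an assumed internal domain, skips bodies that are already PGP-encrypted, and reports any clear-text number that both looks like a card number and passes the Luhn check, so that order references and phone numbers are not flagged.  The messages it runs over are constructed samples, and the card number is the standard 4111 1111 1111 1111 test value.

```python
"""Outbound-email DLP check for clear-text payment card numbers (PANs).
Added example written for this page, not a vendor's product; the internal
domain is assumed and the sample messages at the bottom are constructed."""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "example.com"   # assumed corporate mail domain

# 13-19 digits with optional single space or dash separators, not part of a
# longer digit run. Candidates are Luhn-checked afterwards so order numbers,
# phone numbers and timestamps are not reported as card numbers.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """ISO/IEC 7812 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text):
    """Return the Luhn-valid card numbers found in text, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def mask(pan):
    """Keep the BIN and last four only: an alert must not carry the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def message_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")

def check_outbound(raw_message, internal_domain=INTERNAL_DOMAIN):
    """One finding per clear-text PAN in mail that leaves the company.
    Internal-only mail and PGP-encrypted bodies pass through untouched."""
    msg = message_from_string(raw_message)
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    external = [a for a in rcpts if not a.lower().endswith("@" + internal_domain)]
    if not external:
        return []
    body = message_text(msg)
    if "-----BEGIN PGP MESSAGE-----" in body:
        return []
    return [{"to": external, "pan": mask(p)} for p in find_pans(body)]

# Constructed samples: 4111 1111 1111 1111 is the usual Visa test number and
# 1234567890123 is a 13-digit order reference that fails the Luhn check.
LEAK = """From: bob@example.com
To: Alice <alice@partner.example>
Subject: card on file

Please charge 4111 1111 1111 1111, exp 01/15. Order ref 1234567890123.
"""
INTERNAL = LEAK.replace("alice@partner.example", "carol@example.com")
ENCRYPTED = """From: bob@example.com
To: alice@partner.example
Subject: card on file

-----BEGIN PGP MESSAGE-----
(constructed placeholder: the card number would be inside the ciphertext)
-----END PGP MESSAGE-----
"""

if __name__ == "__main__":
    for name, raw in (("LEAK", LEAK), ("INTERNAL", INTERNAL), ("ENCRYPTED", ENCRYPTED)):
        print(name, check_outbound(raw))
```

A real gateway would also decode attachments and look for the other identifiers in the same bullet (Protected Health Information), but the structure is the same: decide whether the message is leaving, decide whether it is already protected, then match and validate before alerting.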

These are just a few of the questions your IT and business decision makers need to be asking, and the issues for which funding should be a priority if the answers are not satisfactory.  Data breaches can be extraordinarily expensive given that breach notification laws are becoming the norm, not to mention the cost of losing the sensitive data itself.

Solving a problem begins with taking it seriously.



Don’t Ask Too Much; Don’t Post Too Much
April 5, 2012, 12:33 am
Filed under: Uncategorized

There are numerous stories in the press about companies that demand to see the Facebook profiles of job applicants or current employees.  In some cases, applicants have been denied employment, and employees suspended or fired, for refusing to provide this access.

The argument offered by employers for demanding this access is that it provides them with more information about prospective or current employees, much like a credit check or background check would provide.  And, from a purely factual standpoint, employers who hold to this position are right: examining a Facebook profile will provide more information about someone than not examining that profile.

But are employers wise to demand access to your Facebook profile?  In my opinion, absolutely not.

There is an interesting open letter – albeit a fictional one – that offers a resignation from a director of software development.  This resignation was in response to his company’s new policy of requiring prospective employees to allow the company to look over their shoulder when accessing Facebook, or preferably to give the employer their Facebook login information.

In one interview after implementing the new policy, a prospective new hire – after providing her Facebook login credentials – promptly declared that she was a lesbian and was prepared to file suit if a heterosexual “less qualified in any way” was hired instead of her.  She went on to explain that even if she was hired she might demand to see the employment contracts of all other employees to determine if she was being paid less than her male or heterosexual counterparts.

A few interviews later, another applicant declared – again after providing his Facebook credentials – that his partner was expecting a child and he would be exercising his right of taking six months of leave as allowed by law in Ontario.  He went on to ask, “you would never refuse to hire someone because they plan to exercise their legal right to parental leave, would you?”

This director resigned because he was no longer able to hire whom he wished.  By knowing too much about prospective employees, his hiring decisions could immediately be suspect even if his motives were completely above reproach.

Here are two lessons I think we can draw:

  1. Employers are better off not asking for prospective or current employees’ Facebook credentials because knowing too much can make their hiring decisions much more complicated and litigious than they have to be.
  2. Don’t overshare or post content that you don’t want to come back to haunt you.  Does the entire Facebook world really need to know your drinking habits, your every idle thought, or every opinion you hold?  For example, as I write this I’m looking at the public Facebook profile for someone who looks like a teenager and has posted information about a body part that I might consider inappropriate if I were an employer.  Another profile uses profanity in the “Activities and Interests” section.  Yet another profile is of a 20-something woman whose clothing in her profile picture might not fully cover my MacBook Air.

The bottom line, in my opinion, is simply to use common sense:  employers, don’t ask too much; employees, don’t post too much.



Another (and Perhaps the Most Compelling) Reason to Archive
March 29, 2012, 9:56 am
Filed under: Uncategorized

I have been banging the email archiving drum for many years, urging organizations of all sizes and across all industries to archive their email.  Just like individuals archive their tax and other important records, business records should be archived for as long as necessary.  However, many organizations are still resistant to archiving for reasons that range from a perception of excessive TCO for archiving technology to a desire not to retain “smoking guns” that might portray a company in a negative light during a legal action.

In most cases, the adoption of email archiving is driven by a need to address e-discovery, legal hold or regulatory compliance – much of it driven by specific regulators’ demands or an impending lawsuit – and less by IT’s desire to let users access their own archived content on a self-service basis.  However, Dr. Nathaniel Borenstein, the chief scientist at Mimecast, is touting the real-time use of archived email in a novel way:  as a means of improving decision making when composing new emails.

Borenstein cites an example of typing an email and having information from the corporate archive pop up alongside it, selected by a real-time semantic analysis of the content.  Used in this way, an archive could inform email senders of relevant information, such as others’ communications with the recipient of the email, the recipient organization’s sales history, or its customer service history.  As but one example, a salesperson who is composing an email to a key client could be presented with information as they type about a problem that the client is experiencing – information that might change the wording or tone of the email.

Using an email archive in combination with semantic analysis could provide enormous benefits, including faster and better informed decision making, fewer compliance problems, better customer service, and more accurate communications with clients, business partners and others.  Of course, it would require a number of things that most organizations don’t have right now, including the archival of content in at least near real time and retention of content that today would probably be discarded.  The latter point, for example, could result in significantly greater storage requirements and would require lots of computing horsepower so that relevant information could be identified and presented in real time.

More difficult, however, might be justifying these types of capabilities to senior management.  For example, archiving to reduce the cost of e-discovery or to comply with regulatory obligations is a relatively easy sell given that the penalties for not doing so can be significant and a compelling ROI can be made.  However, enabling real-time archiving to help users send better informed emails – while extremely valuable – offers “soft” benefits that are much more difficult to justify.  That said, this evolution of archiving is among the more novel and interesting that we have heard about and one that I look forward to seeing in action.



Microsoft Office 365 Price Reductions
March 15, 2012, 7:54 am
Filed under: Uncategorized

This week, Microsoft announced significant price cuts on Office 365, ranging from 13% to 20% for its Office 365 Enterprise plans, 22% to 24% on SharePoint, and 92% on SharePoint storage.  Microsoft indicated that the reasons for the significant price cuts are a) greater efficiencies in its data center operations, and b) improved leveraging of its administrative and security staffers.

While I don’t doubt that Microsoft is gaining greater efficiencies in managing its Office 365 data centers, I suspect (along with lots of others) that there may be more to the price cuts than that.  A key reason for the price cuts is likely that Microsoft’s enterprise adoption numbers are not quite where the company wants them to be (only 10% of Office 365 corporate customers have 50 or more employees), although detailed numbers are not published.  While Microsoft has gained some high profile adopters in the enterprise space, Office 365 – and cloud services in general – are integral to the future of the company (as evidenced by Steve Ballmer’s personal involvement in many deals).  Hence, its enterprise adoption targets are probably somewhat higher than it has so far been able to achieve.

Will price cuts help to drive demand for Office 365?  Probably, but only to a point.  Our own research finds – not surprisingly – that price cuts spur demand, but there is substantial variability in the increase of demand at different levels of price reduction.  For example:

  • At $20 per seat per month, 16% of mid-sized and large organizations are likely or definite adopters of cloud-based email services.
  • Dropping the price by $5 increases likely or definite adoption to 27% (an increase of 69%).
  • Dropping it another $5 increases potential adoption to 49% (an increase of 81%).
  • Dropping prices another $5 will increase demand, but only a modest 24%.

I suspect that Microsoft has done its own research and come to a similar conclusion – that the just-announced price cuts may be significant enough to create sufficient demand among its potential enterprise customers to meet the company’s enterprise adoption targets.  Moreover, Microsoft is probably banking not only on the price cuts themselves, but on the fact that they may create enough of a perceived delta between enterprises’ internal calculations of on-premise TCO and Office 365 that decision makers will finally be convinced of the cost benefits of migrating to the cloud.



Why Common Sense Needs to be the First Layer of Security
March 8, 2012, 1:55 am
Filed under: Uncategorized

The best protection against malware, spam, hacker attacks, policy violations and other threats is a layered set of defenses in which software, services, hardware and policies are used to protect data and other assets at the network, system and application levels.  However, an obvious – but often-forgotten – layer in this cake of protection is the common sense of your users – one of the critical layers to prevent threats from gaining a foothold.  For example:

  • Social media tools are a great way for users to share information – and a great way for a spearphisher or whaler to target someone.  For example, as I write this I’m looking at the Facebook page of someone with whom I am not connected.  I can see that she is a realtor, has listed a home at 657 Noble in [city name withheld], was born on January 26th, has a dog named Lou, is a member of the Agent Leadership Council at a southern California realty organization, goes ice skating, lives in Thousand Oaks, speaks French, and took a trip to Orlando on February 11th.
  • If I was a bad guy intent on sending her a spearphishing email – perhaps with the intent of infecting her PC with Zeus – I could use this information to craft an email that she would be likely to open.  For example, an email with the subject line “Need to schedule a vet appointment for Lou” or “We mistakenly overcharged you on your recent trip to Orlando”, or perhaps a LinkedIn invitation that includes personal details, would likely get her attention and increase the chances of her becoming a victim of a spearphisher.  This is not to say that this Facebook user lacks common sense, but the information she has posted could be used against her and needs to be evaluated in that light.
  • Spam filtering technology is effective at blocking emails that contain links to malware sources (albeit with some spam filters more effective than others).  But the filter is only as good as what users do with its quarantine: the 2011 RSA breach began with a spearphishing email carrying a malicious Excel attachment that the filter had already routed to the junk folder, from which an employee retrieved and opened it.
  • A spearphishing email at the Oak Ridge National Laboratory in April 2011 was received by 530 employees, 11% of whom clicked on a malicious link.
  • Many users are not sufficiently skeptical when asked for information.  For example, before last year’s royal wedding between Prince William and Kate Middleton, a Facebook scam was making the rounds asking respondents to create their royal wedding guest name.  This name consisted of one grandparent’s name, the name of a first pet, and the name of the street on which the victim grew up – all likely responses to security questions one might get asked when resetting a password.
  • A study by Trusteer found that 73% of Web users employ the same online banking password that they use at other Web sites.

The bottom line is that common sense exercised in the normal course of using corporate systems – mixed with a bit of skepticism – needs to be the initial line of defense to protect systems, data, financial accounts, sensitive data and other assets from compromise.  Without it, technology is less effective and organizations are at greater risk.



The TCO of Doing Nothing
February 23, 2012, 8:07 pm
Filed under: Uncategorized

Our research finds that many organizations don’t have the budget to address many of the problems they face, such as managing certificates in a careful and coordinated way, monitoring and archiving social media content, implementing data loss prevention systems that can check for intellectual property or sensitive information sent outside the company without encryption, or retaining content for the length of time required by statute or legal precedent.  The argument is that budget is simply not available or the problem is not of sufficiently high priority to warrant doing anything about it.

While the cost of implementing technology or services can be substantial, so is the cost of doing nothing.  For example:

  • In a white paper we published this past October, we demonstrated that in an organization of 500 users, going through 10 e-discovery exercises over a three-year period with an email archiving system will result in savings of $395,000 compared to going through e-discovery without archiving.  Our calculations determined that the Total Cost of Ownership of an archiving system will be $35,000 per e-discovery event (including the amortized cost of the archiving system or service), while the cost of e-discovery without archiving will be $74,500 per event.  The result, assuming just 10 e-discovery exercises in three years, is that the TCO of archiving is $233 per user per year.  However, the TCO of not archiving to satisfy e-discovery requirements will be $497 per user per year.  The result is that the cost of doing nothing is the difference between these two, or $264 per user per year, or 13% more than implementing an archiving system.

  • In another white paper published this past July, we demonstrated that the cost of major, serious and minor malware and hacker attacks will be about $278,000 for the typical organization over a four-year period (we explain the methodology in detail in the white paper).  Moreover, the cost of a robust Web security gateway to prevent these attacks will be about $108,000.  Consequently, the cost of preventing attacks, assuming a 500-seat organization, will be about $54 per user per year, while the cost of doing nothing (the difference between the cost of attacks minus the cost of the gateway) will be $85 per year, a difference of 57%.

  • There have been many reports of sexual harassment via email and other forms of communication, one of the most notorious being Chevron’s $2.2 million settlement in 1995 ($3.27 million in 2012 dollars).  Sexual harassment is potentially more serious when communicated electronically – one study found that jurors were 3.6 times more likely to find that sexual harassment occurred via email than in face-to-face communication.  If we assume that an organization has only a 1% chance of such a claim occurring in any given year, using a quantitative business analysis approach demonstrates that the actual cost of such a judgment is $32,721 annually – the cost of doing nothing to prevent this from occurring.  Given that the US Equal Employment Opportunity Commission received more than 11,700 sexual harassment claims in 2010 that resulted in $48.4 million in settlements (not counting settlements from private actions), this is a problem that must be addressed through email, social media and other types of monitoring, but often is not.

The bottom line is this: when considering the deployment of any new technology, it is critical to consider its TCO.  Equally important, however, is the need to consider the TCO of doing nothing, which often carries with it a much higher cost.



