Why Don’t We Change?

In July, Ashton Kutcher attempted to start a dialogue about gender equality in the workplace and was roundly savaged for his trouble:

  • “This is grossly offensive”, noted one person.
  • Joelle Emerson, the founder and CEO of Paradigm tweeted, “Yikes. These are definitely *not* the right questions. Most rely on flawed assumptions and perpetuate problematic myths.”
  • Someone else commented, “Aston [sic], you embarrass yourself for a very good reason. Your questions tell me more (again) about how you perceive women, not how women are! Please pull together the correct questions, and a dialogue that deals with the issue, instead of reiterating the sexist view in the workplace will begin to heal us.”

While not addressing the specifics of Kutcher’s comments, I’m troubled by the fact that people are permitted less and less to posit ideas or do new things without being trashed for their trouble. One of the fundamental rules I learned many years ago about brainstorming sessions — the goal of which is to foster an environment in which people are encouraged to present ideas to help solve problems — is never to criticize ideas as they’re presented. It’s fine to present alternative or contradictory ideas, but criticizing the brainstormer is antithetical to the ultimate goal of solving the problem because it discourages people from trying to be innovative. Sadly, in our hyper-politically correct environment, we are moving ever further away from the ideal of encouraging people to be innovative or disrupting the status quo. And without that kind of disruption and a culture that supports it, we just can’t solve our problems.

This is also the case for ideas in the workplace that have nothing to do with third-rail issues like politics, gender equality or immigration. Early in my career I did not have a computer on my desk and didn’t have email (the dinosaurs had just recently gone extinct and we just weren’t as technologically savvy in those days). The first company (a leading market research and consulting firm) I worked for out of university used a Wang word processing system and we were expected to dictate our reports into a handheld recorder, hand the tapes to the word processing staff, and wait for the printouts to appear on our desks. When I opted to do my own word processing, I was not only severely criticized by the word processing staff, but even made the company president quite upset. Two years later, all of the analyst staff were expected to do their own word processing.

If you’re a change agent, and if Vendor X is firmly entrenched in your enterprise and you suggest migrating to Vendor Y that offers a better user experience, you might be shut down without getting a hearing about the merits of your suggestion. Perhaps you want to deploy a social network that allows people to share information with the goal of increasing employee engagement, but management believes that people surfing the web and sharing articles with others is a waste of time — be prepared for a rough ride in many organizations. The good news for change agents in those types of organizations is that you probably won’t be working for that company for very long.

The bottom line is that we need to be open to new ideas, be polite to those who share them, and be willing to change. Innovative people and companies do that — those who orbit the status quo don’t.


We have recently completed a survey of IT decision makers that are knowledgeable about security issues in their organizations, and we found something surprising: the concern about “shadow IT” — employee use of unauthorized cloud apps or services — is significantly lower in this year’s survey than it was just over a year ago. While there can be variability between surveys because of sampling and other issues, the difference we found is not explained by sampling variability, but instead represents a significant shift of concern away from the problem of shadow IT and BYOD/C/A (Bring Your Own Devices/Cloud/Applications).


Three theories:

  • First, we have not seen big, headline-grabbing data breaches result from the use of personally owned smartphones, tablets, laptops and other employee-owned and managed devices, cloud applications and mobile applications. While these breaches occur and clearly are a problem, the horror stories that were anticipated from the use of these devices have been few and far between.
  • Second, senior management — both in IT and in lines of business — have seemingly acquiesced to the notion of employees using their own devices. They realize that stopping employees from using their own devices to access work-related resources is a bit like controlling ocean surf with a broom.
  • Third, there are some advantages that businesses can realize from employees using their own devices. While lower business costs are an important advantage because IT doesn’t have to purchase devices for some employees, another important benefit is that IT doesn’t have to manage them either. For example, when an employee leaves a company and company-supplied devices need to be deactivated, some organizations aren’t exactly sure who’s responsible for doing so — IT, the employee’s manager, HR or someone else. A survey we conducted some time back asked, “when an employee who had a company-supplied mobile phone leaves your employment, how confident are you that you are not still paying for their mobile service?” We found that only 43 percent of respondents were “completely confident” that the mobile service was deactivated, and 11 percent either were “not really sure” or just didn’t know. Employees using their own devices and plans gets around this problem nicely.

To be sure, unfettered and unmanaged use of employee devices in the workplace is not a good idea. It can lead to a number of problems, such as the inability for IT to know where all of a company’s data is stored, the inability to properly archive that data, the inability to produce all of it during an eDiscovery effort or a regulatory audit, lots of duplicate data, a failure to establish an authoritative record for corporate data, a greater likelihood of data breaches if a device is lost, and the potential for not being able to satisfy regulatory obligations.

That last point is particularly important, especially in the context of the European Union’s General Data Protection Regulation (GDPR). A key element of the GDPR is a data subject’s “right to be forgotten”, which translates to a data holder’s obligation to find and expunge all data it has on a data subject. If an organization cannot first determine all of the data it holds on a data subject and then cannot find all of that data, it runs the risk of violating the GDPR and can pay an enormous penalty as a result.

In short, BYOD/C/A offers a number of important advantages, but it carries with it some serious risks and should be addressed as a high priority issue in any organization.


You Need to Archive Mobile Text Messages

Osterman Research has found that roughly one-third of the typical information worker’s day is spent working on a mobile device, and an even greater proportion of work-related content is accessed using mobile devices. The impetus for the growing use of mobile devices is driven by a number of factors, although the use of personally owned devices is a key factor in their adoption in the workplace. As shown in the following figure, the use of company-owned and personally-owned smartphones is on the increase.

Source: Osterman Research, Inc.

Messaging applications on mobile devices, such as email and SMS/text messaging, are among the most common applications of mobile devices in the workplace. The vast majority of users who employ a smartphone for work-related uses employ some type of messaging-related application on a regular basis.

There are a number of difficulties associated with the archival of text messaging content. For example:

  • Text messages sent using telecom carriers are often retained only for brief periods, and so these providers cannot be relied upon as a source of archived text messages for long periods.
  • Since some companies operate in multiple countries using carriers that often do not provide any sort of text messaging archival service, enterprises often employ different methods to archive text messages, such as doing a physical backup of a device.
  • Further complicating the archival of text messages is the lack of commonality for archiving content depending on the device in use. Some solutions pull content directly from the server (e.g., with the BlackBerry Enterprise Server), while others install an app on the mobile device that transmits text messages to the archive. Other tools, such as SMS Backup+ for Android devices, will move text messages into a user’s Gmail account where they can be backed up or archived indirectly.

The bottom line is that organizations using various and inconsistent methods for archival of text messages makes the process inefficient, expensive and prone to error. The result can be incomplete archives of text messages and the consequences that go along with this level of inconsistency. Therefore, it’s essential to choose the right vendor that can provide a consistent and unified method for text message archival.

We have recently published a white paper on text messaging archiving that you can download here.


Is the Cloud Always Cheaper?

Office 365 and Exchange Online are good offerings – they provide useful functionality, a growing feature set, pretty decent uptime, and they’re relatively inexpensive. Microsoft, in this third major iteration of cloud services, has done a good job at offering a comprehensive set of applications and services. (We use Exchange Online internally and are quite pleased with it.)

From Microsoft’s perspective, the primary reason to move their customers to the cloud is to make more money. In 2015, Microsoft told Wall Street financial analysts that moving its customers from a “buy” model to a “rent” model will generate anywhere from 20 percent to 80 percent more revenue for the company. As evidence of how right Microsoft was, the company’s Office 365 revenue for the fourth quarter of 2017 is now greater than its revenue generated from traditional licensing models.

From a customer perspective, one of the key reasons for migrating to Office 365 is to reduce the cost of ownership for email, applications and other functionality. Our cost modeling has demonstrated that this actually is the case.

So, Microsoft makes more money from the cloud, but its customers spend less when migrating to the cloud. On the surface, that doesn’t seem to make much sense until you realize that the cost savings for customers are coming primarily from the labor that you no longer have to pay to manage an on-premises system, and from the stuff you no longer have to buy to maintain it, especially when considering hardware and software refresh cycles.

But what if you’re a small organization that wasn’t spending much on labor because you have an easy-to-manage email server, for example, and your hardware requirements to run it are not significant? Let’s go through an example comparing Exchange Online Plan 1 with Alt-N Technologies’ MDaemon Messaging Server for a three-year period for a 50-user organization:

Exchange Online Plan 1

  • $4.00 per user per month
  • $7,200 for 50 users for three years

MDaemon Messaging Server (with priority support)

  • $2,433.04 initial cost, or $1.35 per user per month for three years

MDaemon Messaging Server (with priority support, Outlook Connector and ActiveSync)

  • $4,678.43 initial cost, or $2.60 per user per month for three years

So, the on-premises platform will save a 50-seat organization anywhere from $2,522 to $4,767 over a three-year period. If we assume that an on-premises email system like MDaemon could be managed by an IT tech making $35,839 per year (the national average for that position according to Glassdoor), that means the tech could work anywhere from 4.1 to 7.7 hours per month on the MDaemon infrastructure to bring its cost up to that of Exchange Online Plan 1, although it’s unlikely that much of a time investment would be required. Of course, I have not factored in the cost of the hardware necessary to implement an on-premises email system, but most organizations already have that hardware on hand.

The point here is not to abandon consideration for Exchange Online or other cloud platforms, since they offer a number of important benefits and there are good reasons to go that route. But organizations that need to get the most bang for their buck will be well served to consider using on-premises solutions, especially if their hardware and software refresh cycles are longer than three to four years. That’s especially true for desktop productivity platforms like Word, Excel and PowerPoint, where the average refresh cycle is quite long (one survey found that Office 2010 remained the most popular version of Office in use five-and-a-half years after its release).

Automatic Monitoring of Key Systems

One of the problems that IT often has with business systems — especially those on which users or customers are dependent for real-time or near real-time interactions or transactions, such as email or eCommerce systems — is that users are often the “canary in the coal mine” in determining when a problem has occurred. For example, IT will often learn about an email downtime only when there’s a spike in traffic to the corporate help desk, or calls to a help line will be the trigger that notifies IT that a customer-facing system has gone down or is providing unacceptable performance.

dinCloud has introduced an interesting offering called “James”, which they’re touting as a virtual robot designed to monitor systems on a 24×7 basis. James is designed to monitor a wide variety of systems, such as eCommerce platforms, corporate email, databases and a variety of other systems that support business processes and workflows. The basic goal of James is to monitor systems continually for events like outages, system errors or performance that drops below a predetermined threshold, and then alert IT about the problem so that the issue can be rectified as quickly as possible. The example below, from dinCloud’s web site, is a basic example of how James works.


Although James can be used in any environment, it seems especially well-suited to smaller organizations that may not have the technical expertise or other resources needed to monitor key systems on a continual basis. dinCloud offers a turnkey approach for customers, helping them determine what to test and providing services around configuration and deployment of the system. James also supports a real-time dashboard that enables decision makers to keep an eye on system performance and receive alerts when problems are discovered.

While I’m not crazy about the name “James” as it applies to this offering (perhaps something like “Virtual System Monitoring Robot” might be more descriptive), I really do like what dinCloud is doing here. Downtime and poor system performance are the bane of online systems because even small glitches can create major problems. For example, an older study found that about 40 percent of US consumers will give up on a mobile shopping site that won’t load in just three seconds, and a 2016 study found that unplanned downtime for a large organization will cost an average of nearly $8,900 per minute. Our own research finds that email outages of even just 10 minutes can create problems.

In an era of ransomware, DDoS attacks, hacking and other threats that can create significant levels of downtime in addition to the more traditional causes like server crashes or application faults, system monitoring should be high on every IT manager’s priority list.

Open Questions About the GDPR

The European Union’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018. In short, the GDPR will provide data subjects (i.e., anyone who resides in the EU) with new and enhanced rights over the way in which their personal data is collected, processed and transferred by data controllers and processors (i.e., anyone who possesses or manages data on EU residents). The GDPR demands significant data protection safeguards to be implemented by organizations, regardless of their size or their geographic location. You can read the full text of the GDPR here, as well as our recently published white paper and survey report on the subject here and here.

The goal of the GDPR is quite clear: to protect the privacy rights of EU residents and to ensure that they have a right to be forgotten by any organization that possesses data about them. However, there are some situations in which legal jurisdictions and whose rights should prevail are not yet clear. For example:

  • US organizations have an obligation to apply a legal hold on relevant data if they have a reasonable expectation that a legal action may be forthcoming. But what happens if some of the data that a company is obligated to hold includes data on an EU resident who has asked for that data to be expunged?
  • Broker-dealers and others under the jurisdiction of FINRA must retain various types of communications, such as communications between registered representatives and their clients. What if a client of that representative ends the relationship, but immediately wants his or her data to be deleted?
  • Manufacturers routinely keep customer information in support of warranties that they offer on their products. If a customer in the EU asks that all of their data be forgotten, does that relieve the manufacturer from their obligations to honor the warranty?
  • Will governments be permitted to retain data on visitors from the EU, such as the data provided on the embarkation forms that visitors are obligated to complete upon entry to a country, if those visitors ask that the data be deleted?

As with any new regulation there are always unanswered questions, unique situations that had not been contemplated when the regulation was written, and various unintended consequences — the GDPR is no different in that respect. What is different are the consequences of getting things wrong, which can include fines as high as €20 million ($23.7 million), or four percent of an organization’s annual revenue, whichever is higher. For a company with $1 billion in annual revenue, that would be a $40 million fine!

Will the EU impose such large fines shortly after the May 25, 2018 implementation of the GDPR? That’s an open question, but given the EU’s aggressive stance toward companies like Google and Facebook, my guess is that they will seek a test case to let everyone know that they mean business.

Do You Manage Social Media Well?

Some actual social media posts:

  • “….we need to hold this f%#@er and all his racist supporters accountable.”
  • “Threatened with a $200k lawsuit from idiot client who misrepresented the scope of their project and took longer than originally planned.”
  • “What a stupid client, how can he be an engineer for so many years!”
  • “I have 2 moods. 1) I love working let’s get moneyyyy 2) I never want to work again I want to kill every customer.”

Given that somebody’s employees have already posted these comments, what would you do if it was your employee that did so?

  a. Nothing.
  b. Accept the fact that employees can do what they want on their own time, regardless of the consequences for your company.
  c. Communicate with your employees about the importance of considering what they post on social media before they do so.
  d. Remind employees about the importance of following your company’s social media policy that specifically addresses identifying their employer on their personal social media pages.

Any company can choose a, b or c, but many companies can’t opt for option d because they don’t have a social media policy – or at least one that is sufficiently thorough or detailed to address situations like these.

Even with the best tools in place to monitor and review social media, this issue has implications beyond just those that are focused on technology and policies. Should employees be allowed to tweet anything they want while in your employ? Should employers have the right to restrict employee activities on social media after-hours? Should courts or regulators have the right to access employees’ social media posts?

We will be writing a white paper shortly on the importance of managing social media well – not only from the perspective of providing robust security capabilities so that social media can’t act as a conduit for malware, phishing or other threats – but also from the perspective of establishing good social media policies, monitoring what people are saying via social media when using the corporate network, and archiving business content in social media posts.

How to Deal With the Travel Ban on Laptops and Tablets

On March 21st, the Department of Homeland Security (DHS) announced that any personal electronics larger than a smartphone cannot be carried in the passenger cabin on US-bound flights originating from Jordan, Qatar, Kuwait, Morocco, United Arab Emirates, Saudi Arabia, and Turkey. The airlines affected, all based in the Middle East, have 96 hours to implement the appropriate changes to ensure that non-compliant electronic devices are carried only in checked, not carry-on, luggage. The UK followed suit, implementing essentially the same policy for flights to the UK originating from Egypt, Jordan, Lebanon, Tunisia, Turkey and Saudi Arabia.

The reasons for the new policy by the US and British governments were not made entirely clear, but the US raid on Al-Qaeda forces in Yemen in January of this year apparently yielded intelligence about the terrorist organization’s development of “battery bombs” that could be large enough to destroy a commercial aircraft. Also cited were the destruction of a Russian A321 over the Sinai Peninsula in October 2015, and a bomb blast aboard a Somali A321 shortly after it left Mogadishu in February 2016, either or both of which may have been the target of battery bombs or similar devices.

While the ban on personal electronics in carry-on luggage affects only direct flights to the US and the UK from the countries noted above, it’s possible that the ban may be extended to other countries and maybe even to domestic flights in the US, UK and elsewhere.

If you rely on your laptop and/or tablet when traveling, what would you do if the ban suddenly applied to your next trip, as it already has for thousands of travelers? Here are some options:

  • The obvious (and worst) option is to travel with your laptop and tablet in checked luggage. While the rate of lost luggage, at least in the US, is relatively low at 3.09 bags per 1,000 passengers, a dramatic increase in number of laptops and tablets flying in checked luggage might motivate some baggage handlers to help themselves to the suddenly more valuable cargo. Even in the absence of theft, there is a significant risk that rough handling of luggage could damage the devices.
  • Another option is to work only from your smartphone. That will work for things like checking email and making presentations, but for writing, creating presentations or working with spreadsheets, that’s not a viable option.
  • A better option is to use a Windows to Go drive, a USB device that you can plug into any Windows-based computer or a Mac, using the computer only as a host. These bootable devices can be imaged with corporate applications and data, they store data only on the USB device leaving nothing on the host, and some are hardware-encrypted, providing a highly secure platform for storing data. Using a Windows to Go drive, a traveler could take with them an outdated Windows 7 or Windows 8 laptop that wouldn’t cause much angst if it was stolen, or they could borrow someone’s laptop at their destination.

There are a number of vendors that offer Windows to Go devices, including Kingston, Spyrus, Kanguru and Super*Talent. These devices offer a robust experience that is more or less indistinguishable from a native PC experience, they’re fairly inexpensive, and they are not likely to be the subject of a ban of the type discussed above. If you must have access to a laptop or tablet when traveling, Windows to Go drives are an option you should evaluate sooner rather than later.


Microsoft vs. Google vs. IBM

While there are a large number of cloud-based communication and collaboration solutions available, the “Big Three” in cloud-based communication and collaboration today are Microsoft Office 365, Google G Suite and IBM Connections Cloud (which includes a very good email solution called IBM Verse). I won’t go into what you get with each offering, but you can check out the various components, features and capabilities at the following links for Office 365, G Suite and Connections Cloud.

All of these offerings include robust email, instant messaging, document collaboration, file sharing and other tools, as well as lots of storage. All of these solutions are reasonably priced, although Microsoft’s high end plans are significantly more expensive than the other two (but they also include more capabilities). Microsoft’s solutions require the least disruption to the way that most information workers work, since the vast majority already use the Office suite of Word, Excel and PowerPoint; and Office 365, from a desktop productivity standpoint, is nothing more than a switch from purchasing a perpetual license for these applications to renting them in perpetuity.

From a long-term perspective, however, particularly for enterprise customers, IBM’s solution should be the subject of most decision makers’ serious consideration because of Watson Workspace. Watson, the “computer” that trounced Ken Jennings and Brad Rutter on Jeopardy back in 2011, uses cognitive capabilities to analyze social interactions among information workers. Watson is currently being used for cancer research, tax analysis and other data-intensive applications, but Watson Workspace is specifically focused on using these cognitive capabilities in the workplace. The goal of Watson Workspace is to help workers manage information overload, present the right data at the right time, and otherwise streamline work processes with the goal of making people more efficient. Microsoft and Google have analytics and other capabilities that are focused on similar aims, but neither of these vendors has capabilities that compare to Watson at this point. In short, Watson has the potential to revolutionize the way that people work with one another.

The problem for IBM, however, is two-fold:

  • First, IBM is generally more bureaucratic than either of their key competitors and has a more difficult time moving products from the conceptual stage into stuff that people can actually deploy.
  • Second, Microsoft and Google make it easy to buy Office 365 and G Suite, respectively. IBM does not.

As a test of the latter point, I had one of our researchers run a test to see how long it would take to set up an account in Office 365, G Suite and IBM Verse. She started on a weekday afternoon and found that it took six minutes to complete setting up an Office 365 account, four minutes to set up an account in G Suite — and 31 minutes to set up an account in Verse.

Now admittedly, IBM is not really focused on the single user market to nearly the same extent as Microsoft and Google. But the difficulty and length of time associated with setting up an account are indicative of IBM’s need to make its account acquisition process a bit easier and more transparent. This one-off market can result in the deployment of perhaps a few million seats, a market that just about any communications and collaboration vendor should pursue for its own sake, but also for the potential impact it could have on making these tools more familiar in the enterprise space.

In short, IBM’s communication and collaboration solutions are the best of the Big Three, but also the most difficult to acquire.

Is BlackBerry Dead in the Water?

A blog post from yesterday asks the question, “Would you say that BlackBerry is pretty much dead in the water at this point or is there hope left for the struggling Canadian company?”

The question is a good one. In the first quarter of 2009, BlackBerry had 55.3 percent of the US smartphone market and 20.1 percent of the global smartphone OS market; as of the last quarter of 2016, BlackBerry’s share of global smartphone sales had fallen to 0.048 percent. The company’s revenues fell from a peak of $19.91 billion in FY2011 to $2.16 billion in FY2016. Its operating income and net income have been in negative territory since FY2013. Its stock price went from $138.87 on April 30, 2008 to $7.45 as of today. In September of last year, BlackBerry stopped making its own phones.

So, yes, a case can be made that BlackBerry is “dead in the water” or very nearly so.

However, I believe that 2017 and 2018 will see a modest resurgence of the company, albeit not to levels that we saw before the iPhone and Android devices began eating BlackBerrys for lunch. Here’s why:

  • BlackBerry isn’t really a smartphone company anymore, but is transforming itself into a software and cyber security company. If they’re successful in doing so, that will turn their 30-something margins into 70-something margins. The company’s financial results are at least hinting that margins are going in the right direction.
  • BlackBerry still has a very good security architecture for mobile devices, one that many decision makers should (and, I believe, will) seriously consider as mobile devices increasingly access sensitive corporate applications and data repositories. BlackBerry’s DTEK technology offers robust user control over privacy and that’s going to be important for many enterprise decision makers.
  • While BlackBerry’s market share in the US and many other markets is really, really poor, the company is still doing reasonably well in places like Indonesia and in some key verticals, such as financial services. For example, a major US bank is standardized on BlackBerry mobile technology, as is HSBC, among others.
  • BlackBerry is increasingly focused on markets that are quite far afield from its traditional phone business. For example, BlackBerry Radar is the company’s first IoT application and is designed for asset tracking, currently in use by a major Canadian trucking firm. BlackBerry QNX, a real-time operating system focused on the embedded systems market, is currently used in 60 million cars worldwide (and replaced Microsoft Sync at Ford). BlackBerry has some interesting and innovative solutions focused on addressing enterprise BYOD/C/A concerns.

The bottom line is that BlackBerry is nowhere near out of the woods, but is definitely showing signs of life. John Chen has done a good job at starting to turn the company around, there is promise in several of BlackBerry’s key markets, and the company has a decent base of working capital. I have some confidence that in a couple of years BlackBerry will see something of a resurgence.