Identity Management in Retrograde Motion: Thoughts from Burton Group Catalyst North America 2008

My first post as a Burton Group analyst is now up over at the Identity and Privacy Strategies blog.


(Helps if I actually link correctly… doh!)

No, I didn’t steal the shirt; I actually do work for Burton Group

I have interacted, both socially and professionally, with Burton Group in a variety of ways over many years.  The quality of people, their integrity, and the quality of their work have always impressed me.  In short, Burton Group is the kind of place I want to work for and the people are the kind of eccentric, entertaining people that I love being around.

After a few years in the making, I have joined Burton Group as a senior analyst on the Identity and Privacy Strategies team.  The first day at a new job is always a little gut churning.  When that first day is the first day of the Catalyst conference it gets even more interesting.

Today I found myself on stage with the rest of the team during the Identity Management market overview presentation.  Stoically silent, I scanned the room for friends in the industry.  Needless to say there were more than a few very surprised people.

As my first real act as an analyst I recorded an introductory podcast – Not bad as an intro.  Obviously, there will be more to come as I take on my research projects.  Stay tuned!

Confirmation: HP to stop seeking new IdM customer

Bob, Lori, and Gerry at Burton Group have confirmed what I had heard only in rumor: HP is effectively pulling Identity Center from the market. It will continue to focus R&D on its existing Identity Center customer but will not be actively seeking new ones.I’d love to have seen what the business case was for HP’s original acquisitions into the space and then the analysis to make this decision. Tough choices.

Compliance as a Service: Counter-counterpoint

Compliance as a Service – Counter-counterpoint

Matt and Mark have both responded to my response.  Matt writes:

Thanks for keeping us honest Ian! I would be pretty blind to claim that overall regulatory compliance can be solved with any IT solution (…or set of …or service of). But I didn’t make that distinction in my previous post. But, is that the basic point you’re making? …that IT compliance is a subset of overall Compliance? Or is there more to it?

Yes and no.  I do believe the IT compliance is a subset of overall Compliance, but that wasn’t my basic point.  My most basic point was, because Big C Compliance is so truly tied to people and process it cannot be delivered as a service.  The reason I responded to you and Mark about this was that I didn’t want the conversation to start off with a definition of Big C that was too limited and too IT-centric.

Understanding that big-C Compliance requires much more than IT controls, would it seem more realistic if we said IT-compliance-as-a-service? or IT-Audit-as-a-service?

IT audit/compliance can and should be delivered as a service.  And not just the tools and tooling for it, but ownership of the compliance state and risk as well.  To me this is a natural extension to Managed Security Services and companies like Counterpane and IBM offer this to an extent.

The main thing I’m wondering is if organizations would get value from an external party taking over the IT audit portion so that the org itself (who might be anticipating regulatory pressure) wouldn’t have to figure out which questions to ask, how to ask them, how to build controls to get the right answers, and how to prove that the answers are what they should be.

This is spot on and I believe this is valuable to companies of all sizes.