Before they will power 21st century business, technology innovations will first disrupt 20th century business models. As NYU media pundit Clay Shirkey puts it, disruptions don’t typically take us cleanly from current business model A to new business model B, but from business model A to chaos to business model B. It is often the case that before we can progress in a new direction we must retrace some steps and take time to map out a new route, and this likely will be the case in spades in the digital millennium.

Strikes and law suits are often signs of disruption.  When they are prompted by innovative digital technologies that threaten the status quo, defensive maneuvering by the establishment is not only expected but called for – until a new order emerges that capitalizes on the advantages brought by unstoppable innovations yet assures their fair and responsible use.

The billion-dollar law suit for “massive intentional copyright infringement” brought last year by Viacom against Google/YouTube for providing access to Viacom content illegally uploaded by fans is a case in point. To address the issue, Google introduced a copyright identification system called Video ID, which tracks unauthorized videos. It enables a copyright owner to either block the clip, leave it up, or enable YouTube to sell ads linked to the material and share the revenue. According to a CNET News blog post, “Google said on its blog… that copyright owners were choosing to turn a buck from unauthorized clips 90 percent of the time.”

The CNET News post quoted Google, “It’s clear to our (more than 300) Video ID partners that our technology has created a framework that allows copyright holders to sanction the creativity of their biggest fans…These partners now have a new way to successfully distribute and market their content online.” The CNET News post went on to report, “Several start-ups are working on technology that will track unauthorized videos wherever they exist on the Web and then insert an advertisement into the clips.”

Digital content actually allows for tighter owner control then ever. In the past, media giants whose terms of sale legally prohibited certain personal uses of content could not discover such illegal uses nor enforce their claims, but now copyright owners can do so via the Internet. The Digital Millennium Copyright Act (1998) supports this new-found ability, a result of the powerful lobbying muscle of the media industry. Ultimately, though, the consumer will not be put back in his box, and a win-win solution, such as Google/Viacom’s, will be hashed out for the Writers Guild strikers in Hollywood (they so far won minor concessions for Internet distribution), the New York City cab drivers (they so far lost their battle to shun imposed GPS devices in their cars), and countless conflicts to come.

The immense disruptive potential of digital innovation, however, will take much time to address – 50 years, according to a gathering of prominent CEOs at the 2008 World Economic Forum in Davos – and I agree.

What do you think?

“Trust” Means …?
“Trust” is a gut word.  It’s one of those words we use all the time, but often struggle to define in the context of its use.  When asked about exactly what we mean, we often mumble through some confused description that often includes such words as “assurance,” “belief,” “confidence,” “faith,” “reliance,” “reliability” or even “security” as we try to invoke an empathic nod from listeners.

We love this word.  It has the power to evoke an approving response in all kinds of circumstances, even if we don’t exactly know what we mean!  For example, banks have historically had “trust” as part of their name (e.g., SunTrust Bank, Pacific Trust Bank, California Bank and Trust, Branch Banking and Trust) to help us feel confident in letting them hold and manage our money.  Today, that application of the word “trust” has been adopted by dozens and dozens of technology and Internet companies as part of their company name, invoking the power of the word “trust” to support presumed market predispositions.  (See Volume 1 or Volume 7 of the Digital Trust report series for a sample of companies using “trust” in their name.)

For a long time we have acknowledged the important sociological and psychological dimensions of the word “trust” and the ability to apply trust as a “quality” for people or institutions.  But, even in this application, we are not quite sure what we mean.  And, we have a lot of choices.  For example, Google reports more than 27,000 “hits” when a search for “definition of trust” is pursued!

Uncopyable?!
In an essay in “The Technium” called “Better Than Free,” Kevin Kelly uses “trust” as an example of a quality (of a person or enterprise) that is intangible and uncopyable, and which therefore can have value in a network economy that copies everything over and over and thereby makes things “worthless.” He goes on to name eight values (qualities), not including trust, as attributes that cannot be copied, and which therefore add value to free copies … making the copies “better than free.” It is an interesting point of view, and certainly worthy of reading.

Digital Trust Value for Real
Notwithstanding the soft claims of value for intangible, uncopyable qualities (even including trust), there is a trust contributor that delivers a real, measurable payoff in new value created through security services and technology.  This is the trust created and delivered by security technology and service.  This is digital trust as defined by the Digital Trust research program and report volumes.  (See all the Digital Trust volumes here.) Specifically, digital trust is evidence-based confidence that systems operate as advertised, and that no unadvertised functions are occurring.  It is:

* Announced with features and functions.
* Completed with life cycle characteristics of design, development, deployment and operation.
* Capable of value creation beyond a reduction in the risk of loss.

Digital trust is an important contributor to the full fabric of trust in any context.  But, when examined by itself, digital trust contradicts popular notions about how trust is created, conveyed and valued.  Unlike the “uncopyable” quality that is described in Kevin Kelly’s essay, we find that:

* Digital trust is hard, real and quantifiable.  It measurably affects both speed and cost, and can create value in other ways as well.
* Digital trust is fast.  In fact, “nothing is as fast as the speed of digital trust.” [1]
* Digital trust can be purchased (with money and effort) in at least four ways as seen in Volume 7 of the Digital Trust report series (see “How Much Does Digital Trust Weigh?” on pages 2-5).

Better Than “Better Than Free”
So, “better than free” is certainly an attractive notion to contemplate.  But, once we know what digital trust really is, the value that can be created, conveyed and sustained with digital trust is even better than that!

-----------------------------------

1 This phrase is adapted from the original “Nothing is as fast as the speed of trust” as seen in Stephen M.R. Covey, The Speed of Trust (New York: Simon & Schuster, 2006).

Digital Disruptions: Technology Innovations Powering 21st Century Business

Complete with its own blog by Alex Fuss, 2008 LEF Associate on Digital Disruptions, and all of you who contribute to this dialogue on disruptive technologies—those technologies that, per Harvard professor Clayton Christensen, introduce to the market very different value propositions than were previously available.

But I am getting ahead of myself. Let me (Alex, here) kick this blog off with an excerpt from a presentation I gave in April at an LEF Client Forum:

The digital disruptions begun with the Internet’s launch at the end of the 20th century and responsible for a tremendous spike in global productivity promise a second-round impact in the 21st century that we can only begin to imagine.  At CSC we have identified seven categories of digital disruptions that are rapidly impacting today’s business models:

1. New Media
2. Augmented Reality
3. Social Power
4. Information Transparency
5. Digital Spectrum
6. Platform Makeover
7. Smart(er) World

The year-long research effort by CSC’s LEF to identify these categories and delve into the implications of specific technologies they comprise will result in the Digital Disruptions research report, to be released in October 2008. 

Looking back, having worked on the Digital Disruptions report for over a year has undoubtedly broadened my horizons, deepened my research and analysis skills, greatly expanded my network of technology innovators and pundits, and left me with some new habits that should serve me well long after the report is officially released.  Foremost among these habits is the tendency to scour the news daily for any and all technology breakthroughs and filter the announcements and pronouncements through the prism of the report, defracting them through the gradients of its seven themes.

Leveraging the blog, I will, in true Web 2.0-fashion, share my personal thoughts on the implications of relevant industry events as they occur, and solicit your personal and professional comments. I am by no means an expert on the subject – “Digital Disruptions” is too broad and too fast-changing a topic for anyone to master – and look to the collective wisdom of all to help us understand the technology landscape forming before us, and how to best use that shared knowledge to advantage.

Though the report is not out yet, if you would like to familiarize yourself with the report’s themes, you can listen to the podcast of the research preview I gave in April by subscribing to the LEF RSS feed (http://www.csc.com/lefpodcast) and adding the podcast from the LEF Forum, April 2008, podcast 12 “Digital Disruptions.” In addition, Clayton Christensen’s book The Innovator’s Dilemma provides a good foundation for understanding disruption in the context of technology innovations.

I’m looking forward to a stimulating collective discussion, an actualization of theme 3 above: Social Power.

À la prochaine (until next time)…

Here we go again.  In the latest round of annual security surveys we now have the “2008 Security Survey” from InformationWeek.  As presented by its authors, the main message of this survey is that “risk management” is the answer to the woes of continued investments in security that has seemingly no real improvement.  The survey is thorough in its analysis of the data collected, and even goes on to point to applications of “risk management” by industries like insurance as models of a proactive strategy that should be emulated by information security managers as well.

The survey once again confirms earlier conclusions and collections of anecdotal evidence that emerge year after year in surveys taken and published not only by InformationWeek but others (e.g., “Global Security Survey” from CIO, “State of Information Security” from CSO, the industry-specific Global Security Surveys from Deloitte, and the “Global State of Information Security” done annually by PriceWaterhouseCoopers, CIO and CSO).

While every one of these surveys delivers powerful reminders of “where we are” with regard to our current information security practices and status, there seems to be a consistent thread of “why are we stuck?” along with exhortations to be more diligent (like the insurance industry) in performing “risk management” to help determine investment and response priorities.  Apparently, no matter how well we do, it’s just not good enough.

What If We Could Perform Information Risk Management “Perfectly”?
No matter where or how it is applied, risk management, including information risk management, is a purely defensive strategy that works in two ways:

1. Protect what value already exists even if some “bad stuff” happens.
2. Reduce the chances of “bad stuff” happening.

While you can see these two objectives expressed in various equations or toolsets or hundreds of different metrics, all of the expressions represent the same two foundation objectives.  Some industries (e.g., gambling, insurance and investment) have evolved more mature tools and techniques to apply the foundations of risk management to their specific industries.  Information risk management has not evolved nearly as well.

What if, despite our acknowledged shortcomings, we could apply information risk management “perfectly” to our enterprise?  What would happen to the existing enterprise information value at risk?  According to the foundation equations of information risk exposure, our information risk would become zero!  And, according to all of the most public of surveys, this is exactly the state we desire.

But, wait!  If we could do information risk management perfectly, what would happen to the total value of the enterprise?  The answer is equally clear: we would not add a single nickel of value to the enterprise!

Somehow, that takes the luster off of the so-called desirable state.  Somehow, pure traditional information risk management doesn’t seem like enough.  Seen through the eyes of senior leaders of business and government enterprises, this outcome falls short of where we need to go today.

Spending “the Other Side of the Coin”
According to the Digital Trust report series there’s another (longstanding) side to this coin of information risk management.  Rather than focus on defense and the preservation of as much existing enterprise value as seems “reasonable,” digital trust applies security technology and services to:

1. Create new value.
2. Increase the chances of “good stuff” happening.

This is referred to in digital trust as “the other side of the coin” for security services and technologies, and points to a whole new strategy for making decisions about security investments.  Furthermore, the digital trust research results show that “you can’t spend just one side of the coin.” That is, by using a digital trust strategy, the information risk exposure reduction is achieved as a beneficial side effect.  Check out all the volumes of the Digital Trust series to see how this strategy works and how others are capturing payoffs.  In particular, scan volumes 1 and 8 (Volume 8 coming soon) for the “quick study” tour.

Digital trust calls on the enterprise to “aim higher” for value creation with security services and technologies, knowing that risk exposure will be reduced as well.  It also calls for a change in the security governance approaches used by the enterprise, especially a change in the assignments and responsibilities assigned to information security leaders.  Digital trust is a learned behavior.

What About Next Year’s “State of Information Security” Report?
As long as we continue to focus on the defense of traditional information risk management, we can expect the next reports on “the state of information security” to show marginal shifts in performance (one way or the other) and to encourage the deployment of different kinds of technologies and practices to deliver marginal improvements in the protection of enterprise value that already exists.  And, since nearly all of our theoretical foundations for risk management (including as applied to information and information services) were discovered and proven during the Renaissance, we have 250 years of evolved behavior and practice to overcome.  (See Peter L. Bernstein’s book, Against the Gods: The Remarkable Story of Risk.)

The annual surveys often note that we measure IT risk management budgets as a percentage of the overall IT budget.  Yet, we find no dependable (and positive) correlation between the percentage assigned and the results achieved.  In fact, in many places we often see attempts to determine just how small that percentage can be before results appear to become measurably worse.

If we want the reports to change, and we want security services and technologies to provide real payoffs to the enterprise, then a digital trust strategy provides a way to go.  Some enterprises are already showing signs of digital trust, and those might be better examples for us to follow than even the most sophisticated applications of traditional risk management.

Aim higher.

Hooray for virtual computing environments!  Freeing the digital enterprise (and users of the digital enterprise) from the shackles of physical platforms and the replication of operating systems and applications everywhere is crucial to capturing the value potential of the “liquid enterprise” (see Volume 5 of the Digital Trust series).  But the payoffs of a liquid enterprise cannot be created and sustained unless there is equally liquid security to flow over, through and around the (newly) liquid digital enterprise.

Liquid security is digital trust when time, place and platform are irrelevant.  As long as digital trust remains “liquid,” then the enterprise can indeed create and capture new value with such techniques as dissolving the intranet altogether, letting users apply their own “consumer IT” for their job, and making all kinds of applications and data usable in all kinds of circumstances, regardless of the networking, platform or support environment.  This is the power of liquid security, and virtual computing technology is one clear contributor to that value creation and capture.  When the right kind of digital trust remains liquid, only the application matters.

Hoping the Phantom Remembers Digital Trust
But, as IBM reminds us, “virtual computing environments still need real security.” To that end, IBM has begun a research initiative named Phantom designed to find and fix security vulnerabilities in virtual computing environments.  Now, such an initiative is laudable.  But it is also reminiscent of the “find and fix” vulnerability programs begun and maintained by every operating system and major application vendor worldwide.  In fact, Tuesdays have assumed a whole new dimension on the weekly calendar with the regular release by Microsoft of patches and fixes to vulnerabilities discovered through its “find and fix” program.

Here’s hoping that the Phantom researchers remember the fundamental reasons for virtualization technology, and especially the value creation and capture possibilities with digital trust (in the form of liquid security).  Otherwise, hypervisors and the “applications” that can operate on specific hypervisors will be in danger of becoming as balkanized as operating systems and their own applications. 

While VMware continues to be the most well known virtual computing environment, Citrix/Xen, Microsoft Hyper-V, Oracle VM, Sun xVM, Parallels and a host of other alternatives are pushing hard for market share.  Integrators are lining up with one or more “virtual vendors” to offer design, installation, applications porting and even complete operating services. 

Furthermore, other levels of virtualization for the liquid enterprise are also great sources of liquid security and subsequent payoffs.  RingCube’s MojoPac and RedCannon’s KeyPoint Access illustrate the value of liquid security without having to become “virtual in the extreme.”

Keep Liquid Security Liquid
So, let’s give a hearty “hurrah” for the Phantom, and let’s remind the Phantom that virtual computing environments need not be burdened with exactly the same kind of “real security” that we’ve plowed into operating systems and applications.  While we are researching the vulnerabilities of virtual computing environments, and planning to insert mechanisms to “lock down” hypervisors and virtual machine monitors, let’s also remember to keep liquid security liquid.

The techniques we use for “real” operating systems and applications have led us to “patch Tuesday” and to platform and configuration dependencies that almost make more problems than they solve.  If we follow exactly the same model for our virtual computing environments, then we’ll no doubt end up with a “virtual Tuesday” patching nightmare, compounding the technology update calendar we already must follow.

Only the application matters … only the application matters … only the application matters …