I spent part of my afternoon on Tuesday chatting with an IT manager and an internal audit manager at a large U.S. stock brokerage about how they had successfully implemented a document security solution. This call was set up by data protection vendor Varonis, which I’ve become somewhat fascinated with in the last few weeks, largely because it appears to have the only real solution to the kind of document control problem at the heart of the Edward Snowden leak at NSA. I spent a big chunk of my life in security, internal audit and as an executive, and that one event scared the hell out of me. You need a very special solution to mitigate this kind of problem and, like other firms I’ve spoken with, this stock brokerage looked at a lot of vendors before investing in Varonis after concluding that no other vendor could do what needed to be done.
Now, from a vendor, such a claim is questionable. From this client, where folks literally bet their jobs on the result, I’m rather impressed, and they didn’t say this once, they said it a number of times.
I’d assumed the stock brokerage got to Varonis because of concern surrounding document leakage. Stock trading and the rules surrounding insider trading and stock manipulation set my expectation that this would be the initial focus of any information management solution in a place like a brokerage. I was totally wrong here; the driver was Sarbanes-Oxley and compliance.
In other words, they were focused on assuring accounting accuracy and that the executives who are now by law assumed to have access to material information actually do have it so they don’t make mistakes about company performance.
In a world concerned about leaks, hearing that a tool like this was used to assure the people who needed to see things actually saw them kind of blew my mind. It never would have occurred to me to use a tool like this to assure that executives could do their jobs, or prevent them from accidentally committing a crime, as opposed to keeping them from intentionally committing a crime.
I realized that the idea of an honest executive, or politician for that matter, had become an oxymoron, at least in my head.
Most companies are a mish-mash of merged entities, all using different technologies and systems. This is where most information management solutions fail. They work in one environment but not in another, resulting in a screwed-up set of utilities that don’t integrate into a dependable solution. One of the reasons that the folks at this large brokerage said Varonis was unique was because it covered everything they had. As a result, they were sure they were now covered. Nothing else they looked at even came close.
This client isn’t a small shop and at this scale you really don’t hear the “nothing else works at all” reason for choosing a product. But I agreed that this ability to work across all of the platforms they had, including Exchange, would be a near unbreakable requirement for a solution like this.
Let’s be clear, it wasn’t just IT operations that was blessing this, but internal audit.
Internal Audit and Edward Snowden
One of the complaints that this client's internal audit was hearing was that executives thought system admins were reading their email. Having been in audit myself, I know you can find some pretty juicy things in email. And you’ll recall that it was excessive privilege by Edward Snowden, a system administrator, that critically damaged the U.S.’s intelligence gathering efforts and diplomatic missions.
Now, even if an employee is trying to get access to something they aren’t supposed to see, it will flag, which should prevent the theft from occurring in the first place. Finding out something was stolen after it is gone, as the NSA discovered, doesn’t really do that much good.
This is the core value to internal audit; they can assure that only people who are supposed to see things see them. While they can’t be sure system admins weren’t reading executives’ email before Varonis, they can now. None have done so, because they all knew this tool was being put in place. Now executives and auditors sleep much better than they likely did.
One thing both groups liked was the ability to identify information that hadn’t been used for years so it could be deleted, reducing both storage costs and the risks of litigation discovery finding something damning that no one in the company remembered as having ever existed.
Wrapping Up: Sleeping Soundly
Today, you likely couldn’t pay me enough to be a CIO. There are just too many things you can’t possibly keep track of that could go wrong and result in not only your termination but early retirement, and I’m too old to flip burgers at a McDonald’s. But products like Varonis go a long way toward mitigating that risk, at least when it comes to information security and management, and given this very large client's glowing report, if I were a CIO, I’d have this thing on my short list if only to assure my personal survival.
Varonis is on an extremely short list of companies that supply products I wouldn’t be without in any major executive role in any public company, three-letter agency, government office, or IT firm.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+