Carl Weinschenk spoke with Eric Ogren, security analyst at Enterprise Strategy Group. ESG recently released a report, "Messaging Security: Beyond E-Mail."
Weinschenk: What did the study look at, and what did you find?
Ogren: We looked at purchasing motives. We wanted to know what the corporate security problems were and what [customers] want the industry to do for them next. We wanted to know how they defined messaging: Was it focused on e-mail, or did it include IM, mobile devices and Webmail? We also wanted to know whether they were myopic on malware or were also looking at auditing, controls and policy management. It was amazing that they are lacking in control almost across the board. When I asked them, if they were to have an extra million dollars, where would they spend it, they said comprehensive auditing and archiving systems. But not many people have implemented that yet. Most couldn't name a policy management or archiving vendor.
Weinschenk: You found that companies don't pay as much attention to Webmail, IM and other messaging services beyond corporate mail platforms. Did this surprise you?
Ogren: It's shocking, stunning to me. I think if you are a public company, you are responsible for attachments to IM and Webmail just as much as to e-mail. The lack of control, visibility, and ownership of the problem was stunning. I think it could be a gigantic problem. Just wait for the first couple of public disclosures and people will say, "How can IT have overlooked this stuff?" Now IT is about compliance. But they have to look at what will be going on in the business in the future and they have to do a little bit better job [preparing for] that. Part of a security person's role is to say that the company is a little at risk and we have to think of more comprehensive solutions than we have. He should say what is a risk to the company, that it is not in compliance and is at risk of losing data without even knowing it. [He should say that] we should start putting controls in place and start with auditing and archiving capabilities, which allow you to go back and see what happened. If I'm a small business, I would look at a service provider to do this.
Weinschenk: What does this mean to vendors?
Ogren: I think from the vendor side a lot of tools are going to be consolidated instead of being released as point products. I think that will help with management and administration. There may still be some special stuff for BlackBerries or whatever. But for the most part, products will be consolidated in terms of management and visibility.