June 15, 2005

Thinking Outside the Sarbox

The other day I was reading the latest post from Nick Carr on his Rough Type site entitled The Sarbox Molehill. In the second paragraph he states:

These days, you hear the marketing pitch often: "Don't view Sarbox as just a compliance issue; use it as a lever to overhaul your systems and processes." In other words: Launch big IT projects now!

I have to disagree with his translation. While some sell-side individuals may try to position it this way, we shoud not lose sight of the fact that in compliance (Sarbox, HIPAA, GLBA - whatever) there is the potential for achieving so much more than compliance - BUT not requiring the launching of a big IT project. To agree with Nick's musings is to fall into the trap also expressed in his posting:

It was interesting, therefore, to hear the CIO of a leading manufacturer deflate the Sarbox hype during a panel discussion at a recent conference. So, she was asked by the moderator, do you view the compliance challenge as an opportunity to proactively make broader changes? No, she said calmly, we're just going to do the minimum we need to do to pass the legal tests, and then we're going to move on. Sarbox is a nuisance, she continued, but it won't be long before everyone's forgotten about it.

It's a sensible view, and my guess is that it's shared by more than a few of her counterparts at other firms - even though few would say so publicly.

This is not a sensible view but nonsense. Meeting minimal requirements will require some investment in technology. One need not go beyond any further investments in technology, necessarily, to gain additional business benefit. Innovative approaches to leveraging these technology investments do not require additional software/hardware investments, just a greater creative effort in system design and implementation.

Nick assumes that the compliance issue is a small one that is easily solved, and that anything beyone that automatically turns into a huge IT mega-dollar project. Imagine buying an automobile in order to take yourself to and from work each day. The imagine llimiting your usage of the vehicle to that purpose. Sure, you may have to invest in a bit more fuel, and a map or two - but that single initial investment could be leveraged to achieve school car pooling and cost-effective vacations. My experience has been that the investments made in content managment, process and security technologies that enable compliance are in and of themsleves fairly substantial. By thinking outside the "Sarbox", the functionality achieved can go way beyond just achieving compliance and can be used to increase internal efficiency, collaboration,  create new business value out of existing content. And all you need do is invest in a bit more fuel (creative thinking) and maps (strategy).

Posted by Carl Frappaolo on June 15, 2005 | Permalink | Comments (1) | TrackBack (0) | Bookmark This

May 24, 2005

Re: Remove Forebrain and Serve: Tag Clouds II

This morning I stumbled onto You're It! a blog on tagging via a co-worker, and started perusing the content within. Much interesting content on there, with some of the usual cast (Clay Shirky, David Weinberger, Peter Merholz are top of mind for me), and I happened across Jeffrey Zeldman Presents The Daily Report - Remove Forebrain and Serve: Tag Clouds II. There is quite a lively discussion going on there around the issues of formal taxonomies vs. folksonomies and issue of the mob vs. the professional, etc.

While I posted some comments in Zeldman's separate blogspot discussion area I'm repeating them here for my own permanent record, and to encourage discussion to branch out within our own context here, which tends to be more enterprise-focused than individually focused.

The comments I'd posted:

Jeffrey and all - Great discussion, seems to be generating far more depth than other circles stuck on the folksonomies wave.

I'll just throw a few cents in here, maybe a buck three fifty:

  1. Randomization can do wonders to avoid the pure herd mentality problem. Let's learn from other systems, like expertise location - where you don't want the TOP expert being the only resource used, or you will drive him/her insane and cease all other 'productive work.' Mix it up, and distribute the load a bit. Seeing popular terms and trends is a very interesting artifact of these systems, but not the main benefit, IMHO. This 'tag cloud' visualization business is also one heck of an eye sore from a usability standpoint. Lightweight certainly, but yeesh...
  2. The way that del.icio.us and others work allow (and encourage) people to have multiple tags, rather than the standard controlled vocabulary approach (in an enterprise deployment, not the web at large) which is typically (not always mind you) a SINGLE tag. With multiple tags comes the ability to cross-slice within an individual's collection or across collections. Personally, I wish there was an easy way to create synonym rings or a thesaurus in del.icio.us to squish the folksonomies a bit. Unlike Clay Shirky, I'm not convinced that film, movie, cinema people are from different planets and never intersect.
  3. When I talk about folksonomies and personal vocabs in our Proving Ground on Information Architecture and Taxonomy event, or our consulting work, 90-95% of the people I'm working with look at me like I have two heads, perhaps three (including my own colleagues - which I'm used to). They don't have the slightest clue what I'm talking about, and even after showing it and explaining it, they don't quite get it. Let's not forget that organizations/enterprises move just a bit slower than the cutting edge blogosphere - with any luck that delay lets organizations skip out on this messy beta phase and straight to the next major stepping stone.
  4. Anyone who believes that controlled vocabularies OR folksonomies OR search OR collaborative ranking OR yadda yadda are THE ONE SOLUTION in and of themselves should really take a break from drinking the kool-aid, and get some fresh air. The solution depends on the problem at hand, which depends on context, content, and the community being served. Folksonomies, while ostensibly being about sharing, seem to be about tracking your own important things FIRST, and sharing secondarily, and both of those aspects are still not quite fully baked.
  5. The idea that Clay Shirky had mentioned on using these services to keep found things found is great, except that del.icio.us and most of these systems (outside of Furl, or is it Spurl?) don't keep copies of the content frozen in time, it's just a pointer. Outside of blogs, most systems don't have permalinks, and many sites are pulling dynamic content of one sort or another. Perhaps it's time for Google to leverage their caching mechanisms, along with social bookmarking, their new portal offering (back to the future anyone?), and their traditional search/pagerank capability into the next generation of findability/searchability, fully of Googly goodness?
  6. The inability to search on actual content within del.icio.us et al is a right pain... I like being able to demonstrate the pros and cons of pure tagging vs. pure search and the intersection, so showing del.icio.us vs. Cocoalicious helps to easily illustrate that. Until people can see directly what the good and bad are of these capabilities, it just doesn't sink in. To my earlier point, no single one of these options is likely to be THE solution.
  7. The whole business of all of these social bookmarking systems using their own secret tagging language of spaces, not spaces, commas, CamelCase, etc. - 'normal' people don't want to have to deal with this craziness. This is a real problem for even broader adoption. I'm willing to do it, but then again, I'm a sucker for experimentation.

I'm curious - anyone using these ideas within the walls of their own systems/organizations, or is it just out here in the wild west that folksonomies/social bookmarking is happening?

Cheers,
Dan

Posted by Dan Keldsen on May 24, 2005 | Permalink | Comments (1) | TrackBack (0) | Bookmark This

May 19, 2005

Star Wars Sith Leaked Online

As should've been expected, a copy of the latest Star Wars has been leaked online, although in this case, it is a workprint complete with timecode overlaid on every frame, which is not quite the same as leaking a clean/pure digital copy of the version that millions will be watching in the theater, but still, problematic in the theoretical lost revenuee, or a fantastic promotional opportunity for the launch of Star Wars EP3. Plenty of conspiracy talk around this already.

In any case, assuming it was an insider, this illustrates at least two things for intellectual property protection concerns.

  1. Insiders can more easily compromise systems, with their ready access to systems and content, whether maliciously intended, accidental (unlikely in this case), or for publicity purposes (for good or bad)
  2. Putting security on the finalized content is one area to be addressed, but what about roughs, final drafts, or Golden Masters? Is all of your content secured, throughout the lifecycle, or do you wait until it's about to be released to the world, or a partner, before wrapping security around it? Is it up to authors, editors, admins to add security, or is security process built-in to the creation/editing/distribution/destruction process?

For more details...

Link: Waxy.org: Daily Log: Star Wars EP3 Workprint Leaked Online
Link: Reuters: Final 'Star Wars' film leaked to the Internet

Posted by Dan Keldsen on May 19, 2005 | Permalink | Comments (0) | TrackBack (0) | Bookmark This

May 17, 2005

Star Wars: Revenge of DRM

An interesting overview (Link: Security and Digital Cinema: The Last Big Question) of the techniques, processes and technologies being used to secure digital film, begs the question - if it the content is already in digital form, why is so much effort being made to specifically secure digital film as a separate medium?

Of course the answer is... there is a good deal of money at stake, and the industry wants some assurance that going digital does not also mean going bankrupt.

So the movie industry, via:

Digital Cinema Initiatives (DCI), a limited liability company that was established in March 2002 and whose members include Disney, 20th Century Fox, MGM, Paramount, Sony Pictures Entertainment, Universal and Warner Bros...

...has created a draft of standards to put forth and enforce with content licensees (theaters), to ensure that content can not be leaked, sold, stolen, etc..

Many companies do not understand the value of protecting content itself, particularly outside of the realm of content/data that it they are mandated/regulated to secure - such as healthcare information, credit card information, and the like.

Content that is being distributed for sale, is a more clear cut case, although it seems that buyers/implementors of solutions (such as Digital Rights Management - DRM, as is the case in the digital film example) tend towards the extremes, either doing almost nothing to secure their content, or pursuing these capabilities to the ends of the earth.

A quote that troubles me from this article is:

"This biggest issues now are over fingerprinting and watermarking, and we need to be careful. How do we set those standards without telling the bad guy how to do it?"

This is a well known area of faulty thinking in security, the issue of "security through obscurity." If security measures/technologies can not stand up to scrutiny of the direct code or processes themselves, then it is essentially not secure. For anyone who recalls the controversy when the 'encryption' scheme (Content Scrambling System or CSS) was broken by a Norweigan teenager in 1999 (Link: DeCSS) - the primary issue of that security mechanism was the idea that the algorithm itself could be kept secret, and the wonder of reverse engineering proved that it was not a secret for long. Weak security is weak security, and hiding the details only buys a finite amout of time.

The entertainment industry has gone down this path many times, and while there are some signs that they are getting more saavy about doing this well, there are still hiccups that echo back to past mistakes, directly from their own industry, let alone best/worst practices from the business world at large. At least in this case, they are using more established, strong encryption techniques (AES-128 bit) - rather than the 40-bit (and limited keyspace at that) techniques from CSS, and separating the key mechanism from the storage medium, so progress is being made, but not as quickly or comprehensively as the current available state of the art would indicate.

While Star Wars is now coming to a close, Digital Rights Management and Content Security (the larger roll-up of all technologies securing content at rest, in motion, regardless of file format, transmission medium, etc.) is in relative infancy, although it is much farther along than most organizations realize.

Posted by Dan Keldsen on May 17, 2005 | Permalink | Comments (0) | Bookmark This