The post The Good, The Bad, & The Techy – Webservers with Liam Crilly of NGINX appeared first on Gigaom.

The post The Good, The Bad, & The Techy – Burning Everything to the Ground with Sarah Polan appeared first on Gigaom.

The post The Good, The Bad, & The Techy – Technology Product Marketing Pitfalls appeared first on Gigaom.

We at GigaOm are constantly looking to make our research processes more efficient and more effective. Vendors often tell us what it’s like to work with us—we welcome these interactions and look to address every comment (so thank you for these!). We spent a good part of 2023 on driving far-reaching improvements in our processes, and we’re building on that in the knowledge that better efficiency leads to higher quality research at lower cost, as well as happier analysts and vendors!

That’s why we’re making a small yet necessary change to our briefings process. Historically, we’ve asked vendors to complete a questionnaire and/or schedule a briefing call, and we haven’t specified the order these should take place. The small tweak is to request that vendors first complete a questionnaire, THEN participate in a call to clarify details.

In practice, this means we will enforce receiving a completed questionnaire 24 hours before a scheduled briefing call. Should we not receive it within this timeframe, we will reschedule the briefing so the questionnaire can be completed and reviewed prior to the call. Analysts need time to review vendor responses before a briefing, so getting the questionnaire five minutes before won’t cut it.

As well as fostering efficiency on both sides, the broader reasons for this change are founded in our engineering-led evaluation approach, which reflects how an end-user organization might conduct an RFP process. What we do is to set out a number of decision criteria we expect products to possess, then ask for evidence to show these features are in fact present.

Briefings are actually an inefficient mechanism for delivering that information; the questionnaire is far better at giving us what we need to know to assess whether and how a product delivers on our criteria. Briefings should supplement the questionnaire, giving analysts an opportunity to ask follow-up questions about vendor responses which will cut down on unnecessary back-and-forth during fact check.

Briefings also have their own distractions. Keep in mind that we care less about market positioning and more about product capability. General briefings (outside of the research cycle) are a great place to set out strategy, have the logo slide, run through case studies, and all that. We love those general briefings, but the research cycle is the wrong moment for the big tent stuff (which often exists as a prerecorded video that we’d be happy to review, just not as part of a report briefing call).

I’ve often told vendors we’re not looking for all the bling during briefings. In the best cases, our engineers engage with your engineers about the key features of your products. We don’t need trained spokespeople as much as an honest conversation about functionality and use cases—10 minutes on a video call can clarify something that reams of marketing material, and user documentation cannot. Hence the change.

This shouldn’t add any extra time to the process—the opposite, in fact, as briefings are more productive when the questionnaire is already in place. We can reduce costly errors, decrease back-and-forth clarifications, and minimize misinterpretation (with the consequent potential backlash on AR, “how did you let them write that?”).

So, there you have it. We’ll be rolling out this change in early June for our September reports, so nothing will happen in a rush. Any questions or concerns, please do let us know—we’re constantly adjusting timeframes based on national holidays, industry conferences, and competitor cycles, and we welcome all input on events that might impact delivery.

We are looking at other ways we can improve efficiency, notably simplifying or reformatting the questionnaire, so watch this space for details—and we welcome any thoughts you may have! We also understand that logistics can be tough: we are all juggling time, resources, and people to enable research to happen.

We absolutely recognize the symbiosis between analysts and vendors, and we thoroughly appreciate the efforts made by AR teams on our behalf, to enable these interactions to happen—from familiarization with GigaOm and explaining our value, through negotiating the minefield of operational logistics! Our door is always open if you need anyone to help support your endeavors, as we work toward a win-win for all.

The post On Questionnaires and Briefings: Explaining the GigaOm Policy Change appeared first on Gigaom.

What Is the Ruling?

The new SEC ruling requires disclosure following an incident at a publicly traded company. This should come as no surprise to any organization already dealing with data protection legislation, such as the GDPR in Europe or California’s CCPA. The final rule has two requirements for public companies:

• Disclosure of material cybersecurity incidents within four business days after the company determines the incident is material.
• Disclosure annually of information about the company’s cybersecurity risk management, strategy, and governance.

The first requirement is similar to what GDPR enforces, that breaches must be reported within a set time (72 hours for GDPR, 96 for SEC). To do this, you need to know when the breach happened, what was contained in the breach, who it impacted, and so on. And keep in mind that the 96 hours begins not when a breach is first discovered, but when it is determined to be material.

The second part of the SEC ruling relates to annual reporting of what risks a company has and how they are being addressed. This doesn’t create impossible hurdles—for example, it’s not a requirement to have a security expert on the board. However, it does confirm a level of expectation: companies need to be able to show how expertise has come into play and is acted on at board level.

What are Material Cybersecurity Incidents?

Given the reference to “material” incidents, the SEC ruling includes a discussion of what materiality means: simply put, if your business feels it’s important enough to take action on, then it’s important enough to disclose. This does beg the question of how the ruling might be gamed, but we don’t advise ignoring a breach just to avoid potential disclosure.

In terms of applicable security topics to help companies implement a solution to handle the ruling, this aligns with our research on proactive detection and response (XDR and NDR), as well as event collation and insights (SIEM) and automated response (SOAR). SIEM vendors, I reckon, would need very little effort to deliver on this, as they already focus on compliance with many standards. SIEM also links to operational areas, such as incident management.

What Needs to be Disclosed in the Annual Reporting?

The ruling doesn’t constrain how security is done, but it does need the mechanisms used to be reported. The final rule focuses on disclosing management’s role in assessing and managing material risks from cybersecurity threats, for example.

In research terms, this relates to topics such as data security posture management (DSPM), as well as other posture management areas. It also touches on governance, compliance, and risk management, which is hardly surprising. Yes, indeed, it would be beneficial to all if overlaps were reduced between top-down governance approaches and middle-out security tooling.

What Are the Real-World Impacts?

Overall, the SEC ruling looks to balance security feasibility with action—the goal is to reduce risk any which way, and if tools can replace skills (or vice versa), the SEC will not mind. While the ruling overlaps with GDPR in terms of requirements, it is aimed at different audiences. The SEC ruling’s aim is to enable a consistent view for investors, likely so they can feed into their own investment risk planning. It therefore feels less bureaucratic than GDPR and potentially easier to follow and enforce.

Not that public organizations have any choice, in either case. Given how hard the SEC came down following the SolarWinds attack, these aren’t regulations any CISO will want to ignore.

The post Navigating the SEC Cybersecurity Ruling appeared first on Gigaom.

The post The Good, The Bad, & The Techy: Insider Risk Management appeared first on Gigaom.

The post The Good, The Bad, & The Techy: Is There Life After Incidents? appeared first on Gigaom.

The post The Good, The Bad, & The Techy: Workplace Transformation appeared first on Gigaom.

The post The Good, The Bad, & The Techy: The (Not So) Hidden Costs of AI with Noble Ackerson appeared first on Gigaom.

The post The Good, the Bad, & The Techy: Edge Kubernetes with Said Ouissal appeared first on Gigaom.