Tonight I’m blogging from the PCI Council Community Meeting here in Orlando, FL.  Tomorrow we’ll be talking about the new changes in version 2.0 of the PCI DSS audit requirements (set to go into effect in 2011), but tonight was the welcome reception for the 1000 attendees here at the Buena Vista Palace Hotel.

Participation in the PCI Council Community Meeting conference is on the rise.  Two years ago there were about 500 attendees from 300 participating organizations – now the numbers have roughly doubled.  There are probably two major factors behind this.

One factor is the de facto status of PCI DSS as one of the gold standards of information security.  When five competing credit card companies came together in 2004 to publicly agree on a single security standard there was much rejoicing throughout the industry.  And the standard has held up: though major releases have come every two years, the original twelve categories and most of the subcategories remain essentially unchanged from the original.

The second factor is the ever-widening circle of companies that fall under the scope of PCI compliance.  Originally it was large credit card processors and retailers, but in recent years even companies that only handle a few dozen credit card transactions a year have had to take notice.  And as the scope widens, there are more people who want their voices to be heard in the decision-making process, which is where this week’s conference comes in.

I’ll be posting a few more items about this conference in the next few days – please stay tuned.

I just finished reading a great article in Network Computing titled “Managed File Transfer Asserts Data Governance In Transit”.  Author Neil Roiter hit the nail right on the head by calling out the importance of visibility and governance over person-to-person file transfers.  And if you don’t believe us, just ask any eDiscovery judge!

Sure, organizations absolutely positively must carefully consider how to transfer staggering volumes of data between systems and servers, both inside and outside the organization – all with management, policy enforcement and visibility capabilities.

That being said, individual employees are sending files to other people too… And unless IT provides them with an easy-to-use process to accomplish this, they will find their own ways, such as personal email accounts, USB drives, online file sharing services, etc.

Increased focus on data security, governance, regulatory compliance and eDiscovery has really put pressure on IT to have complete visibility not only into the processes involved in data transfer, but ALSO THE PEOPLE.  Frank Kenney sums it up well in the article:

“MFT can bring (person-to-person) file transfer under the corporate governance umbrella. We can give people ad hoc technology and enforce the use of those technologies. We make capabilities dead easy to use and enterprises have the right policies in place about how to use them. MFT products provide visibility and validation through dashboards, reporting, real-time updates on data transfer and audit trails.”

Some day, an eDiscovery judge may ask you to provide an audit trail with proof of chain-of-custody for a particular file that has bounced around your company and between people.  Here are just a few questions you’ll need to be able to answer:   Who sent what?  When?  Where?  To whom?  Was it encrypted?  And did it get there?

What will your answer be?
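One way to make those six questions answerable after the fact, as an added illustration that is not code from the article or from any MFT product: a small hash-chained transfer audit log, where every record names who sent what, when, to whom, whether it was encrypted and whether it arrived, and each record is bound to the one before it so later edits or deletions are detectable. All names, timestamps and file contents below are constructed sample values.

```python
import hashlib
import json


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class TransferAuditLog:
    """Append-only log of person-to-person file transfers.

    Each entry stores the SHA-256 of the file (so the same file can be
    followed across hops) and the hash of the previous entry, so altering
    or removing any record breaks the chain and verify() reports it."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, sender, recipient, filename, content: bytes,
               when, encrypted: bool, delivered: bool) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "who": sender, "to_whom": recipient, "what": filename,
            "file_sha256": _digest(content), "when": when,
            "encrypted": encrypted, "delivered": delivered, "prev_hash": prev,
        }
        entry["entry_hash"] = _digest(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self) -> bool:
        """Recompute every entry hash and check the links are intact."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev:
                return False
            if _digest(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def custody(self, file_sha256: str):
        """Chain of custody for one file: (when, who, to_whom, encrypted, delivered) per hop."""
        return [(e["when"], e["who"], e["to_whom"], e["encrypted"], e["delivered"])
                for e in self.entries if e["file_sha256"] == file_sha256]


def build_sample_log():
    """Constructed scenario: one contract forwarded twice inside a company."""
    contract = b"CONSTRUCTED SAMPLE CONTRACT v1"
    log = TransferAuditLog()
    log.record("alice@example.com", "bob@example.com", "contract.pdf", contract,
               "2010-09-21T09:15:00Z", encrypted=True, delivered=True)
    log.record("bob@example.com", "carol@example.com", "contract.pdf", contract,
               "2010-09-21T14:02:00Z", encrypted=True, delivered=False)
    return log, _digest(contract)
```

Calling `custody()` with the file's digest lists every hop in order; flipping any field in a stored entry makes `verify()` return False.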

When interviewing job candidates, I’m always on the lookout for dedicated, motivated, passionate people who relish rolling up their sleeves and doing whatever it takes to get the job done.  Why?  Because a little bit of chutzpah goes a long way towards being a successful and productive employee.

But can employees “going above and beyond” backfire and result in severe damage to a company?

Unfortunately, yes, they can.

In his guest blog post on LastWatchdog, Gary Shottes, President of Ipswitch File Transfer, describes an example of how hard-working employees are causing new security and legal liability implications that organizations need to carefully consider when deciding what tools to provide people with.

“Highly-motivated workers are willing to do whatever it takes to get the job done, with or without IT.  Employees, whose job requires them to send information to colleagues, partners, vendors or customers around the globe, have literally thousands of file transfer options.

If IT fails to provide employees with a fast and easy way to share information, they will take matters into their own hands, even if that means using technology that’s not sanctioned by IT. They may use a personal webmail account, smartphones, USB drive, or even transfer data via Facebook and LinkedIn.”

Combining that increasingly familiar scenario with recent survey data indicating that over 80% of IT executives lack visibility into files moving both internally and externally drives home the scary point that there’s a big security hole in many companies.  Organizations need to be careful that employees can’t crawl through it, even with the best of intentions.

Fortunately, there are some great tools out there to arm employees with a quick, easy-to-use and secure way to share information with other people, both inside and outside the company, while at the same time providing the company with the critical visibility, management and enforcement it needs to protect sensitive and confidential information.  This is one situation where it makes a lot of sense to lead the horse to water and make it drink.

Multi-enterprise collaborative implementations and deployments can be extremely difficult to benefit from because all too often the companies deploying these solutions overly emphasize the security mechanisms and protocol support. While those aspects are important, the ecosystems around companies are expanding to include smaller partners and Prosumers that need to be managed, provisioned, and have their expectations met. In short, companies will need to spend the time and effort on better managing all aspects of the interactions in their ecosystem.

The agreement between Cleo Communications and Stonebranch is a good step in this direction, but we continue to advise our customers, prospects, and the overall market to strongly consider the visibility, management, and enforcement aspects of any type of integration and collaboration. Much of this partnership seems to be based on technology around providing multiple protocol and security support. I will never underestimate or undervalue the importance of protocols and security mechanisms, but I will always focus on the larger aspects of governance: visibility, management, and consistent enforcement of policies related to security and performance. These are the things that matter. This agreement furthers my strong and publicly stated beliefs that companies are consolidating their approaches to integration and collaboration.

Simply put, there continues to be a high degree of volatility (this impacts the entire marketplace in a positive way) in the managed file transfer market.