Governance for Your In-box
E-mail archives are becoming an important part of companies' efforts to comply with government regulations.

By George V. Hulme
Winter 2007

By most accounts, the vast majority of e-mail isn’t legitimate: On any day, millions of the messages circulating around the Internet are simply spam or phishing attacks, and many carry viruses designed to infiltrate corporate in-boxes. Yet there are risks associated even with legitimate e-mail, and once such e-mail has made its way past antivirus and antispam filters into someone’s in-box, the legal implications of subpoenas, the processes of e-discovery and government regulations — for example, those related to the Sarbanes-Oxley Act and Health Insurance Portability and Accountability Act (HIPAA) — become real considerations.

The University of Rochester (UR), which takes e-mail management seriously, is in the midst of developing an e-mail compliance policy — a process that requires tough choices spanning human resources, compliance teams, IT team members, legal departments and IT security. “Deciding what e-mails need to be kept, and for how long, isn’t easy,” says Kim Milford, the university’s information security officer. “The legal department is currently working to decide what types of e-mails must be kept,” she says. New York State law requires retention of all university employment records, including e-mail, of former employees for the several years that follow their departure, Milford says. As a result, UR has decided to manage its e-mail and message-archiving systems as if it were a public company. “While Sarbanes doesn’t technically apply to us, most of these laws that focus on privacy are, in fact, setting the standard of due care,” she says. “So we want to move as close as we can to a Sarbanes-type environment. That’s where we feel we need to be.”

More Is Better
Western & Southern Financial Group, a Cincinnati-based diversified family of financial services companies with assets owned and under management in excess of $39 billion, has been archiving its e-mail messages for about two years. The firm archives the e-mail of all employees — including traders — who perform work regulated by the Securities and Exchange Commission (SEC), says Mark Pfefferman, assistant vice president and director of distributed computing services. In fact, to make sure that Western & Southern retains every message it might ever need, the company also archives the e-mail of other employees who frequently interact with regulated employees. “There may be a supervisor who hasn’t conducted a trade in two decades, yet all of his or her e-mail also is archived,” he adds. “It’s better to err in having too much rather than not enough.”

Both Western & Southern and UR appear to be ahead of most other organizations. A 2006 survey, “Compliance: It’s Real, It’s Relevant, and It’s More Than Just Records,” conducted by the Association for Information and Image Management, found that although 65 percent of users believe that there is a clear understanding of what constitutes a paper record and how each should be retained, nearly 35 percent have the same understanding of electronic information. An even greater concern, the survey reports, is that nearly 65 percent of respondents had not assessed the risk they face from the mismanagement of electronic information. The need to store e-mail creates huge management and infrastructure burdens for companies of all sizes. Although the cost of storage systems has been on the decline, both the volume of corporate e-mail and the size of attachments continue to grow, and the costs and management burdens of messaging are rising accordingly. Many companies have tried to enforce policies that require employees to delete e-mail within 30 days. Some have imposed strict limits on in-box storage — in some cases, as low as 250 MB — to stem spiraling costs and avoid the legal risks associated with lingering business e-mail messages that could one day be subpoena targets. “We’re seeing more corporate interest than ever as companies research e-mail and message-archiving solutions,” says Michael Overly, a Los Angeles-based partner in the IT and outsourcing practice of the law firm Foley & Lardner LLP. “First, companies want to be confident that all of their e-mail is being properly preserved. Second, companies are realizing that their assumption that old e-mail can only hurt them legally may be incorrect. They’re learning that in disputes, or even litigation, the e-mails that have been deleted could very well have helped their cause,” Overly says.

Brian Babineau, an analyst at Enterprise Strategy Group (ESG), says that half of all companies have experienced some type of e-discovery request in the past year, and more than three-quarters of those requests have been for e-mail. Yet, according to many legal experts, the vast majority of companies are woefully unprepared for such demands. “It’s common for us to get calls from companies that have already been sanctioned for failing to properly respond to some type of e-discovery request,” Overly says. The reason? Even companies with sound e-mail-archiving policies — that require, for example, retention of all messages for 90 days — don’t have as much control over their archives as they think. “When they end up going down to their IS department, they discover that the e-mail backup tapes have been overwritten. There have been big sanctions relative to the size of the company in cases like this,” Overly says. “It’s amazing how many companies do not have mechanisms in place to respond properly to these legal requests. So every time they get subpoenaed, they run the risk of being sanctioned.”

Brandy Peterson, chief technology officer for FishNet Security, a security solutions provider based in Kansas City, Mo., says that lacking the proper technology and procedures to retrieve electronic messages could easily quadruple the costs associated with finding documents. “We see that all the time,” he says. “Companies forced to conduct forensic investigations try to pull information from 20 different possible sources.” E-mail messages reside on desktops, handhelds, e-mail servers, storage systems and backup tapes, and, of course, such e-mail sprawl makes the task of finding specific messages more than a challenge. “The fact is that the deployment of e-mail applications is much more complicated than is often assumed,” says Babineau. “While the hardware and software to run e-mail — servers and storage systems — are clearly part of the cost, it’s really the ongoing management and operational costs that increase as a company’s use of e-mail rises.” Those cost increases often are the result of the very operational and technological inefficiencies that also make e-discovery so troubling.

And government regulations, along with those inefficiencies, are driving tremendous growth in the market for message management and archiving systems. Research firm Gartner predicts that the global market for e-mail-archiving systems will grow from $89 million in 2004 to $883 million by 2009 — an average annual growth rate of nearly 60 percent.

Filling the Void
Forrester Research estimates that a large organization generates nearly 1 million e-mail messages a day. But whether a company is generating a million or a thousand, it needs the tools that can ensure control of the entire life cycle of its e-mail, so that any message or attachment can be stored securely and accessed easily. E-mail management spans such an array of business requirements — legal, regulatory, business continuity and disaster recovery, and IT cost savings. It also affects virtually every corporate division, department and employee. For these reasons, companies need to take care in their choice of e-mail archiving and management vendors, says Erica Driver, a principal analyst at Forrester Research. Today, there are a number of e-mail and message management choices, ranging from single-purpose message solutions and appliances to managed messaging services. But Driver says that’s changing, as enterprise content management, storage management and message management vendors get into the message archiving market. “Point message archiving vendors are going to continue to be acquired by vendors that have a broader focus,” she says. “Many [user] companies are going to seek vendors that can provide comprehensive solutions.”

The market already reflects Driver’s observations. Large enterprise software vendors are acquiring standalone electronic-messaging vendors and integrating their technology into existing enterprise-class storage and document-management systems. CA has done just this. It recently acquired iLumin Software and MDY to expand its storage portfolio to include enterprise e-mail management and records management capabilities. This expanded set of capabilities lets CA customers manage data based not only on storage availability, but also on business rules. These rules can reflect business needs, such as how long data should be retained, who can change and delete data, and who even has access to the data. This is a must for regulatory compliance and e-discovery associated with litigation. “Our solution allows messages to be easily accessible to the organization through intelligent information management,” says Eric Lundgren, vice president of product management for CA’s storage business unit. “We can enable employees to access the e-mails they’re authorized to access for as long as they’re required to be archived, based on enforceable policy — without imposing on companies the enormous expense of having to dig down deep and sort through racks of backup tapes.” Soon, Lundgren adds, customers will have the ability to flag business-critical e-mail and assign a specific value to each message that should be saved. “Out of the 50 e-mails employees get each day, there will be one or two they want to keep long term,” he says. “The process is centered around e-mail, but it can be extended to include file-system archiving with CA’s file-system management.”

Archive Automation
“Users are asking for more highly automated e-mail management,” Lundgren says. Currently, products such as CA Message Manager allow for flagging e-mail with keywords that indicate whether particular messages are subject to a regulatory burden or violate internal governance policies. “Right now, we can stop and review such e-mail before it is even sent,” he adds. On-the-fly auto-classification of e-mail messages as they’re sent or received in corporate in-boxes is another possibility. “A company is required to keep employment applications sent to its HR department for seven years. These could be automatically identified and processed to be retained for that period,” Lundgren says.

ESG’s Babineau agrees that such a capability is on the horizon: “In the not-too-distant future, e-mail will be automatically classified in much the same way that spam is today.” But unlike antispam systems, messaging systems of the future will automatically examine and vet messages for compliance with corporate policy, classifying and appropriately archiving and managing them. For example, should the CFO of a public company issue a message containing certain financial terms to a team of company executives, the system would instantly flag the e-mail as a message that very likely is covered by Sarbanes-Oxley regulations, preserving it appropriately. “The goal is to have a system analyze a message once, classify it and have all e-mails that fall within a classification automatically managed consistently,” Babineau explains. For most corporate legal and compliance departments, that day can’t come soon enough.

George V. Hulme is a freelance writer based in Minneapolis. He has covered business and technology for nearly 20 years.

The Value of Automation
To better manage IT costs, a growing number of companies are automating their IT processes.

By Esther Shein
Winter 2007

From the minute Randy Williams arrived at video systems manufacturer Pelco in March 2005, he knew Job 1 would include automating technology processes that were then being done manually. That’s because Williams, Global IT Operations manager at the Clovis, Calif., company, was charged with building a centralized IT organization from the ground up, and he wanted to discontinue the ongoing practice of merely putting out fires and keeping desktops running. Automation, Williams decided, was the key to becoming more efficient from a time- and cost-savings standpoint.

“The group that was here had pigeonholed themselves to the point where they were spending all of their time supporting desktops. They were not out adding value to any of the business units,” Williams recalls. “That meant finding lots of processes we could automate to help those departments focus on their core value.”

Herb Schmoll also discovered the value of automating processes when his company, Jarden Consumer Solutions of Boca Raton, Fla., went on an acquisitions spree. Schmoll, who is manager of end-user services at the manufacturer of small home and commercial appliances, says that with each acquisition, little attention was paid to the additional burden of supporting increasing numbers of end users.

For example, Jarden acquired a company of 900 employees supported by four full-time IT support people. “The assumption was if we kept those support people, support would be adequate,” Schmoll says. But what management failed to realize was that those IT people were geographically in the wrong place to support employees on Pacific time. “Knowing I wouldn’t be able to fix that, I felt it was necessary to automate processes,” Schmoll says, specifically the company’s virtual call centers — a solution that would be transparent to end users. “The company got its money’s worth, because we automated in some cases with some very simple processes that resulted in more efficiencies from the same number of IT people.”

Industry wide, operational costs comprise as much as 75 percent of IT budgets, according to technology research firm International Data Corp. (IDC). And the largest part of that goes to staff labor. “One new challenge IT is facing is how to continue to innovate, meaning deploy new applications and move up to more efficient hardware and software while at the same time continuing to operate, given that budgets are not increasing or are only increasing modestly,” says Tim Grieser, vice president of enterprise systems management software research at IDC.

Heavy Burden
Application maintenance is also a huge burden. Overall, IT organizations are spending 80 percent of their budgets to keep existing applications operational and maintained, according to Forrester Research. “It’s a lot of money, and the terrible part of it is [that] it could be a lot less,” says Phil Murphy, a principal analyst at Forrester.

What is preventing the cost from decreasing is the business’s “complete preoccupation with new development — ‘I want what I don’t have,’” Murphy says. “If you’re blowing too much money maintaining what you already have, every application you build goes into the maintenance pool next year.” So how does IT meet the challenges of manually maintaining systems while increasing innovation? Enter automating processes, which helps reduce labor costs, manual error costs, downtime and lost productivity, as well as improving process efficiency and service delivery. Several tools and technologies are available to automate enterprise IT tasks like job scheduling, event management, storage management and security management. The lists of tools/technologies in all instances are very long, says IDC’s Grieser, with many vendors. Because of consolidation over the past few years, rather than having lots of small to midsize vendors with point-product solutions, there are now a few large system management vendors offering software in a number of different areas to help achieve automation. The big four software system management vendors, according to IDC, are CA, IBM, BMC Software and Hewlett-Packard. The automation of IT processes is pretty well suited for all industries, Grieser says. The best candidates for automation are the repeated, routine tasks. For example, tasks such as managing servers and storage needs are “pretty generic and focused on the actual hardware and operating software,” Grieser explains. Other automation candidates are the things a company does not want highly paid IT professionals doing. “You want them focused on more complex tasks or innovation,” Grieser says.

‘Obvious Savings’
The cost savings that can be realized from automating IT processes varies widely and can occur in many different ways. For example, Grieser says, if a company can manage more hardware with the same number of people, or even fewer, “that’s an obvious savings.”

Similarly, if IT can perform remote management rather than sending staff to remote sites, there is a direct savings in both travel costs and time. And if business productivity goes up, that’s an indirect cost savings, which IT doesn’t see in its budget but is reflected by customer satisfaction. The kinds of cost savings IDC sees often “will amount to several times the investment made in the software in a relatively short period of time,” Grieser says. Additionally, some automation software may allow for the elimination of other software.

At Insurance House, a Marietta, Ga., insurance broker and carrier, automating some aspects of the project management office (PMO) has resulted in savings of $1 million, according to Robert Golden, director of strategic business services. Though Insurance House had a PMO in place for a number of years, the company was unable to efficiently measure the effectiveness of its technology spend. Historically, individual groups within Insurance House made IT purchasing decisions independently, without consideration for how products integrated with existing technology. Processes and decisions were sometimes inconsistent across departments. As a result, the IT infrastructure could be complex to manage.

Golden was hired by Insurance House in 2003 to refresh the PMO for greater business results. Central to his plan: offer high-value information products based on a centralized SQL database platform, supporting enterprise data management via a robust operational data store. With this approach, policy applications could be aggregated, transformed and sent back to independent agents for use in their own management systems.

Next, the company set up an IT Governance process to ensure that the appropriate budgetary decisions are made, balancing spend across strategic initiatives and more tactical projects. Insurance House selected CA Clarity™ to help track and manage all its IT projects as part of a portfolio — and to provide views of that portfolio from a variety of perspectives including status, potential ROI and cost. The CA Clarity suite also enables Insurance House to manage day-to-day projects including auditing, budget projections, planning, and time and resource allocation. “We have to be able to gauge how far along we are, how much business reward and benefit we’re likely to gain and how to manage projects as part of the whole package of investments,” says Golden.

Toe Dipping
At Los Angeles’ Cedars-Sinai Medical Center, IT is dipping its toes into process automation and hasn’t realized any hard costs savings yet — but it has improved efficiencies by using software to reduce false alerts, says Jim Brady, the medical center’s e-mail administrator.

Brady’s group went to management asking for a better handle on monitoring its messaging systems. They were having difficulty accurately managing the performance of their systems because of miscalculated performance thresholds. “We quickly discovered that our environment was not a typical IT environment when it came to performance monitoring,” Brady says. “We were constantly struggling with where to set thresholds. We were either inundated with false alerts or were informed of problems through unhappy employees.”

To automate the threshold administration process and decrease false alerts, Cedars-Sinai integrated real-time analysis software into its existing performance management solution. Brady says the hospital has seen the value of having a product that does monitoring, minimizes false alerts and provides a report on baselines. Although he says he can’t quantify the savings in hard costs, using the tool has saved IT from hiring two additional workers and draining existing staff’s time. “It’s freed us up to spend more time on capacity planning and focus on server upgrades, and there’s a constant influx of new technology and maintenance that needs to be done,” Brady says.

“If you’re busy putting out fires and running around retroactively reacting to issues, you don’t have time to get your environment up to a high level, and you’re wasting time.”

Where to begin with process automation? First, industry experts say, assess the problem and define the process you want to automate by talking to business units and other IT workers. In the case of Cedars-Sinai, Brady says they knew all along that there was a problem. “The issue was finding a solution to take out the human element,” he says.

Once a process has been identified, an organization needs to create a flow chart that shows what the process does. The flow chart should also show what Jarden’s Schmoll calls “all the latches in between.” By fully documenting the process, CIOs can understand all the variables and possibilities. “It’s like defining the scope of the project before you go down the path to automation,” Schmoll adds. Understanding and documenting the process is the most time-consuming part of the work. By contrast, implementing the automated process is only 25 percent of the effort, Schmoll estimates.

Tools Rush In
Next, an organization needs to research the various tools available to accomplish the automation task. This is followed by determining whether outside help is needed for implementation and training. Finally, the company should identify which manual processes can be automated, and then prioritize them. Williams of Pelco, for example, did this by interviewing his company’s department vice presidents. First up was automating IT processes coming from disparate systems like Cisco, EMC and Dell, which all have their own management tools and ways of interfacing and creating alerts and capacity planning. Pelco turned to an event correlation system that combines alerts and logs from disparate systems into a unified view. Williams says the immediate goal was to have an automated monitor watching where Internet traffic was coming from and to create a load-balanced environment that could meet the demand in real time. He recently gave an annual technology review to the business leaders, and he says the attitude from last year to this year differed markedly. “Last year, they were all sitting with a ‘show me’ attitude, and now they’re all on board and willing to talk about what they need,” Williams says. Adds Grieser of IDC: “By and large, IT organizations are way over tasked in terms of what they’d like to do.” Therefore, the opportunity lies not in spending expensive staff time on routine operations, but in making automation and process improvements that matter.

Esther Shein is a freelance writer based in Massachusetts. She has been writing about business and technology for more than 10 years.