You take your optimism where you can find it these days. Few of us can feel very cheery about the political or economic future on either side of the Atlantic. At times like this, optimism lies in hoping that your own corner of the world is making some headway or, at least, holding the line. Churchill’s speech after Alamein comes to mind:
Now this is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning.
The war, in this context, is that fought against cyber criminals and against those who would infringe our privacy. We are not yet winning the war nor, perhaps, even holding the line, but there is at least a sense that we are fighting back and may be at the end of the first phase of the battle. The tone at the Nuix User Exchange at Huntington Beach in California was one of cautious optimism, both as to that wider war and as to the future of Nuix’s market. The two go together.
Many were pleased, as I was, that Global CEO Rod Vawdrey, began his opening keynote with a tribute to Eddie Sheehy, who brought Nuix from a small Australian forensics player to a international major force in eDiscovery, forensics, cyber security and information governance, to Carolyn Betts (Eddie’s wife who was, by a long margin, the best marketing director in eDiscovery), and to Eddie’s brother Morgan Sheehy, who was COO. This is hard to express for one who was there for most of that journey, but it is an additional and unspoken tribute to the Sheehys that, while their departure left a big hole at the User Exchange, the spirit which they bred at the company persists despite their departure.
Two main themes came out of Rod Vawdrey’s keynote. One was that Nuix has been extending the range of its partners – it is a software company, he said, and is therefore reliant on relationships with others. The other was the theme of convergence, the idea that you can increasingly find multiple Nuix products “in one pane of glass”. There is more on this in my video interview with Rod Vawdrey which will appear in due course.
CTO Stephen Stewart followed with a rousing summary of the factors which affect Nuix’s clients and drive its development and marketing plans.
Stephen Stewart did not have to look far for examples in the news. If Waymo v Uber (trade secret theft case involving the removal of 14,000 confidential files) was to have been his set-piece example, then the Equifax data loss pushed it aside. If one wanted a model case for illustrating cyber security risk, then Equifax is it – grossly inadequate internal controls, stock price crashing, the near-certainty that someone will go to prison, and a whole generation whose need for credit and mortgages has been compromised. If data security and the means of tracking incursions in real time are to go up the agenda, this is the case to drive it.
There is a growing need to learn from the past and from other people’s experience, to reduce the reaction window, and get global visibility into threats. An event like the Nuix User Exchange allows Nuix itself, as well as its users, to share experiences and to benefit from the ideas of others as clients bring ever-wider ranges of problems. What are clients talking about? What is the next frontier? It is no good being one step behind the bad guy.
Among many other topics, Stephen Stewart brought in the GDPR and the corresponding need to identify private data, metadata in pictures (a pet subject of mine at the moment), analysis of voice data, and the forensics problems raised by having many communications channels running simultaneously on one computer.
Stephen Stewart gave us a set of examples which I found myself referring to over the rest of the conference.
My own primary purpose in being there was to take part in two panels. I moderated one called GDPR privacy regulations: preparing for cross-border data management and took the opportunity to open with some GDPR myth-busting, quoting from the recent (very good) series of blog posts from the UK Information Commissioner’s office. The potential level of fines is not to be ignored, and warrants board level attention and budget, but it is not the main or only thing to be talking about. There are misapprehensions about the need for consent and about the obligations to report breaches. A company’s reputation and the willingness of people to send it their business or to work for it are important and, as the ICO said recently, “you can’t insure reputation”. The Talk-Talk breach did indeed involve a fine, in this case of £400,000. You might multiply that by 10 and still not match the cost of 101,000 lost customers, £60 million of direct costs, £80 million loss of revenue, and 4.4% of lost market share.
Of the 72-hour reporting obligation, the thing the ICO really wanted to know about is the potential scope, the cause of the breach and how you plan to mitigate its effects and address the problem. How good is your plan? What skills and what tools should you bring to the subject?
John Lapraik of Advanced Discovery, Rebecca Beard of Shore Consulting, Inc, James Arnold of KPMG, and Brian Tuemmler of Nuix took us through a range of practical points arising from the new obligations. If they are in fact all new to you, then you deserve everything that Equifax and Talk-Talk got.
My other panel was called The future of decision-making. Chris Pogue of Nuix was the moderator and the panel comprised former US Magistrate Judge Ron Hedges, Stephen Stewart of Nuix, and Craig Ball as well as me. Our title was deliberately wide and we swept up a range of things under two different meanings of the expression “decision-making”; one was the role of artificial intelligence, and other was about the factors influencing those charged with responsibility for anticipating problems and driving change.
We should not overlook eDiscovery as a specific subject for discussion at these events – it remains the first of the Nuix Solutions listed on the website, along with Security & Intelligence, Investigation, and Information Governance. This is not just a matter of remembering our roots (“our” embracing my own path into this converged world as well as that of Nuix). The need to give discovery about matters from the past may be less urgent for many than the need to track offences in real time, but it remains a serious duty and a source of risk for many large organisations, particularly US ones. The time will come, no doubt, when Information Governance will become sufficiently part of an organisation’s culture to make discovery a relatively trivial task, but we are a long way from that.
Going to these events is a serious commitment – I was away for five days, of which two were spent entirely in travelling. It was worth it, not just for participation in panels on interesting subjects but for the opportunity to hear about the problems which organisations face and the solutions which they bring to them.
In addition to all that, Nuix works hard to make its guests welcome. As I have noted before, the venue is an appealing one, the more so on this occasion since Nuix kindly gave me a room overlooking the Pacific. I got the opportunity to interview Rod Vawdrey and was interviewed on what I thought was important and interesting at the event.
If you have any interest in the subjects mentioned above, then book your place for next year’s Nuix User Exchange.