The end of IBM/Lotus Notes

Last week, IBM sold off its Domino/Notes software business unit to HCL. While you probably haven’t heard of them, they are a billion dollar Indian tech conglomerate. Sadly, this represents the end of one era for Notes. It certainly has had a long and significant life span.

“Notes’ longevity is amazing,” says David DeJean, who co-wrote one of the first books about it back in 1991. “What other corporate software product has had that kind of run? Notes’ success started with its chameleon-like ability to go into a company and work the way the company worked. It let companies computerize their operations at their own pace. Other software packages have been the software of “No” where Notes was almost always the software of ‘Sure.’”

I was present at its conception in the late 1980s, when Ray Ozzie had the idea for what was then an unknown software category that was labeled at the time as groupware. It was the first time that a PC software program could be used to connect multiple computers in a meaningful way, and be used to create applications that leveraged the group. DeJean recalled that these apps were at the heart of what made Notes work: “During a crucial moment in the computerization of the enterprise in the 1990s, Notes applications proliferated like rabbits. It was very easy for companies to get into Notes, and very hard to get out.”

When Notes came out, I was working as an editor at PC Week. My colleague Sam Whitmore told me that “it took us a while to get our brains around the idea of its replication feature. Most of us found it redundant to email.” That was its biggest challenge, and well into its middle age Notes’ biggest competitor continued to be ordinary email. Many of my press colleagues carried a long-standing hatred for it. Nevertheless, Whitmore also recalls that “Lotus appreciated how technical we were, that we understood what Ray Ozzie was bringing to the world. Perhaps because of this, Lotus offered PC Week a lot of money to produce a special report on Notes.”

I had first-hand experience using Notes when I worked at CMP in the early 2000’s when I was an editor at VAR Business and also at EETimes. The CMP IT department had written quite a few Notes applications for various editorial and sales tracking purposes, again showing how extensible it could be.

This is something that many of its critics didn’t really understand, both then and now. One of its earliest customers was PriceWaterhouse, now PwC. Sheldon Laube was running the IT operation there and made the decision to purchase 10,000 copies of Notes back in 1990. He told me that this “started a transformation at the firm. Notes was truly the first personal computer software product that changed the nature of how people used PCs. Until Notes came along, PCs were personal productivity tools, with the majority of uses being spreadsheets, word processing and presentations. Notes created a social use for personal computers and enabled teams of people, spread across geographies, to communicate, collaborate and share information in a way which was not possible previously. It was the tool that moved PCs and networks onto every desk in every office of PW around the world.”

This is an important point, and one that I didn’t think much about until I started corresponding recently with Laube. If you credit Notes as being the first social software tool, it actually predates Facebook by more than a decade. Even MySpace, which was the largest social network for a few years (and had more traffic than Google too), was created in the early 2000s.

Notes was also ahead of its time in another area. “Notes was a precursor to both the web and social media,” says Laube. “It was all about easily publishing and sharing information in a managed way suited to business use. It is the ease of management and the ability to control information access within Notes securely which allowed its rapid adoption by business.” Laube reminded me that back then, information security was barely recognized as necessary by IT departments.

This isn’t completely an accurate picture, mainly because Notes was focused on the enterprise, not the consumer. Notes “mixed email with databases with insanely secure data replication and custom apps,” said David Gewirtz in his column this week for ZDnet. He was an early advocate of Notes and wrote numerous books and edited many newsletters about its enterprise use. “It was enterprise software before enterprise software was cool.” He wrote about how Notes had elements of Salesforce, Dropbox, Atlassian, Zendesk and ServiceNow — years before any of these products were even invented. Another aspect of Notes that doesn’t get much attention is its integrated group calendars and contacts. Now we take these elements for granted — until they don’t work — and expect them in many communications tools. Back in the early 1990s, this was a rare feature. Scott Mace, who runs the site CalendarSwamp, remembers complaining about how hard shared calendars were back in the late 1990s, and how Notes was an early standout then.

Notes has gone through many transitions in its long life: After IBM acquired it, Big Blue extended the software to Domino, which combined Notes with web services and eventually was used to provide a managed hosting solution as well. Ozzie told me that Notes was in essence an amazingly powerful applications server with captive clients. This differed from the web model, where web clients were free and Netscape and others made money from selling their own application servers. IBM added the web server because they had to: Ozzie said if they hadn’t, Notes would have died quickly in the web era. Instead, it still flourishes.

Another thing that doesn’t get much attention is that IBM believed so much in Notes that it made it its corporate communications standard for many years. One of their reasons — and a major motivation for many other customers — is that Notes offered an end-to-end encrypted email system, something that wasn’t common at the time.

Even so, IBM was a poor fit for Notes because it was too slow to innovate. While having a web front-end solved one big problem for Notes (its very thick client software), it wasn’t enough to compete against the world of open source and the rich software development of the web. As the web took over the software world, Notes became more of an anachronism, and more nimble solutions (including one product called Nimble, btw) became more attractive to corporate software developers. Ozzie said, “Shame on IBM for losing the corporate email market” to Microsoft and then Google. He reminded me that back then, we had different email systems that couldn’t connect with each other, even within the same office.

Betsy Kosheff, who did PR for Lotus back when it was sold to IBM, told me, “IBM had no business doing software innovation. That point was very obvious right from the acquisition. It’s not their fault – IBM is just not designed that way. I imagine their India-based buyer will be looking for more operational efficiencies. They’re probably not looking for the next big idea, which is what was so much fun about Notes and being part of that product in the early days. I’m not saying you can’t possibly create an entrepreneurial division with exciting innovations from within a larger company. I’m just saying they didn’t do it at IBM and probably not at any other billion dollar IT company.”

Ozzie reminded me that when Lotus was sold to IBM, they were in a head-to-head battle with Exchange. Microsoft had the edge because they owned the operating system and had majority share with office applications. IBM could offer a broader software portfolio that could attract customers.

Was Notes too early for its time? Ozzie says no: “I am just pleased that things have continued to evolve in collaboration tools. There are still things related to human interaction, such as distributed trust and managing overload that we first learned in Notes that have yet to be embraced by anything in the enterprise social world.”

Jon Callas on joining the ACLU

I have known Jon Callas for many years, tracking back to when he was part of the PGP Corporation and bringing encrypted email to the world. He has been a long-time security researcher who has been part of the launch teams at Silent Circle and Blackphone. Recently he has moved from Apple to the ACLU, where he is a technical fellow in the Speech, Privacy and Technology Project.

I spoke to him last week and caught up with what he is working on now, and thought you might be interested. His job now is to help the mostly legal team at ACLU to understand the technical issues, especially from someone who has been deeply steeped in them over the years. “Technology is such a part of the modern world that we need more people to understand it,” he said. One of his focus areas is the recent changes in Australian encryption laws. He is still trying to figure out the implications, and so far he views this bill as more guiding government assistance than actual intervention. The bill also raises more questions than it answers, such as how does a developer secretly insert code into a system that has tracking or build version controls? He is also watching the revelations around the Facebook document trove that was released this week by British lawmakers. (Here is the backstory, and ProtonMail’s comments on the law are here.) “Clearly, there are contradictions between what Facebook management said they were and weren’t doing and what was mentioned in these documents,” he said. When I asked him what he would do if he were CTO of Facebook, he just laughed.

One other area of interest is how to understand how the government is acting to curb freedom of speech, and what is going on at our borders. “The government quite reasonably says that they can look inside your suitcase when you cross into our country. That I understand, but shouldn’t your electronic devices be treated differently from what else is in your suitcase? There are many answers here, and we need to have legal and policy discussions and understand exactly what problems we are trying to solve.”

We also spoke about the recent actions by Google employees protesting their Chinese-specific search engine. “I find it encouraging that tech people are looking at the consequences of what they do and where this technology is going to be used and what it all means,” he said. Now, “we are more in tune with privacy concerns. People are thinking about the ethics and consequences of what they are doing. They want to have a part in these discussions. That is what a free society should do.”

The many ironies of the post email era

It has been 20 years since Marshall Rose and I wrote our book about Internet email. Since then, it has become almost a redundant term: how could you have email without using the Internet? For that matter, how can you have a business without any email to the outside world? It seems unthinkable today.

But for something so essential to modern life, Internet email also comes with multiple ironic situations. I will get to these in a moment.

To do some research for this essay, I re-read a column that I wrote ten years ago about the evolution of email between 1998-2008. Today I want to talk about the last ten years and what we all have been doing during this period. I would call this decade the post email era because email has become the enabling technology for an entire class of applications that previously weren’t possible or weren’t as easy ten years ago. Things like Slack, MFA logins, universal SMS, and the thousands of apps that notify us of their issues using emails. Ironically, all of this has almost eclipsed the actual use of Internet email itself. While ten years ago we had many of these technologies, now they are in more general use. And by post-email I don’t mean that we have stopped using it; quite the contrary. Now it is so embedded in our operations that most of us don’t even think much about it and take it for granted, like the air we breathe. That’s its second irony.

When a new business is being formed, usually the decision for its email provider comes down to hosting email on Google or Microsoft’s servers. That is a big change from ten years ago, when cloud-based email was still being debated and (in some cases) feared. I have been hosting my email on Google’s servers for more than ten years, and many of you have also done the same.

Another change is pricing. This has made email a commodity and it is pretty reasonable: Google charges $5 per month for 30 GB of storage or $10 per month with either 1 TB or unlimited storage. If you want to go with Microsoft, they have similarly priced plans for 1 TB of storage. That is an immense amount of storage. Remember when the first cloud emailers had 1 GB of storage? That seems so quaint — and so limiting — now. For all the talk back then about “inbox zero” (meaning culling messages from your inbox as much as possible), we have enabled email hoarding. That’s another irony.

Apart from all this room to keep our stuff, another major reason for using the cloud is that it frees up the decision as to which email client to run (and to support) for each user. A third reason is that the cloud frees up users to run multiple email clients, depending on what device and for what particular post-email task they want to accomplish. Both of these concepts were pretty radical 20 years ago, and even five years ago they were still not as well accepted as they are now. Today many of us spend more of our time on email with our phones than our desktops, and use multiple programs for our email, and don’t give this a second thought.

Why would anyone want to host their own email server anymore? Here is another irony: one reason is privacy. The biggest thing to happen to email in the past ten years was a growing awareness of how exposed one’s email communications could be. Between Snowden’s revelations and Hillary’s server, it is now crystal clear to the world at large that your email can be read by your government.

When Marshall developed the early email protocols, he didn’t hide this aspect of its operations. It just took the rest of the world many years to catch on. As a result, we now have companies that are deliberating locating in data havens to prevent governments from gaining access to their data streams. Witness ProtonMail and Kolabnow, both doing business from Switzerland, and Mailfence, operating out of Belgium. These companies have picked their locations because they don’t want your email finding its way into the NSA’s Utah data centers, or anywhere else for that matter. And we have articles such as this one in Ars that discuss the issues about Swiss privacy laws. Today a business knows enough to ask where its potential messages will be stored, whether they will be encrypted, and who has control over its encryption keys. That certainly wasn’t in many conversations — or even decisions about selecting an email provider — ten years ago.

One way to take back control over your email is literally to host your own email server so that your message traffic is completely under your control. That has been a difficult proposition even for tech-savvy businesses — until now. This is what Helm is trying to do, and they have put together a sexy little server (about the size of a small gingerbread house, to keep things festive and seasonal) which can sit on any Internet network anywhere in the world and deliver messages to your inbox. It doesn’t take a lot of technical skill to set up (you use a smartphone app), and it will encrypt all your messages from end-to-end. Helm doesn’t touch them and can’t decrypt them either. Because of this, the one caveat is that you can’t use a webmail client. That is a big tradeoff for many of us that have grown to like webmail over the past decade. Brian Krebs blogged this week that users can pick two items out of security, privacy and convenience. That is the rub. With Helm, you get privacy and security, but not convenience (if you are a webmail user). Irony again: webmail has become so pervasive but you need to go back to running your own server and email desktop clients if you want ironclad security.

Speaking of email encryption, one thing that hasn’t changed in the past ten years is how rarely it is used. One of the curiosities of the Snowden revelations was how hard he had to work to find a reporter who was adept enough at using PGP to exchange encrypted messages. Encryption still is hard. And while Protonmail and Tutanota and others (mentioned in this article) have come into play, they are still more curiosities than in widespread general use.

Another trend over the past ten years is how spam and phishing have become bigger problems. This is happening as our endpoints get better at filtering malware out of our inboxes. This is one reason to use hosted Exchange or Gmail: both companies are very good at stopping spam and malicious messages.

It is somewhat of an ironic contradiction: you would hope that better spam processing would make us safer, not more at risk. This risk is easy to explain but hard to prevent. All it takes is just one user on your network, who clicks on one wrong attachment, and a hacker can gain control over your desktop and eventually your entire network. Now that scenario is a common one witnessed in many TV and movie episodes, even in non-sci-fi-themed shows. For example, this summer we had Rihanna as a hacker in Ocean’s 8. Not very realistic, but certainly fun to watch.

So welcome to the many ironies of the post email era. Share your thoughts about how your own email usage has evolved over this past decade if you feel so inclined.

FIR B2B podcast #110: David Lloyd, on how personas are for marketers too

The concept of user personas was originally developed for user interface design, but it’s a powerful tool for marketers, too. David Lloyd, who is the lead strategist and senior data analyst at Brilliant Noise in London, joins us to discuss his post this past summer about The dream of data-driven personas.

Personas, particularly ones that are deeply rooted in data, can help shape marketing campaigns. We talk about the differences between user experience and marketing personas and what are the typical data types that would be used to shape useful ones. His blog post talks about common mistakes that marketers make in creating personas and describes what a typical persona looks like, down to assigning them a name to make them more real.

He also addresses why you don’t want to go too wide or too specific in creating your personas: the ideal number of personas a marketer should work with is about three. Also, the cloud has made it far easier to create and collect a great deal of online data that can be useful in creating personas. Lloyd tells how marketers can make personas more actionable as part of their marketing plans.

CSOonline: How to beef up your Slack security

When it comes to protecting your Slack messages, many companies are still flying blind. Slack has become the de facto corporate messaging app, with millions of users and a variety of third-party add-on bots and other apps that can extend its use. It has made inroads into replacing email, which makes sense because it is so immediate, like other messaging apps. But it is precisely because of its flexibility and ubiquity that protecting its communications is so compelling.

In this post for CSOonline, I take a closer look at what is involved in securing your Slack installation and some of the questions you’ll want to ask before picking the right vendor’s product. You can see some of the tools that I took a closer look at too in the chart above.

Book review: The End of Trust

Last week the Electronic Frontier Foundation published an interesting book called The End of Trust. It was published in conjunction with the writing quarterly McSweeneys, to which I have long subscribed and whose more usual fiction short story collections I enjoy. This issue is its first entirely non-fiction effort and it is worthy of your time.

There are more than a dozen interviews and essays from major players in the security, privacy, surveillance and digital rights communities. The book tackles several basic issues: first the fact that privacy is a team sport, as Cory Doctorow opines — meaning we have to work together to ensure it. Second, there are numerous essays about the role of the state in a society that has accepted surveillance, and the equity issues surrounding these efforts. Third, what is the outcome and implications of outsourcing of digital trust. Finally, various authors explore the difference between privacy and anonymity and what this means for our future.

While you might be drawn to articles from notable security pundits, such as an interview where Edward Snowden explains the basics behind blockchain and where Bruce Schneier discusses the gap between what is right and what is moral, I found myself reading other less famous authors that had a lot to say on these topics.

Let’s start off by saying there should be no “I” in privacy, and we have to look beyond ourselves to truly understand its evolution in the digital age. The best article in the book is an interview with Julia Angwin, who wrote an interesting book several years ago called Dragnet Nation. She says “the word formerly known as privacy is not about individual harm, it is about collective harm. Google and Facebook are usually thought of as monopolies in terms of their advertising revenue, but I tend to think about them in terms of acquiring training data for their algorithms. That’s the thing that makes them impossible to compete with.” In the same article, Trevor Paglen says, “we usually think about Facebook and Google as essentially advertising platforms. That’s not the long-term trajectory of them, and I think about them as extracting-money-out-of-your-life platforms.”

Role of the state

Many authors spoke about the role that law enforcement and other state actors have in our new always-surveilled society. Author Sara Wachter-Boettcher said, “I don’t just feel seen anymore. I feel surveilled.” Thenmozhi Soundararajan writes that “mass surveillance is an equity issue and it cuts across the landscape of race, class and gender.” This is supported by Alvaro Bedoya, the director of a Georgetown Law school think tank. He took issue with the statement that everyone is being watched, because some are watched an awful lot more than others. With new technologies, it is becoming harder to hide in a crowd and thus we have to be more careful about crafting new laws that allow the state access to this data, because we could lose our anonymity in those crowds. “For certain communities (such as LGBTQ), privacy is what lets its members survive. Privacy is what lets them do what is right when what’s right is illegal. Digital tracking of people’s associations requires the same sort of careful First Amendment analysis that collecting NAACP membership lists in Alabama in the 1960s did. Privacy can be a shield for the vulnerable and is what lets those first ‘dangerous’ conversations happen.”

Scattered throughout the book are descriptions of various law enforcement tools, such as drones, facial recognition systems, license plate readers and cell-phone simulators. While I knew about most of these technologies, seeing them collected together in this fashion makes them seem all the more insidious.

Outsourcing our digital trust

Angwin disagrees with the title and assumed premise of the book, saying the point is more about the outsourcing of trust than its complete end. That outsourcing has led to where we prefer to trust data over human interactions. As one example, consider the website Predictim, which scans a potential babysitter or dog walker to determine if they are trustworthy and reliable using various facial recognition and AI algorithms. Back in the pre-digital era, we asked for personal references and interviewed our neighbors and colleagues for this information. Now we have the Internet to vet an applicant.

When eBay was just getting started, they had to build their own trust proxy so that buyers would feel comfortable with their purchases. They came up with early reputation algorithms, which today have evolved into the Uber/Lyft star-rating for their drivers and passengers. Some of the writers in this book mention how Blockchain-based systems could become the latest incarnation for outsourcing trust.

Privacy vs. anonymity

The artist Trevor Paglen says, “we are more interested not so much in privacy as a concept but more about anonymity, especially the political aspects.” In her essay, McGill ethics professor Gabriella Coleman says, “Anonymity tends to nullify accountability, and thus responsibility. Transparency and anonymity rarely follow a binary moral formula, with the former being good and the latter being bad.”

Some authors explore the concept of privacy nihilism, or disconnecting completely from one’s social networks. This was explored by Ethan Zuckerman, who wrote in his essay: “When we think about a data breach, companies tend to think about their data like a precious asset like oil, so breaches are more like oil spills or toxic waste. Even when companies work to protect our data and use it ethically, trusting a platform gives that institution control over your speech. The companies we trust most can quickly become near-monopolies whom we are then forced to trust because they have eliminated their most effective competitors. Facebook may not deserve our trust, but to respond with privacy nihilism is to exit the playing field and cede the game to those who exploit mistrust.” I agree, and while I am not happy about what Facebook has done, I am also sticking with them for the time being too.

This notion of the relative morality of our digital tools is also taken up in a recent NY Times op/ed by NYU philosopher Matthew Liao entitled, Do you have a moral duty to leave Facebook? He says that the social media company has come close to crossing a “red line” but for now he is staying with them.

The book has a section for practical IT-related suggestions to improve your trust and privacy footprint, many of which will be familiar to my readers (MFA, encryption, and so forth). But another article by Douglas Rushkoff goes deeper. He talks about the rise of fake news in our social media feeds and says that it doesn’t matter what side of an issue people are on for them to be infected by the fake news item. This is because the item is designed to provoke a response and replicate. A good example of this is one individual recently mentioned in this WaPost piece who has created his own fake news business out of a parody website here.

Rushkoff recommends three strategies for fighting back: attacking bad memes with good ones, insulating people from dangerous memes via digital filters and the equivalent of AV software, and better education about the underlying issues. None of these are simple.

This morning the news was about how LinkedIn harvested 18M email addresses to target ads to recruit people to join its social network. What is chilling about this is how all of these email addresses were from non-members that it had collected, of course without their permission.

You can go to the EFF link above where you can download a PDF copy or go to McSweeneys and buy the hardcover book. Definitely worth reading.

FIR B2B podcast #109: Transparency, Truth and the Rebirth of Long-Form Content

Three items in the news caught our attention this week. The first was a piece by Agility PR about a tale of two PR crisis responses, and why only one of them worked. The crises in question are the firing of Megyn Kelly by NBC and Andy Rubin’s departure from Google with a $90 million severance package. Both situations were handled differently by the organizations’ leaders, and both produced very different results in terms of public and employee perception. The contrasting cases are useful to help shape your own crisis response and to understand how you have to get ahead of the news in just the right tone and with actions that speak louder than platitudes.

The second piece we discuss provides evidence that marketing guru Gary Vaynerchuk is wrong about an awful lot of things, largely because he appears to base his observations and predictions more on instinct than on facts. We respect Vaynerchuk for what he’s accomplished, but think that in an environment in which the value of facts is being called into question, it’s incumbent upon thought leaders to use them. This is the big data age, after all.

Finally, we have often debated the optimal length of podcasts and videos for content marketing purposes, but maybe old assumptions about keeping recorded content as short as possible are out of date. Welcome to the Age of the Hour-Long YouTube Video makes the case that long-form content is making a comeback. For the same reason that podcasts have become popular, people are now able to put their idle time to work. This may have implications for marketing videos in the future, and whether you want to go after quality or quantity when it comes to collecting readership. We both are devotees of podcasts that frequently run 90 minutes or more. That’s because the content is great, the hosts do their research and the subjects are interesting. Which would you rather have, eyeballs or fans?

Happy holidays to all, we’ll return next week with fresh insights. You can listen to our podcast here:

Book review: You’ll see this message when it is too late

A new book from Professor Josephine Wolff at Rochester Inst. of Technology called You’ll see this message when it is too late is worth reading. While there are plenty of other infosec books on the market, to my knowledge this is the first systematic analysis of different data breaches over the past decade.

She reviews a total of nine major data breaches of the recent past and classifies them into three different categories, based on the hackers’ motivations: those that happened for financial gain (TJ Maxx and the South Carolina Department of Revenue and various ransomware attacks); for cyberespionage (DigiNotar and US OPM); and for online humiliation (Sony and Ashley Madison). She takes us behind the scenes of how the breaches were discovered, what mistakes were made and what could have been done to mitigate the situation.

A lot has been already written on these breaches, but what sets Wolff’s book apart is that she isn’t trying to assign blame but dive into their root causes and link together various IT and corporate policy failures that led to the actual breach.

There is also a lot of discussion about how management is often wrong about these root causes or the path towards mitigation after the breach is discovered. For example, then-South Carolina governor Nikki Haley insisted that if only the IRS had told them to encrypt their stolen tax data, they would have been safe. Wolff then describes what the FBI had to do to fight the Zeus botnet, where its authors registered thousands of domain names in advance of each campaign, generating new ones for each attack. The FBI ended up working with security researchers to figure out the botnet’s algorithms and be able to shut down the domains before they could be used by the attackers. This was back in 2012, when such partnerships between government and private enterprise were rare. This collaboration also happened in 2014 when Sony was hacked.
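To make the defender’s side of that Zeus story concrete, here is an added example that is not from Wolff’s book or this page: a constructed, hypothetical date-seeded domain generation algorithm, the defender’s precomputation of the upcoming domains once the algorithm and seed have been recovered, and a check of constructed DNS log lines against that list. The seed, dates and log format are all assumptions, and the generator is a toy, not the actual Zeus algorithm.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical seed shared between bots and the operator (constructed; not a real value).
CAMPAIGN_SEED = "example-campaign-seed"
TLDS = ("com", "net", "biz")


def generate_domains(day, seed, count=5):
    """Toy DGA: derive `count` domain names for one calendar day from a shared seed.

    Each domain is a 12-letter label taken from a SHA-256 digest of seed, date and
    index, so bot and operator agree on the day's rendezvous points with no traffic.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}|{day.isoformat()}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def predict_domains(start, days_ahead, seed, count=5):
    """Defender side: with the algorithm and seed known, enumerate every domain the
    botnet will try over the next `days_ahead` days, mapped to the day it goes live.
    This is the list a registrar or sinkhole operator would act on in advance."""
    predicted = {}
    for offset in range(days_ahead):
        day = start + timedelta(days=offset)
        for dom in generate_domains(day, seed, count):
            predicted[dom] = day
    return predicted


def find_dga_lookups(log_lines, predicted):
    """Match DNS query log lines against the predicted set.
    Constructed log format: '<timestamp> <client_ip> query <domain>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            dom = parts[3].rstrip(".").lower()
            if dom in predicted:
                hits.append((parts[1], dom, predicted[dom]))
    return hits


def run_demo():
    """Build a one-week prediction window and scan a constructed DNS log."""
    start = date(2012, 3, 1)  # constructed date, not a real campaign date
    predicted = predict_domains(start, 7, CAMPAIGN_SEED)
    # Constructed log: two benign lookups plus one lookup of a domain that the
    # algorithm schedules for the fourth day of the window (2012-03-04).
    dga_domain = generate_domains(start + timedelta(days=3), CAMPAIGN_SEED)[1]
    sample_log = [
        "2012-03-04T09:12:01Z 10.0.0.15 query www.example.com.",
        f"2012-03-04T09:12:07Z 10.0.0.23 query {dga_domain}.",
        "2012-03-04T09:12:09Z 10.0.0.15 query mail.example.org.",
    ]
    return find_dga_lookups(sample_log, predicted)


if __name__ == "__main__":
    for client, dom, active_day in run_demo():
        print(f"{client} looked up predicted DGA domain {dom} (active {active_day})")
```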

Another example of management security hubris can be found with the Ashley Madison breach, where its managers touted how secure its data was and how your profiles could be deleted with confidence — both promises were far from the truth as we all later found out.

The significance of some of these attacks wasn’t appreciated until much later. For example, the attack on the Dutch registrar DigiNotar’s certificate management eventually led to its bankruptcy. But more importantly, it demonstrated that a small security flaw could have global implications, undermine overall trust in the Internet and compromise hundreds of thousands of Iranian email accounts. To this day, most Internet users still don’t understand the significance of how these certificates are created and vetted.

Wolff mentions that “finding a way into a computer system to steal data is comparatively easy. Finding a way to monetize that data can be much harder.” Yes, mistakes were made by the breached parties she covers in this book. “But there were also potential defenders who could have stepped in to detect or stop certain stages of these breaches.” This makes the blame game more complex, and shows that we must consider the entire ecosystem and understand where the weak points lie.

Yes, TJ Maxx could have provided stronger encryption for its wireless networks; South Carolina DoR could have used MFA; DigiNotar could have segmented its network more effectively and set up better intrusion prevention policies; Sony could have been tracking exported data from its network; OPM could have encrypted its personnel files; Ashley Madison could have done a better job with protecting its database security and login credentials. But nonetheless, it is still difficult to define who was really responsible for these various breaches.

For corporate security and IT managers, this book should be required reading.

CSOonline: How to set up a successful digital forensics program

IT and security managers have found themselves increasingly needing to better understand the world of digital forensics. This world has become more important as the probability of being breached continues to approach near-certainty, and as organizations need to better prepare themselves for legal actions and other post-breach consequences.

In this post for CSOonline, I describe the basics behind digital forensics, the kinds of specialized tools that are required, links to appropriate resources to learn more and a checklist of various decisions that you will need to consider if you are going to be more involved in this field. It is not just about understanding the legal consequences of a breach, but also about being properly prepared before a breach occurs. And something that you need to get your head around: lawyers can be your friends in these circumstances.

CSOonline: Top application security tools for 2019

The 2018 Verizon Data Breach Investigations Report says most hacks still happen through breaches of web applications. For this reason, testing and securing applications (from my CSOonline article last month) has become a priority for many organizations. That job is made easier by a growing selection of application security tools. I put together a list of 13 of the best ones available, with descriptions of the situations where they can be most effective. I highlight both commercial and free products. The commercial products very rarely provide list prices and are often bundled with other tools from the vendor with volume or longer-term licensing discounts. Some of the free tools, such as Burp Suite, also have fee-based versions that offer more features. You can review my list in CSOonline here.