Interview with Cydni Tetro of NextPage (www.nextpage.com) on their Document Retention application, and an attack on Records Management issues from a project basis rather than enterprise-wide. Covering a bit of ground on agile development again, and focusing on solving customer/user needs, and failing/succeeding fast, rather than "build it and they will come" development/delivery.
Complete Transcription Follows:
Dan Keldsen: This is Dan Keldsen of the Delphi Group in Boston, www.DelphiGroup.com and today I'm speaking with Cydni Tetro, V.P. of marketing for NextPage which is www.NextPage.com. Today we are talking about Document Retention and Project-based Records Management.
Cydni, kick it off. If you could just give us a quick dose of document retention - which is a service that's on top of a platform. Before we get to the service we lay the foundation so people will understand what the platform is.
Cydni Tetro: Absolutely, so at NextPage we've been really focused on solving the problem of all these documents that reside on the desktop. For us that means what we usually find happens is, there are so many versions that happen to get stored on hard drives or as e-mail attachments or on key drives or servers and there has been no way to actually track those documents or know what's happening with those.
When we think about document retention or even document collaboration, we think of it specifically from the side of the desktop. How do we bring the desktop back into the enterprise?
We have this unique technology that actually tracks documents and all derivatives of those. Then it provides you insight into those and we actually overlay the applications on top of those so document retention becomes specifically about allowing you to not only see the audit trail of all documents, but purge working copies, ensure that appropriate copies are stored on a centralized server and have basically a clean record of where all versions exist no matter their locations.
Dan: Okay, and so there is a mapping component?
Cydni: Yes, in the collaboration applications, specifically the interface shows that version map which becomes the left to right flow diagram of the document and how it has been created.
Dan: Is there an equivalent on the document retention side?
Cydni: Yes, on the document retention side, based on working with our customers, what the interface actually looks like, is more of a tabular format of rows and columns. Then you can drill into detail on any given one of those.
Dan: Okay, and that's the version map for you. I think it is pretty interesting because it gives a much better sense of what the reality of how documents move around. I think it's a very slick way to show that. It makes it much more obvious. That whole phenomenon of floating e-mails around gets out of hand after a little bit.
Cydni: Exactly, I love that interface also because it shows you exactly how everything is related to each other, which document is a derivative of which document and how they relate and what we need to do next.
Dan: Right.
Cydni: It's a very powerful interface and eventually we would see that actually becomes part of the retention application but in the initial interface, it was more important to be able to show number of copies, location of those copies and in a really tight interface so that as you go to clean up you know how to do that also.
Dan: Right. What came to mind when I first heard about this is, so if this is records management but on a project scale do the customers that you have already or have seen the beta prior to the product launch - do they already have bigger, better, more expensive file management solutions?
Cydni: That's a good question. What we have typically found is that the place that most of these companies are at is that they've implemented some kind of centralized back end document system and they are faced with this great challenge of getting documents into the system so that they can actually apply the policy to them.
Dan: Sure.
Cydni: In the records management sphere they've got this repository with no information and usually a written policy around records management but they have yet to really formally roll something out to the entire organization. They are just trying to figure out how does e-mail archiving fall into that?
Dan: Sure.
Cydni: What do they need to do about the desktop? What about a centralized location and how do we apply the written policy? A lot of the professional services companies that we've worked with have said our users are professionals, and they want to follow this policy, but it's really hard because they don't actually have any tools that enable them to actually know what information they need to get rid of and where that information sits in any easy way. That's where the risk comes and in those organizations where they are getting subpoenas every week. It's a lot of risk for them.
Dan: Right. Why don't you walk us through how a customer would actually use this?
Cydni: I should mention right now, because as you kind of mentioned in the product intro, that we've really been developing a product with customers in the kind of verticals of either management consulting, the tax and audit guys or financial services. It's a lot of investment banks. They kind of conceptually think about what they work on in the context of projects.
Dan: Yep.
Cydni: What happens typically is when you very first create your first document there is a client component of the software that gets installed on all of the desktops. There is actually a server-side global service that we host that helps tie together across those distributed infrastructures - how the documents fit together.
As a user, the very first time you go to work on a document and you say that you get prompted to add a little tiny, tiny piece of Metadata which is basically the product identifier or the category.
Dan: Sure.
Cydni: You hit save and then you do whatever you normally do. You make changes to that. You send it to other people. You put it on a key drive. You save it to your shared drive and the service behind the scenes is just automatically tracking all locations of that document.
We've specifically had the goal of having really a zero impact on the user's experience. We've tried very hard to really build it into the user's normal workflow. The users just save that document, work on it.
At the end of the project when they need to go through and clean up they can go into the retention interface and it will automatically show them all the documents they worked on as part of that project, how many copies they have on their hard drive and e-mail, on removable key drives and how many copies that other people on the team have of the same.
They immediately have this view of all of those and if I'm the project manager or responsible for clean up, I can say, "Great, let's go ahead and send a purge request out to everyone," which is basically an e-mail that lists, that will provide access to the interface and all the specific documents they need to clean up.
Users can then right from there go ahead and say upload the right ones, purge the other ones and they are automatically deleted from those locations and the users don't have to do anything else.
Dan: Okay. It's sort of early so you launched this last week, right?
Cydni: Yes, we launched last Monday (May 22, 2006). That was our first talk about desktop policy outside. We've had about 20 companies that have been actually co-developing the product with us over the last 8 months.
Dan: Okay.
Cydni: Those guys have been every stage of design review and security review etc. and now are rolling out those pilots into their various environments.
Dan: And so how has it panned out so far in the whole process? Are people being good at closing out their projects and cleaning up? I think when you gave me the initial briefing we talked about exception handling. What if somebody really does need to keep a copy of a document or a handful of documents on a project?
Cydni: Two things, one is I would say obviously we are in the very beginning stages of getting all those pilots rolled out. I don't think we have all of the complete feedback on the end process. I suspect over the next three or four months as the longevity of projects increases and they are in the real life environment we'll get more feedback on that and then make appropriate modifications.
Then as you mentioned there is some exception handling and that will even get more robust over time where you can mark those. Let's say there is an important document that you think you need to keep a copy of and someone asks you to purge. You don't have to delete that and if you choose not to delete that document it is still in the audit trail.
Everyone still knows that Cydni has a copy of this document. It happens to be saved on her hard drive so that at any point in time if we need to know where that version of a document is or know that I actually have a copy of that you know exactly where it is.
If I happen to send it to someone else or someone else for some reason resurrects an old copy that also gets noted in the interface. You always know exactly how many versions are out there, if they happen to come up again or what the state is and then you can take appropriate action based on your policies.
Dan: Right, okay. So there is the client side which installs on the client itself and you host a Global Web Service and that's it, as far as the footprint, right?
Cydni: Yeah, as far as the footprint, now this is one additional thing for those scenarios. We do have specific data services for the back end repository.
Dan: Okay. Such as?
Cydni: To date, we've written ones for Lotus Notes database and for shared drives and then future ones we have on the roadmap include SharePoint and Documentum.
Dan: Okay.
Cydni: Basically what those are is, inside of the interface itself, if there are versions you want to upload or make sure you preserve, all the user has to do is click a button. It has a kind of smart save feature where it knows the locations of documents for a given project. You just hit upload.
You can see the location, save those documents up there and not even have to worry about making sure there is a copy up there. The interface will tell you if there is a copy of that version on the centralized location.
Dan: It knows where the products live and it puts it there. You don't have to remember which layer, 10, 20, 12 folders down it might have to go?
Cydni: Exactly, it will just remember that for you and make sure that you preserve a copy like you want to.
Dan: Okay, interesting. Did you call those plug ins?
Cydni: Yeah, we call them data services.
Dan: Data services. Now, does that also talk to tying into any other bigger, badder records management solution?
Cydni: Basically the road map for those is you go to the various customers and whatever their needs are, that's how we are taking those down.
Dan: Okay, so right now it is product based records management and if they are going to do something with it beyond that then that's up to them at this point. As you get further feedback you will connect those out.
Cydni: That's right. We've got, based on last week and a number of other activities, a pipeline of getting outside professional services which will take us to more general category type things outside of just the product base.
Dan: Okay.
Cydni: It's not actually a really big change for us. It's really terminology change and the interface for how you want to label information and then how you actually display that. It's really nice. It's just an interface change based on how they talk about information.
Dan: Okay, and I'm curious. It sounds like you work very closely with your customers or potential customers in trying to solve specific needs and drive that home. Do you term that as customer centered development or user experience or agile development or how do you talk about that internally to NextPage?
Cydni: Our conversation around it has been making customer development parallel with product development. From the very beginning we have tried to be really diligent about saying, "Okay, we've got a product idea and what we need to do is validate and make sure there is a market out there."
We actually, from the very beginning of that phase where we have a concept we go out and schedule somewhere between 20 and 40 meetings with prospect customers that we basically just cold call. We go sit down with the people who would be the technical influencers, the buyers and the users and we actually do a full meeting with them where we talk about the value statement of the product.
We show a mock up of how it would work and we have a procurement conversation so we actually understand how many users they buy, what they would be willing to pay so that we can then say, "Oh, there is enough money to be made here." We actually had some previous products that we had worked on a number of years ago that based on that methodology we actually took no further than that because the feedback that we got couldn't justify our building a product line.
Dan: Right. That's interesting.
Cydni: That basically lets us take all the risk up front and say, "Okay, we would rather sell fast and know that we can make money at this or not and then from there bring those people." Then that also gives you customers and the pipeline end of that are beginning to validate. We have the company sending us our test equipment, we have validated testing modules and the security infrastructure and you just get to talk to all of those various people and validate what you are building.
Hopefully at the end of it you are building the right thing and it actually works like they want it to work and you are basically just hopefully taking as much risk out of it as possible. When the product comes out we can actually sell it, make money and we know what the business model looks like for it.
Dan: Right, that's interesting and it's been something I've been researching. Agile Development and user centered practices… it's interesting to me, and I guess it's because of a need to sell product that technology solution riders such as NextPage as others are honing in on this as a way to operate.
Any time that I've talked to an enterprise customer, a buyer of technology they are almost universally not going down this path and not trying to fail fast and start small and scope out what are the real issues that can be solved. They go through the standard enterprise software, deployment integration product that takes at least six months to a year, two, three, five years and lots of money and lots of people. By the time it's done, 80% of those products are probably cancelled.
Cydni: Yeah.
Dan: By the time it's been determined it's too late and of the ones that are actually delivered it's still too late and probably went way over budget. I'm just wondering what is it we can do to spread the gospel just a little bit more.
(laughter)
Cydni: That's a good question. That is a really interesting observation. One of my theories on that would be that as a start up company or a company building product lines where every day we are evaluating the risk trade off and what it's going to take to actually sell the product and then become profitable and grow revenue.
Dan: Right.
Cydni: That's a really big driver and the enterprise your driver is a little bit different when you are in the IT organization or underneath the CIO.
Dan: Sure.
Cydni: You don't necessarily have those same issues. It just makes so much sense after you're here and you think about it you go, "Okay, why would you ever do it any other way? Why would you go build stuff that no one is ever going to use?"
Dan: No, right, yeah. I'm always fascinated by the psychology of buying, and selling for that matter, and I just wonder what can be proposed as a reasonable carrot and sticks for an enterprise crowd to get it going. I think it's a benefit to everybody.
Cydni: Yep.
Dan: It's far less of a threat than it might be perceived from IT.
Cydni: It just optimizes the organization and actually you end up delivering stuff that people actually use and that are viable and that enhance the business. That's ultimately what we should all be about.
Dan: No, right, it seems obvious to me.
(laughter)
Cydni: I'm with you.
(laughter)
Dan: Well, that's two of us. Now if we can work on to the other couple of million.
Cydni: Right, we will spread the word.
Dan: Okay, can you give a little hint - You have already dropped a few, about what does the near term road map look like, that we can safely say over the air here?
Cydni: I have a couple of the categories of stuff that are on the road map, not necessarily committed but that would be kind of the next logical steps. One of them is all of the time we are getting requests about how to handle requests for how to handle legal holds.
Dan: Yeah.
Cydni: So, how do you handle that? We get the subpoena or we are going into discovery. How do we freeze all that information? That will be one area where we know that demand is driving us to focus.
Whether we take all the assets and bring them to a location where they are frozen or we freeze them on those remote entities, one of those will probably end up as the solution. Then the other thing becomes, so in our solution typically that there is a centralized system where they are creating actual policy for life cycle management.
Dan: Sure.
Cydni: But we find there is still this area where you need some desktop policy management.
Dan: Yep.
Cydni: I've got an HR document from an interview and I'm supposed to keep that for a year. I don't necessarily file this, as a lot of times it's actually okay if it's on the desktop as long as it's actually kept for a year.
Dan: Sure.
Cydni: How do I just apply a policy that says, "Hey, at the end of the year for all documents that are categorized under HR interviews go ahead and delete them." Those kind of light-weight policy things are also something that we get asked a lot about.
Then obviously one other category, I should have said three, is the reporting side of that. We will be spending quite a bit of effort on our global service side.
We will provide a reporting interface into that so you want to write a report see how many projects have been cleaned up, how many users have responded, kind of any way you want to slice the data. You'll be able to run reports and save those over time for the organization.
Dan: Okay, that sounds like a fairly full plate.
Cydni: Yeah.
(laughter)
Exactly. We will be prioritizing and taking those down.
Dan: Right.
(laughter)
Okay. Alright. Well, I think that will do for now but thank you very much for your time.
Cydni: I appreciate it. Thank you for taking your time.
Dan: Again, this is Dan Keldsen from the Delphi Group in Boston, www.DelphiGroup.com and I'm speaking with Cydni Tetro, V.P. of marketing for NextPage, which is www.NextPage.com. Thanks.
Cydni: Thank you.




There is another company that is doing something very similar that you may want to look at. Trusted Edge says this on the home page: Trusted Edge Software is dedicated to the real time capture and classification of relevant business information created on corporate Desktops. Through the collection of Meta-Data, today's organizations can bring visibility and control to the chaos of Unstructured Information.
They also digitally shred documents that are not in the repository through Rights Management technology.
http://www.trustededge.com/
Posted by: russ stalters | June 22, 2006 at 06:27 PM
Thanks Russ, vaguely aware of Trusted Edge, but have not had a formal (or heck, informal) briefing. Will look into it.
Posted by: Dan Keldsen | June 27, 2006 at 03:40 PM
Curious to know how the desktop document retention system would work if a copy of the document has been forwarded to a non-Nextpage user or just stored on a system which does not have Nextpage installed and running - my guess is that the system would fail...the potential leakage points are far too many to make this approach useful from a retention perspective...
Posted by: Sceptic | July 06, 2006 at 06:24 AM
Great question, and one that I had asked myself, in a separate conversation.
NextPage are (currently) by no means a Digital (or Enterprise) Rights Management system, and so don't restrict the access and distribution of content as a DRM/ERM solution would. I have not yet spoken with Trusted Edge, but if that's the angle of concern for you, that may be a worthy choice, or Liquid Machines, and various partners of Adobe and Microsoft. Of course if you follow the thinking of Bruce Schneier, you may believe that Rights Management isn't possible, realistically, either.
To your concern - It helps to keep in mind what problem they are addressing, which Cydni mentioned in the interview. The target audience is for working teams within professional services firms (they may be auditors, consultants, marketing teams, etc.) who are hired out to do work for various clients, and need some way to organize and capture the information they've used on a particular job - largely for a knowledge capture effort, not for an 'iron-clad retention' system (which is, in the end, impossible in any case - any system that can be accessed at all, by someone, can always be subverted - just a matter of effort, time, money, skill - and frequently, not much at that). In the heyday of Lotus Notes, these teams may have attempted to capture all of this information in a Notes database that they could just archive after the job was done. However, Notes has been on the wane, and e-mail and 'regular' desktop tools (MS Office) have shot up in more rampant adoption. So this solution from NextPage is about throwing a lasso around otherwise 'un-managed' content for these projects, and gathering back for future re-use and reference, not to provide 100% perfect eradication of any stray content, although of systems that are under control by their software, they can auto-delete content that is out of policy.
Rant follows:
I used to be a much more paranoid person than I am now, and have gone fairly deeply into traditional Information Security (InfoSec). Like many others in the InfoSec field, I would laugh at the minimal (to non-existent) efforts that most companies would take to 'secure' their information, but even with significant efforts spent on securing information and systems, there are always points of weakness that can be pointed to, social engineering being one of the most effective (Kevin Mitnick's first book is a great read, BTW).
But... nothing can ever be 'fully secured' - it's an impossible state, and the real mission of any organization is not to have unbreakable security (does Oracle still claim that? What a silly campaign that was), but to have reasonable security for the situation at hand. InfoSec professionals tend to want to go the extra mile to 'be secure' - which is not bad in itself, except that it is so very easy to lose sight of why we bother with any of this in the first place and aim for the holy grail of 'perfect security.'
It would help if people were willing to really think through what the value is of the people, services, information, data, etc. is that is being protected, what the cost would be to lose control of any of this, and the costs to remediate and/or insure against. However, almost nobody actually does that, as security is the last thing on most people's minds. And in truth, it should be - if security were made to be transparent to the legitimate users of systems, easily managed by admins, then it would be more readily adopted, and we would start eradicating the low hanging fruit of security holes, while moving the overall level of security up and out of the muck we've been stuck in for decades now.
If we can make security a constant, (mostly) invisible process, that is simply wrapped around our normal work without creating an undue burden, and that prods us in the direction to always be doing 'the right thing,' we would finally be heading in the right direction, IMHO. Those security solution providers who are currently thriving, have actually heard that message, and partly due to a hurting economy, where dollars are held ever tighter, companies are beginning to vote with their money that usability actually does matter in security, not just 'security for security's sake.' Secret command line flags, obtuse terminology, and 'security at any cost' just does not hold water for most businesses, and it is not all that difficult to argue that prior security solutions were more of a problem than a solution, by making security so hard to really execute, that people outright refused to use it, or would subvert the system in other ways (sharing passwords, taping them to their desk, etc.).
Happy to talk about this more - online or off. I'm always evaluating the information I have vs. the incoming stream, and modify my position accordingly. Healthy skepticism is certainly a good idea, and thanks for your comments.
What is your experience with other retention systems?
Posted by: Dan Keldsen | July 06, 2006 at 11:39 AM
While your points about document security are well-made, I guess they are, at best, tangential to the original post about an effective document retention solution - perhaps by serendipity more than design, DRM/ERM is a better way to ensure document retention than NextPage's metadata tagging technique. Even if ERM is not a 100% failproof system, it would ensure that shared documents would follow policy precepts without any action mandated from the end-users (as in NextPage's system which requires each user to individually purge his copies). NextPage is an elegant visual reporting model for document version control but the attempt to extend this to document retention seems to be a bit of a force-fit...
The larger point is that to date, the potential of ERM has been woefully underestimated with the focus being purely on security while the core technology can facilitate a far broader range of value propositions and use cases (document retention being just one among many)...
Posted by: Sumanth | July 07, 2006 at 03:28 AM
Sumanth - I'm not sure we're using the same terminology, so perhaps that's part of the confusion. DRM/ERM to me is normally Digital Rights Management and Enterprise Rights Management - as in, policy that lives IN a document and can be used to self-destruct, self-lock, prevent printing, copying, etc..
e-RM is more typically what I would use to abbreviate Electronic Records Management - which handles disposition of content that is a 'business record.' Most e-RM is manually accomplished these days, although automatic classification is certainly on the rise.
In any case, NextPage's system does not require users to purge their individual copies, that's just what their users are doing thus far, as there is a trust factor in allowing machines to obliterate content automatically.
I agree with you that there are a wide variety of use cases for the same underlying technology, and in this case, with NextPage, that's exactly why they have built a core platform and have been deploying purpose-built solutions or applications on top of that. The end use case is what's driving them, not 'build it and then let them build it again on top' - so to speak.
Sidebar: We should talk directly about what you are working on, looks as though you have some interesting solutions to collaboration that could be of interest to our clients as well.
Posted by: Dan Keldsen | July 14, 2006 at 12:25 PM
Dan,
Thank you for the response...I would be glad to talk to you directly - in particular, there is a new offering that we are launching shortly that I am sure will be of interest.
If you could share your e-mail address with me, I will duly follow up offline.
Posted by: Sumanth | July 16, 2006 at 01:36 AM