E-mail systems haven’t really changed all that much in the last 10 years. Sure, spam became a real problem, and the threat of virus attacks is virtually as old as e-mail itself. But today, the e-mail landscape is experiencing a dramatic shift as virtually every aspect of how we use, manage and protect e-mail is undergoing rapid transformation.

As little as 18 months ago, phishing was something done on weekends with your kids, and if someone mentioned SOX you checked your feet to make sure the colors matched. Today we’re not only concerned with Sarbanes-Oxley, but with HIPAA, GLBA, Sec Rule 17a-4, inbound content control, information leakage, acceptable use policies, compliance-based archiving, corporate risk management and liability mitigation. E-mail management is now a vastly different and very confusing task.

E-mail: The Second Wave

The first wave of the e-mail evolution addressed what we now call "inbound content control." This provides protection against external threats like viruses, spam, and other e-mail-borne malware designed to exploit mail server or network security vulnerabilities. The plethora of anti-spam and anti-virus programs with which we’ve all become familiar represents this first wave.

The second wave in the e-mail evolution is where we are now. It is focused on providing outbound content control and is driven by:

• Recognition of the threats that come not from external sources, but typically from inside the organization;
• The realization that serious damage can be inflicted upon the enterprise not just by malicious attacks in the traditional sense, but by actions or omissions that result in significant corporate exposure, risk and liability;
• An onslaught of increasingly stringent regulatory compliance obligations and a good dose of fear instilled by several high profile examples of the cost of non-compliance, such as the $8.25 million fine levied against five brokerage firms for e-mail non-compliance.

Compliance has quickly become the new corporate mantra. Information leakage detection and prevention, e-mail archiving, and regulatory compliance management, have become the new requirements of the second wave.

The Current Turmoil

The issues driving the second wave are all very real concerns, but there has been a knee-jerk response by both customers and vendors alike. Many incumbent inbound scanning vendors encountered serious delays and technical obstacles in rolling this outbound functionality into their legacy products. Seeing a major void in a rapidly growing, highly hyped market, an onslaught of new vendors rushed in to fill the gap. Unfortunately, in the rush to market, future needs were overlooked and many products focused exclusively on outbound content control requirements. The result is a whole new generation of products engineered as "point solutions" without regard to past, present or future investment protection.

Simultaneously, many enterprises faced with regulatory deadlines could not afford to wait and rushed headlong into new product decisions and ended up implementing relatively unknown products. With the Board breathing down their necks to "get compliant" the rulebook was simply tossed.

The downside of this push for compliance is that network and e-mail administration, support and maintenance, training and ongoing operational costs are all escalating. Complexity and duplication from having a legacy anti-spam product, another anti-virus product, a product for email archiving and yet another product for outbound content control is surfacing as the single biggest obstacle to a unified solution and attaining solid ROI.