In a post-Snowden world: 3 questions CIOs must consider when deploying an email system


For most employees, email is second nature for business communications. Employees email from their phones, laptops, tablets and desktops around the clock, using it to send everything from quick updates to highly important files. It’s simple, easy and fast – but is it safe?

All it takes is one email leak to cause some serious damage to an organisation’s credibility. Osterman Research estimates that approximately 75% of an organisation’s intellectual property and information can be found in an email or attachment – which means that an information leak could potentially expose the bulk of your company’s confidential data.

Additionally, research from Dell showed that approximately 75% of businesses had some type of security failure within the last year. To keep confidential information secure when implementing an email system, businesses consider three questions.

1. Is it on-premises or in the cloud?

Deciding where to host email operations isn’t always cut and dry. While hosting out of an internal data centre gives complete power over email security, that power comes with great responsibility and at great cost.

Being in control of security means the company is culpable if something goes wrong. Plus, if the business isn’t prepared to expend the time, money and effort to oversee keeping the system private and secure, on-premises probably isn’t the way to go.

>See also: Email and mobility leave UK workers overworked but unproductive, survey reveals

That said, cloud-based solutions force organisations to place trust in other companies. Though they are often lower in cost than on-premises platforms, using a cloud provider for email operations means it could be another potential source of breach.

To select the right cloud provider to ensure security of an organisation’s email, ask the provider how it values security, and what it does to ensure that information remains private. If the cloud looks appealing, consider a company that’s known to specialise in security.

2. Does it support third-party security solutions?

After deciding between an on-premises or cloud-based solution, CIOs should research the security and privacy implications of the option they chose, as well as look into the add-ons that are available. Choosing an on-premises versus cloud-based solution will impact this step.

If the company is handling email security internally, the most important thing to look into is how the platform will work with its own third-party security solutions. For full-spectrum security, any solution that the business adopts needs to have the capability to integrate with outside antispam, antivirus and email encryption services. Deciding on a well-known, well-respected security partner does the company no good if the email solution can’t work with it, so CIOs should look at integrations before making any final decisions.

If a CIO goes the cloud-based route, the location of your provider may be more important than they know. The data is subject to the regulations of the country in which the provider is headquartered, not those of the country where the organisation or its data is stored in.

That could potentially work in the organisation’s favour if the privacy laws are tightly written, or it could go drastically wrong if it isn’t familiar with or accepting of the foreign laws. The safest route is to go with what the CIO knows and choose a provider based in a country with familiar security laws. for many businesses as they choose their email providers.

Aside from that, CIOs should look into how their cloud-based provider handles encryption, which is a security measure that converts plain text into ciphertext to prevent outside sources from reading it. It’s a great way to maintain privacy, but it’s not foolproof.

If an outside provider holds the business’s encryption keys, the provider can decrypt content at will. That puts the business at risk for its information being released for use in marketing activity or being handed over as a result of government subpoenas, which may defeat the purpose of investing in security in the first place. If CIOs are leaning toward a cloud-based system, they should weigh the risk-reward benefit and consider holding encryption keys internally.

3. Is it a proprietary solution or open-source based?

After deciding between an internal or external platform, CIOs need to consider whether they’d like to work with an open source or proprietary vendor. Although both options have their pros and cons, open source does come with one major benefit: disclosure.

Open source platforms’ information is readily available; businesses can get so deep as to see the code for themselves and even bring in their own security experts to test out its capabilities.

Conversely, proprietary solutions, true to their name, keep information about functioning processes hidden. Additionally, open-source solutions tend to be less expensive, since they provide free access to features such as desktop clients and outside services. While it’s hard to put a monetary value on a business’s security, the cost difference is something to be aware of if it is keeping a close eye on budget. 

While somewhat nontransparent, proprietary solutions are not necessarily a mistake. If it’s a vendor the CIO knows and trusts fully, there’s nothing wrong with a proprietary product. If they have any doubts at all, however, using an open source product may put their mind at ease, since they can verify security processes and ensure they fit with their company’s needs.

>See also: "No email" policies will not last, says Gartner

Whether or not they were email-based, large corporations’ data breaches are hitting the headlines with frightening regularity. If anything, those stories should illustrate just how important it is to keep a company’s information secure, starting with a safe email system implementation.

Doing so can be an overwhelming process, but by following these three steps and completing research, CIOs can avoid the operational and reputational damages that accompany a breach.


Sourced from Brent Rhymes, president of worldwide field operations at Zimbra

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...