GlassIG at ARMA Spring Seminar

GlassIG sponsored this year’s Spring Seminar of the ARMA Golden Gate Chapter. As luck would have it, the event was held at the same time as (and just down the street from) the Annual RSA CyberSecurity Conference, meaning most attendees and presenters found time and bandwidth to attend both.

Don’t let that statement fly under your radar. You heard me right: Records Managers and Cyber Security specialists were under the same roof.

We at GlassIG have been saying for some time… 7 years and counting, in fact… that all information management policies should be centralized. Historically, companies had one spreadsheet for retention, another for legal citations, another for security classifications, maybe another for metadata, or file plans, or… you get the picture. In fact, if you are reading this, you have probably lived this reality. When GlassIG first emerged into the market in 2010, it was the first technology to provide a collaboration environment for centralizing all information lifecycle policies, and bringing together the various stakeholders and constituencies that had always worked independently on these kinds of policies. 

So on the one hand, it was pleasing, even validating, to see Security as the main theme for an ARMA Spring Seminar. On the other hand, it was also a bit painful. Malcolm Palmore did an overview of the Cyber Security Threat landscape… Nithan Sannappa presented some case studies from the FTC. To put it bluntly… we, Information Professionals, are late to the party. Those who would seek to misuse our sensitive information (miscreants, let’s call them) got a head start on us, and we have found ourselves responding to threats rather than addressing them proactively and systematically. We’ve played our own game of Whack-A-Mole, reacting to one threat or intrusion only to see another arise elsewhere.

But I am encouraged: the boundaries between Cyber Security and Records Management (and Legal, Risk, Compliance, etc.) are beginning to blur, and this is good for all of us! We at GlassIG are seeing more and more projects initiated by IT and Security teams, people who would never have been interested in governance principles 5 years ago. And Records Managers who embrace these new responsibilities, who lead the convergence of roles… these are the RMs who will find themselves increasingly relevant and useful within their organizations.

Challenges of Information Governance: the daily reality! 2 of 3

The pace of digital innovation

Technological innovation is permanent and irreversible. In today’s competitive landscape, businesses are leveraging each new technology to improve their time to market, enhance their customer services and expand their channels of distribution; or, alternatively, to reduce their costs with fewer points of sale and with optimized processes. This transformation has created the “digital universe” we know today where the quantity and the variety of information produced and consumed is exploding, year after year.

Organizations are now facing new challenges: moving into this digital universe means that manual processes related to organizing and managing information are no longer viable. A global information management strategy requires flexibility in order to facilitate the integration of each new service deployed, and each new department or acquisition. Such a strategy also needs to give end users an opportunity to be involved in digital transformation and provide platforms for them to collaborate from day one.

Moving to cloud-based services

One important part of digital transformation is the transition from traditional server room software licensing arrangements to cloud-based services. Here we find a good example of what for many organizations is an increasingly urgent consideration. Cloud service models require no hardware purchases or deployment costs and can usually be brought online in mere hours. Often, up-front licensing costs are small or non-existent and the service adopts a pay-per-use mode. Not only that but cloud services are available from everywhere, facilitating a mobile workforce and work from home arrangements.

Cloud-based services have many great advantages. Nothing is easier for a department such as marketing or customer services than to deploy and use a new service with a simple credit card. However, because they are simple and easy to initiate by anyone in any department, they are often implemented outside of any information management or IT control. Information created and manipulated by these services is not accounted for by traditional records management, and avoids governance by information policies, the information lifecycle, retention schedules and disposition.

Cloud services therefore introduce a new complexity and represent a clear challenge for an information governance program. It simply won’t work if a company defines a set of global information policies but is unable to apply them to corporate systems and services in the cloud. Information policies must be enforced on any information wherever it resides and whatever the application that has created it, otherwise the organization cannot meet its compliance goals.

One particular kind of cloud-based service, so-called cloud drives or cloud boxes, contributes significantly to these challenges. Their deployment, in personal apps, exploded with the BYOD wave some years ago. This effectively provided an opportunity for any employee to access and sync all of their professional documents and files from their work computer or laptop onto a personal device such as a tablet, outside the control of the IT department. At the time this represented a big breach in information risk management and compliance.

Roll forward a few years, and we find that the cloud box suppliers have developed professional editions that can be set up for an entire department in a couple of clicks. These business editions provide a new and easy file sharing system, with key collaboration features and basic lifecycle management functions, that can replace and bring many benefits over traditional local area network shared drives. But here again, these cloud boxes are not on the radar of records managers, and global information policies are not enforced on the documents they store. The breach in compliance is still there, and content consolidation in one place to facilitate its management is not a solution. Management has to be done in-place in every cloud-based service that the organization subscribes to.

Are records managers Information Governance managers?

This question is one that we have been commonly asked over the last few years. The answer remains open. From what we have learned (see the previous post) and from the technology challenge discussed previously, it seems that records managers are challenged as well in their daily life. They fight to get their existing information policies understood and applied. But often in the digital world, their processes and workflows have too many analogies with physical records management. This may have worked when electronic records were first introduced, but many employees nowadays have never worked in environments where they needed to manage a paper workflow. These employees have come straight from school or college where their assignments are submitted electronically, and where the most popular device is their smartphone or their tablet.

It is increasingly tough for traditional Records Managers as they try to balance their own priorities, preserve the long archive heritage of physical records, increase their collaboration skills across multiple departments, and digest the new and permanent workplace technologies like cloud boxes and other new services. And, of course, they are also expected to define the strategies that need to be in place for implementing future Information Governance programs and initiatives. If new technologies allow end users to collaborate, find what they need, and improve the organization’s time to market, it is a clear indication that we need technologies that can answer the Records Manager’s challenges as well. If the relationship between Records Managers and the IT department has not always been good, at least this should provide an opportunity to reconcile their objectives.

Aren’t we too ambitious?

Many companies have perceived the Information Governance program as a global one. And only as a global one. Executives think that because Information Governance deals with risk management, the perimeter of the project has to be global. Some very specialized vendors have demonstrated that Information Governance could be similar to a journey. This means starting small, and following an iterative process, enlarging the program step-by-step, and adding functions or departments one-by-one.

Trying to introduce Information Governance guidelines into the mindset of any business manager or information owner and change organizational culture and behavior is inevitably a long process. The best chance of success is to start by looking for those areas of the organization where an Information Governance program will make the biggest impact, and the biggest value.

It is also critical to have metrics in place to objectively measure the program’s efficiency. These need to be set around the three key objectives: Minimizing Risk, Minimizing Cost and Optimizing Value. Organizations have found that defining a broad ROI for Information Governance has not been an easy thing to do. By focusing on these objectives the question, “Are we being too ambitious?” can be replaced with “Where can I find a flexible and innovative solution that can fit a progressive and flexible approach to my Information Governance program?”

Compliance and Governance

The interaction between the two concepts of compliance and governance is a key aspect of an Information Governance program. As described earlier, information policy related laws and regulations are increasing across all industries and in all countries. Today’s organizations need to protect themselves from any non-compliance. They are also looking for multi-jurisdictional capabilities as they provide their products and services all over the world through their website or on mobile apps. Often they have defined some information management policies with regard to their own internal processes, but they need to extend their policies by adding those relevant to their business in the countries where they operate. More than this, a multi-jurisdictional approach is now a must. Most countries have local add-ons to international regulations, and organizations must comply with laws that are defined at different levels. Examples of multi-jurisdictional legislation include the European GDPR (General Data Protection Regulation), the EU-US Privacy Shield, etc. Organizations need to stay on top of these emerging regulations.

For organizations where a changing information policy landscape is a permanent condition, any Information Governance solution that can evolve with customer requirements and offer a flexible value proposition is sorely needed. It is time to redefine Information Governance.

 

To find out more, read part 3.

The secret sauce of Information Governance: Education

Education

The root of the verb to “educate” is the Latin word “educare” which means to “lead out” (for example, to educate children is to lead them out of childhood or, as we would be more likely to say, to “raise them”). The word “educare” in turn comes from a conjunction of two other Latin words, “ex” meaning “out” and “ducare” meaning to “lead”.

The reason for this diversion is to point out that right from the very origin of the word itself, a great deal of the meaning of “education” revolves around leading and leadership. This still applies today to all forms of education including education in Information Governance.

Cultural shift

To change an organization’s culture requires more than simply adopting new tools and technologies. In many ways, adopting an Information Governance solution such as GlassIG is the easy part of implementing an IG program (and we are committed with each new release to continue to make it easier and easier). However, not even GlassIG can help an organization to add a governance layer to its information if staff remain unwilling or unable to adapt their habits and behaviors.

Cultural change is therefore necessary but not guaranteed as part of an Information Governance rollout. It will require change management and in particular a program of education. In other words, the organization must be led out of its former state where unmanaged information use was the norm, and everyone arranged their information to fit themselves, into a new state where information is governed for the benefit of all.

There are lots of educational and change management resources available out there, so instead of attempting to give all of the possible ways in which you could approach and adopt education in Information Governance, we would like to challenge you to think about new and different ways in which you can educate others in Information Governance. Here is an example that we came up with:

Gamification

For the organization’s Information Governance program to succeed, staff must be committed to putting it into practice. This means that they must not only see the benefits and advantages it brings to the organization, but also the benefits and advantages it brings to themselves and their careers. Think about how to motivate staff to better adopt Information Governance through rewards-based schemes – even, if possible, through gamification.

More and more, gamification is being used to motivate people to keep their email inboxes clear, reach fitness and health goals, and to complete tasks and challenges. Why can’t the same techniques work with Information Governance? We have never seen end-of-year bonuses of company employees linked to how well they have managed their information and filed their documents throughout the year, but why shouldn’t they be? When a staff member adopts good Information Governance hygiene then it is for the benefit of all, not just themselves. What about putting up a picture in your entrance foyer of “The Information Governance Employee of the Month” and seeing if this attracts attention and interest to your IG program?

Back to leadership

If education is about leadership then that means the organization’s Information Governance officers and its Information Governance team must become leaders ready to lead the organization forward into the future – a different future to the one that the organization faces today. This is a serious undertaking. If you are reading this and you are a Records Manager, Information Officer, or other information professional then do you have the leadership qualities you need to be a leader in your organization?

Are you prepared and able to empower staff to work towards your Information Governance vision? Are you prepared to fight for the resources you need to put in place an Information Governance strategy? Are you able to put together a strong business case to successfully bid for a budget to undertake an Information Governance program to put that strategy into practice? And are you ready for the hard slog of implementing that program, if necessary over multiple years, and educating, educating, educating until Information Governance is accepted and adopted across the whole organization from the executive level to the back office?

The rise and rise of Information Governance

In the beginning

Was there really a beginning for Information Governance? If we are talking about Information Governance as a term, then yes it was coined and came into popular use as recently as in the last ten years. If, however, we are talking about the concepts behind Information Governance then they are lost in the mists of time. Surely as long ago as there was recorded information there was also someone trying to manage it, store it, and restrict access to it.

Definitions

As a discipline, Information Governance is closely related to information management and records management. In fact, some would say that Information Governance represents a superset of traditional records management that wholly incorporates RM as well as a number of related information activities, such as ediscovery. But, this simplistic definition needs a little unpicking.

The relationship between information and records

ISO 15489 defines a record as, “information created, received, and maintained as evidence and information by an organization or person, in pursuance of legal obligations or in the transaction of business”. This definition narrows the idea of a record from all information to a specific set of information, specifically an item of information that is related to a legal requirement or business transaction. Many organizations have information and data, important and otherwise, that may fall outside such a narrow definition but is still significant to the organization.

This broader definition of an organization’s information as opposed to only its formal records has been more generally recognized over the last two decades since the original publication of ISO 15489. In the 2000s, Records Management professionals and their professional associations started changing their titles from “RM” to “RIM”, meaning “Records AND Information Management”.

Within the information management community, practitioners also looked beyond the records repository and started seriously talking about what to do with the insubstantial information at the other end of the spectrum from the formal record: namely ROT (the “Redundant, Obsolete and Trivial” information – the sort that fills up our shared drives, SharePoint sites and email inboxes). In the paper days of yore, this information would find its way to the shredder or the bin under the desk. In today’s digital world it hangs around forever, as no one is brave enough to destroy it, “just in case we need it”.

Information Governance then, is built on this broader definition of information. It deals with all of the information within an organization and all of the many uses and directional flows of that information. As a consequence, the brief of today’s Information Governance Officer can range far more widely than that of the Records Managers that came before.

Governance versus management

If the term Information Governance is broader in scope than that of records management, then it is narrower in respect to the whole field of information management. This is because information can be managed on any basis and for any purpose. Information Governance, by contrast, refers only to information that is “governed”, where governance refers to a highly specific management process.

When information is “governed” then it is managed so as to comply with a specific information policy. That is how one governs whether it be people or entities: by establishing a policy covering a particular case and then ensuring that where that policy applies, the entities under governance are so directed as to comply with it. Organizations that practice Information Governance therefore, must do four things:

  • first establish their information policies
  • then apply or associate those policies with their information assets
  • enforce those policies
  • and finally, check the outcome and adjust the policy as necessary

The last step is essential to good governance: a governing regime cannot simply issue policy edicts, it must implement some kind of feedback loop to ensure that its underlying intentions in imposing a particular policy are actually being met.

If this process is not at the heart of your Information Governance practices then what you are practicing is not really Information Governance at all but just another form of information management.

Information Governance is here to stay

Here at GlassIG we believe that Information Governance is here to stay. There are many reasons for this and implementing an Information Governance program for your organization will provide you with many important benefits. But, the main driver for the rise and rise of Information Governance is that it provides exceptional accountability.

Because information must be managed in accordance with an information policy, odd and erratic information management activities are eradicated. Each policy is developed and checked and approved before it is implemented. Each policy can be traced back to one or more policy objectives, for example, to comply with a particular law or regulation, or a specific company directive.

This accountability makes Information Governance activities “defensible”. Each of the steps of policy development and enforcement can be challenged and tested. We can answer important questions such as, why a particular item of information was destroyed, or indeed, why a particular item of information was not destroyed.

Automation

But there is more. Another argument for the future growth of Information Governance lies in the field of automation. There is little doubt that many tasks that were previously performed manually, by humans, will increasingly in the future be performed by automated processes. This is as true for the field of information management as for any other field of human endeavor related to information technology.

Because Information Governance involves the management of information through the setting of well defined information policies it can be seen as an excellent candidate for full or partial automation in the future. In fact this is already being done to some extent in Information Governance solutions today, including in GlassIG.

In part this is because automation technologies and algorithms continue to improve, but it is also made necessary because of the exponential growth in the amount of information produced and consumed by modern organizations. Manual processes, staffed by humans, simply can no longer do the work necessary to directly manage an organization’s information assets. This can be readily seen in the many organizations that are struggling to maintain control over their digital information, and the several who have lost control altogether.

Fortunately, through the implementation of an effective Information Governance program this control can be regained. An Information Governance program, combined with intelligent automation, enables the modern organization to work smarter rather than harder.

What have we learned about Information Governance? 1 of 3

Information Governance Objectives

Information Governance, even if still not recognized as an official discipline by key market analysts, is nevertheless winning a huge battle: to be recognized and adopted as a key corporate program by top level management and information managers. There are different approaches to building an Information Governance program, but the good news is that there is a clear consensus around its objectives:

  • Minimize Risk,
  • Minimize Cost, and
  • Optimize Value.

These three indicators all need to be set and evaluated by organizations engaged in an Information Governance program, based on their expectations and requirements, and included as part of their program scorecard.

The technologies around Information Governance that exist today allow organizations to assess cost and risk factors quite effectively. But there is still a long road to travel before we see accurate and easy valuations of an organization’s information assets. We are waiting for new approaches and models such as Infonomics to emerge.

Information Governance is not a short-term initiative, but a long-term program

Top level management need to take into consideration that the introduction of an Information Governance program is not a quick fix to the organization’s information and compliance ills. Once introduced, an Information Governance program will remain with the organization for life. An Information Governance program should be compared to the organization’s corporate governance program or its health and safety program: as something permanent that the organization will always have. This means the establishment and operation of an Information Governance program needs a strong commitment from the executive suite and drive from key sponsors to make it happen, and make it continue. Selected departments from Legal to IT, and from Finance to key Business Units, must commit to the program and must collaborate to make it a success.

Who drives the Information Governance program?

Because Information Governance needs to be owned and driven by a program manager with strong collaborative skills and information management competencies, it is often thought of as something only large organizations can invest in; organizations with the necessary resources such as the Records Managers.

However, small and medium businesses also have compliance issues to manage. They also operate under regulatory scrutiny and they also want to maximize the value of their information. An Information Governance program for these businesses is therefore just as important, but their requirements may differ. For example, small to medium businesses often make faster decisions, as their time-to-market is their unique opportunity for growth. These businesses will need a solution able to support their requirements and their limited information management and IT resources.

Today, who drives the Information Governance program is not an easy decision to make. Information management professionals are fighting to get a seat in the boardroom, and to have their role in the organization valued and recognized, while information owners and content owners in Business Units or Functional Divisions are struggling to understand key concepts of Information Governance, such as information lifecycles and retention schedules. There is still a long way to go!

Where is the value?

From analysts’ reports and customer surveys, we know that there is a clear need for a new way of managing information. Information is everywhere and organizations are still fighting to extract quantifiable value from it that can add to their bottom line. Worse than this, organizations often don’t even realize how their legacy information may expose them to risks, and the dangers of non-compliance. As a result, many organizations underestimate the opportunity for an Information Governance program to transform their compliance concerns into a proactive approach.

Growth in the number and extent of laws and regulations forces companies to be more vigilant or face expensive penalties. It is important that they are able to interpret and apply these laws and regulations with the same efficacy and transparency as they do their internal information policies.

Conclusions

Information Governance is still an emerging discipline, and still very broad in terms of the technologies available. Many suppliers, from software to service vendors, try to sell their products by positioning them under the Information Governance umbrella. One example is the attempt to widen the appeal of eDiscovery tools and services. Law firms and software vendors from that market are trying to enter the Information Governance landscape, but with a more complex message and a temptation to consider only the risk management component that should be part of a more comprehensive Information Governance program. That doesn’t help organizations to benefit from one unified view on Information Governance.

That is why we need to redefine Information Governance, to bring it back to basics and focus on what organizations really need.

 

To find out more, read part 2.

2016 will be a tipping point in the Information Governance Space

2015 was the year in which Information Governance became mainstream. Data hacks / breaches are now so common, we shrug them off. (Most recent example here: 191 Million US Voter Registration Records Leaked). Facebook privacy settings, “The Cloud”, and ownership of corporate / government email records are now acceptable terms and topics in general parlance. People CARE when their personal information goes to places where it shouldn’t.

What does that mean for 2016 in the Information Governance and Records Management spaces?

Decentralization of Content Management Systems and Programs

For upwards of 20 years, ECM has been promising to centralize our information. Keep it in one place, apply a single set of policies to that information, and trust the system to manage content access and life cycles. And for 20 years, information producers and consumers have found their requirements were not met. Need more evidence? EMC was talking about killing Documentum, and replacing it with a set of content management applications. Then Dell bought EMC, and has yet to express any interest in remaining in the ECM space. (A nice summary, here: The Fate of Documentum.) As a result, large companies have found themselves maintaining dozens of departmental-level content systems, each thinking it was the King of its own domain.

I have always likened those who create and use content to water: both will find their way, both will choose the easiest path, and most importantly, both ALWAYS win, in the end. They will not be denied. In 2015, users learned that the easiest path went to the Cloud. Dozens of RSD customers maintain content in public or private clouds. In some cases, this was a corporate-sponsored initiative; in others, it just… sort of… happened. Either way, the result is now the newest buzzword in our space: Hybrid. Here’s a challenge for you. Research what Microsoft says about SharePoint 2016, and see how long it takes for them to say or write “Hybrid”. I’ll wait. It won’t take long.

Companies have content sitting inside and outside of their infrastructure, in shared environments, and in data centers over which they have absolutely no control. This trend is not reversing itself. On premise systems have embedded themselves, and they will not be quickly displaced. The adoption of Cloud-based systems is increasing. In 2016, information will, more than ever, be everywhere.

The question we must answer then, is this: how do Information Governance programs evolve to accommodate an increasing diversity of content systems?

Policy to Enforcement

It used to be said that companies were better off having NO policy (no retention schedule, no formal information management practices) than having a policy that was not adhered to. The natural conclusion, then, was unsaid: “Don’t have a policy unless you are willing to enforce it.” While it might seem strange to us as RM professionals, many companies chose precisely that path. They did not hire RM or IG expertise, and chose willful ignorance as the least costly, most easily implemented approach. They were wrong. We saw a shocking number of such companies come to us for assistance in developing IG policies, or revamping information classifications and retention schedules that had been defined a decade ago (and largely ignored since). This is progress.

The pain has been felt, the remedy prescribed. The trend in 2016, then, will be in the direction of actually, actively, even pro-actively enforcing the policy.

Large, Centralized Information Governance Projects

I’ll wrap up with a mental exercise for you: meld these two challenges in your mind. Decentralization of content and content management practices, overlaid against increased attention on enforcing policy. How do companies manage both?

In the past, our answer was to undertake a centrally sponsored (and therefore funded) corporate-wide Information Governance initiative, whose end result was to place all corporate data under governance. This is ambitious, and without the right level of sponsorship, virtually impossible. Our analyst friends at Gartner and Forrester keep telling us they are still waiting for their first case study.

In 2016, we see a new trend emerging: just as the content management systems and practices become decentralized, so do governance projects. In the past, this was impossible, with governance platforms aimed at the corporate-level (and priced accordingly). We see a trend towards reducing the barrier to adoption, allowing department-level records management teams to undertake these projects at a much smaller scope (and, naturally, budget).

What will this look like? We believe that over the long-term, Information Governance will become a service to be subscribed to, like Security / Directory Services or other SaaS offerings.

2016 – A Tipping Point for Information Governance

If 2015 was the year in which IG concepts became mainstream, then 2016 will be the year in which IG projects themselves become equally commonplace. Consider: over Thanksgiving, I explained the concept of “metadata” to my father, who is now 82 years old. I cannot imagine having that conversation with him when I first joined RSD in 2010. And yet, the ubiquity of IG failures has brought a new awareness to what we do, and what we’re about. We (RSD and our industry at large) must be primed to meet these demands. We have some exciting developments to share with you in the coming weeks and months, which will enable our customers to get and remain ahead of these challenges, not just in 2016, but in the years and decades to come.