A CISO, GC, and Records Manager walk into a bar.
The CISO says, “Can you believe a guy just tried to sell me a tool that can guarantee when intellectual property is about to leave my network?”
The GC says, “That’s hilarious, I just talked with a man who told me his software can tell me exactly where the smoking guns are amongst my entire corpus of data.”
The Records Manager says, “That’s odd because I just read about a solution claiming it can scan all my files and classify records according to my file plan.”
The trio quickly realized they were all talking about the same solution. Of course, such “all in one” claims will cause many of us to drop to the floor, rolling with laughter. Yet the statement above, while not remotely imaginable even a few years ago, is not that far off today.
CISOs have no problem getting attention. Every hour of every day brings another headline that keeps them up at night. Most recently, Goldman Sachs accidentally sent highly confidential information about its brokerage clients to a Google account and immediately went into damage control, asking Google to block access to the email and to delete it. This type of exposure will continue to increase as the amount of sensitive information increases, as the number of locations in which sensitive information is stored increases, and as the number of channels through which sensitive information can be passed increases.
Breaches are happening every day around the world.
GCs have a sleep schedule similar to the CISO’s. However, their greatest challenge is identifying, controlling, and sifting through gigabytes of business documents typically associated with eDiscovery and large-scale investigations. Doing so with a defensible process only adds to the Sominex bill.
The sheep-counting culprit is not only the amount of unstructured corporate information (growing by at least 60% per year per IDG and by 800% over the next 5 years per Gartner), but also that this information increasingly exists in new, often unmanaged data types such as social media, IM, and mobile.
Records managers face a more insidious threat in that co-workers often choose the path of least resistance when it comes to records management, and this means any remotely complex policy will be casually ignored or circumvented. The consequences are tangible and often quantifiable when the company is in a regulated industry such as healthcare.
When I spoke to Jason R. Baron, former law of records management Jedi of NARA and now Of Counsel at Drinker Biddle & Reath LLP, he described the solution (and problem) of records management in the most elegant fashion. Paraphrasing, there are two requirements for records management to work: 1) simpler policies, 2) machine assistance.
While Jason is doing great work in helping firms simplify policies, it will be up to technology firms to ante up with usable, workable, and scalable machine-assisted technologies to address the second requirement.
Considering Jason’s points and listening to customers talk about their concerns around security, privacy, compliance, and records, it’s clear to me that there is an Informational Convergence taking place where corporate information, regardless of its business use or risk profile, is increasingly in need of a common, firm-wide classification. This means centralized classification that can be shared across all groups, stakeholders, or leaders, be they CISOs, GCs, or records managers.
Impossible? Conventional wisdom divides departments into distinct groups, each possessing its own unique view of information and what it means. The joke works because CISOs think differently from GCs, who in turn differ from records managers. Or do they? The tenth time I heard a CISO ask if our DLP technology could be used to help their current records classification efforts, I raised an eyebrow. Once ten records managers asked about the possibility of flagging records for security violations, I realized that the market is ignoring conventional thinking.
The Informational Convergence of Information Governance (IG) provides a holistic view across every information-driven department. Each department is asking for the same thing in its own way, and soon companies will realize this. As thought-leading technology firms, we need to enable them.
An equally important side effect of Informational Convergence is the need for IG platforms to support more sophisticated and cloudy ecosystems. Business-relevant, cloud-based repositories are also corporate content containers and exposure points. Their rising popularity demands that the most advanced IG platforms support them as well as conventional repositories. Solutions like Box, Dropbox, or OneDrive contain records and legal content, and represent risk like any other repository.
There are actually several punch lines to this joke. The saddest version is that no one knows what the records manager thinks about the solution because they forgot to invite him to the meeting. As noted above, this only makes everyone’s job harder because proper records management helps everyone in the end.
I’ll also note that some to whom I’ve told this story have immediately declared it a lie. That it’s all just a dream. Not because the notion of Informational Convergence is too complex to conceive. No. It’s because no one would ever believe these three individuals would be caught socializing.
- Stephen Chan
Stephen leads products for the Information Governance team at Proofpoint. Successfully merging 15 years of expertise in the areas of e-discovery, compliance, and records management together with their most relevant technologies, Stephen drives thought leadership in the industry and has advised the SEC and Global 1,000 organizations. Prior to Proofpoint, Stephen was co-founder of several enterprise and consumer software firms, served as primary investigator on two government funded research projects, and has been published in over twenty magazines and books. Stephen is a graduate of the University of California at Davis and Harvard University.