What we need, suggests Brenda Zimmerman, a professor at Schulich School of Business in Ontario, is a distinction between the complicated and the complex. It’s complicated, she says, to send a rocket to the moon — it requires blueprints, math and a lot of carefully calibrated hardware and expertly written software. Raising a child, on the other hand, is complex. It is an enormous challenge, but math and blueprints won’t help. Performing hip replacement surgery, she says, is complicated. It takes well-trained personnel, precision and carefully calibrated equipment. Running a health care system, on the other hand, is complex. It’s filled with thousands of parts and players, all of whom must act within a fluid, unpredictable environment.
My wife is a contemporary artist (let’s leave aside the painful discussion of what “contemporary,” and “art” mean), so I spend quite a bit of time in the art world. An article today about FaceBook initially banning – then allowing – a nude drawing from an academic life drawing class caught my eye. I find it nicely ironic that the New York Academy of Art successfully used social media to make the social media giant to squirm. I also think the FaceBook’s rationalization is pretty entertaining. To summarize: “We ban nude photographs, not drawings. But, the the drawing was so lifelike, our reviewer thought it was a photograph, so he banned it. So, take our banning as a compliment.”
Get that guy a job in PR! Oh, wait, he already has one.
In any case, this little story is a perfect representation of why creating and enforcing IG policy is complex. Many suffer from an oversimplification fallacy when it comes to IG. I don’t blame them, its a perfectly reasonable defense mechanism against the true complexity of IG (parts of it are merely complicated; see above). In other words, there is a strong temptation – when faced with the complexity of IG causes and solutions, to claim that there is a single cause, or a single solution. There isn’t.
Further, IG is a moving target, and the problems only get more difficult as an organization grows and matures. This is the problem that FaceBook is, uh, facing. You start off with a simple policy – no nudity on FaceBook – but then one day you wake up and a NY art school is berating your art-hating, censorious ways. Now, like any other organization (company, government, country), FaceBook – as a result of its success – requires a more mature, fine-grained, sophisticated and gasp . . . complicated approach to the issue.
The same thing happens with IG. For example, we typically start off with no email policy. That’s a disaster, so we impose mailbox size restrictions. That’s a farce, so we impose a 90 day deletion policy. That breaks, because now we have PST files growing across the company like black mold and orange ooze, so we turn off PSTs. That breaks, so we get email archiving and turn on unlimited email storage space. That breaks, so we apply our retention schedule in the archive. Etc. etc. etc. Each of these approaches may have worked for a time, but as the company grew, the volume of mail grew, the operating environment got more complex, and a more sophisticated approach was needed.
Maturity models are one way through this – helping us decide how much governance we need, and when we need it. There are plenty of them in the IG space, including ARMA’s, MIKE’s, and several from vendors, so take a look at those. But realize that success and growth will inevitably make your IG environment more complicated. I’m willing to bet that you are already behind – the complexity of your information environment outstripping your ability to manage it. Also, remember that forces outside your control are also conspiring to make the problem more complicated: with more regulation, increasing information volume, and growing complexity in the IT environment a few of those factors.
Now, I don’t want to leave you with the impression that the solution to complexity is more complexity. Some believe that complexity reaches a threshold where the only possible solution is a set of simple, high-level principles (or Checklists). For example, the paragraph I quoted above finishes with, “It takes a set of simple principles that guide and shape the system. For instance: Teach everyone the best practices of doctors who are really good at hip replacement surgery.”
This may be true. But, it still leaves the complicated problem of ensuring that these principles are actually implemented in our technology and human environment.
I recently spoke with a Department of Defense contact about the internal battle currently being waged at DoD over the use of social networking. Sites like FaceBook have become a critical way for warfighters to stay in touch with friends and family, but of course the only way for soldiers to use such services in many theaters (including Afghanistan and Iraq) is through networks provided by their employers. And, some of their employers are not fans of FaceBook.
The battle he described (and as described in published reports – I’m not revealing anything secret here) sounds like the same battle occurring inside corporate America. The “old guard” takes a hard line, saying “we’re fighting a g*damned war here, these kids don’t need to be on the Internet,” and the “new guard” says, “hey this is the new reality, suck it up” (it seems like the Chairman of the Joint Chiefs of Staff is part of the new guard). Both are right, in their own way, which is why the middle ground must be fought for.
After all, here are the facts:
- Most organizations ask a lot of employees, i.e., working long hours, traveling for business, and being constantly available.
- Employees need to have personal lives, or they will no longer be our employees (or at least, not happy, productive ones-especially millennials).
- Communication with friends and family is essential to having a personal life.
- We don’t block all non-work telephone calls, or (in most cases) prevent our employees from having personal cellphones.
- Yesterday’s telephone is today’s social networking tool.
- Organizations are generally liable for their employee’s use or misuse of their assets, i.e., everything from company cars to the company’s computer networks.
- This liability and risk extends to information technology, including social networks.
- If we allow social networking tools, we must identify and manage that risk.
- Social networking tools ARE different than the telephone, in that all communications are inherently recorded. So, we have to deal with this recorded information.
The worst of all worlds is that we turn a blind eye to social networking and allow employees to do whatever they want. One the one hand, this fails to maximize the potential benefit of the technology by not encouraging and facilitating its use, and on the other hand, buys all the liability and risk.
There are only two options.
One, don’t use it at all. Ban it, control it, shut it down.
Two, legitimize its use through policies, training, and technical controls to minimize the downside, and then encourage and incorporate its use to maximize its benefit.
Apathy is no excuse, and hope is not a strategy. Get on top of it today. Hmmn, how many more clichés can I leave you with?
UPDATE: The DoD has releases a policy regarding secure use of social media. Excellent coverage here.