Tagged: Social Media

Updating Our Information Governance Survey

Building off of the Information Governance survey we did last year, eDJ Group and my firm, ViaLumina, are conducting another survey on Information Governance, and we would really appreciate your participation. This survey should take 5 minutes or less. As a thank you for participating, you will be entered into a drawing for a $250 gift card. As a reminder, I have included below some of the most interesting infographics that we generated based on our last survey – please feel free to steal them and use them in your presentations (with proper attribution of course) as you build your case for Information Governance.

Defining Information Governance

Is Autoclassification the Future of Information Governance

Growing Pains in Information Governance

What we need, suggests Brenda Zimmerman, a professor at Schulich School of Business in Ontario, is a distinction between the complicated and the complex. It’s complicated, she says, to send a rocket to the moon — it requires blueprints, math and a lot of carefully calibrated hardware and expertly written software. Raising a child, on the other hand, is complex. It is an enormous challenge, but math and blueprints won’t help. Performing hip replacement surgery, she says, is complicated. It takes well-trained personnel, precision and carefully calibrated equipment. Running a health care system, on the other hand, is complex. It’s filled with thousands of parts and players, all of whom must act within a fluid, unpredictable environment.

It’s Complicated: Making Sense of Complexity, New York Times, May 1, 2010.

My wife is a contemporary artist (let’s leave aside the painful discussion of what “contemporary,” and “art” mean), so I spend quite a bit of time in the art world. An article today about FaceBook initially banning – then allowing – a nude drawing from an academic life drawing class caught my eye. I find it nicely ironic that the New York Academy of Art successfully used social media to make the social media giant squirm. I also think FaceBook’s rationalization is pretty entertaining. To summarize: “We ban nude photographs, not drawings. But, the drawing was so lifelike, our reviewer thought it was a photograph, so he banned it. So, take our banning as a compliment.”

Get that guy a job in PR! Oh, wait, he already has one.

In any case, this little story is a perfect representation of why creating and enforcing IG policy is complex. Many suffer from an oversimplification fallacy when it comes to IG. I don’t blame them, it’s a perfectly reasonable defense mechanism against the true complexity of IG (parts of it are merely complicated; see above). In other words, there is a strong temptation, when faced with the complexity of IG causes and solutions, to claim that there is a single cause, or a single solution. There isn’t.

Further, IG is a moving target, and the problems only get more difficult as an organization grows and matures. This is the problem that FaceBook is, uh, facing. You start off with a simple policy – no nudity on FaceBook – but then one day you wake up and a NY art school is berating your art-hating, censorious ways. Now, like any other organization (company, government, country), FaceBook – as a result of its success – requires a more mature, fine-grained, sophisticated and gasp . . . complicated approach to the issue.

The same thing happens with IG. For example, we typically start off with no email policy. That’s a disaster, so we impose mailbox size restrictions. That’s a farce, so we impose a 90 day deletion policy. That breaks, because now we have PST files growing across the company like black mold and orange ooze, so we turn off PSTs. That breaks, so we get email archiving and turn on unlimited email storage space. That breaks, so we apply our retention schedule in the archive. Etc. etc. etc. Each of these approaches may have worked for a time, but as the company grew, the volume of mail grew, the operating environment got more complex, and a more sophisticated approach was needed.

Maturity models are one way through this – helping us decide how much governance we need, and when we need it. There are plenty of them in the IG space, including ARMA’s, MIKE’s, and several from vendors, so take a look at those. But realize that success and growth will inevitably make your IG environment more complicated. I’m willing to bet that you are already behind – the complexity of your information environment outstripping your ability to manage it. Also, remember that forces outside your control are also conspiring to make the problem more complicated: more regulation, increasing information volume, and growing complexity in the IT environment are a few of those factors.

Now, I don’t want to leave you with the impression that the solution to complexity is more complexity. Some believe that complexity reaches a threshold where the only possible solution is a set of simple, high-level principles (or Checklists). For example, the paragraph I quoted above finishes with, “It takes a set of simple principles that guide and shape the system. For instance: Teach everyone the best practices of doctors who are really good at hip replacement surgery.”

This may be true. But, it still leaves the complicated problem of ensuring that these principles are actually implemented in our technology and human environment.

A Stench Gas Warning System for Information Governance?

“The most commonly used fire warning system in underground metal and nonmetal mines is the stench system. It employs the injection of a stench into the ventilation system or compressed air lines for carrying the fire warning signal to the underground miner.”

One-Way Fire Warning Alarm System for Underground Mines, Kenneth E. Hjelmstad, Mark A. Ackerson, U.S. Bureau of Mines. (pdf)

I took a little vacation time last week and ended up in the interior of British Columbia near a small resort town. Outside the town is a former lead and zinc mine – formerly one of the world’s largest (earning over $60 billion in revenue over 100 years). They have done a nice job of setting up a mine tour using the former crew train to transport you inside the mine and ex-miners as guides.

We hadn’t intended to go, but the train cleverly departs close to the town center, and as soon as our 3 year old son saw it, we “were done fer.” It was a good experience, and we learned some interesting things. Like, for example, although the mine focused on zinc and lead, it also produced silver – every ounce of which was bought by Kodak for producing film. According to the guide, these ancillary sales of silver entirely covered the cost of operating the mine – the rest was gravy.

But, the most interesting thing I learned was about the “stench gas warning system” – a system used for warning miners if there was a fire in the mine. This is a simple but effective system that has been used for decades: when there is a fire, Ethyl Mercaptan is released into the mine’s air supply system. The rotten egg smell pervades the entire mine within minutes (depending on the size and shape of the mine and the way it is ventilated), and upon smelling the stench, miners head to refuge areas, as they have been trained to do.

I thought this was a fascinating, low-tech way to transmit a message. Newer wireless technology that uses repeaters through the mine, low-frequency communications that travel through rock, and other systems have been developed to enable communication throughout the mine, but the stench gas system continues to be used, at least as a backup.

This, of course, got me thinking about information governance (hey, the fun never stops, even on vacation).

Like these mines, our businesses have a stench warning system for information governance. These are the events and situations that tell us that something is seriously wrong with the way we are managing our information, and that disaster is impending. However, unlike miners, we haven’t been trained on how to react properly when we smell the stench of poor information governance.

What are the stench warning systems for information governance? Here are some that come to mind:

  • Your shared drives are full of unclassified, unmanaged, duplicate, and unnecessary information
  • You have little or no governance on your SharePoint sites, allowing anyone to create a site without any rules about provisioning, sun-setting, classification, or retention of content
  • You allow “Shadow IT” to flourish, turning a blind eye to consumer-grade technology in your enterprise without any consideration of its risks and rewards. After all, the employees like it.
  • You have no idea how much you really spend on litigation and e-discovery
  • You have no idea how many ongoing lawsuits you currently have
  • You think that IT is taking care of the information problem, but IT thinks that information is each department’s problem
  • Your solution to “email management” has been to enact blanket mailbox size restrictions

What do you think? Does the metaphor hold, or did I spend too much time down in the low oxygen environment of that mine?

Social Media in the Military: What Can It Teach Us?

I recently spoke with a Department of Defense contact about the internal battle currently being waged at DoD over the use of social networking. Sites like FaceBook have become a critical way for warfighters to stay in touch with friends and family, but of course the only way for soldiers to use such services in many theaters (including Afghanistan and Iraq) is through networks provided by their employers. And, some of their employers are not fans of FaceBook.

The battle he described (and as described in published reports – I’m not revealing anything secret here) sounds like the same battle occurring inside corporate America. The “old guard” takes a hard line, saying “we’re fighting a g*damned war here, these kids don’t need to be on the Internet,” and the “new guard” says, “hey this is the new reality, suck it up” (it seems like the Chairman of the Joint Chiefs of Staff is part of the new guard). Both are right, in their own way, which is why the middle ground must be fought for.

After all, here are the facts:

  1. Most organizations ask a lot of employees, i.e., working long hours, traveling for business, and being constantly available.
  2. Employees need to have personal lives, or they will no longer be our employees (or at least, not happy, productive ones – especially millennials).
  3. Communication with friends and family is essential to having a personal life.
  4. We don’t block all non-work telephone calls, or (in most cases) prevent our employees from having personal cellphones.
  5. Yesterday’s telephone is today’s social networking tool.


  1. Organizations are generally liable for their employees’ use or misuse of their assets, i.e., everything from company cars to the company’s computer networks.
  2. This liability and risk extends to information technology, including social networks.
  3. If we allow social networking tools, we must identify and manage that risk.
  4. Social networking tools ARE different than the telephone, in that all communications are inherently recorded. So, we have to deal with this recorded information.

The worst of all worlds is that we turn a blind eye to social networking and allow employees to do whatever they want. On the one hand, this fails to maximize the potential benefit of the technology by not encouraging and facilitating its use, and on the other hand, buys all the liability and risk.

There are only two options.

One, don’t use it at all. Ban it, control it, shut it down.

Two, legitimize its use through policies, training, and technical controls to minimize the downside, and then encourage and incorporate its use to maximize its benefit.

Apathy is no excuse, and hope is not a strategy. Get on top of it today. Hmmn, how many more clichés can I leave you with?

UPDATE: The DoD has released a policy regarding secure use of social media. Excellent coverage here.

More on Blogging Disclosures

Following up on this post about new FTC guidelines affecting the disclosures that bloggers may need to make.

A new post on blogcatalog provides some useful insight:

As of December 1, 2009, new FTC guidelines went into effect requiring bloggers to disclose any time they are compensated for endorsing or reviewing products or services. Bloggers should now be disclosing any time they receive payment, free products or services, or perks in return for a post on their blogs. Also any relationship with a company or organization that can be viewed as creating a conflict of interest should be disclosed. It is also a good idea to add disclosures to any past posts that still receive a decent amount of traffic.

The post also points to a website that apparently provides ready-made disclosure language.

War in Cyberspace is Real

Some eye-opening stuff from presenters at the Raytheon Cyberstrategies seminar that I spoke at today. Richard Stiennon was impressive with his personal stories about some of the most notable “cyber warfare” events of the past couple of years, including the debacles in Georgia and Estonia, and of course the latest developments in the Google/China story. One of the minor points of Richard’s presentation (but one I found fascinating) was that cyber warfare is “asymmetrical,” i.e., the cost of mounting an attack is trivial whereas the cost of defending against an attack is monumental. The term asymmetrical warfare entered most people’s vocabularies (including mine) post 9-11 to describe terrorist vs. military conflict, but I had never connected the dots from the physical to the virtual world.

Mike Theis gave one of the more insightful presentations I have seen around security pitfalls and strategies for social networking tools. Although the temptation for many organizations – especially those that are the most security sensitive – may be strong to simply block these technologies, they are missing out on the tremendous value they can provide. Mike pointed to three fundamentals for tackling this issue: 1) getting better at judging trustworthiness in the digital world, 2) making sure that the controls we have over information access are properly tuned and tailored, and 3) ensuring that we have the ability to adequately monitor what is happening inside our own institutions.

I think my presentation was a good fit. I focused on how we can create and manage information in a trustworthy way. I talked about some recent developments that demonstrate that this challenge is only getting more difficult and complex, and laid out my thinking on a strategy for tackling this problem.

I don’t use PPT slides as a teleprompter, so I’m not really sure that the slides have much value without the audio, but perhaps you might find some value in them. I’ve embedded it below.