Does your content management strategy put you at risk?
For several years, Delphi Group has been cautioning organizations about the danger of innocently assuming that their content is in any deep sense "secured" simply because they have an enterprise content management (ECM) solution in place.
With the volume of content and the speed of business today, it is unreasonable to expect workers to be the watchful eye and point of enforcement, ensuring that information that should be kept private and/or protected remains in a secured state. Many organizations still have no way of differentiating between accidental content exposure (e.g., e-mailing private information to the wrong person: the Joe Smith outside the company rather than the Joe Smith inside) and purposeful content leakage (e.g., selling credit reporting information to collections agencies), or, for that matter, of knowing that either scenario has occurred until well after the incident. The problem of "who is watching the watchers" is one of many that develop when the responsibility for content security is pushed down to individual workers. Scalability, basic awareness and enforceability of security policies are simply not reliable when they depend on purely human effort.
With the flurry of news stories about identity theft, lost records and lawsuits revolving around the inappropriate handling of e-mail, Delphi Group wanted to quantify how organizations are securing their online content, and whether their existing policies and systems are serving them adequately. Therefore, we conducted a survey in which 458 individual companies responded to 22 questions. The results were astounding. When asked if corporate content was subject to intentional or unintentional unauthorized usage, 40 percent of respondents admitted they had no idea. Forty-one percent of respondents acknowledged that internal, external or both internal and external parties had accessed content without authorization. As many classic surveys (such as the oft-cited CSI/FBI surveys) have revealed over the years, the "insider threat" is cited twice as often (14 percent) as external threats (7 percent) from hackers or crackers.
In total, 81 percent of the survey respondents admitted to incidents of information leakage/exposure. Companies that had not experienced an incident acknowledged having reason to be concerned, simply because they have no idea of their level of exposure to a threat, nor confidence in their ability to prevent, detect or react if one should occur. Clearly there is much work to be done.
If that news weren't dire enough, the vast majority of respondents (63 percent) admitted they had no appreciation of the dollar value risk they faced from potential threats. How could they? Most had no compliance mandate or other external requirement to address the area of risk, and those who did saw compliance as an isolated issue. Indeed, it is difficult to balance return on investment (ROI) against the range of possibilities of zero risk to infinite risk. Risk management (risk identification and quantification being the first steps to managing risk) continues to play a fairly low role in organizations, judging from practical experience with clients and from the survey group's point of view.
As a result, there is confusion in the marketplace over how to secure online information. Half (47 percent) of the survey respondents claimed they are directly addressing content security in their organizations. Yet nearly half (a full 45 percent) reported that the implementation timeline for a strategy to secure business content is undetermined at this time. Those seemingly diametrically opposed findings illustrate the confusion within client organizations today.
How does an organization begin to resolve that risky issue? When is such an investment justified? The best approach is to develop a specific strategy that looks at needs across all user types, content types and business drivers. When that is done, an investment made in one area can be highly leveraged across other areas, and that generates a powerful and responsible ROI. For example, solution components used to meet compliance issues are leveraged into new business opportunities, which in turn stimulate the capture and sharing of internal knowledge. If on the other hand, an organization addresses security of content strictly as a compliance issue, the solution cost may indeed be smaller, but the solution will be siloed and the ROI will be more difficult to obtain, and in some cases, impossible. By addressing security of content as a silo, the potential for redundant efforts and holes in the content control between separate systems becomes a real threat.
It is far more effective to address content security holistically. Delphi Group calls that approach dynamic information access control. Policy-driven and implemented using a combination of multiple point technologies in tandem, dynamic information access control provides more than just a single business solution and more than just security of content. It is a life cycle approach that protects information (content or data) as it maximizes the value derived from that content. In doing so, the enterprise is able to extend the investment in technology across multiple business settings.
The approach begins with a diligent needs assessment across all sources of content enterprisewide. Each content source must be evaluated for the degree of risk it poses to the organization if it is inappropriately accessed, and/or made available without qualification and tracking. Consider whether the threat is well articulated and understood, and whether the current approach to managing the threat is valid. The potential risk posed by access to specific content also needs to be weighed against the cost and validity of the security approach and the cost of inhibiting access.
It is important that both security spending and the degree of security are balanced against the ability of the business to function. Tightening security too much merely threatens workers' ability to do their jobs. The pressure to "get the job done" stimulates enterprising workers to find creative workarounds to overly zealous security. Ideally, security should transparently support both the worker and the organization, in accordance with its overall governing principles.
No single technology
Today, there is no single source solution to the issue from a technology standpoint. Indeed, when asked to identify the technologies targeted for securing content, survey participants offered a broad range of options, from user authentication to enterprise rights management. Delphi Group's definition of dynamic information access control depends on multiple technologies including:
- document management (DM),
- Web content management (WCM),
- business process management (BPM),
- enterprise and/or digital rights management (DRM),
- identity management (IdM),
- content authentication (CA),
- contextual information filtering (CIF).
It is the integrated total of those individual solutions that makes dynamic information access control successful. The enterprise ensures the trustworthiness of content via content authentication, as it ensures that employees are operating from the latest version (DM) and not an expired copy (RM) of company policies. It is always possible to find the original author or owner of the content (IdM), as well as the process (WF and BPM) in which the content is involved. In customer-facing applications, having content publishing processes that certify the authenticity of content (tracing the chain of authorship and approval) prevents faulty content from ever being seen by customers, side-stepping the mess that several airlines recently encountered by inadvertently offering airfares for far less than operating costs. Content authentication coupled with suitably intelligent publishing rules (e.g., flights should cost no less than $x) would prevent such embarrassing mistakes.
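The publishing gate described above, as an added illustration that is not Delphi Group's code or any product's: a content item is released only if every role in the required approval chain has signed that exact content and the item passes a business rule such as a fare floor. Per-role HMAC keys, the role order and the $50 floor are constructed assumptions standing in for what an identity and rights management system would supply.

```python
import hashlib
import hmac
import json

# Constructed: in a real deployment these keys live in the IdM/DRM layer, not in code.
ROLE_KEYS = {"author": b"author-signing-key", "approver": b"approver-signing-key"}
REQUIRED_CHAIN = ["author", "approver"]  # assumed approval order


def canonical(content):
    """Serialize content deterministically so a signature binds to its exact fields."""
    return json.dumps(content, sort_keys=True, separators=(",", ":")).encode()


def sign(role, content):
    """Sign the content on behalf of a role; this records one step of the chain."""
    return hmac.new(ROLE_KEYS[role], canonical(content), hashlib.sha256).hexdigest()


def verify_chain(content, signatures):
    """Every required role must have signed this exact content, in the required order."""
    if [s["role"] for s in signatures] != REQUIRED_CHAIN:
        return False, "approval chain incomplete or out of order"
    for s in signatures:
        expected = sign(s["role"], content)
        if not hmac.compare_digest(expected, s["sig"]):
            # Content was edited after this role signed it, or the signature is forged.
            return False, f"signature by {s['role']} does not match content"
    return True, "chain verified"


def check_rules(content, min_fare):
    """Business rule from the article's example: a fare may not be published below a floor."""
    if content.get("type") == "fare" and content.get("price", 0) < min_fare:
        return False, f"fare {content['price']} below floor {min_fare}"
    return True, "rules passed"


def can_publish(content, signatures, min_fare=50):
    """Gate publication on authenticity first, then on the publishing rules."""
    ok, why = verify_chain(content, signatures)
    if not ok:
        return False, why
    return check_rules(content, min_fare)


if __name__ == "__main__":
    fare = {"type": "fare", "route": "BOS-LAX", "price": 120}  # constructed sample
    chain = [{"role": r, "sig": sign(r, fare)} for r in REQUIRED_CHAIN]
    print(can_publish(fare, chain))
```

A price edited after approval invalidates the existing signatures, so the fare cannot slip through on the strength of an earlier sign-off.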
Orchestration of those technologies into a cohesive dynamic information access control solution requires the support of the enterprise through policies, procedures and disciplines. The application of business rules on and within content provides intelligent assistance so employees automatically "do the right thing" (auto-correction or prevention as warranted). Or, employees are informed of corrective actions to safely create, use, disseminate, modify or destroy content in their business setting. While it is possible to buy/obtain generic "compliance policies" for many current regulatory concerns, organizations should be wary of simply consuming those rule sets whole. It is important to take the time to make certain that the technical interpretation of the rules agrees with your organization's legal interpretation. Otherwise, you may just be automating your way into legal snafus.
Corporate governance
The real power behind dynamic information access control is a clear set of corporate policies and procedures that are augmented and enforced by specific and calculated deployment of appropriate technology. Take the time to develop a corporate information management governance document to be signed by each employee; the signature acknowledges awareness of the policy and a commitment to comply with it. The governance document needs to clearly spell out which forms of content are covered by the governance model, the approaches taken for each form of content (authoring, sharing, destruction), search and discovery models, approaches to rights management, filters that are used, standards enforced, responsible parties for each facet of the governance and the ramifications of any violation of the governance model. If the suggested tone of the governance document sounds most serious and foundational--it should.
The coming of age of electronic communication and documentation in the business environment has morphed the world in many ways. Those changes have ushered in a new set of opportunities and challenges. One of the largest is applying new approaches to managing and securing business content and communications in a way that fosters business opportunity but does not leave the individual or the organization vulnerable to theft, fraud and government-imposed penalties. The vigilant and responsible business leader will address the securing of business content head on, embracing the tenets of dynamic information access control. By doing so, he or she turns security from a control issue into a catalyst to leverage, share and increase opportunities through effective electronic communication and processes, in a protected environment.
Carl Frappaolo is a co-founder and head of consulting for Delphi Group (delphigroup.com, a Perot Systems Company), e-mail cf@delphigroup.com.