
Living on the Sharpest Edge Of The Cloud

"Policy comes first. And then the technology—and IT—can decide how to review and apply automation based on the various tags, etc., that the business side has applied. But the business decision should come first, not the technology."

Whether it's a business or a technology decision, the end game is still the same. "Evaluating technologies and evaluating business requirements go hand in hand," said Mary Leigh. "If certain systems don't meet the appropriate business requirements, companies may look to third-party add-ons that help them get there... that extra 20%." But many companies don't make that effort to swallow that last 20%. Many are happy with SharePoint out of the box, and call it good enough. That's the reality for the SharePoint ecosystem.

Making Policy Work

Waiting patiently in the corner is the 800 lb. gorilla glaring at the business community: Security. "Governance is important, but it is there only to mitigate risk. You'll never completely get rid of risk," insisted Mary Leigh. "What organizations need to do, using tools or a combination of solutions, is to get that risk as low as possible." But she admitted that it's an imperfect situation. "There's always a trade-off. You can have a perfect system, but it would cost way too much money. You may be willing to introduce a certain amount of risk in exchange for spending less money," she said. "There's always that balancing act. That's why people are willing to settle for a 'good enough' solution. I can have information management all over my SharePoint environment that prevents employees from saving, or printing, or downloading a document. But what's to stop them from taking a picture of that document while it's up on the screen with a personal device and sending it to someone else? There's always a workaround for the rules."

Policy enforcement is only getting harder. Personal devices, social collaboration for business purposes, SharePoint and the rest require new tools to identify where all that content resides. "Those tools are becoming much more critical," agreed Mary Leigh. "Ideally, if you put a document on DropBox, or a SharePoint site, the employee should tag it in such a way that it can be easily acted upon. But some organizations don't trust their employees to do that." (Probably with some justification, I think.) "So there is a movement toward automating the tagging and identifying information upon upload. The technology basically says: If this, then what?"

And simply having the automated tools to support governance is not enough. You have to prove you do. "Yep. Not only do you have to take steps to adhere to the policy, but you also need to show HOW you're taking steps to adhere to the policy. You have to be able to audit the administrative actions that are taken. For example, I have to be able to say that all site collections are created with rules governing them, and only certain collections are available to certain people for download. And only certain types of content can be stored in those site collections. Then I need to be able to show that I have those policies in place. But the enforcement of those policies can be through an automated approach, as long as you can demonstrate the rules applied to those collections, the business reason for it and the steps you've taken to enforce them," she explained. "Then you can show you've done everything in your power to protect it."

It's tempting to say that the whole thing sounds paranoid. Who wants to live in fear of their employees "going off the reservation" and doing harm to the company's reputation and legal standing? Well, it turns out that disgruntled employees are not the primary fear.

"There's plenty of evidence that companies are less worried about malicious breaches and leaks of information than accidental ones," Mary Leigh explained. "An example is an email that I'm trying to send to Heather inside the organization, but Outlook autofills it to the Heather outside my organization, and I press send. Oops!" said Mary Leigh.

The chain of custody is another sticky problem. "There may be a site collection of sensitive financial information that only the CFO, COO and CEO are allowed to have access to," said Mary Leigh. "But there's probably a site collection administrator who is none of those people. Technically, they have access to the information, or can give permission to someone else. So it's not foolproof. That's the nature of SharePoint; administrators have the ability to grant access, and that can be done deliberately or accidentally. In addition, documents can be placed in document libraries where they can be returned as search results. A person may not have access to see it, but they can know it exists, which in certain circumstances can be just as bad."

She went on. "There's also the issue, that many governmental agencies face, known as 'transparency versus policy.' Government is supposed to be very open about the way it does what it does." (Supposed to be is the right term, I think.)

"But it's not that simple. For example, sometimes it's not just the item of information that goes to someone that you need to be worried about. It's that item of information in context with another item of information that, taken together, reveals TOO much and can create a risky situation by inadvertently giving people more information than they are supposed to have access to."

It gets murky. There's not a single thing you should be doing. Your governance plan is made up of multiple governance plans. There are, of course, ecosystem third-party companies (ahem) that have governance tools to put the proper controls in place to avoid these scenarios. There are also ECM providers that can add value to the enormous volume and variety of business information. But the point is: collaboration environments can have their ups and their downs.

On the following pages you'll learn a lot more about that. Several members of the ECM vendor community spell out their approaches to managing, controlling and—probably most importantly—creating business value from enterprise content. As Mary Leigh pointed out, there can be "gotchas" along the way, but there's also great benefit to be derived. I'd focus on the second thing, if I were you. 
