Wednesday, December 10, 2014

Another Sad Hacking Story: What Can We Learn From Sony


Sony hacked. Data stolen. Personal lives exposed. Interested in Judd Apatow’s social security number? Blah, Blah, Blah.

“The hack and subsequent posting…illustrate the risks large companies like Sony take by amassing years of digital records on employees and customers on machines connected to the Internet. Much of the data analyzed…was stored in Microsoft Excel files without password protection.” (Wall Street Journal, December 5, 2014)

After the hundredth major information hack, you start to become immune or maybe underwhelmed by the magnitude. “So what if another 47,000 personal identities got swiped.” “So they know the personal info of Sylvester Stallone, no big deal.”

What can we learn from our world where there is more information than ever before, that is more connected than ever before and, as a result, more vulnerable to information theft than ever before?

So here are a few truisms about the hacking reality in these times:

1. Security breaches will happen no matter how much effort is made to ensure they don’t.
2. Information matters. That is why criminal groups across the globe seek to steal as much information as possible. It’s business.
3. More businesses are being more proactive as reputations hinge upon it. Information security has become central to fiscal health. Just ask Target how impactful a serious hack can be.
4. We will become more immune to “hacking” stories, which is in some ways good and in some ways bad.
   a. Good, because we are not worried that the sky is falling, and organizations can focus on the real business of knowing where their data resides and can lock it down better.
   b. Bad, because ignoring the huge impact that some of these hacks create may portend lethargy or helplessness.
5. Security is a process, not a project. It is a marathon, not a sprint. It is an organizational activity that requires vigilance and persistence over time. Getting lazy means more bad results. From a corporate governance perspective, it is like any activity that is important enough to bake into the business processes.
6. Smart organizations continually augment the ways they manage privacy, information security, corporate trade secrets and IP. That is because technology changes. Actions taken by criminals change. And the problem evolves, so your response needs to continually evolve to meet the new challenge.
7. Smart organizations take action for two reasons: one, to mitigate the risk and address the harm, and two, to insulate the company from the harm caused by the attacks that get through. In other words, the good things your organization does to prevent a hack may be used to support your company and mitigate the downside if and when your information crown jewels are hacked.

And that brings me to Information Nation: Seven Keys to Information Management Compliance and the importance of a process for better management, which serves both purposes described in paragraph 7. Compliance methodology can save your company and act as insurance or insulation. This is why, in the words of the U.S. Dept. of Justice, “A corporation can act through natural persons, and it is therefore held responsible for the acts of such persons…on the other hand in certain circumstances, it may not be appropriate to impose liability upon a corporation, particularly one with a compliance program…”



Here are a few simple rules to help guide you:

a. Vigilance comes from having a process, so build it or augment the existing process.
b. Information Management Compliance is our compliance methodology, which we built on the Federal Sentencing Guidelines, the basis for most US compliance programs. Compliance methodology demonstrates what good corporate citizens do and can act to mitigate harm or insulate altogether.
c. Good corporations need to protect their reputation now more than ever by having working security programs.
d. Combining a compliance methodology with security initiatives is something to seriously consider. That way your security program can better confront the hacking your organization most assuredly will be confronted with, as well as mitigate the damage if and when something slips through the cracks.
e. Finally, getting your company better buttoned up and protected begins with knowing where your information lives, knowing who has access to it, and coding and securing it according to its value.


The Sony hack is another wake-up call, even though I am not sure Sony could have stopped the intrusion no matter what security it had in place, given the complexity of the hacking. But I am sure we will have many governmental organizations seeking to answer that question. One thing I am sure of already is that when personal information or company secrets are amassed and not locked down, they will get exposed. It’s just a matter of how often and how much impact it will have. When PII of Hollywood figures is replicated numerous times in the data pool, perhaps without business justification, someone should be asking why there are so many instances of the same information and why they are not locked down. Did Sony do anything to mitigate information security risks by keeping as little as possible for as short as possible and properly locking it up? These questions too will be addressed in due time, which most assuredly will have further impact on Sony. But for today, purposeful vigilance with a plan is the rallying cry. Know your information, know where it resides and lock it down. Your existence may depend on it.

Thursday, December 4, 2014

Making Peace with Too Much Information, the Holiday Season and Big Ten Football

I got a late start this year. So yesterday I sent a box request to Steel Hill, our off-site storage vendor, to get my box of holiday paraphernalia. I celebrate Christmas, I mean Hanukkah, I mean Kwanzaa, I mean Unique Snowflake Fest. Anyway, I wanted to get my box so I can adorn my office. And that got me thinking that if everyone in my company did what I do, we would be spending loads of unnecessary dough on storing crud. And that got me thinking about how much money we could save getting rid of crud. And that got me thinking about what crud really is. And well, that got me thinking that I forgot to wish you a happy holidays. But let me come back to that in a minute.

Shockingly, this past year we were engaged many times to deal with cleaning up the boxes of crud at off-site storage vendors for big company clients. That is significant for a few reasons. One, because companies now understand that keeping unneeded information carries with it real costs. Two, even boxes of paper have become a target to save money (given that most info costs are related to electronic stuff). Three, we have been in a nearly all-electronic business world for years now, so dealing with paper now seems odd. Four, companies seemingly forgot about the boxes, but hopefully now are getting reacquainted as they get their annual bill and are asking, why store crud? Five, getting rid of boxes of paper carries with it a cost which may be higher than the annual cost to keep the boxes, and that reality may impact clean-up efforts.

Oh, Happy Holidays, whatever it is that you celebrate. Be safe, healthy and live joyously.

And all that holiday sweet talk got me thinking about New Year’s. And that got me thinking about chicken wings. Don’t ask. And that got me thinking about New Year’s resolutions, which by the way I’m generally not a fan of. But as the old adage goes, “do as I say, not as I do”. So please take to heart my sincere request to: Save a Tree; Go Green; Live Simply; and Create a smaller carbon footprint. Help your company clean up its crud this year. Take on the personal drives, email system, or even the boxes of crud ready for disposition. ’Tis the season to “Rightsize Your Information Footprint”. And that means get rid of your crud. And that got me thinking about chicken wings. And that got me thinking about what cute sweater I was going to wear to the Unique Snowflake Fest party this weekend. And because my sweater is red, that got me thinking about the Wisconsin Badgers beating Ohio State this weekend. Jump Around!


Friday, November 21, 2014

Building an Information Factory



Years ago, email burst onto the business scene to become the premier business productivity tool used at work. Not surprisingly, the post office immediately started to witness a precipitous decline in the number of first-class business letters being sent. Revenue from first-class mail in 2000 was $91 billion, and according to the US GAO it’s projected to be $39 billion in 2020. Email was a game changer for which the post office didn’t have an immediate answer. The United States Post Office (USPO) tried staying open later and also tried selling non-mail related products. The USPO even allowed customized stamps to be printed at home. But in the end, the only way the USPO was going to replace the revenue lost, due in large part to email use replacing the first-class letter, was with truly transformative change. In fact, maybe there wasn’t really a viable answer. But whatever was tried was incremental in nature and insufficient to stem the bleeding that was catastrophic to the letter mailing business.

Steal this Song

Some kid had the bright idea that he could build an online network for people to share music for free over the internet (otherwise known as Napster). Wonderful idea, unless of course you are the artist who created the music or the music company that sells it. In either case, both the artist and the music company will be directly and substantially impacted. The music industry was ill prepared for this transformational change and started to flail immediately, trying to seize control of the problem. Whether you embrace change or fight it when confronted with transformational changes will in part dictate your future. But we will come back to that in a minute.
First the Recording Industry Association (RIA) sued the creators of the various music sharing environments. Then the RIA sued select “borrowers” of the online “free” music to send a message to the rest of the snot-nosed kids. This approach didn’t address the heart of the issue and instead made the industry look like bullies. While they were trying to stop transformational change with ineffective incremental baby steps, the winners, the ones building transformational solutions, were creating new ways to build value and business around a new reality: that music could flow fast and freely across the web.
Apple, which figured out how to deliver and sell the music, has been handsomely rewarded. Many artists now sell their music one song at a time through the Apple music ecosystem or elsewhere, or even sell it directly to listeners from their own websites. For companies like Sony and their famed (tape-based) Walkman, the story of their decline is well documented and painful to revisit.

The Changing Information Landscape

But this is not an article about business transformation generally. Rather, it’s an article about how global business is going to deal with an information landscape that is rapidly evolving and morphing in unpredictable ways. It’s about companies being overwhelmed by a tsunami of data routinely negatively impacting IT frameworks, storage networks, servers and employees. It’s also about more opposing laws and rules that can’t be applied or followed at the document or file level. It’s about big data demanding more information to crawl through while the corporate privacy officer is pushing for the company to keep less information to reduce overall risk.
If, in another world, information grew at 2 or 3% per year, then maybe employees could manage privacy, protect company trade secrets and handle the task of records management. But most organizations’ information footprints are growing at 25-50% per year, and that is not the only challenge they face. More company information exists outside the company firewall (or in unmanaged repositories) than ever before, making control and access a new costly complexity. There has been a proliferation of new laws and regulations dictating how organizations deal with litigation response, manage company IP, lock down personally identifiable information (PII) or personal health information (PHI), or classify records.

Dealing with the Perfect Information Storm

How does a company deal with this “Perfect Information Storm” where massive volume meets massive management complexities, which collides with burgeoning laws, all of which can result in existential consequences from mismanagement?
Every day Bob goes to work and like the day before, does exactly what he has done every other day. The products that are created look and function exactly like the ones produced yesterday, most likely boring for Bob, but predictable for the company and the factory in which Bob works. That is because the process by which the products were created was a process meant to predictably create the widget the same way, day in and day out (think Henry Ford). Behind the factory processes is the concept that building a good and repeatable manufacturing process in turn ensures that the widget or whatever is built predictably good enough, every time. The whole idea is that once the factory itself is built well there is no need to rethink the manufacturing process every time another widget is made. If I focus on making each widget by hand when I need to make scads of them, then I am committing to a process that is wrong for the task. On the other hand, if I wanted to craft a fine painting, the factory-based manufacturing process is not right for the task.

One Man’s Record is another Man’s Junk

Contrary to popular belief, information is not so unique that it requires the master artisan’s touch to manage it properly. Even if that were true, and it’s not, that is simply no longer doable, as we have too much information volume and it continues to grow. Even more importantly, if you asked 10 employees their opinion on the business value of a document, they would likely have several different CORRECT ways to manage or classify it. It’s something like: one man’s record is another man’s junk. Or better stated, everyone, no matter how much training they have, evaluates information differently. Not all the time, but a lot. That is because where you sit in an organization, your individual educational background, risk tolerance, understanding of the content, etc. all impact how you evaluate whether or not it’s a record, if it’s private, if it’s a trade secret, etc.
Compliance with laws won’t get any easier, the places data is parked won’t get fewer, and the volume of information won’t get less voluminous. Each one of those statements is game changing, yet folks still wear their incremental (paper-based) information management hat, limping along trying to solve a transformative problem with the wrong set of tools, much like trying to eat an ocean-sized pot of soup with a spoon. Transformational change needs transformational solutions, not incremental ones.

So what to do?

Build an Information Management Factory. You need to solve the problem from the top down. Looking at the individual file when there are hundreds of millions or billions of them can’t possibly work. In other words, think reproducible. Think massive. Think throughput. Think practical. Think transformational.
Can or should a company even contemplate managing hundreds of millions of files with rules built for a time when there were no computers and a few dozen paper record types? The information management space is trying to solve a transformational change issue with wimpy incremental ideas whose days were numbered decades ago. Get a clue and get on the transformation bus. Employees couldn’t manage company records 10 years ago when the company information footprint was 1/100th its current size (or less). The key takeaway: rethink and rework everything.

10 Things You Must Do Now to Get Information Management Right

1. Throw out old thinking, old policies, old ideas and tired information workers.
2. Hire a new IM factory “Owner.”
3. Build a multi-disciplinary IM Factory team.
4. Develop the factory build-out strategy and agenda for the next 3 years.
5. Build an IM Factory.
6. Simplify rules so that all rules can be applied without much or any employee intervention.
7. Use automation and applications to do the “heavy lifting.”
8. Make certain environments “non-records” locations so that all content goes away after a couple of years no matter what.
9. Develop rules for every new information source upfront so end of life is predictable and contemplated.
10. Apply simpler rules to all environments with a specific focus on storage hogs.

Don’t forget to buy some robots.  Robots are good for everything.

Whether you embrace change or fight it, when confronted with today’s information realities, what is clear is that the problem isn’t getting any easier to solve. What is equally clear is that you and your colleagues have not been very successful at solving it either. The reason is clear: minor incremental changes won’t solve the information management problem any more than a spoon can be used to serve up the ocean.
When faced with an exponential information growth problem, responding with incremental fixes won’t address the real issue. In other words, managing information in the current environment is unlike anything ever before, as there is so much more content in so many more places which the company doesn’t have control over. It’s time for a whole new way to manage information. It is time for information management professionals to take the lead in guiding the factory in managing information. Employees can’t and shouldn’t be expected to manage stuff anymore; they are bad at it, they don’t have time for it, and there is too much of it to meaningfully attack the issue. Instead, build an information factory, automate as much as possible, and manage whole environments as one. Times change, and you need to revisit and rework your thinking about what works on a regular basis.

I heard a funny joke:

“How many Canadian post office employees does it take to deliver a letter?” Answer: “None, as they are phasing out home delivery because they are bleeding money.” Ka-Boom.

Epilogue


Kahn Consulting has spent the last few years building IM factories. It’s both doable and needed. If we can do it, so can you. Get busy.

Thursday, October 30, 2014

Big Data v. Godzilla

Who Wins the Battle For The Right to Use or Kill Information


Com·pe·ti·tion: the act or process of trying to get or win something (such as a prize or a higher level of success) that someone else is also trying to get or win: the act or process of competing (Merriam Webster)

Steven Wright mused that “you can't have everything, where would you put it?” But there are many in the IT world that think otherwise. Larger companies this year will grow their Information Footprint by 25-50% on average, which is about how much their data store grew last year and the year before that. Smart business people believe this path of keeping all their information is a good thing. Some even go further, believing that all their information is essential to effectively use analytics technology (referred to as Big Data) to connect the dots to solve business problems. That is because not only does Big Data crave, well, big data, but also because answers to important business questions may dwell within the deep recesses of unstructured data piles that may seem unimportant to the casual or even the sophisticated observer. In other words, within all sorts of Information Parking Lots dwell all sorts of valuable information nuggets that only technology can harness. Getting rid of any information is tantamount to ridding the company of a competitive advantage that comes from harvesting the business answers.

The Information Competition Becomes a Conflict

But there is a whole different group of smart business folks that look at Big Data as a big risk and liability. Sure, there may be value in finding the needle in the massive information haystack, but at what cost? These people seemingly take the exact opposite position, that more is not merrier and that at some point information which is “valueless” must be disposed of. Defensible Disposition or “Rightsizing Your Information Footprint” is needed for risk reduction and reducing costs. The more information the company retains, the greater the likelihood that personal customer data may be compromised or someone will successfully hack our corporate information Crown Jewels. Or the more information, the larger the e-discovery headache. Or keeping everything forever undermines the records management program. Indeed, Privacy Officers generally think the right answer is for companies to keep less information for shorter periods of time, while Big Daters think about keeping more information for longer periods of time. Core to Records Management is that records go away at the end of their period of retention no matter what, unless they are needed as evidence in a lawsuit or investigation. More ill-managed IP means more risk of losing company trade secrets.
And the “information use” battle being waged is not limited to companies trying to predict the colors customers will want next season based on past buying habits. An October 16, 2014 Wall Street Journal story entitled “FBI Chief Warns Against Phone Encryption” makes clear that the conflict over who gets to decide how information is managed is a real life-and-death situation pitting privacy advocates against the government. While government uses Big Data tools to crawl and unearth terrorists, privacy advocates and some phone companies want phone data encrypted. Similarly, in an article entitled “Privacy in the Internet of Things era: Will the NSA know what’s in your fridge,” Wojtek Borowicz points out that “we’ve already entered the Internet of Things: a world where everything is connected, with billions of devices storing and exchanging data about each other and about their users – i.e. us. As it matures, it’s going to be hugely convenient, not only to the average Joe, whose smart home will always remember to lock the door and switch the lights off, but also to huge organizations. However, one of the main concerns associated with it is the security of IoT platforms and devices. But it’s not only preventing hackers from accessing these systems we should be discussing: What about privacy, government surveillance and the creepy vision of Big Brother hiding in my smart fridge?” http://thenextweb.com/dd/2014/10/18/privacy-internet-things-era-will-nsa-know-whats-fridge/

So Who Wins and Who Loses in This Conflict?

We find ourselves in an information Olympics where the best of the best of every information use and misuse is congregating to duke it out, though they may not even know it. The Big Data team is trying to tie together disparate chunks of information to answer business questions, while the storage guy screams, “No Mas”. I think the business people win. I think Big Data wins where it adds value. But that said, I believe that the seemingly divergent interests in information use can perhaps be accommodated. Either way, we will see soon enough. But for now, conflict or competition, information is being used for different purposes by different sides of the company, and this new reality needs management attention ASAP.


Tuesday, October 7, 2014

Kahn's 8 Steps to Defensible Disposition Nirvana





1. Define a reasonable diligence process to assess the business needs and legal requirements for continued information retention and/or preservation, based on the information at issue.
2. Select a practical information assessment and/or classification approach, given information volumes, available resources, and risk profile.
3. Develop and document the essential aspects of the disposition program to ensure quality, efficacy, repeatability, auditability, and integrity.
4. Develop a mechanism to modify, alter, or terminate components of the disposition process when required for business or legal reasons.
5. Assess content for eligibility for disposition, based on business need, record retention requirements, and/or legal preservation obligations.
6. Test, validate, and refine as necessary the efficacy of content assessment and disposition capability methods with actual data until desired results have been attained.
7. Apply disposition methodology to content as necessary, understanding that some content can be disposed with sufficient diligence without classification.
8. On an ongoing basis, verify and document the efficacy and results of the disposition program and modify and/or augment the process as necessary.

Thursday, June 12, 2014

The path to hell is paved with good intentions.

I am not sure I have any good way to say what I am about to say. And in fact, I am so trepidatious that I have to couch my commentary in verbiage subterfuge. I am not spineless, but I just don’t want to create a bunch of enemies within my cohort. So here goes. I am certain you will get my point even if I hide the true identities of the offending parties to protect the innocent and/or guilty.
Assume for a moment that an international information association decided that the industry, and more specifically companies, needed a way to assess if they had a mature information management program. So the organization got a bunch of their folks together to develop criteria by which companies should evaluate if their program was good enough to pass muster. And let’s say after much talking and thinking they settled on an information management Maturity Model and related criteria.

Recently, a client of ours had us look at their self-assessment of their information management program using one such Maturity Model Best Practice self-assessment tool. (The client is now considering having us perform a new Gap Assessment.) It is one of my favorite clients and it’s a great company that does so much right. So when I reviewed their self-assessment, I was stupefied. They used the information management organization’s Maturity Model criteria and concluded they were seriously substandard. I totally disagreed with most of the conclusions of the assessment. I am not going to lay out why I think the various criteria are flawed in total, but let me give you an example to make my point. One of the criteria by which this company evaluated itself according to the self-assessment was information “integrity”. Based upon how the assessment MADE the client answer the questions, they got a flunking grade. I told my client, given what I knew about their business processes and IT framework, that on the information integrity scale I would give them a Rhodes Scholar type grade—at least an “A”. So why such a disconnect?
I get the whole thing about “one man’s hot is another man’s cold,” but this is not about perception. It is about the criteria and maturing the process and still utterly failing even if what you have done is at least good enough. From my humble perspective, the evaluative criteria are aspirational, not functionally helpful, impracticable, and may sell your company unfairly down the river. BOOM! I believe it sets up companies that use the self-assessment to fail, on criteria that are not really central to success. Every organization would be failing miserably if put under the assessment’s microscope. And that’s just not the way it should be.

Which brings me to the PG&E San Bruno disaster and how industry “best practices” evaluations can be helpful at fixing failings and can also provide the basis for regulators to whack companies for failing to properly manage records, among other things. The tragedy was horrible. The loss of life and property is unthinkable. And the company may have had records management failings. But look close enough at any company and most organizations fail miserably. See the report at the following link: http://www.cpuc.ca.gov/NR/rdonlyres/23513DF5-28CB-425B-BAE4-0151981F0779/0/CPSD_Recordkeeping_OII_Report_Final.PDF

There are lots of information management industry standards, best practices and evaluations from all sorts of organizations. There is some terrific guidance and there are some downright damaging, unattainable “best practices”. I’m sure it all comes into being with great intentions. But once massaged, manipulated and maneuvered by lawyers, even a good company begins to smell dirty.

We developed a methodology called “Information Management Compliance” for evaluating the “goodness” of your Information Governance Program, which has been used by so many companies. I borrowed the criteria from the Federal Sentencing Guidelines, which help judges evaluate what is good corporate behavior. I figured that if the court will evaluate your company by the criteria, you should build your program according to the criteria. (This is also the topic of “Information Nation: Seven Keys to Information Management Compliance”; see also http://www.arma.org/bookstore/files/Kahn.pdf.)

Look close enough at any company’s information management practices and you will find flaws. Lawyers are in the business of exploiting flaws. I don’t need to give them material to work with that isn’t even real. So companies, evaluate carefully, document thoughtfully and pick criteria by which you evaluate circumspectly. Just saying.


Randolph Kahn, ESQ.

Wednesday, February 5, 2014

10 Leaps of Change


There is an expression (probably in every language) that says something to the effect that if you try something and it hasn’t worked in the past and you continue to do it, you are a knucklehead. Ok, I may be paraphrasing a little. But in any event, this adage seems to apply to business as it does in life generally. When you take a path in business that hasn’t worked in the past and nothing has changed to increase the likelihood of success this time around, then choosing that same path is bad business.

Employees are bad at records management. Never will the run-of-the-mill employee wake up saying, “Yikes, I really miss classifying information for retention purposes.” And if they do, you don’t want them working at your company anyway. Having employees do the heavy lifting when it comes to managing information is a bad use of their time; they are really bad at it and they fail way too often.

Recently, I was talking to a big financial services client who was having us react to a new policy initiative. At the center of the policy was the employee, who would make it either a success or an utter failure. I voted for failure the second I saw it. After all, the same kind of policy failed last year in a similar task. Employees scoffed at the last policy directive and didn’t care, so why would this time be different?

But actually, it’s way worse than you think. That is because businesses continue to ask of their employees the same tasks that haven’t worked well in the past. But now two things are different that make putting employees center stage in the Information Management Compliance business that much stupider.

Each year the Information Footprint is increasing by between 25-50%. So if records management was hard last year, this year it’s AT LEAST 25-50% harder. If your employees couldn’t get through classifying the pile last year, this year they have last year’s leftover info to deal with and this year’s pile, which is 25-50% larger.

I say AT LEAST because there is another important reality—employees are increasingly asked to do more with less. How often do you hear a worker say that this year they had fewer work responsibilities? If they did, perhaps they were unemployed. Everyone working the last few years, especially in the downturned economy, had more work responsibilities, not fewer.

My point is simple: using the same old solution that didn’t work in the past has no chance now, where employees have more stuff to deal with and less time.

So what to do?

10 Leaps of Change (LOC): It’s like a Leap of Faith, but with fewer fairies involved and more action.

1. Stop thinking your employees can make information management happen; those days passed decades ago. Take them out of any heavy lifting.
2. Applying multiple business rules to each chunk of content is not going to happen. Too much stuff in too many places.
3. Change the paradigm from records live everywhere to records live only in sanctioned and designated repositories.
4. Thereafter, develop plans to apply straight retention to the vast storage locations that house non-records.
5. Start applying retention rules to structured records, as they are a storage hog and can save the company a boatload of money by being properly disposed of.
6. Revisit email policy rules and develop a plan to reduce the time email is being kept.
7. Try to come up with ways that email can be managed without evaluating the content of each message, which is not practical and not happening.
8. Take on old repositories and old backup media to get rid of the stuff you no longer need. After all, you want to thin out your Information Footprint.
9. Every time a new location to park info is created, develop rules for the info disposition event and make it happen automatically downstream.
10. Stop tilting at windmills, stop believing in fairies (except perhaps the Tooth Fairy, as she is as real as Chicago is cold), and stop believing that things that have failed in the past so many times may work this time.

You can fly if you believe, Wendy.