Thursday, October 20, 2016

ATR: The Death of Email

Mark Twain was famously reported to have once said, "The reports of my death are greatly exaggerated." For a while now, various pundits have been proclaiming that the use of email was in decline and that email would be passed by for other communications technology. Millennials didn't use (or want to use) email, etc. Sitting in a large corporation, I was in the Mark Twain camp with regard to email. If anything, the volumes were increasing.

I have to wonder, however, if the adventure of Hillary Clinton's email server and the recent series of Wikileaks releases of hacked email accounts will begin to put a stake in the heart of email. Email is a tool that has been around for about twenty to twenty-five years in business. That means that workers who are under 45 or so have never worked in a place where email was not the primary means of textual communication. And those same workers have likely never been without a mobile phone as a means of voice communications. Young people coming into the workplace not only have never known life without the Internet, email, or mobile phones, but they have likely never owned a mobile phone that couldn't get to the Internet or send email.

I've said for a while that I felt something of a sea change in the use of email over the past ten years. One of my biggest pet peeves was what I call "ping-pong email" -- email messages that are brief and go back and forth between people when a phone call or instant message would be a better means of communication. I'd noticed in my workplace that as instant messaging became more ubiquitous, those messages went away. I also noticed the "Let's go to lunch" email was extinct. The business messages that I was getting were more substantial. Email was becoming more formal in the workplace. People were tending to think about what they were writing. Cringe-worthy email was rapidly disappearing. The message that you should think about what you were typing seemingly had gotten through to a lot of people. And we noticed this in our investigations as well. While there are always outliers, the days when people circulated chain emails, recipes, and racy pictures in business email systems were diminishing. Undoubtedly, a lot of this was changing due to the growth of Facebook, Twitter, Snapchat, and similar social media tools, but I also believe that people started to understand that email isn't very private and tends to hang around for a while.

So if all of that is accurate, why was my Inbox so full? My sense is that email became an asynchronous conference call. Let's unpack that. A face to face conversation or a phone call is generally considered synchronous communication. You're talking to another person in real time. A conference call is generally synchronous communication. Voicemail moves the synchronous conversation to asynchronous by allowing a recording to be retained and listened to later on. A written letter on paper is an asynchronous communication. Instant messaging is intended to be synchronous, but is often asynchronous. Email is something of a hybrid. It behaves asynchronously, but in those "ping-pong" email situations, effectively becomes synchronous. That's all well and good, but I still have a full Inbox. Why?

In a global organization (or even in any organization with team members spread across multiple locations), getting a team together for a meeting or conference call is an arduous task. Someone always can't fit the meeting into their calendar, particularly on short notice. An email is drafted and circulated for comment -- thus, the asynchronous conference call. If the topic seems to require lots of comments, "Reply to All" then fills up the Inbox. Compound this by including extraneous people on a "CC:" or "BCC:" list, and the number of email messages increases almost exponentially. That didn't happen in paper communications days. Certainly, some letters or memos might be circulated to a number of folks, but it was pretty rare for all of those folks to reply to the entire distribution list. With email, one click and everyone gets your thoughts. One more click and you can send the message thread on to people who were never part of the original distribution.

The ease of circulation of an email communication is, in my opinion, what people are becoming aware of. I think everyone has had the experience of finding out that an email that was believed to be private was suddenly being circulated to places never imagined -- often with unfortunate results. Now couple in the recent exposure of political email messages. Messages once thought private are posted for all to see on the Internet. Messages that are, perhaps, less circumspect than the author would be in a public forum. "Missing" messages are found in other email accounts, backups, and archives. Huge message volumes are easily searched. Single messages are taken out of context, and "tone" is interpreted differently than intended. I've said for a long time that I dread the day where I have to testify about an email message and try to interpret the meaning of an emoticon or someone else's "LOL". (Thankfully, there will likely be a whole new realm of attorney objections to that.)

But let's go back to the top. Is email dead? I'd suggest that we will see considerable change in how people use email over the next few years. Stronger and more user-friendly encryption, not only of the communication in transit but also while at rest, will become commonplace. People who do not want their communications read by others will simply stop using email. New technology to deal with "asynchronous conference calls" (think tools like Slack) will come into more common use. I also suspect that email may revert to status as an "envelope" which carries either a formal attached message (likely encrypted) or a link to content that requires authentication to view. This will enable sensitive information to be protected and access controlled, with the additional ability to ensure retention periods.

As with many things, a long, slow evolution, coupled with revolutionary change in response to perceived threats and unintended consequences.

Friday, April 1, 2016

ATR: On Associations and Information Governance

I imagine that I'll tick off more than a few people with this post, but my blog, so my opinion.

Don Lueders recently posted An Open Letter to ARMA on his blog. I'm not going to work through it point by point, but I would like to add my voice to a seeming cacophony of voices on AIIM and ARMA and the profession that I've grown up in.

Associations

Both of the major information management professional associations, ARMA and AIIM, are being disrupted. As someone who spent most of my career volunteering for one thing or another for ARMA (and I still do a few things), it's painful to see. There are many factors at play here and the disruption certainly isn't unique to these associations. I don't think it's fair to say that membership declines are solely due to young people wanting to network in different ways. It's about time and value. Let's face it, going to your employer and getting money to belong to a professional association isn't as easy as it once was. Getting funding for monthly meetings or an annual conference is also quite difficult. Travel and education budgets are usually the first victims of corporate cost cutting. Many companies put it kind of bluntly -- "There are 20 of you who want to go to conferences, belong to associations and go to various meetings. We figure that costs us about four grand a nose. If you want us to continue doing that, who doesn't want to be here next year?" That's a pretty brutal summary, but for many of us, it is the calculus in play. So that means the employee needs to think very carefully about the value of his or her own money going to these activities and for many people, that's not in the family budget, either.

The other big factor is time. Few of us work "just" a 40 hour week. We're tethered to email; we journey to the cloud from home computers to crank out a bit more work in the evening; we're doing the work that several people would have done in years past. And at home, our kids are overscheduled, we have to work out, or we need to binge watch that great show that we didn't have time to watch in real time. When I was a kid, I can remember my Dad having time to join a bowling league, go to the Moose Lodge, and make a Holy Name Society meeting from time to time. (And, by the way, those organizations are probably struggling as much as, or more than, professional associations.) Going to a monthly association meeting means taking three hours out of the office -- which will have to be made up somewhere. And that becomes another value calculation.

"Value", it was once said to me, "is getting more from something than what you put in." So if you're the sort of person who goes to a conference and comes back with a raft of business cases that immediately generate savings far in excess of the cost of the conference, I can pretty well guarantee that you'll be going to that conference in the future. If you're paying for a meeting out of your own pocket and going to the meeting yields a business contact that becomes a mentor to you, you might just keep going to those meetings. If you're a vendor and the conference booth yields sales that profit far in excess of the cost of the booth, you're going to keep buying booth space.

For professional associations to grow and prosper, they have to add value for members, their employers, and the vendor / sponsor communities.

I have opinions about ARMA and AIIM and where they fall short for me. I don't want to bash these organizations. They have hard-working, earnest employees, and many, many dedicated volunteers. But they aren't adding enough value.

ARMA

(Most of you know that I'm a Fellow of ARMA and a former International Treasurer. I've been a fairly frequent speaker at the ARMA Conference and Chapter meetings. I have a long list of volunteer activities with ARMA, so I have some insights and biases. )

ARMA's struggles come, in my opinion, from having to serve three constituencies:

1) The Old Guard. These are the bulk of members who "grew up" in records management and remember the days when the records manager's goal was to have the million dollar budget and 40 staff members. A high school diploma and some basic management training was enough to advance you up the career ladder. Paper is still king and this technology stuff can be managed just like paper, but nobody listens.

2) The Masters. They've broken through the cardboard ceiling, have all the certifications, make the "big bucks", get decent visibility, and understand technology, but desperately need more than ARMA offers. They're bored with ARMA but come to Conference to see their friends and network in the hallways and bars. They want to give back to the profession, but get frustrated a lot.

3) The Solutions Seekers. They got stuck with an assignment to "fix" records management, but come from other disciplines. They want a solution so they can be a hero and move on to the next challenge. They are befuddled by the secret societies and cliques within ARMA. They can't find a good guidebook or recipe. They drift over to consultants to fix the problem. They'll be gone in a couple years and someone else may or may not take their place.

The big problem with ARMA is that no one ever took the time to develop a standard body of knowledge about records management. Sure, there are standards out there, but most deal with some small sliver of the profession. ISO 15489 has no teeth. There's no COBIT, no ISO 17001. The CRM lacks a Body of Knowledge similar to the CISSP. So we point to the ARMA Bookstore, which contains a lot of good information, but it is often dated, or conflicts, or isn't relevant. So we muddle around. "How long do you keep email?" is the question -- and fistfights break out. "How do you manage records in a database?" and shoulders get shrugged. No standard or requirement says that when you build an application, you must build in retention and disposition. Everyone invents a solution for their situation. Or not. We fussed over The Principles, created a great foundation, and saw them land with a dull thud that was then savaged by folks who further fussed over how they came to be and whether or not they had any validity. So the really hard work of building controls and standards on top of The Principles never happened. The organization latched on to Information Governance, but never really set a definition of the space. The IGP is about building a vague program and not much about what the components of the program should be -- or what actual subject matter knowledge is required. Oh, it's there to some extent, but it's not leading the definition of the profession. So many of us are left to our own devices.

AIIM

I'll admit that AIIM and I have never seen eye to eye, outside of a brief period when I needed to understand imaging in a hurry. AIIM, in my opinion and perception, has two problems.

1) It is driven by vendors. That's not a horrible thing, but it hurts the organization. While the vendor members leading AIIM have always had a decent business sense and a good nose for new opportunities, they have tended to force the organization to chase trends. The dominance of vendors led to the practice of using educational sessions as sales opportunities.

2) It chases buzzwords. To an outsider, it always seemed like AIIM was reinventing itself as the flavor of the month and I couldn't expect to find solid ground or a consistent direction of travel. Once the microfilm industry started to crash, AIIM had a major problem. It rightly shifted to imaging, but as the Internet took off and the need to convert paper to electronic images began to fade, it had to latch on to something new. I forget all the buzzwords. Then it became a certificate factory. Then it dabbled in a certification, but never put much effort into it. AIIM's strength was in generating true industry standards, but that seems to have fallen by the wayside. Granted, some of those standards were to the benefit of the vendor members, but they made the effort to actually output real standards.

When I've gone to AIIM events, I knew that sales calls would dog me for the next several months, whether or not I ever talked to an exhibitor. I reminded myself that "when AIIM offers a free lunch, you're the main course". That approach -- and very naked sales pitches in AIIM conference sessions (that I paid to attend) -- drove me away.

I'm not sure if I really know what either organization wants to stand for. Right now, I know they both share one goal -- survival. ARMA has always had a strong chapter network, but the chapters suffer from leadership burnout and little direction from ARMA HQ on topics of interest to the membership and truly competent speakers. They also lack shared technology to reach members who don't want to travel to meetings -- or technology to enable multiple chapters to share speakers by video or audio conference. Few chapters use social media effectively. They struggle to find good venues at low cost. AIIM's chapters are fewer and suffer the same problems. The leadership of both organizations faces declining revenues, declining conference attendance, and member ambivalence. That's a potential (and probable) death spiral.

Both organizations are run by association professionals. I would expect they have plenty of options to consider to rebuild their organizations -- but what both need is clear identity and mission. That can only come from the people who choose to belong. Fistfights be darned.


Enter Information Governance

If you browse back through Above The RIM, you'll see that I've been using the term "Information Governance" to describe the scope of what I do for some time. (I had a brief flirtation with "Information Overlord" on my business card at one time and I am very glad I didn't follow that impulse.) Anyway, I have poked at the various definitions that are out there in Gartner, the newly sprouted IG organizations, and even Wikipedia, but nothing quite matched what I do and what I define as my space. A couple years ago, I had the opportunity to keynote a lawyers' conference on e-discovery and information governance and I decided to throw my own definition into the ring. It goes like this:

Information Governance
A system of policies, controls, procedures, and tools governing the lifecycle of an organization's data that matters. This system ensures appropriate ease of access to data when needed and defensible disposition of data when no longer needed. This system limits business disruption, while maintaining appropriate security, within an auditable framework in line with the organization's risk appetite and regulatory environment.

It's not a far stretch from historical understandings of records management. But it encompasses a lot more -- e-discovery, data privacy, risk, audits, security, and so on. The core is "data that matters". While I recognize that some might see this as a fancy way to say "records" in the technology age, I think it is broader than "records", yet narrower than "information".

Foundationally, you had better understand the basics of records management. Knowing what data is in the organization -- and whether or not (and how) it matters -- is critical. And this definition presupposes knowledge of how risk-averse an organization might be and what legal guardrails constrain the organization. It further expects that the data is maintained securely and that everything can be subject to real audits.

A proper IG team encompasses a variety of professionals. My team holds -- or has held -- the following certifications: CISSP, CISM, CISA, CRISC, CRM, CIPP, CIP, CGEIT, EnCE, PMP, among others. The six members of my team also all hold Master's degrees. I even have one staff person who sought out a paralegal certificate. They represent professional competencies in IT Risk, Data Privacy, IT Audit, Business Continuity, E-discovery, and yes, Records Management. In the past, I have had computer forensics experts as part of my team.

Where I'm going with this is that Information Governance is a whole lot more than Records Management 2.0 or 3.0 or whatever. The various disciplines that work together all have their own professional organizations and certifying bodies. IG is not just a rebranding of records management. It's more powerful than that. Parallel to my organization is an IT Architecture team that drives data management -- the platforms for our IT systems, the underlying technology, the means of storage, and the connections to the users. There are some people who might think this should be in scope for Information Governance -- some call it "Data Governance". Arguably, with the right leadership, the two areas could come together, but IT Architecture has far different skillsets. So I don't worry about the technology how -- I worry about how long data gets retained, what regulatory standards need to be met, the risks incurred, the mitigations required, and how we ensure that standards, regulations and controls are being met. And we adapt as the organization evolves.


Where Do We Go from Here?

What I would call for is that ARMA extends and expands The Principles into a Body of Knowledge that truly couples with the ICRM to ensure that there is a consistent foundation for records management. If ARMA (or AIIM, for that matter) wants to truly define the Information Governance space, then the organization has to understand that it can't define the space in a vacuum. It has to partner with other professional and certifying organizations to integrate a consistent and defined space that is Information Governance, then cooperatively build an ecosystem that supports knowledge sharing and networking.




Tuesday, March 10, 2015

ATR: Thoughts on Email

The media is abuzz with stories about a certain former US Secretary of State using her own email server to send and receive official email related to her office. There is certainly plenty of fodder here for political accusations at each party and I'd rather not get into that here. My focus is on information governance and records management, so let's focus there.

From the time that I was but a wee little records manager, I learned that the basic definition of a "record" included language akin to "...recorded information, regardless of physical form or characteristics...". In slightly later days, the litany of types of records included as examples of records was amended to include "machine readable" or "electronic" records. The foundation for this definition has historically been the United States Code and the Code of Federal Regulations. This is not something new. The laws and regulations have been on the books for decades. They were purposely written to ensure that the advancement of technology did not negate the effect of the law or rule.

Part of the problem over the past 20 years is that the pace of technology has outstripped the ability to manage the information created by technology. Whether in the public sector or in the private sector, email volumes have grown exponentially. The US Federal government, particularly as embodied by the National Archives, has been stymied in efforts to manage electronic records. I can recall efforts from the mid-1990s to get a handle on electronic records in the US government.

The Code of Federal Regulations (36 CFR 1220 et seq.) has been quite clear that a Federal Agency is responsible for managing its records. There's no provision for storing paper records in your basement or electronic records on a server that you built in your garage. While certain agency policies have been cited relative to third parties hosting email, I don't think that was ever intended to allow a government employee to deploy file or email servers. I would expect that the intent of those allowances was for services hosted by Microsoft or Google or some other appropriately contracted and vetted service provider.

A variety of state and Federal officials have been dragged into this frenzy because it became known that they had personal email accounts during their terms of office. From my reading, it appears that some of them have admitted to using personal email accounts for official business. Importantly, though, this usage has not been exclusive and has not been on email servers that they housed in their residence or under their direct control. I can certainly understand that a politician may want to use a third party email system for purely political or personal purposes. They may also take great pains to keep that information apart from their official actions. So from that standpoint, I don't fault the former Secretary's interest in keeping her personal (and political) email separate from her official email. In that regard, she was well within the provisions of US law and regulations. But by mixing her official correspondence with personal correspondence on a server that she (and her apparently personal staffers) controlled, I'd suggest that the law was broken with regard to maintaining official government records in accord with 36 CFR 1220.32, "Agencies must create and maintain authentic, reliable, and usable records and ensure that they remain so for the length of their authorized retention period." By removing the email from the server and printing it out -- and not maintaining a full audit trail of what was deleted (although interestingly, there seems to be knowledge of the number of emails deleted) -- I would suggest that it is very difficult to prove the authenticity or reliability of any of the emails produced in paper form.

Now let's turn to information security. It's safe to say that every Federal agency head and Cabinet-level appointee is a likely target of nation-state-sponsored hackers. Most historians are quite familiar with the Zimmermann Telegram, which is one of the earliest examples of "hacking" electronic communications by a nation-state. The former Secretary stated that the email server was secure because her home was protected by the US Secret Service. Well, that may have protected the server from a physical attack, but it stands to reason that there were plenty of hackers who could have had an interest in that server and "owned" it quite easily. After all, the State Department's own network had been successfully penetrated. We'll take the former Secretary's word that she was cautious about not transmitting Classified information with her email, but suffice to say that her communications with other officials likely contained strategic direction and discussions based upon Classified intelligence. If nothing else, a hacker would have been likely to easily collect foreign policy decisions ahead of their release as well as insider discussions and debates about foreign policy. As we have seen with other emails released by hackers, email exchanges between ranking government officials can be quite direct and revealing when no one appears to be watching. It may be many years before we know what access hackers had and what secrets they had access to.

While the violation of various elements of the US Code and the Code of Federal Regulations is bad enough (as well as the likely sanitizing of the historical record), the bigger issue is the breach of security. I would hope that someone with access to the highest levels of the US government; who likely had access to the most highly classified information; who should have been briefed on the ongoing threats to national security by nation-state-sponsored hackers, would have (or certainly should have) known that she was a high value target and acted accordingly. Even if the minion who set up her email assured her that it was properly protected, it seems reasonable that a thinking person would have had second thoughts about her own cyber security when she learned about successful state-sponsored APT attacks against some of the country's most protected government agencies and private companies.

Saturday, May 10, 2014

OTR: Trains, Planes, Fire Trucks and Computers

It's likely no surprise to my friends that I like all of the things that I mention in the headline of this post. If the mailman pays attention to what he puts in my mailbox, I imagine he must wonder about what I do. There's Airways Magazine, Air & Space, Aviation Week and Space Technology, Trains, the Rail & Wire, Fire Apparatus Journal, some security magazines, and a handful of business magazines.

I suppose that when it comes to these things, I've never quite grown up. I didn't get the "car guy" gene that my brother has, or the boat-owner gene that my father had.

I've been a member of the Illinois Railway Museum for a few years now. I go out there a few times every summer, ride the trains, take some pictures, and get my train geek on. I haven't volunteered out there up to now because, quite honestly, I'm not that handy and taking up welding at my advanced age might be a little beyond me. Besides, I'm pretty sure the family won't let me out of the house wearing striped bib overalls. Nonetheless, I'm heading out there in the morning to see if I can lend some of my knowledge, and perhaps some of my writing ability, to the Museum.

I've observed some challenges, and I think I could help, but I need to see where they want help and how that matches with my time and ability. I get the distinct impression that the long term members value sweat equity over intellectual contributions as the true measure of the volunteer.

I think this is my favorite locomotive out at the Museum. When I was a kid, I had a Tyco HO railroad layout and the train set's engine was in the same colors.