Monday, March 6, 2017

OTR: Thoughts on Searching for a Job

Last Summer I began an involuntary sabbatical that ended up lasting about five months. I'm happy to say that I landed a new opportunity with a great company and I'm quite happy. I only wish I'd known that the "sabbatical" would end as it did and when it did. I would have enjoyed it more. I'd like to reflect on the time I had away from work and offer some things that I've learned along the way.

Whatever the reason for your separation from your prior employer, let it go.  That's hard. If the event was a surprise, you're likely replaying what happened like a traffic accident, wondering what you could have done to avoid it. Sure, there are some lessons to be learned, but it's important not to wallow in self-pity or anger. Move on as best you can.

Take some time for yourself. Regardless of the circumstances, take some time to relax. Take a vacation if you can; a staycation if you can't. Go somewhere -- even to a park or the local zoo. Do something that you wouldn't otherwise do during the workweek. Sleep in. Stay up late. Work out. Play video games. Binge watch that program you've been meaning to see. In all likelihood, your final days, weeks, months (or even years) with your former employer have been stressful. You need and deserve a break.

Once you've caught your breath, decide what your next role will be. You may want to step up a notch; you may want to step down a notch. Maybe you want to do something entirely different. Write down the skillsets that you have and what you want to emphasize to a potential employer. Think about location. Do you want to stay where you are or are you interested in relocating? What areas are out of the question? If you think you want to relocate, do some research. What is the cost of living in that area? Will you need a higher salary? Could you take a pay cut without losing ground? You're going to need to do this no matter what. What is the minimum that you'll work for? What about bonuses, profit-sharing, stock? What industries interest you? Where are your strengths? Do you want to try something new?

Dust off the resume. 

The resume that has always worked for you in the past may not work today. If you're like me, you've used essentially the same format for your entire working life. It is likely time to start over with a blank piece of paper. If you have outplacement services as part of your separation package, run, don't walk, your resume to them for a refresh. The most important lesson that I learned from this process (and I stubbornly waited a couple months) is that you need a list of results, not a list of activities. I know that I got wrapped up in laundry lists of all the things I was doing on my prior roles. The coaching that I got said that I should have a list of skills separate from the particular roles, because odds are, you pretty much do many of the same things at every job in your field. So when you describe each particular role, focus on what is unique and what you delivered. If you are well-experienced in your field, you need not list every job you've had back to the beginning of time. First, that will date you and that could be a negative to some employers. Second, most of those early jobs may not be relevant to where you are today. The exception to that might be (and the emphasis is on "might") when you're returning to a career field from early in your working life or you want to emphasize an industry where you have experience. But be very judicious about that. You can always address those things in a cover letter.

A tip that I learned from the resume writer was to leave off your graduation dates, unless you recently received a degree. It is quite easy to calculate someone's age from when they graduated college, so limit the temptation of a prospective employer to discriminate by taking away that bit of math.

You also want to update your LinkedIn profile. Again, watch out for age giveaways, don't list every job you've ever had, and put in a professional photograph. LinkedIn is social media, but it's not Facebook. A remarkable number of recruiters use LinkedIn to find candidates and you want to present yourself well there. At the same time, be judicious in who you connect with. LinkedIn isn't a game to see how many connections you can get. Watch your privacy settings as well. LinkedIn is a great source of information for social engineering and phishing attacks.

Where are the jobs? 

The first place to start is with professional associations in your field. If they have job boards, sign up and do some mining. If they allow you to post your resume as a job-seeker, do so. If you know of some headhunters in your profession (think about people who may have reached out to you with a request to let them know if you know anyone interested in a particular job), let them know that you're in the market. Next, work your network of friends and colleagues. Let people know that you're looking. Then broaden the search. Here are the sites that have borne the most fruit for me:

Indeed.com: Indeed is an aggregator. While they do source some of their own jobs, they do a really good job of combing various job boards and employer career sites. The search engine can be a little goofy sometimes, but you can get a pretty good set of results sent to you every day in email. Be careful with geographic restrictions, particularly in large areas, because the results may omit positions just outside of the area. I also noticed that Indeed would periodically send me some stale results (jobs several weeks old). I'm not certain if that is because the employer reposted a role or if the search engine just missed it when it was first posted.

Glassdoor.com: Glassdoor is very interesting. I had always thought of it as a place for people to go and complain about their current employer, but it has clearly evolved. It has a decent search capability and you can limit the search to jobs in particular geographies, but again, be very careful in limiting the geography because you will miss some opportunities. Once you identify an opportunity, you can take a look at what people think about the company and also get an idea of the salary range for a particular role. Keep in mind a couple things, however. First, people who are unhappy tend to post to these sites more than people who are happy. Second, pay is also self-reported and a small sample size may not be accurate. But it may give you an idea of what to expect. But I found the jobs that I found on Glassdoor were generally high quality and relevant.

LinkedIn.com: LinkedIn is the most valuable site you'll use. You want a good profile and you want to aim for a "Profile Strength" of "All Star". Like your resume, use results-oriented language and be cautious in announcing your age. Have a professional photo and connect to people judiciously. LinkedIn is not a contest. Your goal is to have connections that you know, not simply a lot of connections. LinkedIn also has job postings and these are also quite good. You can also limit searches by "Experience Level", but I recommend that you play with that a bit to understand how LinkedIn rates job postings. The nice thing about LinkedIn is that it will highlight people in your network who work for a company that you're considering. That's a good way to get an inside track to, and view of, an opportunity.

Beyond those sources, I had very mixed results. Careerbuilder generated a ton of spammy offers from recruiters from franchise companies and insurance companies looking for agents. Ladders doesn't seem to offer much unless you pay them. Experteer is similar to Ladders -- they like to show you some potential jobs, but then want you to pay them to see the details.

In my case, I had either missed the ad for the job I ended up getting or skipped it because of the location when it first came up. I saw it pop up later in a more broad search, then used my network to reach out to someone I knew who let people know that I was interested. So the search tools helped me know there was an opportunity, but someone I knew opened the door. Having someone on the inside is not a guarantee that you'll get a look, but it doesn't hurt.

Set goals. Do your homework.

I set a goal that I would get two or three applications out per week. That doesn't sound like much, but this is a marathon, not a sprint. You don't want to shotgun out 50 applications a week unless you're willing to take just about any job that comes along. Set a focus and look for opportunities that are right for you. I can't say this enough. When you see a match in your job search results, look beyond the job description. Do some research. What are the key products or services? How are their finances? What news is in the media? Is this an organization that I really want to work for? Is the business something that will cause me personal conflict? (As an aside, years and years ago, I interviewed with a tobacco company. I'm not a smoker and my mother died of lung cancer. I had justified the application because the company also owned a food company and I hoped to end up there. As I sat in a conference room waiting for the next interviewer, I had to push aside an overflowing ash tray. The next interviewer asked if I minded if he lit up. At that point, I decided that perhaps I should have never applied.) If you can't align yourself with an organization's mission, it will be an unhappy experience, so make sure you understand what the organization is about.

Pay attention to the companies that pop up regularly in your search. Are they simply on a hiring binge or is there a lot of churn in positions in your field? Seeing the same jobs for the same companies could be a red flag.

When you apply for a position, print off the job description. Once you have ten or so applications out there, you're going to forget what you applied for. It's also important to review the job description when you're interviewing.

Open a file for each application that you make. Have the job description in there, along with any other research you've done. When you speak to someone at the company, keep track of who you talked to and when that happened.

Echo the Requirements.

Many companies use automation to weed through applicants. Take a close look at what the job requires and make sure that your resume and cover letter are echoing the terms and themes that you find. You may find that you have to adjust your resume a few times to create the right "match". That doesn't mean that you should lie or exaggerate -- but you should make sure that you can bring focus to why you are a fit.

Proofread and then Proofread Again.

Ugh. There's nothing like punching the Submit button and realizing that your cover letter contains the name of a different potential employer. If you plan to cut and paste cover letters, make sure you take the time to make them perfect. Get someone to look at your resume for errors. Read a cover letter backwards to look for spelling mistakes. Take a deep breath and do it again.

They said there would be no math.

One company was quite unique in the application / interview process. I did all the usual form filling out in the online application. After I submitted that, at the point where you normally get the Veterans' status / disability / EEOC questions, it popped up what amounted to a curious combination of behavioral multiple choice test and algebra exam. So after a set of, "When it comes to conflict in the workplace, I describe myself as a person who: a) embraces conflict b) runs away from conflict c) tries to find some way to defuse conflict..." questions, they would throw in one that involved trains, speed, departure times, mileage and what time Bob gets home for dinner. A couple of those hurt my head. I'm still not sure what that was all about. It did get me a couple phone interviews, so I guess I did ok.

Don't Get Discouraged.

Again, this is a marathon. When you look for a job when you have a job, you likely aren't keeping a clock. You don't realize that you've been poking at position postings for a year or 18 months when the new opportunity finally lands. Sometimes that perfect job just happens to land in your lap and you feel like you got hired with little or no effort. When you can hear the clock ticking, the wait for a reply can be excruciating. Keep your network alive. Check in with people that you think might be able to help.

Titles.

I had a fairly senior title for my last role. When I interviewed for positions with what seemed to be a lesser title, I was invariably asked if I was ok "only being a XXX". Have a good answer for that question. My answer was that I was interested in what the job was going to do, not what the business card said. My ego wasn't tied into the title. Another interviewer asked me if I would feel constrained by not being part of the leadership team -- I answered that being a leader is not about your title, but how you lead and that leaders can be found at all levels of the organization. (That might not work with every organization, but it got a good head nod for me.)

The Interview(s).

It seems that the typical approach for most organizations is that you get a screening call with the recruiter, then the hiring manager calls you, then you come in for interviews with three to five people, and maybe you go another round with more senior people if they can't make up their mind.

Again, do your homework. Go to the organization's website. Learn about what they do, what the products or services are, and who the key leaders are. Use LinkedIn to take a look at the people who will interview you -- see who they know that you know, where they went to school, who else they have worked for. Read the Annual Report of a public company. Search for news articles. Know who the competition is. See if you can understand their culture and strategy. Learn their history if that's available. See what current employees have to say about the company in Glassdoor. Take a balanced approach. You want to show that you've made an investment in knowing about the company, what it does, and the people that you're meeting with. It also allows you to ask some smart questions.

Interviews were all over the place. I tended to find that most hiring managers had some very specific topics to cover -- they were looking for certain skillsets. One wanted to know if I had worked with zero-base budgeting. Another wanted a detailed accounting of document management system implementation. The other folks doing interviewing tended to ask softer, more culture-fit questions. Then there were the companies that did "behavioral interviewing". Those questions always start, "Tell me about a time when..." Generally, they have to get to how you handle certain kinds of events, so what sort of behaviors do you own.

I had one company have me do a video interview. That was interesting. After a short talk with the recruiter, she sent me a link to a website. I needed to have a webcam and microphone on my computer. The technology took control of those devices and I watched a video of the recruiter. The recruiter would then ask a question and a timer would start. You had a minute (unless you wanted to respond sooner) to consider an answer, then the app would start recording you. You had two minutes to answer the question. This went back and forth for about ten or so questions. The app then closed and fired off your recording. It was a bit awkward because, even though I speak in public a lot, I hate being filmed. I forget my own name when I see the red light. I also have my webcam set up for videoconferencing and it sits on top of my screen, so I have to look up to look into the camera. It wasn't an outstanding performance.

Follow Up.

I wasn't very good at this and in retrospect, it was a mistake. I didn't want to seem over-eager or desperate, and I suspect that I may have come across less interested in some opportunities than I really was. Try to get a business card from everyone you talk to. Thank them in writing afterwards. Highlight takeaways from your conversation. Ask the recruiter or the hiring manager when they will make a decision and when (or if) you should follow up with them (as well as who your contact should be).

The Offer.

Contrary to conventional wisdom, you're probably going to talk about money sooner than you think you should. In some respects, that's good. You do want to screen out the roles that aren't going to pay and honestly, those employers don't want to insult you or waste their time with a recruitment process that will disappoint everyone. It can be a bit of a two-edged sword, however, because you might be excluded from an opportunity that would have more value in professional growth and / or you might walk away from an opportunity that could allow you fairly rapid advancement.

Hopefully, you've taken the time to decide how you want to speak about compensation and what the bottom line is for your requirements. They will flat out want to know what your pay is now. Depending on where you are in your career, the answer to this varies. As I was working my way up the ladder, I was advised to put a number on the table that I aspired to be paid, then expect an offer somewhat above that. As your pay increases, that is not an optimal strategy if you think you might be above the market for the role. I had one recruiter advise me not to settle on pay or sell myself short. The challenge is trying to figure out what the role will pay. At the end of the day, you need to put a number on the table that you're comfortable with. If you lowball things, you may end up frustrated that you're not being paid what you think you should be. My emphasis was always on base pay. Bonuses and stock and so forth are variable pay. If you rely on bonuses and stock to get by every day, then you really should add those numbers in to your base and put that down as your line in the sand.

Be prepared to speak to bonuses, variable pay, and stock (options and/or restricted stock). When the offer comes, look at it closely. Understand all the elements. If there is a relocation package, what is covered and how long is there an obligation to stay with the company? (Some companies require that you pay back a pro-rated portion of the relo package if you leave their employment within a fixed period of time.) Is vacation / PTO negotiable? (Generally, no, in most large companies.) What are the actual costs for benefits? This is an interesting factor to consider because it does have a direct bearing on what you take home. I saw a significant difference in costs per paycheck between my prior and current employers for effectively the same coverages. If the organization offers deferred compensation (usually a 401(k) plan), is there a company match? How much is that match? Does the company put funds into Health Savings Plans? Is there a pension? (Yes, there are organizations that still offer pensions.) That overall benefit package may have a significant bearing on the weight you put on take home pay. Even something simple like a subsidized cafeteria could be worth better than $1000 a year against fast food or an unsubsidized cafeteria.

And for your final bit of calculation, think about commuting costs. How far will you drive? Are you taking public transportation? What about tolls? What about parking? These costs might be quite a bit different than your prior job, so you need to account for them, better or worse. Adding $300 a month of commuter parking and train tickets to your life when you had a short drive and free parking could add up in a hurry -- but what if you walk to the train and get rid of your car (car payment, insurance, and maintenance)?

When that first offer comes to you, you also have to take a step back. If you are in a situation like I was, you have the sound of a clock ticking echoing in your head. You probably are in different stages of interviews with other organizations. Perhaps you've gotten yet another, "We've chosen a candidate more in alignment with our requirements" letter. Perhaps you just applied to a position that feels like a perfect match with a great company. Now you have the "bird in the hand" dilemma. Are you going to jump at the opportunity that will get you back on payroll in a couple weeks, in a role that you're interested in, but not thrilled about, working for an organization that's just ok? The answer to that will depend a lot on your personal situation and your personal risk tolerance. I suppose that, in this day and age, there is no shame in walking away from a company that you just joined, but honestly, that doesn't feel right to me. Certainly, if you find yourself in a truly horrible situation, you may want to run away quickly, but if you signed up with an organization in good faith, I think you have to have some commitment. It's not an easy decision, but I think the guiding principle is not just to grab on to the first job that makes you an offer, just because it is an offer -- and honestly, as you go about your search, you shouldn't be shotgunning applications to every organization that has an opportunity that you could have an interest in. If the company is not that interesting to you, the job is very likely going to be a problem for you as well.

Consider Alternatives.

One hiring manager asked me if I would be interested in a 90 day "try it before you buy it" contract. I was caught flat-footed by the question and, frankly, felt insulted. I declined that opportunity. I didn't want to lose 90 days of a job search and I didn't have a clear plan or set of expectations around such an offer. Interestingly, I recently heard from a colleague who is also in the market for an opportunity and she received a similar offer. The commonality was that both she and I got these offers from companies that were in industries outside of our core strength, so it seems logical that the hiring manager might want to assess the candidate's learning agility and pace of learning uptake. If you think about a short term contract, think about what you need in compensation, but also think about how you define "success". You want some very clear measurables in the contract so you don't find yourself giving away discounted knowledge to an employer that wasn't really interested in committing to you.

In a similar vein, I see a lot of contract employees at my new job. In speaking to some folks in these roles, many find the contract work path very refreshing. They actually get paid fairly well and in IT at least, find themselves getting new assignments regularly, particularly if they perform well. It is sort of like being a consultant, but without the sales overhead. Some convert to regular employees over time and many stay on the contract employee track because they like it, not because it is necessary. The downside is that you don't get benefits in most cases and you aren't eligible for bonuses, stock, and other employee perks. Still, it might be an opportunity for some folks. I'll probably write more on that as I learn about it.


No matter what your situation, I wish you good hunting in finding that next opportunity. They are out there and you'll find it.

Thursday, October 20, 2016

ATR: The Death of Email

Mark Twain was famously reported to have once said, "The reports of my death are greatly exaggerated." For a while, now, various pundits have been proclaiming that the use of email was in decline and email would be passed by for other communications technology. Millennials didn't use (or want to use) email, etc. Sitting in a large corporation, I was in the Mark Twain camp, with regard to email. If anything, the volumes were increasing.

I have to wonder, however, if the adventure of Hillary Clinton's email server and the recent series of Wikileaks releases of hacked email accounts will begin to put a stake in the heart of email. Email is a tool that has been around for about twenty to twenty-five years in business. That means that workers who are under 45 or so have never worked in a place where email was not the primary means of textual communication. And those same workers have likely never been without a mobile phone as a means of voice communications. Young people coming into the workplace not only have never known life without the Internet, email, or mobile phones, but they have likely never owned a mobile phone that couldn't get to the Internet or send email.

I've said for a while that I felt something of a sea change in the use of email over the past ten years. One of my biggest pet peeves was what I call "ping-pong email" -- email messages that are brief and go back and forth between people when a phone call or instant message would be a better means of communication. I'd noticed in my workplace that as instant messaging became more ubiquitous, those messages went away. I also noticed the "Let's go to lunch" email was extinct. The business messages that I was getting were more substantial. Email was becoming more formal in the workplace. People were tending to think about what they were writing. Cringe-worthy email was rapidly disappearing. The message that you should think about what you were typing seemingly had gotten through to a lot of people. And we noticed this in our investigations as well. While there are always outliers, the days where people were circulating chain emails, recipes, and racy pictures in business email systems were diminishing. Undoubtedly, a lot of this was changing due to the growth of Facebook, Twitter, Snapchat, and similar social media tools, but I also believe that people started to understand that email isn't very private and tends to hang around for a while.

So if all of that is accurate, why was my Inbox so full? My sense is that email became an asynchronous conference call. Let's unpack that. A face to face conversation or a phone call is generally considered synchronous communication. You're talking to another person in real time. A conference call is generally synchronous communication. Voicemail moves the synchronous conversation to asynchronous by allowing a recording to be retained and listened to later on. A written letter on paper is an asynchronous communication. Instant messaging is intended to be synchronous, but is often asynchronous. Email is something of a hybrid. It behaves asynchronously, but in those "ping-pong" email situations, effectively becomes synchronous. That's all well and good, but I still have a full Inbox. Why?

In a global organization (or even in any organization with team members spread across multiple locations), getting a team together for a meeting or conference call is an arduous task. Someone always can't fit the meeting into their calendar, particularly on short notice. An email is drafted and circulated for comment -- thus, the asynchronous conference call. If the topic seems to require lots of comments, "Reply to All" then fills up the Inbox. Compound this by including extraneous people on a "CC:" or "BCC:" list, and the number of email messages increases almost exponentially. That didn't happen in paper communications days. Certainly, some letters or memos might be circulated to a number of folks, but it was pretty rare for all of those folks to reply to the entire distribution list. With email, one click and everyone gets your thoughts. One more click and you can send the message thread on to people who were never part of the original distribution.

The ease of circulation of an email communication is, in my opinion, what people are becoming aware of. I think everyone has had the experience of finding out that an email that was believed to be private was suddenly being circulated to places never imagined -- often with unfortunate results. Now couple in the recent exposure of political email messages. Messages once thought private are posted for all to see on the Internet. Messages that are, perhaps, less circumspect than the author would be in a public forum. "Missing" messages are found in other email accounts, backups, and archives. Huge message volumes are easily searched. Single messages are taken out of context, "tone" is interpreted differently than intended. I've said for a long time that I dread the day where I have to testify about an email message and try to interpret the meaning of an emoticon or someone else's "LOL". (Thankfully, there will likely be a whole new realm of attorney objections to that.)

But let's go back to the top. Is email dead? I'd suggest that we will see considerable change in how people use email over the next few years. Stronger and more user friendly encryption, not only of the communication in transit, but while at rest, will become commonplace. People who do not want their communications read by others will simply stop using email. New technology to deal with "asynchronous conference calls" (think tools like Slack) will come into more common use. I also suspect that email may revert to status as an "envelope" which carries either a formal attached message (likely encrypted) or a link to content that requires authentication to view. This will enable sensitive information to be protected and access controlled, with the additional ability to ensure retention periods.

As with many things, a long, slow evolution, coupled with revolutionary change in response to perceived threats and unintended consequences.

Friday, April 1, 2016

ATR: On Associations and Information Governance

I imagine that I'll tick off more than a few people with this post, but my blog, so my opinion.

Don Lueders recently posted An Open Letter to ARMA on his blog. I'm not going to work through it point by point, but I would like to add my voice to a seeming cacophony of voices on AIIM and ARMA and the profession that I've grown up in.

Associations

Both of the major information management professional associations, ARMA and AIIM, are being disrupted. As someone who spent most of my career volunteering for one thing or another for ARMA (and I still do a few things), it's painful to see. There are many factors at play here and the disruption certainly isn't unique to these associations. I don't think it's fair to say that membership declines are solely due to young people wanting to network in different ways. It's about time and value. Let's face it, going to your employer and getting money to belong to a professional association isn't as easy as it once was. Getting funding for monthly meetings or an annual conference is also quite difficult. Travel and education budgets are usually the first victims of corporate cost cutting. Many companies put it kind of bluntly -- "There are 20 of you who want to go to conferences, belong to associations and go to various meetings. We figure that costs us about four grand a nose. If you want us to continue doing that, who doesn't want to be here next year?" That's a pretty brutal summary, but for many of us, it is the calculus in play. So that means the employee needs to think very carefully about the value of his or her own money going to these activities and for many people, that's not in the family budget, either.

The other big factor is time. Few of us work "just" a 40 hour week. We're tethered to email; we journey to the cloud from home computers to crank out a bit more work in the evening; we're doing the work that several people would have done in years past. And at home, our kids are overscheduled, we have to work out, or we need to binge watch that great show that we didn't have time to watch in real time. When I was a kid, I can remember my Dad having time to join a bowling league, go to the Moose Lodge, and make a Holy Name Society meeting from time to time. (And, by the way, those organizations are probably struggling as much as, or more, than professional associations.) Going to a monthly association meeting means taking three hours out of the office -- which will have to be made up somewhere. And that becomes another value calculation.

"Value", it was once said to me, "is getting more from something than what you put in." So if you're the sort of person who goes to a conference and comes back with a raft of business cases that immediately generate savings far in excess of the cost of the conference, I can pretty well guarantee that you'll be going to that conference in the future. If you're paying for a meeting out of your own pocket and going to the meeting yields a business contact that becomes a mentor to you, you might just keep going to those meetings. If you're a vendor and the conference booth yields sales that profit far in excess of the cost of the booth, you're going to keep buying booth space.

For professional associations to grow and prosper, they have to add value for members, their employers, and the vendor / sponsor communities.

I have opinions about ARMA and AIIM and where they fall short for me. I don't want to bash these organizations. They have hard-working, earnest employees, and many, many dedicated volunteers. But they aren't adding enough value.

ARMA

(Most of you know that I'm a Fellow of ARMA and a former International Treasurer. I've been a fairly frequent speaker at the ARMA Conference and Chapter meetings. I have a long list of volunteer activities with ARMA, so I have some insights and biases.)

ARMA's struggles come, in my opinion, from having to serve three constituencies: 1) The Old Guard. These are the bulk of members who "grew up" in records management and remember the days when the records manager's goal was to have the million dollar budget and 40 staff members. A high school diploma and some basic management training was enough to advance you up the career ladder. Paper is still king and this technology stuff can be managed just like paper, but nobody listens. 2) The Masters. They've broken through the cardboard ceiling, have all the certifications, make the "big bucks", get decent visibility, and understand technology, but desperately need more than ARMA offers. They're bored with ARMA but come to Conference to see their friends and network in the hallways and bars. They want to give back to the profession, but get frustrated a lot.  3) The Solutions Seekers. They got stuck with an assignment to "fix" records management, but come from other disciplines. They want a solution so they can be a hero and move on to the next challenge. They are befuddled by the secret societies and cliques within ARMA. They can't find a good guidebook or recipe. They drift over to consultants to fix the problem. They'll be gone in a couple years and someone else may or may not take their place.

The big problem with ARMA is that no one ever took the time to develop a standard body of knowledge about records management. Sure, there are standards out there, but most deal with some small sliver of the profession. ISO 15489 has no teeth. There's no COBIT, no ISO 17001. The CRM lacks a Body of Knowledge similar to the CISSP. So we point to the ARMA Bookstore, which contains a lot of good information, but it is often dated, or conflicts, or isn't relevant. So we muddle around. "How long do you keep email?" is the question -- and fistfights break out. "How do you manage records in a database?" and shoulders get shrugged. No standard or requirement says that when you build an application, you must build in retention and disposition. Everyone invents a solution for their situation. Or not. We fussed over The Principles, created a great foundation, and saw them land with a dull thud that was then savaged by folks who further fussed over how they came to be and whether or not they had any validity. So the really hard work of building controls and standards on top of The Principles never happened. The organization latched on to Information Governance, but never really set a definition of the space. The IGP is about building a vague program and not much about what the components of the program should be -- or what actual subject matter knowledge is required. Oh, it's there to some extent, but it's not leading the definition of the profession. So many of us are left to our own devices.

AIIM

I'll admit that AIIM and I have never seen eye to eye, outside of a brief period when I needed to understand imaging in a hurry. AIIM, in my opinion and perception, has two problems. 1) It is driven by vendors. That's not a horrible thing, but it hurts the organization. While the vendor members leading AIIM have always had a decent business sense and a good nose for new opportunities, they have tended to force the organization to chase trends. The dominance of vendors led to the practice of using educational sessions as sales opportunities.  2) It chases buzzwords. To an outsider, it always seemed like AIIM was reinventing itself as the flavor of the month and I couldn't expect to find solid ground or a consistent direction of travel. Once the microfilm industry started to crash, AIIM had a major problem. It rightly shifted to imaging, but as the Internet took off and the need to convert paper to electronic images began to fade, it had to latch on to something new. I forget all the buzzwords. Then it became a certificate factory. Then it dabbled in a certification, but never put much effort into it. AIIM's strength was in generating true industry standards, but that seems to have fallen by the wayside. Granted, some of those standards were to the benefit of the vendor members, but they made the effort to actually output real standards.

When I've gone to AIIM events, I knew that sales calls would dog me for the next several months, whether or not I ever talked to an exhibitor. I reminded myself that "when AIIM offers a free lunch, you're the main course". That approach -- and very naked sales pitches in AIIM conference sessions (that I paid to attend) -- drove me away.

I'm not sure if I really know what either organization wants to stand for. Right now, I know they both share one goal -- survival. ARMA has always had a strong chapter network, but the chapters suffer from leadership burnout and little direction from ARMA HQ on topics of interest to the membership and truly competent speakers. They also lack shared technology to reach members who don't want to travel to meetings -- or technology to enable multiple chapters to share speakers by video or audio conference. Few chapters use social media effectively. They struggle to find good venues at low cost. AIIM's chapters are fewer and suffer the same problems. The leadership of both organizations face declining revenues, declining conference attendance, and member ambivalence. That's a potential (and probable) death spiral.

Both organizations are run by association professionals. I would expect they have plenty of options to consider to rebuild their organizations -- but what both need is clear identity and mission. That can only come from the people who choose to belong. Fistfights be darned.


Enter Information Governance

If you browse back through Above The RIM, you'll see that I've been using the term "Information Governance" to describe the scope of what I do for some time. (I had a brief flirtation with "Information Overlord" on my business card at one time and I am very glad I didn't follow that impulse.) Anyway, I have poked at the various definitions that are out there in Gartner, the newly sprouted IG organizations, and even Wikipedia, but nothing quite matched what I do and what I define as my space. A couple years ago, I had the opportunity to keynote a lawyer's conference on e-discovery and information governance and I decided to throw my own definition into the ring. It goes like this:

Information Governance
A system of policies, controls, procedures, and tools governing the lifecycle of an organization’s data that matters. This system ensures appropriate ease of access to data when needed and defensible disposition of data when no longer needed. This system limits business disruption, while maintaining appropriate security, within an auditable framework in line with the organization’s risk appetite and regulatory environment.
It's not a far stretch from historical understandings of records management. But it encompasses a lot more -- e-discovery, data privacy, risk, audits, security, and so on. The core is "data that matters". While I recognize that some might see this as a fancy way to say "records" in the technology age, I think it is broader than "records", yet narrower than "information".

Foundationally, you better understand the basics of records management. Knowing what data is in the organization -- and whether or not (and how) it matters -- is critical. And this definition presupposes knowledge of how risk-averse an organization might be and what legal guardrails constrain the organization. It further expects that the data is maintained securely and that everything can be subject to real audits.

A proper IG team encompasses a variety of professionals. My team holds -- or has held -- the following certifications: CISSP, CISM, CISA, CRISC, CRM, CIPP, CIP, CGEIT, EnCE, PMP, among others. The six members of my team also all hold Master's degrees. I even have one staff person who sought out a paralegal certificate. They represent professional competencies in IT Risk, Data Privacy, IT Audit, Business Continuity, E-discovery, and yes, Records Management. In the past, I have had computer forensics experts as part of my team.

Where I'm going with this is that Information Governance is a whole lot more than Records Management 2.0 or 3.0 or whatever. The various disciplines that work together all have their own professional organizations and certifying bodies. IG is not just a rebranding of records management. It's more powerful than that. Parallel to my organization is an IT Architecture team that drives data management -- the platforms for our IT systems, the underlying technology, the means of storage, and the connections to the users. There are some people who might think this should be in scope for Information Governance -- some call it "Data Governance". Arguably, with the right leadership, the two areas could come together, but IT Architecture has far different skillsets. So I don't worry about the technology how -- I worry about how long data gets retained, what regulatory standards need to be met, the risks incurred, the mitigations required, and how we ensure that standards, regulations and controls are being met. And we adapt as the organization evolves.


Where Do We Go from Here?

What I would call for is that ARMA extends and expands The Principles into a Body of Knowledge that truly couples with the ICRM to ensure that there is a consistent foundation for records management. If ARMA (or AIIM, for that matter) wants to truly define the Information Governance space, then the organization has to understand that it can't define the space in a vacuum. It has to partner with other professional and certifying organizations to integrate a consistent and defined space that is Information Governance, then cooperatively build an ecosystem that supports knowledge sharing and networking.




Tuesday, March 10, 2015

ATR: Thoughts on Email

The media is abuzz with stories about a certain former US Secretary of State using her own email server to send and receive official email related to her office. There is certainly plenty of fodder here for political accusations at each party and I'd rather not get into that here. My focus is on information governance and records management, so let's focus there.

From the time that I was but a wee little records manager, I learned that the basic definition of a "record" included language akin to "...recorded information, regardless of physical form or characteristics...". In slightly later days, the litany of types of records included as examples of records was amended to include "machine readable" or "electronic" records. The foundation for this definition has historically been the United States Code and the Code of Federal Regulations. This is not something new. The laws and regulations have been on the books for decades. They were purposely written to ensure that the advancement of technology did not negate the effect of the law or rule.

Part of the problem over the past 20 years is that the pace of technology has outstripped the ability to manage the information created by technology. Whether in the public sector or in the private sector, email volumes have grown exponentially. The US Federal government, particularly as embodied by the National Archives, has been stymied in efforts to manage electronic records. I can recall efforts from the mid-1990s to get a handle on electronic records in the US government.

The Code of Federal Regulations (36 CFR 1220 et seq.) has been quite clear that a Federal Agency is responsible for managing its records. There's no provision for storing paper records in your basement or electronic records on a server that you built in your garage. While certain agency policies have been cited relative to third parties hosting email, I don't think that was ever intended to allow a government employee to deploy file or email servers. I would expect that the intent of those allowances was for services hosted by Microsoft or Google or some other appropriately contracted and vetted service provider.

A variety of state and Federal officials have been dragged into this frenzy because it became known that they had personal email accounts during their terms of office. From my reading, it appears that some of them have admitted to using personal email accounts for official business. Importantly, though, this usage has not been exclusive and has not been on email servers that they housed in their residence or under their direct control. I can certainly understand that a politician may want to use a third party email system for purely political or personal purposes. They may also take great pains to keep that information apart from their official actions. So from that standpoint, I don't fault the former Secretary's interest in keeping her personal (and political) email separate from her official email. In that regard, she was well within the provisions of US law and regulations. But by mixing her official correspondence with personal correspondence on a server that she (and her apparently personal staffers) controlled, I'd suggest that the law was broken with regard to maintaining official government records in accord with 36 CFR 1220.32, "Agencies must create and maintain authentic, reliable, and usable records and ensure that they remain so for the length of their authorized retention period." By removing the email from the server and printing it out -- and not maintaining a full audit trail of what was deleted (although interestingly, there seems to be knowledge of the number of emails deleted), I would suggest that it is very difficult to prove the authenticity or reliability of any of the emails produced in paper form.

Now let's turn to information security. It's safe to say that every Federal agency head and Cabinet-level appointee is a likely target of nation-state-sponsored hackers. Most historians are quite familiar with the Zimmermann Telegram, which is one of the earliest examples of "hacking" electronic communications by a nation-state. The former Secretary stated that the email server was secure because her home was protected by the US Secret Service. Well, that may have protected the server from a physical attack, but it stands to reason that there were plenty of hackers who could have had an interest in that server and "owned" it quite easily. After all, the State Department's own network had been successfully penetrated. We'll take the former Secretary's word that she was cautious about not transmitting Classified information with her email, but suffice to say that her communications with other officials likely contained strategic direction and discussions based upon Classified intelligence. If nothing else, a hacker would have been likely to easily collect foreign policy decisions ahead of their release as well as insider discussions and debates about foreign policy. As we have seen with other emails released by hackers, email exchanges between ranking government officials can be quite direct and revealing when no one appears to be watching. It may be many years before we know what access hackers had and what secrets they had access to.

While the violation of various elements of the US Code and the Code of Federal Regulations is bad enough (as well as the likely sanitizing of the historical record), the bigger issue is the breach of security. I would hope that someone with access to the highest levels of the US government; who likely had access to the most highly classified information; who should have been briefed on the ongoing threats to national security by nation-state-sponsored hackers, would have (or certainly should have) known that she was a high value target and acted accordingly. Even if the minion who set up her email assured her that it was properly protected, it seems reasonable that a thinking person would have had second thoughts about her own cyber security when she learned about successful state-sponsored APT attacks against some of the country's most protected government agencies and private companies.