Thursday, October 20, 2016

ATR: The Death of Email

Mark Twain was famously reported to have once said, "The reports of my death are greatly exaggerated." For a while, now, various pundits have been proclaiming that the use of email was in decline and email would be passed by for other communications technology. Millennials didn't use (or want to use) email, etc. Sitting in a large corporation, I was in the Mark Twain camp, with regard to email. If anything, the volumes were increasing.

I have to wonder, however, if the adventure of Hillary Clinton's email server and the recent series of Wikileaks releases of hacked email accounts will begin to put a stake in the heart of email. Email is a tool that has been around for about twenty to twenty-five years in business. That means that workers who are under 45 or so have never worked in a place where email was not the primary means of textual communication. And those same workers have likely never been without a mobile phone as a means of voice communications. Young people coming into the workplace not only have never known life without the Internet, email, or mobile phones, but they have likely never owned a mobile phone that couldn't get to the Internet or send email.

I've said for a while that I felt something of a sea change in the use of email over the past ten years. One of my biggest pet peeves was what I call "ping-pong email" -- email messages that are brief and go back and forth between people when a phone call or instant message would be a better means of communication. I'd noticed in my workplace that as instant messaging became more ubiquitous, those messages went away. I also noticed the "Let's go to lunch" email was extinct. The business messages that I was getting were more substantial. Email was becoming more formal in the workplace. People were tending to think about what they were writing. Cringe-worthy email was rapidly disappearing. The message that you should think about what you were typing seemingly had gotten through to a lot of people. And we noticed this in our investigations as well. While there are always outliers, the days where people were circulating chain emails, recipes, and racy pictures in business email systems was diminishing. Undoubtedly, a lot of this was changing due to the growth of Facebook, Twitter, Snapchat, and similar social media tools, but I also believe that people started to understand that email isn't very private and tends to hang around for a while.

So if all of that is accurate, why was my Inbox so full? My sense is that email became an asynchronous conference call. Let's unpack that. A face to face conversation or a phone call is generally considered synchronous communication. You're talking to another person in real time. A conference call is generally synchronous communication. Voicemail moves the synchronous conversation to asynchronous by allowing a recording to be retained and listened to later on. A written letter on paper is an asynchronous communication. Instant messaging is intended to be synchronous, but is often asynchronous. Email is something of a hybrid. It behaves asynchronously, but in those "ping-pong" email situations, effectively becomes synchronous. That's all well and good, but I still have a full Inbox. Why?

In a global organization (or even in any organization with team members spread across multiple locations), getting a team together for a meeting or conference call is an arduous task. Someone always can't fit the meeting into their calendar, particularly on short notice. An email is drafted and circulated for comment -- thus, the asynchronous conference call. If the topic seems to require lots of comments, "Reply to All" then fills up the Inbox. Compound this by including extraneous people on a "CC:" or "BCC:" list, and the number of email messages increases almost exponentially. That didn't happen in paper communications days. Certainly, some letters or memos might be circulated to a number of folks, but it was pretty rare for all of those folks to reply to the entire distribution list. With email, one click and everyone gets your thoughts. One more click and you can send the message thread on to people who were never part of the original distribution.

The ease of circulation of an email communication is, in my opinion, what people are becoming aware of. I think everyone has had the experience of finding out that an email that was believed to be private was suddenly being circulated to places never imaged -- often with unfortunate results. Now couple in the recent exposure of political email messages. Messages once thought private are posted for all to see on the Internet. Messages that are, perhaps, less circumspect than the author would be in a public forum. "Missing" messages are found in other email accounts, backups, and archives. Huge message volumes are easily searched. Single messages are taken out of context, "tone" is interpreted differently than intended. I've said for a long time that I dread the day where I have to testify about an email message and try to interpret the meaning of an emoticon or someone else's "LOL". (Thankfully, there will likely be a whole new realm of attorney objections to that.)

But let's go back to the top. Is email dead? I'd suggest that we will see considerable change in how people use email over the next few years. Stronger and more user friendly encryption, not only of the communication in transit, but while at rest, will become commonplace. People who do not want their communications read by others will simply stop using email. New technology to deal with "asynchronous conference calls" (think tools like Slack) will come into more common use. I also suspect that email may revert to status as an "envelope" which carries either a formal attached message (likely encrypted) or a link to content that requires authentication to view. This will enable sensitive information to be protected and access controlled, with the additional ability to ensure retention periods.

As with many things, a long, slow evolution, coupled with revolutionary change in response to perceived threats and unintended consequences.

Friday, April 1, 2016

ATR: On Associations and Information Governance

I imagine that I'll tick off more than a few people with this post, but my blog, so my opinion.

Don Lueders recently posted An Open Letter to ARMA on his blog. I'm not going to work through it point by point, but I would like to add my voice to a seeming cacophony of voices on AIIM and ARMA and the profession that I've grown up in.


Both of the major information management professional associations, ARMA and AIIM, are being disrupted. As someone who spent most of my career volunteering for one thing or another for ARMA (and I still do a few things), it's painful to see. There are many factors at play here and the disruption certainly isn't unique to these associations. I don't think it's fair to say that membership declines are solely due to young people wanting to network in different ways. It's about time and value. Let's face it, going to your employer and getting money to belong to a professional association isn't as easy as it once was. Getting funding for monthly meetings or an annual conference is also quite difficult. Travel and education budgets are usually the first victims of corporate cost cutting. Many companies put it kind of bluntly -- "There are 20 of you who want to go to conferences, belong to associations and go to various meetings. We figure that costs us about four grand a nose. If you want us to continue doing that, who doesn't want to be here next year?" That's a pretty brutal summary, but for many of us, it is the calculus in play. So that means the employee needs to think very carefully about the value of his or her own money going to these activities and for many people, that's not in the family budget, either.

The other big factor is time. Few of us work "just" a 40 hour week. We're tethered to email; we journey to the cloud from home computers to crank out a bit more work in the evening; We're doing the work that several people would have done in years past. And at home, our kids are overscheduled, we have to work out, or we need to binge watch that great show that we didn't have time to watch in real time. When I was a kid, I can remember my Dad having time to join a bowling league, go to the Moose Lodge, and make a Holy Name Society meeting from time to time. (And, by the way, those organizations are probably struggling as much as, or more, than professional associations.) Going to a monthly association meeting means taking three hours out of the office -- which will have to be made up somewhere. And that becomes another value calculation.

"Value", it was once said to me, "is getting more from something than what you put in." So if you're the sort of person who goes to a conference and comes back with a raft of business cases that immediately generate savings far in excess of the cost of the conference, I can pretty well guarantee that you'll be going to that conference in the future. If you're paying for a meeting out of your own pocket and going to the meeting yields a business contact that becomes a mentor to you, you might just keep going to those meetings. If you're a vendor and the conference booth yields sales that profit far in excess of the cost of the booth, you're going to keep buying booth space.

For professional associations to grow and prosper, they have to add value for members, their employers, and the vendor / sponsor communities.

I have opinions about ARMA and AIIM and where they fall short for me. I don't want to bash these organizations. They have hard-working, earnest employees, and many, many dedicated volunteers. But they aren't adding enough value.


(Most of you know that I'm a Fellow of ARMA and a former International Treasurer. I've been a fairly frequent speaker at the ARMA Conference and Chapter meetings. I have a long list of volunteer activities with ARMA, so I have some insights and biases. )

ARMA's struggles come, in my opinion, from having to serve three constituencies: 1) The Old Guard. These are the bulk of members who "grew up" in records management and remember the days when the records manager's goal was to have the million dollar budget and 40 staff members. A high school diploma and some basic management training was enough to advance you up the career ladder. Paper is still king and this technology stuff can be managed just like paper, but nobody listens. 2) The Masters. They've broken through the cardboard ceiling, have all the certifications, make the "big bucks", get decent visibility, and understand technology, but desperately need more than ARMA offers. They're bored with ARMA but come to Conference to see their friends and network in the hallways and bars. They want to give back to the profession, but get frustrated a lot.  3) The Solutions Seekers. They got stuck with an assignment to "fix" records management, but come from other disciplines. They want a solution so they can be a hero and move on to the next challenge. They are befuddled by the secret societies and cliques within ARMA. They can't find a good guidebook or recipe. They drift over to consultants to fix the problem. They'll be gone in a couple years and someone else may or may not take their place.

The big problem with ARMA is that no one ever took the time to develop a standard body of knowledge about records management. Sure, there are standards out there, bust most deal with some small sliver of the profession. ISO 15489 has no teeth. There's no COBIT, no ISO 17001. The CRM lacks a Body of Knowledge similar to the CISSP. So we point to the ARMA Bookstore, which contains a lot of good information, but it is often dated, or conflicts, or isn't relevant. So we muddle around. "How long do you keep email?" is the question -- and fistfights break out. "How do you manage records in a database?" and shoulders get shrugged.  No standard or requirement says that when you build an application, you must build in retention and disposition. Everyone invents a solution for their situation. Or not. We fussed over The Principles, created a great foundation, and saw them land with a dull thud that was then savaged by folks who further fussed over how they came to be and whether or not they had any validity. So the really hard work of building controls and standards on top of The Principles never happened. The organization latched on to Information Governance, but never really set a definition of the space. The IGP is about building a vague program and not much about what the components of the program should be -- or what actual subject matter knowledge is required. Oh, it's there to some extent, but it's not leading the definition of the profession. So many of us are left to our own devices.


I'll admit that AIIM and I have never seen eye to eye, outside of a brief period when I needed to understand imaging in a hurry. AIIM, in my opinion and perception, has two problems. 1) It is driven by vendors. That's not a horrible thing, but it hurts the organization. While the vendor members leading AIIM have always had a decent business sense and a good nose for new opportunities, they have tended to force the organization to chase trends. The dominance of vendors led to the practice of using educational sessions as sales opportunities.  2) It chases buzzwords. To an outsider, it always seemed like AIIM was reinventing itself as the flavor of the month and I couldn't expect to find solid ground or a consistent direction of travel. Once the microfilm industry started to crash, AIIM had a major problem. It rightly shifted to imaging, but as the Internet took off and the need to convert paper to electronic images began to fade, it had to latch on to something new. I forget all the buzzwords. Then it became a certificate factory. Then it dabbled in a certification, but never put much effort into it. AIIM's strength was in generating true industry standards, but that seems to have fallen by the wayside. Granted, some of those standards were to the benefit of the vendor members, but they made the effort to actually output real standards.

When I've gone to AIIM events, I knew that sales calls would dog me for the next several months, whether or not I ever talked to an exhibitor. I reminded myself that "when AIIM offers a free lunch, you're the main course". That approach -- and very naked sales pitches in AIIM conference sessions (that I paid to attend) drove me away.

I'm not sure if I really know what either organization wants to stand for. Right now, I know they both share one goal -- survival. ARMA has always had a strong chapter network, but the chapters suffer from leadership burnout and little direction from ARMA HQ on topics of interest to the membership and truly competent speakers. They also lack shared technology to reach members who don't want to travel to meetings -- or technology to enable multiple chapters to share speakers by video or audio conference. Few chapters use social media effectively. They struggle to find good venues at low cost. AIIM's chapters are fewer and suffer the same problems. The leadership of both organizations face declining revenues, declining conference attendance, and member ambivalence. That's a potential (and probable) death spiral.

Both organizations are run by association professionals. I would expect they have plenty of options to consider to rebuild their organizations -- but what both need is clear identity and mission. That can only come from the people who choose to belong. Fistfights be darned.

Enter Information Governance

If you browse back through Above The RIM, you'll see that I've been using the term "Information Governance" to describe the scope of what I do for some time. (I had a brief flirtation with "Information Overlord" on my business card at one time and I am very glad I didn't follow that impulse.) Anyway, I have poked at the various definitions that are out there in Gartner, the newly sprouted IG organizations, and even Wikipedia, but nothing quite matched what I do and what I define as my space. A couple years ago, I had the opportunity to keynote a lawyer's conference on e-discovery and information governance and I decided to throw my own definition into the ring. It goes like this:

Information Governance​
A system of policies, controls, procedures, and tools governing the lifecycle of an organization’s data that matters. This system ensures appropriate ease of access to data when needed and defensible disposition of data when no longer needed. This system limits business disruption, while maintaining appropriate security, within an auditable framework in line with the organization’s risk appetite and regulatory environment.​
It's not a far stretch from historical understandings of records management. But it encompasses a lot more -- e-discovery, data privacy, risk, audits, security, and so on. The core is "data that matters". While I recognize that some might see this as a fancy way to say "records" in the technology age, I think it is broader than "records", yet narrower than "information".

Foundationally, you better understand the basics of records management. Knowing what data is in the organization -- and whether or not (and how) it matters -- is critical.  And this definition presupposes knowledge of how risk-adverse an organization might be and what legal guardrails constrain the organization. It further expects that the data is maintained securely and that everything can be subject to real audits.

A proper IG team encompasses a variety of professionals. My team holds -- or has held -- the following certifications: CISSP, CISM, CISA, CRISC, CRM, CIPP, CIP, CGEIT, EnCE, PMP, among others. The six members of my team also all hold Master's degrees. I even have one staff person who sought out a paralegal certificate. They represent professional competencies in IT Risk, Data Privacy, IT Audit, Business Continuity, E-discovery, and yes, Records Management. In the past, I have had computer forensics experts as part of my team.

Where I'm going with this is that Information Governance is a whole lot more than Records Management 2.0 or 3.0 or whatever. The various disciplines that work together all have their own professional organizations and certifying bodies. IG is not just a rebranding of records management. It's more powerful than that. Parallel to my organization is an IT Architecture team that drives data management -- the platforms for our IT systems, the underlying technology, the means of storage, and the connections to the users. There are some people who might think this should be in scope for Information Governance -- some call it "Data Governance". Arguably, with the right leadership, the two areas could come together, but IT Architecture has far different skillsets. So I don't worry about the technology how -- I worry about how long data gets retained, what regulatory standards need to be met, the risks incurred, the mitigations required, and how we ensure that standards, regulations and controls are being met. And we adapt as the organization evolves.

Where Do We Go from Here?

What I would call for is that ARMA extends and expands The Principles into a Body of Knowledge that truly couples with the ICRM to ensure that there is a consistent foundation for records management. If ARMA (or AIIM, for that matter) wants to truly define the Information Governance space, then the organization has to understand that it can't define the space in a vacuum. It has to partner with other professional and certifying organizations to integrate a consistent and defined space that is Information Governance, then cooperatively build an ecosystem that supports knowledge sharing and networking.