The most popular topic for doomsayers lately seems to be data privacy, and this concern is not completely without merit. The proliferation of information breaches and hacks paints the picture of a sky slowly falling in an increasingly digital world, and recent large-scale breaches such as Yahoo! or JP Morgan do nothing to quell a sense of panic.
Although I’m not one for hysterics, it’s clear that it’s no easy task to ensure privacy on a massive (sometimes global) scale. Security at the individual level is a matter of discipline, and some attention to detail doesn’t hurt either. Security at the enterprise level is an entirely different ball game, with its own set of issues.
When it comes to enterprise security, companies generally use a two-pronged approach: improving firewalls and expanding IT capabilities. While these are probably the most popular measures, they are far from the entire picture.
The records and legal departments each play a pivotal role in enterprise security beyond the firewalls. Setting privileges, managing retention, identifying junk data, and implementing legal holds all fall under the records/legal umbrella. These responsibilities all contribute mightily to enterprise security, but they generally fall outside the realm of IT.
This means that security requires cooperation throughout the organization. And this works well on a small scale, but when the scale grows to billions of documents and emails, it seems to be an impossible task for just a few departments.
This is why, in most large companies, the employees outside of information management become crucial. The “end-users” of email platforms and collaboration tools are often asked to categorize their own information and determine its retention, because the amount of information has outgrown the capabilities of the management groups.
Although this user-centric approach works well in theory, organizations have struggled to have end-users reliably follow procedures and apply the proper policies.
This disconnect becomes the bane of any RIM professional’s work life. Because, simply put, end-users do not really care about classification. It’s an understandable apathy on some level, as end-users perceive classification as outside of their responsibilities.
This reluctance from end-users leaves organizations with little choice. They need to automate their classification process and keep decisions about information security, deletion, privileges, and tracking in the hands of the experts in those fields. Instead of crossing your fingers with end-users, empower the information professionals to determine the importance of all content.
RIM professionals already have detailed taxonomies in place, in the hope that end-users will follow them. Information management would become much easier if the end-user’s task did not exist. Replace manual work with automated taxonomies to avoid the negligence.
Human error in end-user classification is the underlying threat to information security. Excluding human thought from the process should be the top risk-mitigation priority for every organization. It is up to the information managers (RIM, Legal, and IT) to understand what is possible and where they fall short.