Every so often, an idea comes along that stops you in your tracks.
Innovation is happening at the speed of light all around us but most of of the time it consists only of incremental, evolutionary thinking, which takes us a little bit further in the same direction we were going all along. We have become fairly blazé about innovation.
And then you spot something that makes you sit up, pay attention, change direction, and re-think everything. I had one of these moments a few weeks back.
The name “EpyDoc” will probably mean nothing to most of you. Even looking at their existing website I would have dismissed it as a second or third-rate Document Management wannabe. Yet, EpyDoc is launching a new concept in April, that potentially re-defines the whole Data / Content / Information / Process Management industry, as we know it today. You know what happens when you mix comets and dinosaurs? It is that revolutionary.
I have lost track of the number of times over the years that I’ve moaned about the constraints that our current infrastructure is imposing on us:
- The arbitrary segregation of structured and unstructured information [here]
- The inherent synergy of Content and Process management [here]
- The content granularity that stops at the file level [here]
- The security models that protect the container rather than the information [here]
- The lack of governance and lifecycle management of all information, not just records [here]
- The impossibility of defining and predicting information value [here]
…etc. The list goes on. EpyDoc’s “Information Operating System” (a grand, but totally appropriate title), seeks to remove all of these barriers by re-thinking the way we manage information today. Not in small incremental steps, but in a giant leap.
Their approach is so fundamentally different, that I would not do it credit by trying to summarise it here. And if I’m honest, I am still discovering more details behind it. But if you are interested in having a taste on what the future of information management might look like in 5-10 years, I would urge you to read this 10-segment blog set which sets the scene, and let me know your thoughts.
And if, while you are reading through, you are, like me, sceptical about the applicability or commercial viability of this approach, I will leave you with a quote that I saw this morning on the tube:
“The horse is here to stay but the automobile is only a novelty – a fad”
(President of the Michigan Savings Bank, 1903)
P.S. Before my pedant friends start correcting me: I know that dinosaurs became extinct at the end of the Cretaceous period, not the Jurassic… 😉
I haven’t written much about cloud because, frankly, I don’t think its as revolutionary as people think and because the demand for it has been largely vendor induced. Whatever you think about cloud however, it is here, it is a driving force, and it will continue to be a conversation topic for a while.
I wrote on a previous article (Cloud and SaaS for dummies), that cloud is like a train: Someone else has to maintain it and make sure it it there on time, all you have to do is buy a single ticket and hop on it when you need it. At least that’s the oversimplified theory… For Content Management however, the reality is a bit different: When you get on the train, you don’t carry your bookcase, your briefcase and your children’s photo albums with you, and you certainly don’t leave them there expecting them to be available and in tact next time you hop on the train. You take the train to go from A to B, and you keep your personal belongings with you.
The train analogy works well for Software as a Service (SaaS) cloud models, but not for Content.
The financial argument of SaaS is compelling: Buying software capabilities on demand moves the financial needle from CapEx to OpEx; the total cost of ownership reduces, as support costs & administration skills burden the provider; technology refresh secures ubiquitous access; and economies of scale dramatically reduce infrastructure costs.
Microsoft, Google, Apple, Box, Dropbox and every other ECM and Collaboration vendor, are offering content storage in the cloud – often free – to entice you to move your content off your premises, or off your personal laptop, to a happier, more abundant and more resilient place, which is all good and worthwhile. What isn’t good, is the assumption that providing storage in the cloud (or as I’ve seen it incorrectly mentioned recently “CaaS – Content as a Service”), is the same as providing Content Management in the cloud. It is not!
We (the ECM industry) have fought for years to establish the idea that managing content goes a lot further than just storing documents in a file system. It requires control: Security, versions, asynchronous editing, metadata, taxonomies, retention, integration, immutable flags, workflow, etc. etc. Unfortunately the new fad of EFSS (Enterprise File Synching and Sharing) systems, is turning the clock back: Standalone EFSS environments, are just another way for users to bypass IT and Security controls (Chris Walker articulates this very well in his article You’re out of your mind).
Now, before you jump on my throat and tell me that EFSS came about exactly because of the straitjacket that compliance, governance and ECM have put organisations in, let me say, “I know!”. I’ve lived and breathed this industry since it was born, so I understand the issues. However, we (ECM and IG practitioners) risk throwing out the baby with the bathwater: Ignoring EFSS and all other file external sharing mechanisms is dangerous, at best. Blocking them is impractical and unenforceable. Institutionalizing them (as Chris suggests) adds a layer of governance over them, but it does not solve the conflict with the need for secure internal repositories and regulatory control.
So, what if you could have your cake and eat it too? Instead of accepting EFSS as an externally imposed inevitability, why not embrace EFSS within the ECM environment? Here’s a revolutionary idea: Why not have an ECM environment that incorporates EFSS capabilities, instead of fighting against them? An ECM repository that provides the full ECM control environment we know and love, as well as keeping content synchronised across all your mobile and desktop devices, so that you can work
I try to stay impartial on my blog and refrain from plugging IBM products, but in this case I cannot avoid the inevitable: IBM Content Navigator offers this today (I don’t doubt that other ECM vendors are or will be offering it soon).
What we are starting to see, is the evolution of proper “Content Management as a Service – CMaaS”: Not only storing content in a cloud and retrieving it or sharing it, but offering the complete ECM capability, including sync & share, offered as a cloud-based, on-demand, scalable and secure service.
Why should organisations settle for either an on-premise heavy-weight ECM platform, or a light-weight low-compliance cloud-based sharing platform, when they can combine both?
Some concepts are extremely difficult to articulate succinctly. Not because we don’t understand them, but because they are just too complex. I believe H.L. Mencken said: “For every problem, there is a solution that is simple, elegant and wrong”.
Take the example of Enterprise Content Management. A 25-year old industry and a multi-million software market. Every few months, we will invariably have another debate on what the correct definition should be, what it encompasses, if the name should be changed, how it overlaps with other terms, etc. etc. Yet, most people understand pretty well what it is.
Enter… Information Governance
If you haven’t yet, please read Barclay T. Blair’s ebook: “Making the Case for Information Governance”. It is an excellent summary of some of the reasons why Information Governance (IG) is important to an organisation. The ebook focuses more on the rationale behind its existence, and much less on its structure and scope. The ebook also reviews some of the existing definitions of IG, by The Economist and by AIIM and proceeds to explain their salient points.
More recently however, BTB presented IG Initiative’s attempt to create a simpler definition, validated by a popularity poll and summarized in an attractive infographic:
Information Governance is: The activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs.
I have to be honest and say that I don’t like that definition. 99% of people would agree that “Fruit is nutritional, affordable and refreshing, and reduces health risks”. That may be a true statement, but it does not make it a good definition of what a fruit is! Ok, I am being facetious, but my point is: The broader the definition the less accurate it is and the less value it adds. The IG Initiative definition above, is both too wide (e.g. analytics and collaboration are used to maximise information value, but they are not in themselves IG tools), and incomplete (e.g. governance involves the people, not just activities and technologies; compliance is another key driver, alongside cost and risk). In my view, this definition, by itself, falls short.
I have to mention that several other people have attempted definitions of IG, and each one has its merits. The one offered by Wikipedia is not too bad, and there are others by Debra Logan at Gartner, IBM, and many other vendors.
Personally, I would err on the side of a slightly longer but more comprehensive definition, that combines the ones mentioned in the ebook and the new one by IG Initiative. Here is my offer:
Information Governance is a framework of people, principles, processes and tools, that defines why, when and how information is managed within an organisation, in order to maximise its value, fulfil obligations, reduce costs and reduce risk.
I would be very interested to hear your feedback on this.
Whichever definition you choose to use however, BTB makes a very valid point in his blog: “…the definition you use is less important than having a common understanding among your IG team”. And you will probably need a lot more than 145 characters to achieve that!
A debate is a blogger’s ultimate reward
Judging by the sheer number of retweets, favorites and comments that I had as a response, I seem to have hit a raw nerve with my last posting on the relationship between Information Governance (IG) and Records Management (RM). Feedback is a great source of knowledge for me. Debate is always good for our industry.
Laurence Hart (@piewords to his friends) was kind enough to specifically comment on my article in his blog. I have a lot respect for Laurence’s opinion and always enjoy reading his views, even if we don’t always agree. As it turns out, in this instance, we agree more than we disagree.
There are a few things on my original article that I’d like to clarify though, just to avoid ambiguity, and in the process address some of the points that Laurence makes:
“IG is a discipline, not a tool”, I wrote…
A few people took exception to that. Nobody disputed the fact, but they assumed that I somehow implied that RM is not a discipline, only a tool: something I never said! I take it for granted that everyone, at least everyone reading these discussions, knows that RM is a discipline too. The point I wanted (and obviously failed) to make was very different: The term Information Governance has been hijacked by a large number of vendors (ECM, eDiscovery, Storage, Security, Big Data, etc.) to peddle their wares. I have seen an inordinate amount of marketing atrocities being perpetrated in the name of Information Governance. My point is that the tools will not sort out the IG problem, it requires a different way of thinking. With hindsight, I can see why people misread what I wrote though.
Divorce Information Governance from the discussion of how it is going to be done
This seems to be Laurence’s main contention with my views. Interestingly, I don’t think I said that anywhere in my article either, but it must have been implied somehow. Laurence is right: the WHY and the HOW of IG cannot be divorced, of course, otherwise IG will always remain an academic exercise. The point I was making is that IG needs to have a coherent, consistent and complete overview of the principles behind all information management within the organisation. It is the decision making hub. Underneath that hub there are a number of spoke mechanisms that manage different aspects: RM is just one of them; eDiscovery, Classification, Legal Holds, Privacy & Security, Archiving, Application decommissioning, Storage tiering, Location management, etc., are various others. These should all be driven from a single, unified, coherent and authoritative decision making framework, which is what I see as the role of IG.
Of governments and armies…
Laurence, inadvertently perhaps, came up with a much better analogy of the distance between IG and RM. I created a metaphor liking them to Government and school governors, but Laurence compared them to Government and the Military. A much better analogy! The Military has a very specific and defined jurisdiction for enforcing Government policy and law. It has ultimate planning and execution responsibility for military personnel, but it cannot enforce law on civilians (at least not in most democracies, anyhow…). The Government has responsibility for every law in the country, regardless if it applies to civilians or military. Just as IG has responsibility for all decision making for Information Management, RM has responsibility for enforcing some of the functions on some of the overall Information estate.
“That which we call a rose, by any other name would smell as sweet”
I am not interested in the semantics of where IG definitions overlap with IM or RM, or the delineation between the policies (WHY), the practices (HOW) or the tools (WHAT WITH). My point is that IG and RM are two different, if overlapping, disciplines and that the functions that I defined in my 8 points in the earlier article, must be addressed by a coherent information governance framework which, historically, has not been an area where traditional RM excels. If you prefer to call that evolving business function a “Holistic RM”, “RM Continuum” or “Super RM” or whatever else, I’m not worried about the nomenclature as long as we agree that it needs doing, and that it needs doing properly.
How the other half live…
There was something very paradoxical about the comments on my original article, by the RM community: Inevitably, the experienced, established and professional Records Managers, will object to my simplified definition of RM. They know how much bigger the problem is and most of them have extended their reach and responsibilities to address some of the IG issues within their organisations. Kudos and respect to them. But they see the RM world through rose tinted glasses, because it is the world they have created and influenced.
I, however, am not a Records Manager. I have seen and talked to a lot of organizations where their RM program either does not exist, or is extremely narrow, or very badly implemented, or lives on a folder on a shelf, or a PDF file on the intranet, or manages a spreadsheet fileplan, mapped to a folder structure on a shared drive. Most of these organizations, have an even bigger IG problem: No information disposition program, no unified classification, no automation of anything, no association between security policy and security reality, no mechanisms to address Data Protection, an un-managed email archive that grows exponentially, scores of network drives with debris and “just in case” copies of data, and many many many other issues. These organizations do not have the luxury of a well-established Holistic RM program, or the time to implement one. They have a very real IG itch that needs scratching… And a lot of vendors are quick to exploit that.
In my view, RM will always be a subset of IG. If you understand the bigger scope of IG, and you are already addressing it under an RM moniker, or any other name, then pat yourself on the back. But on the other hand, if you are a CIO looking at IG issues, do not assume that it is RM’s problem to sort out. And if you are a records manager, don’t assume for a minute that your RM world will not go through a radical transformation, if you try to take on the IG requirements, on top of RM.
Information Governance has been all the rage in the ECM world in the last year. Chris Walker, Laurence Hart, James Lappin, John Mancini, Barclay T. Blair and many other writers whose opinions I respect, are all writing about it.
That, in itself, is a good thing: I’ve been an advocate of Information Governance for a while now [Data Governance is not about Data] and it’s good to see it taking a prominent (and permanent) position in IT dialogue.
As with any other IT topic however, the more we talk about it, the more vague it becomes, and the more confusing and overlapping the definitions get. One of the latest symptoms of this, is the recent dialogue (read these posts by James and Laurence) discussing where Information Governance (IG) sits with Records Management (RM).
The points they are making are valid, but I believe that the premise behind these conversation is fundamentally misplaced, and here’s why:
1) Information Governance is a discipline, not a tool. The purpose of IG is to define all aspects of how information is being managed. The purpose of RM is to do the managing of some of that information.
2) According to Corporate Governance and Oversight Council, the information kept under RM’s control represents less than 20% of the total information managed by an organisation. IG has responsibility for 100%, including the 20% managed by RM.
3) RM is typically focused on the lifecycle management and protection of unstructured information, mostly documents. IG creates common policies that apply to both structured and unstructured information.
4) RM works with a defined and agreed taxonomy and schedule. IG is perpetually juggling with overlapping policies, laws, cases, security, legal holds, costs and business demands.
5) IG scope includes all information sources: The RM repositories, the other ECM repositories that are not RM platforms, all the SharePoint instances, the live email server(s), the email archive(s), the shared network drives, the personal network drives, the PST files, the data archive system, the notebook C: drives, the cloud drives, the detachable storage drives, those servers that came with the last acquisition and nobody quite knows what is on them, Jim’s old desktop, etc., etc.
6) RM tends to accumulate all the information it manages in a centralised, controlled environment. IG does not have that luxury: It needs to assume that most information will be managed in its native environment (unless of course it’s information that should explicitly be moved to RM’s control).
7) RM has a well defined function: store, classify, protect, secure and dispose of business records. IG has the function of telling RM what should and should not be protected, as well as determining security policies, disposition schedules, data protection risks, storage tier management, archive policies, data ownership, etc., for all other enterprise information.
8) RM stakeholders are mostly records managers and/or compliance managers. IG answers to Compliance, Audit, Security, Legal, IT, Finance and Business Operations – a very different audience with often conflicting interests.
Trying to compare IG and RM is a bit like trying to compare Central Government (or Federal for my US friends) with a local school’s governing body. Both have something to govern, one takes direction from the other and… there the similarity ends. Neither one is a replacement for the other.
And I’ll finish on a separate but related bug bear of mine: Governance is about taking ownership, making decisions and setting rules. Management is about acting on the decisions, executing the policies and enforcing the rules. Therefore, Information Governance and Information Management are not the same thing and the two terms should not be used interchangeably!
Update: Read the follow up article to this, with some more detailed explanations and comments [Part 2]
On-premise/Licensed: You buy a car and you drive it to work whenever you want. You pay for Insurance, Service, MOT, tyres and petrol. You can tweak it or add “go faster” stipes if you like. If it breaks down, you pay to have it fixed.
Cloud: The government buys a train and pays for its maintenance. You hop on it when you need it, and pay a ticket. If you are going to use it regularly, you buy an annual pass. If the train breaks down, the company sends another one to pick you up and they refund your ticket.
Hybrid: You drive your own car to the station and then take a train to work.
I’ve been wanting to write this article for a while, but I thought it would be best to wait for the deluge of 2014 New Year predictions to settle down, before I try and look a little bit further in the horizon.
The six predictions I discuss here are personal, do not have a specific timescale, and are certainly not based on any scientific method. What they are based on, is a strong gut feel and thirty years of observing change in the Information Management industry.
Some of these predictions are more fundamental than others. Some will have immediate impact (1-3 years), some will have longer term repercussions (10+ years). In the past, I have been very good at predicting what is going to happen, but really bad at estimating when it’s going to happen. I tend to overestimate the speed at which our market moves. So here goes…
Behaviour is the new currency
Forget what you’ve heard about “information being the new currency”, that is old hat. We have been trading in information, in its raw form, for years. Extracting meaningful value however from this information has always been hard, repetitive, expensive and most often a hit-or-miss operation. I predict that with the advance of analytics capabilities (see Watson Cognitive), raw information will have little trading value. Information will be traded already analysed, and nowhere more so than in the area of customer behaviour. Understanding of lifestyle-models, spending-patterns and decision-making behaviour, will become the new currency exchanged between suppliers. Not the basic high-level, over-simplified, demographic segmentation that we use today, but a deep behavioural understanding of individual consumers that will allow real-time, predictive and personal targeting. Most of the information is already being captured today, so it’s a question of refining the psychological, sociological and commercial models around it. Think of it this way: How come Google and Amazon know (instantly!) more about my on-line interactions with a particular retailer, than the retailer’s own customer service call centre? Does the frequency of logging into online banking indicate that I am very diligent in managing my finances, or that I am in financial trouble? Does my facebook status reflect my frustration with my job, or my euphoric pride in my daughter’s achievement? How will that determine if I decide to buy that other lens I have been looking at for my camera, or not? Scary as the prospect may be, from a personal privacy perspective, most of that information is in the public domain already. What is the digested form of that information, worth to a retailer?
Security models will turn inside out
Today most security systems, algorithms and analysis, are focused on the device and its environments. Be it the network, the laptop, the smartphone or the ECM system, security models are there to protect the container, not the content. This has not only become a cat-and-mouse game between fraudsters and security vendors, but it is also becoming virtually impossible to enforce at enterprise IT level. With BYOD, a proliferation of passwords and authentication systems, cloud file-sharing, and social media, users are opening up security holes faster than the IT department can close. Information leakage is an inevitable consequence. I can foresee the whole information security model turning on its head: If the appropriate security becomes deeply embedded inside the information (down to the file, paragraph or even individual word level), we will start seeing self-describing and self-protecting granular information that will only be accessible to an authenticated individual, regardless if that information is in a repository, on a file-system, on the cloud, at rest or in transit. Security protection will become device-agnostic and infrastructure-agnostic. It will become a negotiating handshake between the information itself and the individual accessing that information, at a particular point in time.
Oh, and while we are assigning security at this granular self-contained level, we might as well transfer retention and classification to the same level as well.
The File is dead
In a way, this prediction follows on from the previous one and it’s also a prerequisite for it. It is also a topic I have discussed before [Is it a record, who cares?]. Information Management, and in particular Content Management, has long been constrained by the notion of the digital file. The file has always been the singular granular entity, at which security, classification, version control, transportation, retention and all other governance stops. Even relational databases ultimately live in files, because that’s what Operating Systems have to manage. However, information granularity does not stop at the file level. There is structure within files, and a lot of information that lives outside the realm of files (particularly in social media and streams). If Information Management is a living organism (and I believe it is), then files are its organs. But each organ has cells, each cell has molecules, and there are atoms within those molecules. I believe that innovation in Information Management will grow exponentially the moment that we stop looking at managing files and start looking at elementary information entities or segments at a much more granular level. That will allow security to be embedded at a logical information level; value to grow exponentially through intelligent re-use; storage costs to be reduced dramatically through entity-level de-duplication; and analytics to explode through much faster and more intelligent classification. File is an arbitrary container that creates bottlenecks, unnecessary restrictions and a very coarse level of granularity. Death to the file!
BYOD is just a temporary aberration
BYOD is just a transitional phase we’re going through today. The notion of bringing ANY device to work is already becoming outdated. “Bring Work to Your Device” would have been a more appropriate phrase, but then BWYD is a really terrible acronym. Today, I can access most of the information I need for my work, through mobile apps and web browsers. That means I can potentially use smart phones, tablets, the browser on my smart television, or the Wii console at home, or my son’s PSP game device to access work information. As soon as I buy a new camera with Android on it, I will also be able to access work on my camera. Or my car’s GPS screen. Or my fridge. Are IT organisations going to provide BYOD policies for all these devices where I will have to commit, for example, that “if I am using that device for work I shall not allow any other person, including family members, to access that device”? I don’t think so. The notion of BYOD is already becoming irrelevant. It is time to accept that work is no longer tied to ANY device and that work could potentially be accessed on EVERY device. And that is another reason, why information security and governance should be applied to the information, not to the device. The form of the device is irrelevant, and there will never be a 1:1 relationship between work and devices again.
It’s not your cloud, it’s everyone’s cloud
Cloud storage is a reality, but sharing cloud-level resources is yet to come. All we have achieved is to move the information storage outside the data centre. Think of this very simple example: Let’s say I subscribe to Gartner, or AIIM and I have just downloaded a new report or white paper to read. I find it interesting and I share it with some colleagues, and (if I have the right to) with some customers through email. There is every probability that I have created a dozen instances of that report, most of which will end up being stored or backed up in a cloud service somewhere. Quite likely on the same infrastructure where I downloaded the original paper from. And so will do many others that have downloaded the same paper. This is madness! Yes, it’s true that I should have been sending out the link to that paper to everyone else, but frankly that would force everyone to have to create accounts, etc. etc. and it’s so much easier to attach it to an email, and I’m too busy. Now, turn this scenario on its head: What if the cloud infrastructure itself could recognise that the original of that white paper is already available on the cloud, and transparently maintain the referential integrity, security, and audit trail, of a link to the original? This is effectively cloud-level, internet-wide de-duplication. Resource sharing. Combine this with the information granularity mentioned above, and you have massive storage reduction, cloud capacity increase, simpler big-data analytics and an enormous amount of statistical audit-trail material available, to analyse user behaviour and information value.
The IT organisation becomes irrelevant
The IT organisation as we know it today, is arguably the most critical function and the single largest investment drain in most organisations. You don’t have to go far to see examples of the criticality of the IT function and the dependency of an organisation to IT service levels. Just look at the recent impact that simple IT malfunctions have had to banking operations in the UK [Lloyds Group apologies for IT glitch]. My prediction however, is that this mega-critical organisation called IT, will collapse in the next few years. A large IT group – as a function, whether it’s oursourced or not – is becoming an irrelevant anachronism, and here’s why: 1) IT no longer controls the end-user infrastructure, that battle is already lost to BYOD. The procurement, deployment and disposition of user assets is no longer an IT function, it has moved to the individual users who have become a lot more tech-savy and self-reliant than they were 10 or 20 years ago. 2) IT no longer controls the server infrastructure: With the move to cloud and SaaS (or its many variants: IaaS, PaaS, etc.), keeping the lights on, the servers cool, the backups running and the cables networked will soon cease to be a function of the IT organisation too. 3) IT no longer controls the application infrastructure: Business functions are buying capabilities directly at the solution level, often as apps, and these departments are maintaining their own relationships with IT vendors. CMOs, CHROs, CSOs, etc. are the new IT buyers. So, what’s left for the traditional IT organisation to do? Very little else. I can foresee that IT will become an ancillary coordinating function and a governance body. Its role will be to advise the business and define policy, and maybe manage some of the vendor relationships. Very much like the role that the Compliance department, or Procurement has today, and certainly not wielding the power and the budget that it currently holds. That, is actually good news for Information Management! Not because IT is an inhibitor today, but because the responsibility for Information Management will finally move to the business, where it always belonged. That move, in turn, will fuel new IT innovation that is driven directly by business need, without the interim “filter” that IT groups inevitably create today. It will also have a significant impact to the operational side of the business, since groups will have a more immediate and agile access to new IT capabilities that will enable them to service new business models much faster than they can today.
Personally, I would like all of these predictions to come true today. I don’t have a magic wand, and therefore they won’t. But I do believe that some, if not all, of these are inevitable and it’s only a question of time and priority before the landscape of Information Management, as we know today, is fundamentally transformed. And I believe that this inevitable transformation will help to accelerate both innovation and value.
I’m curious to know your views on this. Do you think these predictions are reasonable, or not? Or, perhaps they are a lot of wishful thinking. If you agree with me, how soon do you think they can become a reality? What would stop them? And, what other fundamental changes could be triggered, as a result of these?
I’m looking forward to the debate!