Proponents of workplace mobility and cloud use tout its significant cost savings and the convenience it offers employees. The benefits of mobility, however, are often complicated by newfound data management headaches that could require a sea of change in an organization's information governance strategy.
Jeffrey Ritter, an attorney and technology law expert, said companies simply need to rethink data management processes when incorporating cloud and mobility use. In this excerpt from a Q&A with SearchCompliance.com editor Ben Cole, Ritter provided advice on how companies can protect their sensitive information and still take advantage of increased workplace mobility.
How does mobilization in the workplace influence data management processes?
Jeffrey Ritter: In the 21st century, mobile devices are an essential, indispensable and inherent part of how we're going to do work. Mobile devices are convenient, [and] they are useful -- but they should not be where we are trying to maintain and preserve information that is subject to the governance policy.
We have to think of the devices as convenience tools, and not as locations where information can be stored for any period of time.
attorney and technology law expert
Therefore, I think one of the key pieces of the strategy for mobilization is to have as close to continuous archiving as you can possibly achieve: pulling that data off of the devices so that the official records of the information are under centralized control, capable of being backed up, supported by enforcement of controls. If we can centralize that information and basically sweep it off the mobile devices, then we have the ability to preserve the information, collect it, [and] protect it against destruction by the employees themselves. If the company can centralize that control, they can protect that information and deal with it in a realistic fashion. If there was misconduct, at least they have control of the evidence and are not facing further sanctions. I think mobilization is here to stay, and it's going to get more diverse. But we have to think of the devices as convenience tools and not as locations where information can be stored for any period of time.
Is there anything records managers can do to protect themselves from the risks involved with mobile device use? Are there any specific data management processes that have proven effective to do so?
Ritter: This is a real open question in information governance. Records are records -- they have legal or historical or functional value to the business. But what about the rest of the information assets? Information governance is all about authoring and executing rules -- who takes responsibility to ensure the rules are being executed with regards to the information assets that are on the mobile devices? This is the challenge, and I think that the first task for the records manager to be successful is to negotiate and to find clearly where that accountability and responsibility and control rests.
Records managers, with the experience they've had over the last 50 years in evolving through different iterations of technology, are in my opinion best suited to be responsible for the information assets on mobile devices. But in many organizations, that's a question they are struggling with. As companies continue to look at mobile devices, not having the records managers at the table is probably the biggest risk for the company itself. The requirements, the rules, the means of measuring performance of those rules -- that's what records managers are good at. They have to bring that experience.
As more companies move operations to the cloud, how does using cloud service providers influence information governance processes?
Ritter: There are a lot of companies that are not moving to the cloud because of this issue. They look at the cloud service providers as a part of infrastructure, but a part of infrastructure that they can't govern. As a result, they are resistant to moving to the cloud. Those companies that are looking at the cloud, however, are realizing an important perspective: It saves money. Information governance is part of the strategy for creating and preserving wealth within a company. The cost efficiencies that cloud service providers can offer are significant. But there's a balancing act: We have to look at the challenge of extending our governance mechanisms to embrace and align to the services the cloud provider is delivering.
More on data management processes
Constructing a top-down information governance strategy
Podcast: Using metrics to prove information management ROI
When we are writing rules within an organization for information governance, I always counsel our clients to write the rules with the expectation that they will be performed either by a fulltime employee or associate of the company, or by a service provider or contractor. When we take that approach, and write the rules so that we can substitute in the actor to be any one of a different variety, then we have a much more resilient and agile governance structure. For that, the contract is critical. I don't think using a cloud provider is an obstacle to information governance, but it requires us to think differently about what it means to have a governance process. The 21st century is all about the porous perimeter: interactivity, staying connected, on demand. It requires a reality check from within the organization that they are not authoring their rules of information governance solely focusing on fulltime employees, but focusing on whoever is the custodian of the information.
When using a cloud provider, is information security and risk management the provider's responsibility, or is it the company's?
Ritter: The answer is yes. Signing a contract with a service provider should not eliminate a company's concern with regard to the integrity and safety of the security process. In the first generations of cloud services, where business processes or storage were being outsourced, many of the services providers resisted addressing security and argued it was the responsibility of the customer. But what we've seen is an evolution with some very positive bright lights at the end of the tunnel.
The Cloud Security Alliance has been active about formulating best practices for addressing security management in the cloud. They have something called the Star Registry -- a means by which the service provider actually publishes with the Cloud Security Alliance what its cloud security practices are. There's disclosure. There's transparency. There's accountability. This kind of transparency is critical to the 21st century business model of intraoperative, porous perimeters in business. In order for two companies to transfer control of information, there has to be trust; they have to confidence in the integrity and reliability with which their information is going to be maintained. This kind of openness is going to be vital to the continued realization of efficiencies that the cloud provides.