Against an already challenging backdrop of emerging and evolving compliance mandates and cybersecurity threats, enterprise technology governance teams must now consider the information governance implications of consumer-centric devices.
Mobile devices, cloud-based SaaS applications and wearable tech such as Google Glass are easy to start using immediately, and data footprints on these technologies ramp up quickly, representing a shift in how information must be managed and technology deployed.
Impact on governance
In the past, introducing the use of a new piece of technology -- such as a new business application -- might move relatively slowly. Perhaps it required new hardware on which to run or a new virtual machine to operate inside of, or it required legal review of the contract to secure funding.
This slow-moving type of technology deployment gave governance processes some breathing room. The organization had an opportunity to learn about -- and subsequently control -- a new technology deployment before there was too much traction. For example, the IT department might choose to build a "gate" into the approval process, such as requiring vendors to go through a pre-engagement vetting process before the purchase order is issued. Even in situations where stopgaps weren't directly integrated into the procurement process, governance teams had ample opportunity to learn about the initiative because rollout tended to take some time. Learning about the technology being deployed and its benefits through the business team, legal, marketing, IT or other partners allowed time to figure out exactly where the deployment was happening, who the players were and the most effective engagement strategies.
In fact, many formalized IT governance models (e.g. COBIT and ITIL) leverage these truisms about the deployment process and allow organizations to build in those strategies as new technologies are rolled out.
Consumer-centric technology doesn't necessarily go through the same processes or allow for such breathing room during technology deployment. This presents a quandary for information governance professionals. Because the technology deployments may not be centralized and deployments occur much faster, solid governance of the new technology is more important than ever. These technologies, however, are working their way into company processes in a way that is hard to track. This can lead to a host of possibly negative consequences, such as sub-optimal pricing, potential regulatory compliance violations and data security risks.
The question for organizations is: How do you rethink information governance processes to account for these rogue technology deployment scenarios, which are likely to become even more common in the future?
One short-term strategy is for those in information governance oversight positions to maintain a situational awareness of new, emerging and popular technologies that are likely to influence their company and to have a fairly rich knowledge about how they will impact line-of-business areas. Having an ear to the ground about new technologies through peer networking and keeping up with the industry press helps those in these positions recognize signs that indicate broad adoption trends.
This at least helps ensure governance processes can be implemented before the horse is too far out of the gate. Likewise, keeping a solid line of communication open with business teams and their activities helps make sure the use of any new technology within a specific business team is communicated so security measures can be implemented quickly.
Those are short-term steps, however. Obviously, no one person, or even a team, can stay on top of every new technological trend coming down the pike. Moreover, most businesses are complex enough that keeping apprised of every change that every business team might make is a tall order. As a result, adapting governance processes to account for decentralized deployment requires some data management and security retooling. Formalized governance models such as COBIT and ITIL can provide an assist: Walk through IT governance processes based on these models and discuss with stakeholders how the company's data management strategy can accommodate new technology deployment. This can be an excellent starting point for discussion and further planning.
Of course, the specifics of exactly what changes to make to those processes will depend largely on a number of factors unique to the business. For example, an update to corporate policy might be sufficient for one organization, while a partnership with technical teams to ensure a secure rollout of new tech might work better for another. The point is to think it through now and come up with a strategy that's right for you before the influx of new consumer-centric innovations. It will be time well spent to ensure security of your information governance strategy.
About the author:
Ed Moyle is director of emerging business and technology at ISACA. He previously worked as a senior security strategist at Savvis and a senior manager at CTG. Before that, he served as a vice president and information security officer at Merrill Lynch Investment Managers.