Technology such as mobility and cloud computing have caused dramatic changes to how companies approach many businesses processes -- records and information management included. These multipronged data sources make it difficult to track and monitor information for effective e-discovery, data security and compliance.
The first step to smart information management is company-wide data profiling to determine exactly what information the organization has and, most importantly, the value of that data, said Barry Murphy, principle analyst and co-founder of eDJ Group Inc. In this SearchCompliance video Q&A from the ARMA 2013 International Conference and Expo in Las Vegas, Murphy discusses why data profiling is key to a successful information management strategy.
How have technologies like mobility and cloud computing made records management more critical for organizations?
Barry Murphy: I think information's more ubiquitous now, and it's out of the direct control of organizations. For example, in the cloud you still have to be able to govern and classify information and make sure it's accessible to you, even though it's outside your four walls. It's forced the organizations to step up and say, 'Hey, we haven't done a great job of this, but now we need to do it outside of our four walls, so let's get better at doing it in both places.' It's the same with mobility.
Information is everywhere now, so we've got to protect the end points. And to protect the end points, I've got to know, in a central way, what's out there, what it is and how long I have to keep it.
How have those technology trends made records management more complex?
Murphy: Because data repositories continue to increase in number and in size, and the number of records may or may not be increasing. It's more complex because you just have more places to look at and manage, and you have more holes in your records and information management processes. It's forcing organizations to be a lot more thorough, and to do that from some sort of central mechanism, like a RIM [records and information management] team. You have to apply policy and procedure across all these additional data sources. That's what makes it more complex, when it's hard enough to do it even if it is centralized.
What are some common mistakes that companies make with modern information management strategy?
Murphy: There are a lot of common mistakes. One of the more frequent ones is overlooking the importance of records management, and not giving it enough visibility. The organizations that we work with that are successful at records and information management strategy have a C-suite-level sponsor. It sounds really trite, but that's the key to success.
I think the other piece is looking at records as just a small subset of information. It's a common problem because you start to forget about all that other information. Anything you know of that might not be a transactional record is something that needs to be managed because it's discoverable. It could come up in a lawsuit, a client's investigation; it could have private data in it; it could be a security breach. That's the other common mistake: just thinking of records management as a big subset, as opposed to something that needs to be targeted throughout the whole organization.
What are a few tactics that companies can use to address information management strategy challenges?
Murphy: I think you look at the business value, and you say, 'I want to do a data profiling project, because I want to understand what I have out there.' That project is going to tell me I have a lot of a certain type of data, which may indicate that, from a business perspective, we probably need a system to manage that type of data because our employees find it important.
More from ARMA 2013
Projects like that -- data profiling, legal-hold management -- are little wins without trying to do too much. What we see a lot of organizations do is take steps backwards when they've deployed enterprise content management because they're not ready for it. They can't get the full value out of it, and they spend too much money. Little projects around information governance and information management tend to be the best way to get going. Get little wins and show some business value -- that's how you get the C-suite involved. If I saved a million dollars in legal costs, suddenly I get the budget for other things.
Is technology only part of the answer to the problem of policing records management? How do business processes or other factors play into that?
Murphy: I think technology's the third leg of the stool. Policy is the first one, and I think policy and controls have to be mapped out by the organization. The other piece is processes, so you know how a record gets declared a record. How does something get put on legal hold -- what's the process for that?
The technology supports the two other pieces. One example where technology may be able to enable the other two goes back to that data profiling example. I can't create my policies until I know what I have, so I use technology so I can go out and crawl my systems to get a sense of what information is there. Are there a lot of contracts? Are there a lot of image files? From there, I can go back and say, 'I need a policy that shows what I do with these marketing contracts that I have.'
Then I can go create a retention policy for those, and I can apply that policy. So, technology's critical to supporting the controls and the processes and the policies, but it shouldn't necessarily be the end-all be-all. There are still a lot of people that need to be part of the process.