As I dimly recall – thanks to education received in another century altogether – there’s an edict (ethos?) in science that “no proof exists without remaining doubt.” Maybe this is partly due to the fact that there are always those willing to take up the cause for an opposing viewpoint. Or, some data doesn’t align correctly to the larger norm. Or, sometimes events or eras just seem to champion ignorance itself. Therefore, on the continuum of certainty, there’s always room for a little Squeak from the voice of the illogical. That Squeak has been the sole remaining reason that IRM technology can largely be considered a failure in legal and corporate markets. Yet, if I am to judge from recent events, the moment for celebrating Squeak’s extinction is near.
Here’s why: according to news reports, NSA officials say Edward Snowden downloaded and removed about 1.7 million documents from computer networks at an NSA listening post in Hawaii where he worked until June. Sounds like a large number, doesn’t it? It’s not, really. According to my back-of-the-napkin calculations in the restaurant where I mistakenly left my laptop last night just after beginning this post, I had 56,320 items in the documents folders alone. Among those items were 11 .PST files (which constitute archived mailboxes) containing approximately 54,000 emails (and attachments) apiece. Granted, not every file could be considered a ‘document’ – unless defined as “a written or printed instrument that conveys information.” Well, then. This is a description that many (if not most or all) of them fit. At last count – on said cocktail napkin factoring documents stored on a single machine – I left 650,312 of them for whoever buys my stolen Dell Latitude on Craigslist for $150 in Denver. But a more enterprising thief could do much better. Especially if he can target the right documents to the right buyers.
Confidential Documents and their Proposed Price on the Open Market

| Document | Proposed price | Note |
|---|---|---|
| Patent Submissions | $2M | |
| Client Lists | $1M | |
| Business Plans | $1M | |
| Product Plans | $1M | Factor in the fact that once pricing/discounts are known, they stay below the published value for a long while |
| Bug Lists | $1M | |
| Competitive Matrices | $150K | In pure staff time; value to new entrant in the market is substantially higher |
| Employee Evaluations | $250K | |
| Sales Forecasts | $250K | |
| Internal Strategy Presentations | $250K | |
| Salary/Option Letters | $250K | |
| Internal Contacts List (home address, etc.) | $250K | |
| Internal Communications (Board) | $150K | |
The key difference between Toby Bell and Edward Snowden may be more than the negligible math separating the size of my document store from his. It’s the potential for catastrophe that their exposure can cause. But even this is partly fallacy. On the right day to the right audience for the right reasons, my documents could prove to be (in some ways) as damaging as his. Suspicions cast, jobs lost, competitors propped up, partners outraged, regulators engaged, audits invoked, hair pulled, teeth gnashed. And that’s just the appetizer from the feast of woes my laptop lost at the dinner table could inspire. You don’t have to believe this – only my boss does. Because the buying argument for IRM usually loses support at the top. Building a business case for IRM is easy. Defending against perceived risks expressed by leadership about historically poorly managed implementations is harder. Either way, it’s a matter of trust. Lately, as business trust of IT has continued to erode, IRM is merely one casualty.
Yet, there’s never been stronger evidence to support it: more users conducting business remotely; more content stored/shared in the cloud; more content on portable and often stolen devices (14% of reported crime in New York City is ‘apple picking’ – theft of smartphones); casual attitudes toward content sharing generally; and misunderstanding about other protections like PDF. Thus, because the risk is obvious and technology has finally outpaced outdated criticisms, the time to decide to provide better control of content access and custody is now. Now. Swaying business leadership to this point of view shouldn’t be hard, right? Wrong. It’s an uphill battle. Because the Squeak usually makes itself known after about 10 questions – or twenty-four floors. Here’s a typical elevator-ride Q&A involving an IT Infrastructure Leader and her CEO while moving from the basement to the boardroom:
IT: “Hello, Mr. Johnson. Good to see you. How’s that new iPad working for you?”
CEO: “Uh… fine. Jean, is it?”
IT: “No, it’s Joan. Don’t worry – people get that wrong all the time.”
CEO: “So… Did we ever get that Y2K thing sorted out?”
IT: “Uh… yeah. Listen, Mr. Jones. I’d like to propose a very slight budget increase for 2014. We’d like to implement Intelligent Rights Management.”
CEO: “Sounds great. What’s in it for me?”
IT: “It protects the company from the likeliest source of damage to our reputation: lost, misused, misunderstood, or stolen information gleaned from office documents.”
CEO: “So, this fits higher on the risk list than executive mayhem? Good to know. How does it work?”
IT: “Basically it’s a wrapper that secures any content – whether at rest or in motion – from unauthorized access or use. It’s easy to use and easy to manage.”
CEO: “Sort of a ‘Harry Potter’s Invisibility Cloak’ for contracts, financials, and leadership memos?”
IT: “Not really. More futuristic. More like an on-board content computer that is self-guided and self-healing along with a remote control to change policies on the fly.”
CEO: “I loved Harry Potter. I just downloaded a couple of his movies on my iPad.”
IT: “Nice. One of the reasons IRM is becoming a critical issue is due to file-sharing sites and unauthorized use of proliferating creative content.”
CEO: “Huh. So, who gets to fly the documents? Everybody?”
IT: “Anyone who creates a file can do it. At the moment of creation it’s self-guided by corporate policy, but we also have the option for manual overrides. One of the cool features of the latest IRM software – like the kind Litéra is delivering – is that you can alter the permissions after the fact. That way, if a contract expiration date has passed and the document could no longer be opened and signed by our supplier, we could update the policy if procurement agreed to allow it in special cases. In effect, every document ‘calls home’ for policy instructions whenever it gets touched.”
CEO: “Wouldn’t we have to install software or something like that on every machine that would come into contact with the file?”
IT: “Typically, the software installs on servers. There can also be plug-ins to make it easier for end-users to set their own policies as they create files. But they won’t need training or change management to benefit. And, people who are authorized to use the files need nothing – no need for our suppliers or outside counsel or regulators to download anything.”
CEO: “How will this change the way we share information and collaborate? Does this mean our people can just run amuck with company communications and files?”
IT: “Just the opposite, though in fact people are running amuck right now. We’d have a measure of control and confidence that can even become a competitive advantage.”
CEO: “Could an administrative or IT security breach of IRM potentially lead to my organization losing access to every single piece of content that has been protected?” <SQUEAK>
IT: “It could happen in theory. (CEO stops listening here). But there are safeguards and redundancies to prevent lost access or changed policy. Blah, blah, blah.”
CEO has left the elevator.
It isn’t that we don’t have other options for creating and storing critical documents than my C Drive. Cloud-alone content strategies are appropriate for small businesses and those with limited risk of exposure. Hybrid content architectures with both a private Cloud for collaboration and an on-premise regulated repository for records management are proving their worth and becoming common. Many mobile devices are more like content carriers than creators – but this doesn’t reduce risk enough to let CEOs sleep at night. People are much less careful with other people’s documents than they would be with those for which they are directly, explicitly responsible. Making the documents more self-aware is an evolution that has taken too long. Automating policy throughout their life cycle isn’t onerous – it’s actually easy.
Bottom line: it’s sometimes hard to distinguish what’s mine versus what’s my company’s. According to me. But the legal fact is that the computer is a company asset and all files thereon are subject to its control. So, stand down, CEO. Shareholders, board members, industry associations, industry watchdogs, regulators, partners, and outside counsel would be outraged at the failure to protect your company IP – especially if the argument against it seems so perilously personal. Sure, my lost laptop contains a plethora of risky files – but only if they can be opened. Which they can’t – all permissions have been cancelled. Imagine how Edward Snowden would have felt to discover that the files he forwarded to global news agencies were similarly encrypted. Edward Who?
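The ‘call home’ model from the elevator conversation, and the cancelled permissions on the lost laptop, can be sketched in a few lines. This is an added example, not code from any IRM product: the names `PolicyServer`, `Policy` and `open_document`, the day-number dates, and the SHAKE-256 XOR stand-in for a real authenticated cipher are all assumptions made for illustration.

```python
import hashlib
import os
from dataclasses import dataclass

def _xor(key: bytes, data: bytes) -> bytes:
    # Demo-only stand-in cipher: XOR with a SHAKE-256 keystream (one key per document).
    # A real deployment would use an authenticated cipher such as AES-GCM.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass
class Policy:
    allowed: set           # user ids permitted to open the document
    expires: int           # last day number on which opens are allowed
    revoked: bool = False  # set when the owner cancels all permissions

class PolicyServer:
    """Hypothetical 'home' that a protected document calls on every open."""
    def __init__(self):
        self._keys, self.policies, self.audit = {}, {}, []

    def protect(self, doc_id, plaintext, policy):
        key = os.urandom(32)
        self._keys[doc_id], self.policies[doc_id] = key, policy
        return _xor(key, plaintext)  # only ciphertext travels with the file

    def request_key(self, doc_id, user, today):
        p = self.policies[doc_id]
        ok = (not p.revoked) and user in p.allowed and today <= p.expires
        self.audit.append((doc_id, user, today, ok))  # every touch is logged
        return self._keys[doc_id] if ok else None

def open_document(server, doc_id, blob, user, today):
    key = server.request_key(doc_id, user, today)
    return _xor(key, blob) if key else None

def demo():
    srv = PolicyServer()
    policy = Policy({"supplier"}, expires=30)
    blob = srv.protect("contract-17", b"Supplier terms", policy)  # constructed sample
    results = [open_document(srv, "contract-17", blob, "supplier", 10)]     # opens
    results.append(open_document(srv, "contract-17", blob, "supplier", 45)) # expired
    srv.policies["contract-17"].expires = 60        # procurement extends the date
    results.append(open_document(srv, "contract-17", blob, "supplier", 45)) # opens again
    srv.policies["contract-17"].revoked = True      # laptop reported lost
    results.append(open_document(srv, "contract-17", blob, "supplier", 46)) # refused
    return results, srv.audit
```

The copy of `blob` on the lost machine never changes; only the server-side policy does. The same design means that losing the server’s key store makes every protected blob unreadable, which is the concern behind the CEO’s last question.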
How do you feel about IRM’s chances for adoption given today’s frequently mobile collaborative processes? Are you using it? Any other thoughts about protections?