The balance of power in enterprise content management (ECM) is shifting away from IT and records management and toward information security.
Information security makes for a far better owner of ECM than records, IT, or legal — all of which have been the owners du jour among talking heads like me over the last 15 years. Each of them failed to gain the organizational support needed to institute the meaningful organizational change that allows ECM to flourish.
The Business Case is Already Made
Without executive support and funding, ECM perennially seems to land as the Number 3 enterprise priority—except that every year, Numbers 1 and 2 change, without ECM ever moving up (or getting done). There are a lot of reasons for this, not the least of which is that most people have no idea what ECM is.
But in my opinion, ECM has trouble gaining funding and support because IT and RM haven’t built compelling enough business cases for it. Worst case, they rely on fuzzy things like time saved searching for and working with documents, often using very generic and amorphous terms that executives don’t buy. Or in the best case, they tie ECM’s value to tangible business improvements, but scare execs with the complexity of the organizational change required. Execs would much rather fund more straightforward initiatives that “do more of what we already do” than undertake anything requiring a big transformation.
At most large organizations, CISOs already have funding and support, and that funding is earmarked for managing information to keep it secure. Traditionally this meant building a better moat to keep bad actors out and more effective monitoring to keep the crown jewels inside the firewall. But over the last 12 to 18 months, I’ve seen CISOs broaden this to include managing information more effectively, so that breaches, when they do happen, do less damage. More on this in a minute.
Orange Jumpsuits, Pink Slips
The other reason why the CISO is a better owner for ECM than IT or RM is that their success (or failure) can determine whether the CEO will be wearing an orange jumpsuit … or at least be handed a pink slip.
No CEO ever went to jail or got fired because people spent too much time searching for documents. And so when the CISO tells their CXO peers that something needs to be done, it has a much higher likelihood of getting done than when Records Management does. And even though IT has the CIO or CTO at the top, at most organizations, it’s a struggle to get the CIO/CTO to understand ECM, let alone get them to stick their neck out with the rest of the C-Suite to get it funding and support. Which is why it’s perennially a Number 3 priority.
The Rubber Hits the Road
There’s been some vigorous debate about the CISO’s role in ECM, so people may be wondering what a CISO-owned ECM would look like. To give a better idea, let’s walk through the core scenarios for how a CISO would address ECM.
Let’s assume this is a F1000 organization that has sensitive data (PHI, PII, intellectual property, etc.). Any CISO worth their salt no longer believes that they can prevent all breaches; in fact, most will tell you that it’s not a matter of if, but when—and that they’re likely being breached even as we speak, but just don’t know it yet. Instead, their effort to protect corporate information has two prongs: 1) defend (build better walls, moat) and 2) minimize impact. It’s the latter that has the significant overlap with traditional ECM, because the best way to minimize the impact of a breach is to retain less of that sensitive data in the first place (and to know what you have and where so you can understand the extent and potential impact of the breach quickly).
Given this, the CISO will want to determine where sensitive data is stored, so that they can either 1) manage it better where it is, or 2) move it somewhere it can be better managed. In the process, they will also want to remove redundant, obsolete, and transitory (ROT) information, because it makes the job of managing sensitive content harder. Managing sensitive data better has typically meant ensuring access rights are aligned with policy and applying information rights management (IRM) or data loss prevention (DLP) to stop sensitive content leaving through endpoints; it can also include giving users a better interface with more robust capabilities, so that they use the sanctioned system rather than resorting to workarounds.
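The first step above, knowing what sensitive data you hold and where, plus spotting the redundant and transitory copies that inflate breach impact, is what a data-discovery scan does. The following is an added example written for this post, not code from the author or from any ECM product. It scans a constructed in-memory corpus (a stand-in for a file share or repository), tags each document with the sensitive-data categories it contains, validates card-number candidates with a Luhn check so random digit runs are not flagged, groups exact duplicates by content hash, and uses a path-prefix heuristic (the `tmp/` prefix) as a stand-in for transitory content. The sample documents, regex detectors and prefix rule are all assumptions for illustration; a real deployment would add OCR, fuzzy duplicate matching and a human review queue.

```python
"""Sensitive-data discovery and ROT scan over an in-memory corpus.

Added illustration, not the post author's code. The corpus below is
constructed sample data; the detectors are simple regexes plus Luhn.
"""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample corpus: path -> content. None of this is real data.
CORPUS = {
    "claims/2019/claim-1042.txt": "Claimant SSN 123-45-6789, policy PC-88213, paid by card 4111 1111 1111 1111.",
    "claims/2019/claim-1042 (copy).txt": "Claimant SSN 123-45-6789, policy PC-88213, paid by card 4111 1111 1111 1111.",
    "hr/exports/payroll-q3.csv": "name,ssn\nA. Adjuster,987-65-4321\nB. Broker,555-44-3333\n",
    "marketing/newsletter-draft.docx.txt": "Reach us at hello@example.com for the spring campaign.",
    "tmp/scratch.txt": "Order total 1234 5678 9012 3456 (looks like a card, fails Luhn).",
}

# Assumed heuristic: anything under these prefixes is treated as transitory.
TRANSITORY_PREFIXES = ("tmp/",)

PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # 13-19 digits, optional space/dash between digits; candidates are Luhn-checked below.
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check on the digits of `number` (separators ignored)."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):  # i == 0 is the check digit
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    sha256: str
    categories: dict = field(default_factory=dict)  # category -> hit count


def classify_document(path: str, text: str) -> Finding:
    """Tag one document with the sensitive-data categories it contains."""
    finding = Finding(path=path, sha256=hashlib.sha256(text.encode()).hexdigest())
    for name, pattern in PATTERNS.items():
        hits = pattern.findall(text)
        if name == "card":
            hits = [h for h in hits if luhn_valid(h)]  # drop digit runs that are not card numbers
        if hits:
            finding.categories[name] = len(hits)
    return finding


def find_duplicates(findings):
    """Group paths whose content hashes are identical (the R in ROT)."""
    by_hash = defaultdict(list)
    for f in findings:
        by_hash[f.sha256].append(f.path)
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def inventory(corpus):
    """Build the 'what do we have and where' picture a CISO needs after a breach."""
    findings = [classify_document(p, t) for p, t in sorted(corpus.items())]
    sensitive = [f for f in findings if f.categories]
    return {
        "scanned": len(findings),
        "sensitive_paths": sorted(f.path for f in sensitive),
        "categories": {f.path: f.categories for f in sensitive},
        "duplicate_groups": list(find_duplicates(findings).values()),
        "transitory_paths": sorted(p for p in corpus if p.startswith(TRANSITORY_PREFIXES)),
    }


if __name__ == "__main__":
    for key, value in inventory(CORPUS).items():
        print(f"{key}: {value}")
```

Run as-is it reports four sensitive documents (two of them byte-identical duplicates), two SSNs in the payroll export, and one scratch file whose 16-digit run is correctly ignored because it fails Luhn. Against a real share you would replace `CORPUS` with a directory walk and feed the inventory into the access-rights review and ROT cleanup the paragraph above describes.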
In addition, the CISO will be concerned with making sure their organization has a rationalized portfolio of applications, because the more systems you have, the more risk you carry.
Picture the typical F500 P&C insurer or financial services organization, where you are likely to find at least 500 to 1,000 enterprise applications in place (in some organizations this number will be much, much higher). A significant portion of these are aging, homegrown dinosaurs which, even if we could render them secure by today’s standards, would take a tremendous amount of effort to do so. And beyond the effort to secure them, having this many applications in play makes breaches harder to detect: with so many systems accessing data on a regular basis, it is harder to tell when one of them has been hijacked by a bad actor than it would be with a more rationalized portfolio.
The Final Word
More debate is needed about whether the CISO is the right owner for ECM. But what’s clear to me now is that ECM, as it’s traditionally been done by IT and Records Management, can make a huge impact to the CISO’s efforts to minimize the impact of breaches by helping them manage information more effectively. And the CISO, unlike IT and Records Management, often has the organizational support and funding to get things done. This could explain why I’m seeing more ECM projects happening with the CISO as sponsor or key stakeholder. To me, this makes the case for CISO ownership of ECM a case worth making.