Securing Enterprise Content Management’s Future

By Joe Shepley

This post originally appeared on CMSWire.

The doomsayers have been predicting the end of enterprise content management (ECM) for a while now. Whether that end comes at the hands of big data, enterprise file sync and share (EFSS), enterprise social collaboration, or any of a myriad of other disrupters, for at least the last 5 years you would think, from the way people spoke about it, that ECM had one foot in the grave.

A Rose by Any Other Name

I've had a hard time believing this. Managing content is something we have done and will always do at organizations. Will we always call it “content”? No. Have we always called it “content”? No. Now it’s information and data; it used to be documents or records; we'll be calling it something else in 5 or 10 years. But whatever we call it, the stuff we’re trying to label is the same and is still important. So no matter how the terms change, we’re still trying to accomplish the same thing.

What has shifted significantly over the years is the organizational “center” of efforts to manage documents/records/information/data/etc. more effectively. From IT to records management to legal to lines of business — the owners of this very real, very important business problem have changed over the last 25 years.

And right now, for a variety of reasons, the center of efforts to manage content is shifting (and in many industries, has already shifted) to another location: information security.

ECM Is Information Security

What we’re seeing in the marketplace over the last year or so is that, more often than not, the responsibility for managing content is falling to the chief information security officer (CISO) rather than to the general counsel (GC), CIO, or CTO.

Traditionally, the CISO’s scope of responsibility was preventing bad actors from gaining access to company systems and preventing egress of sensitive data by bad actors inside the company. But with the increased sophistication of hackers (if Target, Home Depot and CHS got breached, you will get breached, full stop), CISOs are focusing on how they can minimize the impact of the inevitable breach when it happens.

This means having only as much protected health information and personally identifiable information as is absolutely necessary (i.e. as the law, regulation, and business need require), and no more. After all, when a breach happens, do you want it to hit 20 years’ worth of billing data (because you never purged data) or 3 years? The answer is clearly the latter, because that extra 17 years of sensitive data magnifies the impact of the breach immensely. Now multiply that across hundreds or thousands of structured applications, and you have a risk that far outweighs anything that Records or IT could bring to bear previously on the business case for ECM.

On top of this, for most large organizations in regulated industries, audit findings or actual breaches drive information security. In the former case, upper management is forced to close the gaps and fund the projects to do so; in the latter, they are personally motivated to do so, because they don’t want to be in the spotlight trying to explain why they handled customer data so poorly—again.

Given all this, we’ve experienced a shift over the last 12 months. An increased number of our ECM consulting engagements were delivered at the behest of the CISO, rather than more traditional stakeholders like IT, Legal, or Records Management.

This is an encouraging trend and very good for the future of ECM. The problems and drivers for the CISO explored above are not going anywhere any time soon.

So if we, as ECM practitioners, can find ways to deliver value to the CISO on solving ECM problems, ECM will continue to be relevant. And hopefully, as a result, it will receive sustained organizational attention year over year and get closer to solving those problems than it’s gotten at the hands of IT, Legal, and Records Management.


Joe Shepley
I’m VP and Practice Lead, focusing on developing Doculabs’ InfoSec practice and its applications in a wide range of industries.