Understanding Information Technology
February, 2011
This ESG White Paper was commissioned by StoredIQ and is distributed under license from ESG.
2011, Enterprise Strategy Group, Inc. All Rights Reserved
Contents
Executive Summary
The Information Balancing Act
External Influences
Discerning the Value
The Real Cost
All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of the Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at (508) 482-0188.
Executive Summary
Many organizations continue to stockpile information, hanging on to it as if it would someday run out. Although this seems like an absurd theory, it sums up a significant portion of information management strategies employed today: save all data forever. Yes, some information is retained as a strategic asset for business intelligence and decision support. Other content is kept for legal, compliance, or corporate governance purposes. But information with extremely low business value is also being hoarded for no real reason.
Most discussions of information as a business asset tend to focus on structured data sources, referencing traditional business applications like data analytics and business intelligence systems. But the rapid explosion of unstructured content (e-mails, blogs, wikis, spreadsheets, web pages, videos, etc.) creates even more opportunities to use information more strategically. The challenge for most is figuring out how to better understand all of the data and then design business processes to extract value. The great news is that most organizations have plenty of unstructured information to begin opportunistically leveraging.
However, there are tradeoffs that must be measured against the potential benefits of using this data. Until a few years ago, the biggest downside of having all this information was IT-related: generating additional expenses for storage, servers, and other resources to maintain it. It still seemed less risky and labor-intensive for many organizations to blindly retain data indefinitely, rather than trying to understand and manage it proactively. The downside has now become much more significant in terms of hard dollar costs, opportunity costs, and risk. Increased electronic discovery and investigations in recent years, combined with data growth, mean higher expenses to retrieve and produce information in response to legal or regulatory requests, as well as the risk of "unknown unknowns" lurking in those unmanaged terabytes.
Compliance requirements for the privacy and security of specialized information dictate stricter security, too, and potential for significant liability for failure to enforce it. As supported by ESG's 2011 IT spending trends research, balancing the opportunities to be gained by using information in existing or new business processes with the cost and risk of keeping it is top of mind. The top five business initiatives (see Figure 1) that will impact IT spending can be directly associated with managing information to achieve the appropriate balance. 1
Figure 1. Top Five Business Initiatives Impacting IT Spending Priorities Over the Next 12-18 Months
Which of the following business initiatives do you believe will have the greatest impact on your organization's IT spending decisions over the next 12-18 months? (Percent of respondents, N=611, three responses accepted)
Cost reduction initiatives
Business process improvement initiatives
Security, risk management initiatives
Regulatory compliance
Improved business intelligence, real-time information delivery
In order to actually leverage information as an asset while preventing it from becoming a liability, the first step is to figure out what's there. How can one improve records management to address a compliance and legal need if no one knows where all the electronic records are? How can a company design a repeatable privacy audit process if it does not know how to quickly scan data sources to seek out confidential data?
After obtaining a deeper understanding of what information exists, the next logical task would be to start managing this information more discretely via policies, such as applying a retention policy to business records or moving business records to a centralized system deployed to automate records management. The list of opportunities to improve management is endless when organizations actually know what information they have. New business processes can be designed around specific types of information, or existing processes can be augmented to include unstructured data.
This paper describes why organizations should strive for better information intelligence strategies and the benefits that can result from more detailed management and augmentation or creation of business processes that include ever-expanding amounts of unstructured information.
Improved accessibility vs. enhanced security
Long-term retention vs. storage and other related IT infrastructure costs
Consistent data expiration/deletion vs. legal risk management
There are several other examples, but it is safe to assume that no information management decision is simple, creating the need to examine both sides of any given equation and take into account variables such as external influences, the perceived and real value of information, and actual management (securing, sharing, integrating, retaining, etc.) costs.
External Influences
Most companies are aware of the stricter influences on information management strategies such as record retention and privacy compliance, electronic discovery procedures, and corporate governance mandates. These factors force or strongly guide how certain data has to be managed. For example, for those companies that capture credit card information, their data is subject to the Payment Card Industry (PCI) Standard. Any organization going through a litigation matter involving Microsoft Office documents, e-mail, and other electronically stored information (ESI) knows that preserving relevant data (not allowing deletion or modification) is imperative. Companies have little choice in following these requirements, as the penalties can be severe in terms of fines, unfavorable legal outcomes, and irreparable brand damage. Examining the privacy risk and costs, recent estimates suggest the average cost of a data breach in the United States increased by 48% between 2005 and 2009, with the overall cost per breach across the globe exceeding $3.4M in 2009. 2
On the more positive side, companies are increasing technology investments that support information-centric business processes such as knowledge management and workforce collaboration. These efforts are designed to improve expansion into new markets, reduce internal travel expenses, and minimize hiring and training costs. A critical success factor for these business processes is ensuring that all relevant information is located and incorporated into the systems.
http://www.databreaches.net/?p=11421, http://privacylaw.proskauer.com/2010/01/articles/data-breaches/2009-ponemon-institute-costof-a-data-breach-study-released/
Figure 2. 12-18 Month Information Management Investment Plans
With regards to specific spending plans for information management solutions, in which of the following areas will your organization make the most significant investments over the next 12-18 months? (Percent of respondents, N=186, three responses accepted)
Content management / document management
Collaboration platforms and tools (e.g., Microsoft SharePoint, etc.)
Data integration solutions (i.e., connecting and merging multiple data sources)
Information archive and retrieval
Knowledge management solutions
Electronic data discovery / litigation support
Enterprise search
Storage capital and operating expenses prevent companies from saving all information forever. Data has different requirements for timely accessibility, particularly for litigation or regulatory requests. Encrypting all possible sensitive and confidential information will significantly hamper access, potentially impact system performance, and dis-incent employees to use more data during the normal course of business. Legal and IT teams do not want to collect, preserve, review, or produce more information than necessary for e-discovery and regulatory requests because of the costs and risks associated. Data subject to preservation for legal proceedings must by law be secured, often beyond normal records management retention and deletion schedules.
Precision is Better
The alternative is policy-based management, where management rules such as retention, disposition, storage location, and access permissions are determined by content, its relevancy and value, and potential risk and cost to the company. This is not as far-stretched as it may sound: most companies already have systems and business processes in place to execute some management tasks. As an example, an organization may already have a records management system to assist with compliance or an identity and access management software package to facilitate security across an entire enterprise application portfolio. In these systems, rules are established: how long to keep a file generated by a certain department, who has permission to read and modify contracts, etc. The real questions are these: Is all of the information that should be in these systems actually there (and is this regularly verified)? What happens to the data companies do not want to put in these systems despite putting some form of policy-based controls in place around it? The missing ingredient is the ability to actually understand content in a comprehensive and unified manner across multiple systems, organizing or categorizing it so it can be managed according to more specific policies and put to the best business utility.
3
Source: ESG Research Report, E-mail Archiving Market Trends, May 2010; ESG Research Report, Microsoft SharePoint Adoption, Market Drivers, & IT Impact, March 2009.
Taking another perspective, the more intelligence that can actually be gained from content, such as related concepts, the greater the potential for more specific policy development and accurate enforcement. This flexibility is ideal for companies facing significant external factors, such as frequent electronic discovery events, that impact information management policies. As an example, if an organization is asked to preserve any documents related to a real-estate project in New York City, some of the content may have concepts that imply the location (such as "The Big Apple"). Preserving data based on a keyword of "New York City" will omit the ones containing "The Big Apple", creating a situation where it appears a company is hiding, intentionally or unintentionally, relevant information.
It is Feasible Today
Technology is available to provide much sought-after intelligence by scanning sources and building an index of metadata as well as the contents of a file. This index provides the foundation for understanding more about corporate data sources. Rather than querying data sources one by one to see if certain files meet specific policy criteria, a query can be run against the index representing all information originally scanned. Some companies could set up pre-defined queries which are repeated to see if newly indexed content needs to be managed or controlled. The index enables an organization to gather intelligence without centralizing unstructured data sources, something that will never be done because too much information is dispersed in different locations.
Organizations can begin reporting on information that meets specific criteria, moving the data from its original source to a location where policies can be enforced (such as a secure file server or content management system). Audits can be completed to prove that confidential information has been removed from unsecure locations, and data that is not subject to legal or regulatory-related management policies can be expired. If information isn't valuable but does need to be retained for compliance reasons, IT could investigate moving the data to the lowest-cost storage device to minimize infrastructure costs. All of these actions can be taken against the right data, not all data, because companies have the intelligence to make more precise management decisions.
executive summary: lower costs and improved business processes focused on improved compliance, security, and risk management. Business leaders also have the opportunity to develop and enhance data analytics, reporting, and decision support functions based on unstructured information. ESG believes that information intelligence allows:
CISOs to institute regular procedures to identify sensitive and confidential information and move it to a secure system. Having a more consistent process to locate unstructured data subject to privacy mandates mitigates risk and represents a control process that most companies do not have in place today.
Records managers to implement comprehensive retention and disposition strategies across the organization. Most records managers rely on employees to designate certain content as a business record and place it into an existing system for proper management. While this trusted method may work for some business records, it is likely that more vital business content is stored outside the defined system, increasing the risk of non-compliance.
Corporate counsel to access organized information in real time, enabling discovery processes to commence immediately after receiving a request. This capability facilitates more timely case strategy development, reduces the amount of data to be reviewed by attorneys, and minimizes the risk of spoliation. All of these directly reduce cost and risk in the discovery process.
Knowledge management/business intelligence leaders to bring information to where they can work with it most effectively by moving dispersed content into an existing knowledge management or collaboration platform.
CIOs to make more information available to the right people and control storage costs. Identifying dispersed information and bringing it into collaboration and knowledge management platforms improves productivity. Alternatively, if information is not valuable and isn't needed for compliance and legal reasons, it can be deleted to reduce storage as well as other IT infrastructure and operating costs.
Connect to all relevant data sources. Business users cannot afford to miss any information. Unidentified content could result in legal consequences, fines, and other damages.
Operate at scale. Any delays resulting from scanning, indexing, or categorizing file systems can slow down the audit or discovery processes. Timeliness could mean settling a case faster or satisfying a compliance inquiry within a given deadline.
Support in-place data management. Attorneys and compliance officers are likely going to want to manage (i.e., search, preserve, tag, encrypt, etc.) information as they move through their respective business processes from as early a stage as possible. Rather than using disparate tools to do so, some of this could be executed directly from within the information intelligence platform to potentially limit downstream costs for review and production of the data.
Support concept, entity, text pattern, and other sophisticated indexing techniques. This allows for more detailed and accurate information categorization. Compliance officers worried about credit card numbers can set criteria to look for and segregate any files with 16 digits followed by a month and a year numerical value: the card's full number and expiration date.
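The credit card criterion above, sketched as an added example (not code from ESG, StoredIQ, or any product the paper describes): a scan that flags files containing 16 digits followed by a month/year value. The Luhn checksum, the 40-character window, the function names and the sample files are assumptions added here; the Luhn step goes beyond the paper's pattern so that order IDs and similar 16-digit strings are not reported.

```python
import re

# 16 digits, optionally grouped in fours by a space or hyphen.
PAN_RE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)")
# Expiry written as MM/YY, MM/YYYY, MM-YY or MM-YYYY (month 01-12).
EXP_RE = re.compile(r"(?<!\d)(0[1-9]|1[0-2])[/-](\d{4}|\d{2})(?!\d)")
EXP_WINDOW = 40  # assumption: the expiry appears within 40 chars after the number


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most arbitrary 16-digit strings (order IDs, etc.)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list[dict]:
    """Return one finding per Luhn-valid 16-digit number followed by an expiry."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue
        exp = EXP_RE.search(text, m.end(), m.end() + EXP_WINDOW)
        if exp:
            # Report only the last four digits so the audit log holds no full number.
            findings.append({"pan": "*" * 12 + digits[-4:],
                             "expiry": exp.group(), "offset": m.start()})
    return findings


def segregate(files: dict[str, str]) -> dict[str, list[dict]]:
    """Map each file name that has at least one finding to its findings."""
    hits = {name: scan_text(body) for name, body in files.items()}
    return {name: found for name, found in hits.items() if found}


# Constructed sample files; 4111 1111 1111 1111 is a widely used test number.
SAMPLE_FILES = {
    "invoice.txt": "Card 4111 1111 1111 1111 exp 09/2012, thank you.",
    "orders.csv": "order_id,1234567812345678,shipped 03/11",
    "notes.txt": "Call the vendor about the New York City project.",
    "form.txt": "PAN: 4111-1111-1111-1111 (no expiry recorded)",
}

if __name__ == "__main__":
    print(segregate(SAMPLE_FILES))
```

Only `invoice.txt` is flagged: `orders.csv` fails the checksum, and `form.txt` has a valid number but no expiry, so it does not meet the paper's "number followed by month and year" criterion.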
Information intelligence is a critical component for companies to shift from broad-based information management strategies to ones based on more precise policies. It can also define an application to support information-intensive processes where policies must be constantly updated based on external requirements. Lastly, companies can create information-centric business processes to help departments currently in need of better ways to optimize and control unstructured data.