Some information governance programs are focused on command and control. Thou shalt do this or that. Thou shalt not do something else. And while, on the surface, these tactics seem to work, they drive behaviors underground, expose information to more risk, and simultaneously reduce productivity. Control looks like a good solution, but it typically fails in the end.
Pressure vessels are a marvel of the modern world. We can compress a gas and keep it contained. The release of pressure is what drove the industrial age through steam engines that increased in pressure and drove us forward. The problem is that pressure vessels fail. Early in the Industrial Age, there were numerous deaths due to the spontaneous destruction of a pressure vessel. Steam engine boiler tanks burst and killed people.
Every pressure vessel that we create has a point at which it can no longer contain the pressure and fails. The problem is not so much that there is a point of failure. The problem is that, when there is a failure, it’s unpredictable and so destructive. That’s why applying too much pressure in your information governance program in the form of control can lead to some disastrous consequences.
Information Governance Pressure
How, one might ask, does information governance apply pressure to an organization? The answer lies in the pressure that is exerted between the normal and desired behaviors and the behaviors that the governance plan tries to enforce. Like a dam holding back water, there is pressure against the policies to allow the individual and the organization to do their normal work. Like a dam, these policies hold back the normal flow, which may cause useful reservoirs, but those dams have limits.
We’ve seen stunning examples of dam failures. One moment, everything seems fine. The next moment, there’s a wall of water flowing down. In most failures, the problems start well before the final moment of failure. There’s some erosion in an earthen dam. Water slowly seeps through and erodes the base that the dam needs until it fails, and that failure causes the remainder – or a substantial portion – of the dam to fail.
Information governance programs do need to shape the flow of the information in an organization, but to do so without recognizing the limits is inviting people to subvert the official processes and do something less secure.
Like water finding its way to and through weak spots in a dam, so, too, will users find ways to do their jobs even when the information governance program prevents such activities directly.
Consider password rules. NIST (the National Institute of Standards and Technology) has changed its guidance on passwords, because the degree of complexity in managing passwords necessitated that people start writing them down and storing them in places that made them less secure than simply having a single password that never changes – or a password that never changes plus second-factor authentication. There’s the tacit acknowledgement that the password complexity rules and change frequency forced people into behaviors that actually reduced rather than increased security.
What about sharing rules? Organizations want their workers to collaborate with external partners and consultants, but when users are prohibited from sharing the documents directly, they place corporate information in personal cloud storage and share with third parties from those locations. Not only does this break the intent of the guidance but it also removes corporate information from the boundaries of the corporation, so it’s not available for others to search and may be lost when the person leaves the organization.
Some organizations have approached these problems with more aggressive controls that block access to private file sites – which only causes users to start saving copies of their files in their emails, making the information more difficult to manage.
Much like water will always find a way to get lower eventually, even the craftiest of strategies to block users from bad behaviors will fail if you don’t design in a way for them to get their work done.