Thursday, June 12, 2014

The path to hell is paved with good intentions.

I am not sure I have any good way to say what I am about to say. And in fact, I am so trepidatious that I have to couch my commentary in verbiage subterfuge. I am not spineless, but just don’t want to create a bunch of enemies with my cohort. So here goes. I am certain you will get my point even if I hide the true identities of the offending parties to protect the innocent and/or guilty.
Assume for a moment that an international information association decided that the industry, and more specifically companies, needed a way to assess if they had a mature information management program. So the organization got a bunch of their folks together to develop criteria by which they should evaluate if their program was good enough to pass muster. And let’s say after much talking and thinking they settled on an information management Maturity Model and related criteria.

Recently, a client of ours had us look at their self-assessment of their information management program using one such Maturity Model Best Practice self-assessment tool. (The client is now considering having us perform a new Gap Assessment.) It is one of my favorite clients and it’s a great company that does so much right. So when I reviewed their self-assessment, I was stupefied. They used the information management organization’s Maturity Model criteria and concluded they were seriously substandard. I totally disagreed with most of the conclusions of the assessment. I am not going to lay out why I think the various criteria are flawed in total, but let me give you an example to make my point. One of the criteria by which this company evaluated itself according to the self-assessment was information “integrity”. Based upon how the assessment MADE the client answer the questions, they got a flunking grade. I told my client, given what I knew about their business processes and IT framework, that on the information integrity scale I would give them a Rhodes Scholar type grade—at least an “A”. So why such a disconnect?
I get the whole thing about “one man’s hot is another man’s cold,” but this is not about perception. It is about the criteria and maturing the process and still utterly failing even if what you have done is at least good enough. From my humble perspective, the evaluative criteria are aspirational, not functionally helpful, impracticable, and may sell your company unfairly down the river. BOOM! I believe it sets up companies that use the self-assessment to fail, on criteria that are not really central to success. Every organization would be flagging miserably if put under the assessment’s microscope. And that’s just not the way it should be.

Which brings me to the PG&E San Bruno disaster and how industry “best practices” evaluations can be helpful at fixing failings and can also provide the basis for regulators to whack companies for failing to properly manage records, among other things. The tragedy was horrible. The loss of life and property is unthinkable. And the company may have had records management failings. But look close enough at any company and most organizations fail miserably. See the report at the following link.

There are lots of information management industry standards, best practices, and evaluations from all sorts of organizations. There is some terrific guidance and there are some downright damaging, unattainable “best practices”. I’m sure it all comes into being with great intentions. But massaged, manipulated and maneuvered by lawyers, a good company begins to smell dirty.

We developed a methodology called “Information Management Compliance” for evaluating the “goodness” of your Information Governance Program, which has been used by so many companies. I borrowed the criteria from the Federal Sentencing Guidelines, which help judges evaluate what is good corporate behavior. I figured if the court will evaluate your company by the criteria, then you should build your program according to the criteria. (This is also the topic of “Information Nation: Seven Keys to Information Management Compliance”. See also

Look close enough at any company’s information management practices and you will find flaws. Lawyers are in the business of exploiting flaws. I don’t need to give them material to work with that isn’t even real. So companies: evaluate carefully, document thoughtfully, and pick the criteria by which you evaluate circumspectly. Just saying.

Randolph Kahn, ESQ.

Wednesday, January 22, 2014

Data is the Target

When your logo is a red bullseye and you’re in the retail business, I guess you should expect to be a target.

We are learning that more people were affected by the data breach at Target. We are learning that the breach was likely perpetrated by Eastern European cyber thugs and that tens of millions of Americans may be impacted to the tune of billions. What we haven’t seemed to learn is that no matter how vigilant we are and how much is spent seeking to protect the information Crown Jewels, nothing can protect information completely from the criminals. There will be hacks and data will be stolen. But for the average person, while scary, what it tells them is that they need to take action to protect themselves. Perhaps that means getting identity theft insurance or some protection from cyber crime.

However, more importantly, what does this mean for business? What can be done to mitigate the harm and risk? Insurance shifts the risk and is a good thing, but it doesn't solve the underlying problem. More IT security is useful, but how many more IT experts can be retained, and will that solve the problem? I think not.

While I don’t have all the answers, I do want to share a story that makes the point that process and technology can help minimize the harm.

A few years ago, I was speaking in Southern France to a bunch of Hungarian bankers. They recounted how they were dealing with cyber theft, which was a big issue in Hungary, especially for people making credit card purchases. To combat theft of credit card info, the Hungarian banks implemented a simple and seemingly inexpensive system whereby every credit card holder got immediate, real-time notice of any and all impending transactions on their cards. If the transaction was bogus, a text message could be instantly sent back to the bank to shut down the account and terminate the criminal transaction.

Well, maybe the text notification system is not the right or only answer, but it seems like coming up with ways to make the theft less valuable, by minimizing the transaction amounts or frequency, will take a bite out of crime.
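To make the two ideas above concrete, here is an added simulation of the control the Hungarian bankers described, plus the "make the theft less valuable" cap from the paragraph just above. It is example code written for this page, not the post's own material and not any bank's real system; the class and method names, the 120-second veto window, the per-card velocity limits, and the card numbers are all constructed assumptions. Every authorization is held and the cardholder is "texted"; a reply of STOP declines it and freezes the card, an unanswered hold settles when the window expires, and a per-card count/amount cap declines charges that exceed it even when nobody answers.

```python
"""Real-time authorization hold with cardholder veto and velocity cap.

Constructed example for illustration: the names, windows and limits
below are assumptions, not a description of any real bank's system.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Authorization:
    auth_id: int
    card: str
    amount_cents: int
    created_at: float
    status: str = "PENDING"   # PENDING | SETTLED | DECLINED


@dataclass
class CardState:
    frozen: bool = False
    # (timestamp, amount) of charges accepted into the hold queue
    recent: deque = field(default_factory=deque)


class AuthorizationService:
    def __init__(self, veto_window_s=120.0, velocity_window_s=3600.0,
                 max_count=5, max_amount_cents=50_000):
        self.veto_window_s = veto_window_s          # how long a hold waits for STOP
        self.velocity_window_s = velocity_window_s  # lookback for the per-card cap
        self.max_count = max_count                  # max charges per lookback window
        self.max_amount_cents = max_amount_cents    # max total cents per window
        self.auths = {}
        self.cards = {}
        self.notifications = []   # (card, auth_id, amount) "texts" sent out
        self.next_id = 1

    def _card(self, card):
        return self.cards.setdefault(card, CardState())

    def _velocity_exceeded(self, state, now, amount_cents):
        # Drop charges that have aged out of the lookback window.
        while state.recent and now - state.recent[0][0] > self.velocity_window_s:
            state.recent.popleft()
        count = len(state.recent) + 1
        total = sum(a for _, a in state.recent) + amount_cents
        return count > self.max_count or total > self.max_amount_cents

    def request(self, card, amount_cents, now):
        """Merchant asks to charge the card; returns the held or declined auth."""
        state = self._card(card)
        auth = Authorization(self.next_id, card, amount_cents, now)
        self.next_id += 1
        self.auths[auth.auth_id] = auth
        if state.frozen or self._velocity_exceeded(state, now, amount_cents):
            auth.status = "DECLINED"
            return auth
        state.recent.append((now, amount_cents))
        # Real-time notice to the cardholder: the charge is pending their veto.
        self.notifications.append((card, auth.auth_id, amount_cents))
        return auth

    def cardholder_reply(self, card, auth_id, text):
        """Cardholder texts back about a pending charge; STOP vetoes it."""
        auth = self.auths[auth_id]
        if auth.card != card:
            return auth   # reply must arrive on the channel bound to this card
        if text.strip().upper() == "STOP" and auth.status == "PENDING":
            auth.status = "DECLINED"
            self._card(card).frozen = True   # no further charges until the bank unfreezes
        return auth

    def settle_expired(self, now):
        """Holds that outlived the veto window settle; returns their ids."""
        settled = []
        for auth in self.auths.values():
            if auth.status == "PENDING" and now - auth.created_at >= self.veto_window_s:
                auth.status = "SETTLED"
                settled.append(auth.auth_id)
        return settled


def demo():
    """Walk a stolen card and an honest card through the service."""
    svc = AuthorizationService()
    stolen, honest = "4111-0000-0000-1111", "5555-0000-0000-4444"   # constructed
    a1 = svc.request(stolen, 4_500, now=0.0)            # held, cardholder notified
    a2 = svc.request(stolen, 120_000, now=10.0)         # exceeds the amount cap
    svc.cardholder_reply(stolen, a1.auth_id, " stop ")  # victim vetoes, card frozen
    a3 = svc.request(stolen, 100, now=20.0)             # frozen card: declined
    b1 = svc.request(honest, 2_000, now=0.0)            # honest charge, no reply
    settled_early = svc.settle_expired(now=119.9)       # window not over yet
    settled_late = svc.settle_expired(now=120.0)        # window over: settles
    return {"a1": a1.status, "a2": a2.status, "a3": a3.status, "b1": b1.status,
            "settled_early": settled_early, "settled_late": settled_late,
            "texts_sent": len(svc.notifications)}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the attacker's window shrinks in two independent ways: a vetoed charge never settles and takes the card with it, and the velocity cap bounds what an unanswered hold can cost. Binding the STOP reply to the card's own channel matters, since a veto that anyone could send would itself be a denial-of-service lever.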

If you can’t undo all the criminals hellbent on cyber crime, perhaps we can get creative and interactive to diminish the economic harm.

I’m interested in what you would do about cyber theft. Email me your ideas at