The doomsayers have been predicting the end of enterprise content management (ECM) for a while now. Whether that end comes at the hands of big data, enterprise file sync and share (EFSS), enterprise social collaboration, or any other myriad of disrupters, for at least the last five years you would think that ECM had one foot in the grave from the way people spoke about it.
A Rose By Any Other Name
I've had a hard time believing this. Managing content is something we have done and will always do at organizations. Will we always call it “content”? No. Have we always called it “content”? No. Now it’s information and data; it used to be documents or records; we'll be calling it something else in five or 10 years. But whatever we call it, the stuff we’re trying to label is the same and is still important. So no matter how the terms change, we’re still trying to accomplish the same thing.
What has shifted significantly over the years is the organizational “center” of efforts to manage documents/records/information/data/etc. more effectively. From IT, to records management, to legal, to lines of business — the owners of this very real, very important business problem have changed over the last 25 years.
And right now, for a variety of reasons, the center of efforts to manage content is shifting (and in many industries, has already shifted) to another location: information security.
ECM Is Information Security
What we’re seeing in the marketplace over the last year or so is that, more often than not, the responsibility for managing content is falling to the chief information security officer (CISO) rather than general counsel (GC), CIO or CTO.
Traditionally, the CISO’s scope of responsibility was concerned with preventing bad actors from gaining access to company systems and preventing egress of sensitive data by bad actors inside the company. But with the increased sophistication of hackers (if Target, Home Depot and CHS got breached, you will get breached, full stop), CISOs are focusing on how they can minimize the impact of the inevitable breach, when it happens.
This means having only as much protected health information and personally identifiable information as is absolutely necessary (i.e., as the law, regulation, and business need require), and no more. After all, when a breach happens, do you want 20 years of billing data (because you never purged data) or three year’s? The answer is clearly three, because that extra 17 years of sensitive data magnifies the impact of the breach immensely. Now multiply that across hundreds or thousands of structured applications, and you have a risk that far outweighs anything records or IT could bring to bear previously on the business case for ECM.
On top of this, for most large organizations in regulated industries, audit findings or actual breaches drive information security. In the former case, upper management is forced to close the gaps and fund the projects to do so; in the latter, they are personally motivated to do so, because they don’t want to be in the spotlight trying to explain why they handled customer data so poorly again.
Given all this, we’ve experienced a shift over the last 12 months. An increased number of ECM engagements were delivered at the behest of the CISO, rather than more traditional stakeholders like IT, legal or records management.
This is an encouraging trend and very good for the future of ECM. The problems and drivers for the CISO explored above are not going anywhere any time soon.
So if we, as ECM practitioners, can find ways to deliver value to the CISO on solving ECM problems, ECM will continue to be relevant. And hopefully, as a result, will receive sustained organizational attention year over year and get closer to solving than it has been at the hands of IT, legal and records management.
Title image by Caleb George