January 13, 2020

    Creating a Mindful Information Culture

    Randolph A. Kahn, James Beckmann

    In Brief

    • Businesses should expect that bad actors will continue to find and exploit weaknesses in its information culture.
    • A company must have a “mindful information culture” to mitigate the risks.
    • What are the elements a company should undertake in building a more mindful information culture?

    Acme’s cloud storage provider just got hacked. Private information was exposed. Acme’s customers who lost information in the hack are angry and don’t care that it was a third party that failed to secure the information or that some maleficent hacker from across the globe got into their system. Likewise, their customers don’t care how difficult it is for Acme to migrate data, or how they retain and store their records, or what regulations govern each part of Acme’s business. Acme’s customers care only about their information, their data, and whether Acme performs for them.

    This story could be any company’s story. The problems afflicting Acme could be one of a number of information-management issues that confound most businesses. In 2020, you should expect that bad actors will seek to break into your information trove and find and exploit any weakness in your information culture. Expect they will try regularly—they are trying right now, in fact. Expect that customers will become ever more aware of “their” private information, and when (not if) that information is exposed, it may impact your relationship with your customers, vendors, and the public. Expect that confidential information may fly across the ether unprotected, and that sensitive information may fall into the wrong hands. Expect that records may be kept for too long or not long enough, and that discovery for a lawsuit may be inexplicably gone, precipitating a claim for spoliation.

    If every worst-case scenario is not only possible, but likely at some point, then now what? Take a deep breath and read on because there is a path forward. As you reflect on how to change the course of, or mitigate the fallout from, some future event, you could find help in building a mindful information culture at your company. Building a more mindful information culture has several distinct and critical elements:

    • Who Is the Organization’s “Champion”? Every major project or initiative requires a champion possessing a combination of institutional knowledge and political savvy to help make the journey more productive and less painful. It is critical that the face of the journey to build a mindful information culture has the right temperament and skill set. In order to establish and properly incubate this shift, your champion must demonstrate three essential qualities: the ability to clearly communicate, a balance of business and technology acumen, and knowledge of the organization. Properly selecting the right champion will enable the new culture to grow and flourish, whereas failing to select the right champion will likely doom it to failure.
    • Relying on the Right Support to Do the Heavy Hauling and Deliver Guidance. Every programmatic trek also needs the right supporting cast that represents the essential parts of your organization. Without the right supporting team members to haul each segment of the organization forward, the initiative will likely experience headwinds and hurdles (which might happen anyway). For every information project, there must at a minimum be business, IT, and legal executive involvement, and do not minimize the need for excellent project-management skills, too. Getting the right executive’s imprimaturs will be essential in getting the employees’ behind the initiative.
    • Assessing Where You Are in the Fog. The only way you know where you are is by looking. The only way you know what needs fixing is by assessing “the good, the bad, and the ugly.” Knowing what is “good enough” and what needs fixing is an essential part of the project, and it should happen early in the process. Additionally, when you have several issues that must be addressed, each issue must be evaluated based on risk to the organization. In other words, the issues that create the greatest risk, and the issues that can be addressed fairly easily, should be tackled first. Until you assess, you cannot address, but only after identifying your organization’s problems can you begin to change your information culture.
    • Building a Plan to Get to Information Nirvana. Having the right remediation path and taking the right action steps to triage and fix any information problem requires a plan. Ensuring your organization provides long-term solutions to address company and employee needs for information similarly requires a plan, and likely new technology to ensure information accessibility.

      So, what should your organization’s plan look like? You have done your triage and know that immediate litigation response requirements likely take precedence over longer-term records retention fixes. Likewise, managing private information that is sitting unprotected on a server likely takes precedence over training on information classification. However, the plan must be more than just triaging emergencies. The tyranny of the immediate cannot derail you from your long-term goals. Your organization can implement tactical fixes at the same time that it fleshes out the strategic initiatives. You simply must manage resources to maximize effectiveness and not overwhelm a particular business unit or individual.

      Part of the path forward also requires that your plan consider your organization’s existing information culture. What is your work force’s openness to change? Are they technologically sophisticated? Centralized? Are business units autonomous? Does your company vet and buy applications for the entire company? How big is the problem? Who is required to fund and fix it? Are employees going to balk if you change e-mail retention, for example? The bottom line is to be ambitious but take the time to build a plan that includes the needed expertise from across the organization, and be realistic about what can get done given the company information culture, resource constraints, and other projects impacting employee availability.
    • Messaging as the Information Mantra. Moving your team, department, or organization to change is not easy. It will be effective only if the key leaders properly message the change. Mid-level management typically does not steer the ship; redirection is done by the people at the top.

      For example, when moving to a new collaboration environment or migrating to O365, your workforce’s needs and concerns should be anticipated and managed, otherwise the project will likely get derailed. Providing the necessary information to the proper people and giving them the opportunity to ease into change and readjust their way of operating will be necessary for your plan to succeed.

      People default to what is simple and what they know. Therefore, the messaging surrounding building an information culture is critical. It must be clear, consistent, and anchored to a “why” that resonates with your employees and makes their life better (not just simpler, but better). This will allow them to move past the “but this is how we have always done it” response toward becoming mindful stewards of your organization’s information. Mindful employees are essential to building a great information culture.
    • Achieving a Mindful Information Culture Requires Processes and Repetition. Achieving any organizational goal, let alone building a mindful information culture, requires the right processes and directives that can become muscle memory—implementable, repeatable, and followed over time. Diligence must become your organization’s state of being. Persistence must be how the champion and executive team manages any information-related initiative and program. A mature information culture is a state of being, like a never-ending marathon. Culture is not a “sometimes thing,” it is an “all the time thing.” If your company is able to wrangle its information security risks, it is because information security mindfulness was made part of the fabric of your organization. If your organization right-sizes its information footprint annually, it is because minimizing cost and mitigating the risk of keeping unneeded data has also been woven into the fabric of your company. It takes a person doing something correctly 14 times in a row to make it a habit, and achieving information nirvana is no different. Building a mindful information culture can be achieved only by implementing a consistent, persistent, evolving cycle to assess, plan, implement, communicate, monitor, resolve, and repeat. This is the way to truly effectuate cultural change.
    • Information Mindfulness. All organizations care about profits and costs, yours included. Harvesting and harnessing information can promote both. To be a truly information-mindful organization, your company must use information as a differentiator. Information can promote employee satisfaction and provide a more valuable workplace. Information can advance your customers’ needs and create a deeper customer experience, which translates into a deeper customer connection, which translates into greater sales. Information mindfulness is about using information as the currency that makes business better and the glue that connects people in various ways with your company.
    • Finding Easy Places to Focus. Your organization should focus its efforts on the most critical gaps first while finding some low-hanging fruit to bolster the credibility of project champion. Once you solve a few of the less complex issues impeding your organization, you can move on to the tougher issues, having acquired wins under your belt and hopefully having banked goodwill and support from management. When employees see the changes to your information culture helping their work day, they will almost certainly climb aboard.

    Conclusion

    A leader’s obligation is to be constant in principle but flexible in approach—to change just before change is necessary. Specifically, once the pillars are poured, you and your champions must find a new way to look at and think about the enterprise’s information culture, whether a new angle or new focus, a new way forward, or simply to decide to do what you are already doing, just more efficiently. The bad actors never rest and are always reinventing themselves. Without that same dedication to diligence as a way of corporate life, your information culture will stagnate, issues will appear, and you will likely feel the pain that is exacted on the nonvigilant.

    For more business law content, visit businesslawtoday.org.

    Randolph A. Kahn

    Founder, Kahn Consulting Inc.

    Randolph Kahn and his firm, Kahn Consulting Inc. (www.KahnConsultingInc.com), are recognized across the globe as leaders in information governance. Mr. Kahn has advised the U.S. and foreign governments, courts systems, and major multinational corporations on a wide variety of information issues, including e-communications strategies, privacy, social media policy, information security, electronic signatures, records-management programs implementation, and litigation-response processes. Mr. Kahn has been an expert witness in major court cases. He is a highly regarded speaker and a two-time recipient of the Britt Literary Award. He has written numerous published works, including Chucking Daisies, Email Rules, Information Nation: Seven Keys to Information Management Compliance, Information Nation Warrior, and Privacy Nation. Mr. Kahn teaches Law and Policy of Electronic Information at Washington University School of Law and The Politics of Information at the University of Wisconsin-Madison. He is currently working on a new book entitled, The Executive’s Guide to Navigating the Information Universe.

    James Beckmann

    Assistant General Counse, Boys Town

    James Beckmann, Esq., is assistant general counsel for Boys Town.

    Entity:
    Topic:

    BLT: January 2020

    Business & Corporate & more

    Kisor v. Wilkie: A New Limit on Agency Deference and Its Implications for Banking Organizations

    Business & Corporate & more

    Common-Law Drafting in Civil-Law Jurisdictions

    Business & Corporate & more

    Border Control: The Enforceability of Contractual Restraints on Bankruptcy Filings, Part 2
    Back To - BLT: January 2020