You are not logged in. Please log in or become a member to unlock your benefits.

Information Coalition Community Blog

Information Coalition: Resources For Your Enterprise Information Success.

Reimagining Information Governance with Blockchain

A Discussion Paper

Authors: Alan Pelz-Sharpe (Deep Analysis) & Steve Weissman (Holly Group)

Statement of Purpose

This discussion paper provides an overview of how future information governance (IG) platforms may be envisaged and built utilizing blockchain – perhaps the key point being that all the technologies necessary to do so are already available.

Though blockchain is flying well under the radar in this context, it is not too early to begin postulating how it can be used to build a secure information governance management platform. Our hope is that this paper can become a starting point for information management and governance professionals to discuss its potential, as well as some of the challenges to be stared down before it becomes a practical reality.


The questions 'what is a record?' or 'is that the original?' are asked multiple times daily in commercial and legal situations around the world. Absolute, incontrovertible proof of the veracity of a transaction, activity, file, or document is difficult to come by and often form the basis for disputes. Over the decades, as information has become more and more digitized, providing that absolute proof has in parallel become ever more difficult. Yet a technology today does exist to provide a level of absolute trust and indisputable evidence every single time, that technology is called blockchain. Though best known for its pioneering use in financial transactions via Bitcoin, the underlying platform and structure of blockchain (a distributed ledger) has huge potential beyond financial services, including (and especially) in the worlds of document, records, and asset management.

A New Model for Information Governance

Below (Figure 1) is a proposed simplified framework architecture for Information Governance. The framework leverages existing P2P blockchain public ledgers and proposes that information governance applications can be built atop this in decentralized manner.

Figure 1 Proposed Information Governance Model

Each element of this model is explained below.

Unified Rules & AI-Driven Content Lifecycle Management Application – Today, this layer consists of multiple information silos and applications – they could be ECM repositories or CRM systems or email systems – wherever content is created, managed, and/or stored. Here, though, it is depicted as a single unit, proposing a possible future unified platform. Today, enterprise information is disjointed and held in multiple unintegrated silos and repositories. That is unlikely to change in the foreseeable future, but new approaches to information management are on the way.

APIs – APIs (Application Programming Interfaces) are the connectors that provide integration points between the content applications and the governance protocol layer. Again, as above, in this diagram we have depicted a single API though in reality there would likely be multiple APIs.

Decentralized Information Governance Protocol Layer – This layer of the stack provides the rules and analytics that drive governance. To the best of our knowledge, no firm has yet built such a layer to drive governance to the blockchain. Technology vendors have, though, built similar platforms to apply governance to content and drive that content to their own repositories. A good example of such a platform/application is Microsoft Office 365 Advanced Data Governance, which leverages artificial intelligence (AI) to predict and and make recommendations on how certain files or sets of data should be managed.

The Blockchain – Blockchain provides a non-repudiable, irreversible, cryptographically secure block to the chain of custody every time a bit of critical information is touched. Fundamentally a distributed ledger technology, it decentralizes control and verification of the custody chain. This, plus the presence of hashing at its core, eliminates the ability for something to ever be tampered with without first being detected.

A Simplified Process

In practical terms, the model described above would work in the following manner (see Figure 2):

Figure 2 Simplified information governance blockchain process

For example:

A contract is created to detail an agreement to acquire a custom piece of engineering for an offshore oil platform. In reality, that "contract" consists of a number of documents, drawings, and data sheets. Each element has been created by different people, in different departments, different organizations, in different locations. As the contract as a whole goes through a number of revisions, so does each individual component of the contract also go through a number revisions and reviews.

At a future date, there may be a legal dispute regarding the contract details between supplier and buyer. The audit trail of both the contract and its individual components is critical to resolving the dispute. By reason, no individual of the various parties can either be responsible for nor necessarily trusted to confirm the validity of every component (record) element.

Using blockchain to "lock" every component creates a shared distributed ledger into which all of the records are written, with each record and every transaction (change0 accompanied by a timestamp and proof of origin. In essence, this builds a verified and indisputable shared record, whilst preventing any individual participant from corrupting it.


Promising though blockchain is as an IG tool, there are a number of challenges to be overcome before it can become a practical reality:

Cost – Though open and decentralized, the fact is that people perceive blockchain to be expensive to run. It takes a huge amount of processing power to run transactions, and intermediaries to the blockchain want to charge a percentage of each transaction they handle. But for managing a finite number of files costs should not be a real factor.

Forking – In theory there should be one global blockchain. In practice, though, there is one dominant global blockchain (bitcoin). Other proprietary blockchain instances are being created.

Bitcoin – The concept of blockchain is so closely linked to bitcoin that it can be hard for many in the industry to recognize that it has a role and function beyond that.

Mindset – Information management system builders have traditionally had a repository-centric view of the world. Moving to an open and decentralized perspective of information thus will be a philosophically difficult shift to make, and may hinder blockchain's rollout in such contexts.


The most telling takeaway from this short paper may well be that all of the elements described in our proposed framework exist and are running openly today. There is no new technology as such in this framework – only existing technology that could be configured in a manner to challenge and cause a rethink of today's often limited approaches to information governance and management.

The model we propose may have a limited appeal or application for many use cases today. In some situations, even where it has a strong appeal, the cost and complexity of adopting such a framework might be prohibitive or unrealistic to address. There are, though, situations such as medical records, digital evidence, high value media, and transportation and logistics where such a framework would be not only highly relevant, but also effective in bringing about much needed business improvements.

Consider the potential power blockchain has to upend the way:

  • transportation companies document the content and ownership of that content in their container ships, oil tankers and 18-wheelers
  • law firms ensure the integrity of depositions, courtroom transcripts, and client case files
  • hospitals and medical practices share and secure patient records
  • owners of high-value IP (e.g., unreleased films and music) approach digital rights management
  • public companies administer shareholder voting

Today, blockchain for information Governance is more of a discussion than a reality. Even so, there are a number of pilots underway and startup's building applications to meet the challenges and opportunities described in this paper. For sure, blockchain is not for everyone; it's complicated, new, and costly. But we believe there are business cases where its use would be appropriate. Moreover, as the body of learning and expertise grows, more opportunities will arise, and costs will likely fall lowering the bar to adoption.


Records Management is "[the] field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records". Source ISO 15489-1: 2001

Enterprise Content Management (ECM) is the strategies, methods, and tools used to capture, manage, store, preserve, and deliver content and documents related to organizational processes. ECM covers the management of information within the entire scope of an enterprise whether that information is in the form of a paper document, an electronic file, a database print stream, or even an email. Source

Information Governance (IG or infogov) is bringing order and discipline to the use and protection of business-critical information, so the most value possible can be derived from information assets. Source Holly Group


Steve Weissman, The Info Gov Guy™ | 617-383-4655 • | Principal Consultant, Holly Group • Co-Founder, Information Coalition | Member, AIIM Company of Fellows

Rate this blog entry:

Records Disrupted: Blockchain as a Transformative Force

Authors: Alan Pelz-Sharpe (Deep Analysis) & Steve Weissman (Holly Group)

If records and content management issues such as security, privacy, and compliance seem everlasting, that's because they are! What aren't everlasting though, are the so-called information governance "technologies" we use to bring these matters to heel.

In recent decades, we have cycled through imaging, document management, records management, content management, and endless combinations of the above – only to learn that these, really, are business disciplines, not technical tools.

We have also learned that the effectiveness of these disciplines depend entirely upon best-practices that are so extraordinarily similar as to be essentially identical (e.g., approaches to meta-tagging, etc.). So you would think, that at some point, some new technology would emerge that would enable us to bring these solution stacks together and help us unify our information strategies.

Well guess what? That day is … tomorrow!

Next-Gen Governance, Thy Name is Blockchain

The new technology in question is called blockchain, which actually does exist today and is best known as the engine powering the alternative digital currency Bitcoin. Tomorrow, though, it is likely to utterly transform the way that we approach information security, privacy, compliance, and many of our other infogov bugaboos.

In simple terms, blockchain adds a new, non-repudiable, irreversible, cryptographically-secure block to the chain of custody every time a bit of critical information is touched. (See figure below.)

Fundamentally a peer-to-peer technology, blockchain decentralizes control and verification of the custody chain. This, plus the presence of hashing at its core, eliminates the ability for something to ever be tampered with without being detected.

The Game Will Be Changed – Forever

To be sure, the description presented above is a gross simplification of what blockchain is and how it works. And that's OK, because the point of this piece isn't to dissect the underlying technology, but rather to alert you to the potential it has to disrupt our current methods of protecting, updating, auditing, and reporting on information.

Consider the power blockchain has to upend the way:

  • transportation companies document the content and ownership of that content in their container ships and oil tankers and 18-wheelers
  • law firms ensure the integrity of depositions, courtroom transcripts, and client case files
  • hospitals and medical practices to share and secure patient records
  • public companies to administer shareholder voting

It's true that at least some of these organizations are handling these functions just fine at present, but you can't tell me that they wouldn't jump at the chance to bolster their records management to a level approaching inviolable if given the chance.

Maybe …

And maybe that's the question we should leave off with right now: just how near or far is that chance from where we are today? At present, no one knows, and it will be some time before the eternal issues of economics, technology, and risk are understood well enough to prompt forward motion.

One thing is very clear, however: blockchain is real, it is here to stay, and it will disrupt records and information management as we know them. It may not be for everyone, but how will you know it's not for you if you don't start paying it some attention?

Rate this blog entry:

Debate Over “Content Services vs. ECM” Misses the PointTemplate for Event

"ECM is dead." "Content Services are the next generation." "I've got a brand-new pair of roller skates."

If you think that last quote is a non sequitur, you're right! But so, I'd argue, are the other two, because neither speaks directly to what both really are all about:

Improving the "care and feeding" of your business-critical information.

You know what else? I bet a large majority of organizations wrestling with information management issues today haven't even heard of content services – and most of these probably aren't familiar with ECM either.

This is not a criticism; if anything, it's a compliment because they're probably wrapped up in their day-to-day and don't have time to be distracted by such things.

It is a caution of sorts, though, for some in the professional market-watching game – and their devoted followers – who think what things are called, and how things are grouped and counted, is more important than how to use those things to solve business problems.

To be fair, these items probably are more important to folks like that because categorizing and quantifying market segments is what they do for a living. But for customers, the point is and must be something quite different, namely to bring order and discipline to the way their information is protected and used.

This is why the debate over content services vs. ECM misses the point. Both should be part of the discussion since both can be significant pieces in the overall puzzle, the latter most properly as a business practice and the former as an enabling technology set. But neither is The Answer unto itself, so it's not an either/or proposition.

So sayeth me. What sayeth you?

Steve Weissman,
The Info Gov Guy™| 617-383-4655 •
Principal Consultant, Holly Group • Co-Founder, Information Coalition
Member, AIIM Company of Fellows

Rate this blog entry:

Information Management: It’s Safe to Go in the Water




Quotes from a movie poster? A book jacket? A Congressional hearing? No, merely a summary of my latest People's Take* on the state of information management today.

From one: "All I want to do is scan stuff into my system, but they keep shoving content management at me. Except now it's not that, but 'content services.' What the heck is THAT?"

From another: "I'm just trying to shorten my billing cycle, but every conference I go to is full of sessions about the cloud and analytics. Do I need to care about these?"

From a third: "Information governance, big data, business intelligence … it all sounds so impressive. But I'm not sure how they relate to me. And what happens if I pick the wrong one?"

First of all, there isn't a "wrong one" per se since each of these disciplines involve essentially the same best-practices when it comes to the "care and feeding" of your business-critical information. There are differences in the details, but you'll be find if you do your homework properly.

Second, you need to care about them all, but the lens through which you view them has to be the business problem you're trying to solve. You'll find much of the confusion and obfuscation disappears when you ask your questions in the context of your specific need. So don't worry about what the technology is called; concentrate instead on what it can do.

Third, don't wait to figure it all out before taking steps to improve your situation. There's a cost to continuing to do things the way you do now, and there's always something new coming over the horizon. Delaying until you know everything about everything will only push your action off for months more.

  • You can begin categorizing your paper documents today to prepare to scan and store them.
  • You can map your billing process today to identify choke-points and quantify throughput goals.
  • You can start articulating your information-related pain-points today to identify which specific discipline(s) / technology(ies) you should investigate.

Dale Carnegie said, "If you want to conquer fear, don't sit home and think about it. Go out and get busy." I say, be like Dale, and dive right in!

*My "People's Take" is a regular bit of informal research conducted to gauge customers' thinking regarding the "latest and greatest" concepts and technologies. Turns out they're usually more in tune with their thoughts than anyone else!

Steve Weissman, The Info Gov Guy™||Principal Consultant, Holly Group•Co-Founder, Information Coalition|Member, AIIM Company of Fellows

Rate this blog entry:

Malware attacking your computer

If you input in your browser, that may redirect you to a strange page. You will see something that looks like a Facebook page. It features a YouTube video and may display extra URL: The address varies from case to case.

Do not click the video. Clicking the link launches the installation of a critical virus. It may affect Facebook and overall computer settings.

If you still proceed with the above dialogue, the page will invite you to download some freeware. It may call it VideoCovertor. The naming does not correspond to the item actually available.If you go that far, do not download anything. The download contains a virus. Leave the tricky page and restart your browser. Apply free scan solution, preferably the one available herewith.

Startgo123 is a browser hijacker. It affects a range of browser adjustments. On the surface, you will experience redirects to annoying ads; your new tab, default search, and similar preferences willchange as ordered by the malicious invader.

IT security has notified the Internet community of this risk. However, it tends to ignore the viral background ofthe adware.Unlike most of the advertising apps, Startgo123 does not just generate web-traffic. The above facebook example indicates the rogue may drop a critical malware. Removal of Startgo123 hijacker is thus a matter of overall system security.

The infection harnesses a range of routines to get into target computers. The most common infection vector resorts to a bundled download scheme.The latter implies the victims download something attractive from the web. For instance, you may want to download a video converter. There are hundreds of options, most of them free. There's no such thing as a free lunch. As you grab warez or freeware or such like free unverified contents, beware of the concealed items attached to the target. That is to say, a free video converter installation includes the adware introduction without adequate notification of the user concerned.

The bundling infiltration prevails but does not exclude other options. In general, poor security performance, failure to update software enable alternate infecting scenarios.

Adware like the one described above is nasty but not as dangerous as the Crypt0L0cker virus. It is a file encrypting ransomware that locks all your data and demands ransomware payment to decrypt it. It uses very strong encryption techniques and cannot be decrypted. Only hackers who have the private decryption key may unlock your files. To stay safe and you should make regular backups of your files and system

Rate this blog entry:

Information Quality: One Goal, Two Meanings

England and America are two countries separated by the same language – George Bernard Shaw

In the same way, businesspeople and ITers often are separated by a single phrase: "information quality."

Both cite it as a prime information governance objective, but when you get right down to it, they don't always use it to mean the same thing.

For the business set, "quality" is typically defined in terms of accuracy – as in, is the data before me factually correct?

For the technology-minded, "quality" is generally defined in terms of integrity – as in, is the data I'm working with secure and unaltered?

The distinction here may seem subtle, but it's actually quite critical because it's entirely possible – and often extant – to have well-protected information that is just flat-out wrong.

Case in point: a machine shop fabricates 2-inch pipes per a carefully-managed internal work order, but the construction crew later discovers the original contractor-created design called for 2-inch tubes (the difference being inside vs. outside diameter). At that point, the difference between "accuracy" and "integrity" becomes stark indeed as the parts simply won't fit and the crew has to stand around, awaiting instructions.

So the question is: what does "information quality" mean to you, and does it mean the same thing to anyone else in your organization?

Rate this blog entry:

Fax & InfoGov: An Older Medium at Large

I went back to the Major National Bank yesterday to complete some parents'-estate-related account-opening tasks, and couldn't believe the gal helping me was told by some back-office document people to send a specifically-worded note to them – not by email but by fax.

The surprise wasn't that the bank still relies on this older medium from time to time – I've been writing about this for quite a long while (see this post from 2012, and this one from earlier this year). Rather, I was stunned to learn that the bank requires fax for some of its internal communications.

You would think that email would be the preferred medium to use in such a case given the end-to-end control the bank has over its infrastructure and the protection thereof. OK, maybe the faxing takes place over an internal VoIP connection and is similarly well secured. Why then give up the down-the-road process efficiencies associated with a "born digital" document?

I don't have a good answer for this, and the people yesterday were neither the right people to ask about it nor paying clients, so I simply went along. And in the end, the process worked, and I got done what I needed to do.

But I can't help but think this accomplishment was achieved in spite of some of the information governance decisions the bank made, not because of them.

What say you?

Rate this blog entry:

Rock, Paper, Scissors – IG Style

In the world of information governance:

  • People … defeat Policies
  • Policies … defeat Litigation
  • Litigation … defeats People

And you can quote me on that!

Rate this blog entry:

Understanding The Information Strategist

Understanding The Information Strategist
The world of associations and groups that serve the enterprise information sector currently looks something like this:

Each association and group has a body of knowledge and a specific profession, that leverages enterprise information, and focuses on that specific profession (e.g. Records Managers are served by ARMA, ECM is served by AIIM, Privacy Professionals by IAPP, etc.). The Information Coalition serves a gap in this structure that isn't quite visible in our typical understanding of associations and groups, let me show it to you...

You can find the gap with me by asking some very simple questions:

  • Which group sets organizational policy?
  • Which group is "in charge" of information?
  • Who coordinates between the various roles?

Who is it that does that cross functional work that aligns enterprise information policy and structure across disciplines? In some companies it's the CIO, in others it's the CTO, in many others (I daresay most), it's no one at all. There's the huge gap. We call the people that fill that gap, whatever their official title, an information strategist.

It's the information strategist, and the people that are de facto Information Strategists, that the Information Coalition serves, and we believe that the real picture of where things are going is something akin to this:

We believe that the information strategist's role is incredibly challenging and incredibly important, whatever their official title may be (CIO, CTO, CIGO, Information Manager, Records Manager, Privacy Director, etc.).

The deep knowledge of the associations and groups that cover our broad sector should be cherished and honored; but let's be clear - we aren't that. The information strategist needs to have knowledge across disciplines, a bit of everything. The information strategist needs to have knowledge about how to align the various disciplines. This is where we serve and it shows in how we operate.

What many don't know is that we invite as many of the groups you see above to speak, present, and display at The Information Governance Conference. A few have taken us up on that offer (ARMA has in the past, the ICRM board has joined us, and IAPP and the PDF Association will be joining us this year).

Unfortunately, some have decided to not take us up on our offer, viewing us instead as competition. We'd like to clear the air and help everyone better understand our positioning, so that we can all move forward, together, and help our various professions advance, together. Consider this an open and public call to any and all of the aforementioned groups (and any we might have missed) to come and join us this year. We are paying for the costs of their registration and their tables (which we are charged for by the convention center) ourselves, that's how deep our commitment to this cross-functional work is.

As for the Information Coalition, we're continuing to gain momentum and are growing at a breakneck pace, not because we are fighting against the disciplinary focused associations. We're growing because we are enhancing their offerings, providing guidance on how to move from the tactical roles of a specific discipline into the broad role of an information strategist. If you're seeing your role shift towards the role of an "information strategist", join us, our basic membership is free (and we're committed to your success) and ALSO join the association that serves your specific domain of knowledge, we all have a role to play in the future of our professions.

Rate this blog entry:

Cyber Crime: Investigating Bitcoin Transactions

First of all, this article assumes the reader has a basic understanding of the innovative technology called blockchain (​Editor's Note: If you do not, check out this article from O'Reilly, "Understanding the Blockchain"). You just need to realize the blockchain is a sequence of data records maintained as a distributed database. It is a peer-to-peer system. Nobody has exclusive permission to add or remove records thereto, yet anybody can do that. Any entries must satisfy strict rules. It is a public, open-access list of data blocks. However, it is not available for revision and tampering.

The technology is capable of accommodating a number of inventions. Bitcoin is but a first breakthrough. One can compare it to the beginning of the world wide web era. For the time being, any of the search providers, social networks, accommodation and travel websites had not yet developed a worldwide recognized business. Would anyone expect Google to become a global corporation with a budget exceeding that of many world's countries?

The blockchain today makes its first steps like the web 30 years ago. Public opinion tends to associate it with Bitcoin while sees the latter as a nursery for a black hat hacker's transactions. True, before we unleash the white power of the chain, its black power needs to be oppressed. Given the current development of cyber technology, the law enforcement and businesses enjoy a unique opportunity to explore the blockchain. It is a fast, safe and stable financial tool.

Meanwhile, the cryptocurrency poses a range of challenges to the public security, for example when dealing with ransomware. To start with, a Bitcoin wallet does not necessarily refer to a particular person. Any kinds of virtual money are hard to trace back to a specific person or company. International law enforcement agencies follow quite different regulations in tracking virtual currencies.

Again, these are the issues inherent in any online transactions. On the other hand, the blockchain features a number of exclusive benefits in terms of public disclosure, stability and traceability.

The first one is really stunning for a newbie. It may dramatically change public opinion regarding the subject matter.

Rumors have it the Bitcoin ensures complete anonymity of the parties. That is not quite true. Anybody using Bitcoin must have a unique address. In case it is possible to link that address to a specific person, you are able to track down and all the transactions in which that person has taken part utilizing that address.

A Bitcoin user may try all sorts of tricks to cheat the system and remain anonymous. For such cases, a number of counter-measures are available. But blockchain provides a more sophisticated option for the crime investigators. Investigating Bitcoin transactions differs greatly from the old-school online transactions.

The exchanged Bitcoin data remains intact as long the blockchain exists. In other words, the data logs are always available. It can be used at any time any case filed to the Court may reasonably need it. The design of the public ledger implies its data, once deposited, is to be retained forever.

Quite in contrary, using traditional bank accounts and switching providers from different countries the cyber criminals manage to bewilder the law enforcement. The investigators often apply enormous effort to find to the final mediator and eventually put their hands on the hacker's keyboard. When they are about to reach the target, it escapes as the finance institution just does not retain the records long enough.

Third party issues. In the case of online bank transactions, there is a concept of a Third Party Doctrine. It basically declares that, once you have exposed your data to your bank or similar entity, you are aware of the risk that other parties may reach it. It is the above doctrine that the authorities use to obtain logs relevant to the suspect's cell phone or account number without going through the complex system for obtaining relevant permits.

The doctrine still requires the law enforcement to get a subpoena. Besides, the court, governmental, public, and research bodies keep on discussing the viability of the doctrine.

If you need to trace a blockchain transaction, it remains forever and is available to anyone. Any search warrants or subpoena do not apply as such.

The bitcoin knows no borders. Indeed, cybercrimes committed overseas are harder to investigate. With traditional online currencies, one would need to go through a troublesome MLAT (Mutual Legal Assistance Treaty) routine to get the foreign authority to assist you in the investigation by disclosing the data available within their jurisdiction. Bitcoin is beyond any governmental system. You can get the data whenever you reside. All you need is an Internet connection.

Rate this blog entry:

Meet Zepto, a new ransom Trojan in the Locky family

Enter yourIt has been a month since a tangible decline in the spreading of the Locky ransomware occurred. Back then, experts discovered that a supporting botnet stopped functioning, which explains why the number of infection incidents dropped dramatically. The comeback of both the botnet and the crypto malware in question, therefore, isn't accidental. The new iteration reportedly uses the same data encryption technique but differs from the forerunner in several ways.

First off, the ransomware now appends the .zepto extension to files instead of the previous .locky one. Secondly, the names of files holding the ransom instructions have altered, with the _HELP_instructions.html and _HELP_instructions.bmp combo being dropped on victims' machines. The format of tweaked filenames proper underwent a modification as well. While the preceding variant replaced the names with uninterrupted strings consisting of victim ID and 16 hexadecimal characters, the new one uses five blocks of symbols separated by hyphens.

The distribution of the Zepto version rests upon large volumes of spam. By leveraging the automated botnet, the ransomware operators are able to generate thousands of contagious messages sent to potential victims around the globe. These are emails pretending to be tax reports, invoices or CVs. The attached ZIP or Microsoft Office files are programmed to execute Zepto as soon as the users open them.

The infection encourages victims to visit the Locky Decrypter Page, which contains tips on how to purchase Bitcoins and a Bitcoin address to send the ransom of 0.5 BTC. After the payment has been confirmed, the service will allegedly provide a link to download the decrypt solution. Just like in the average ransomware breach scenario, paying up is the last resort. Before doing so, users should try to recover their data using an alternative methodology based on forensic tools and the built-in Windows backup features.

Rate this blog entry:

For ECM Solutions it’s Configuration versus Customization

For years I've been in discussions where the conversation bounced between "build" versus "buy: decisions for a ECM (Enterprise Content Management). Before 2000, managing any large collection of documents, either to a specific business case or all documents, meant building your own document management system or buying an existing document management system. Over the years, the conversation has moved away from the generic managing a large collection of documents to managing specific types of document collections; accounting, compliance, legal, personnel, etc. Some vendors still want to talk about build versus buy.

I think we can all agree that building an ECM platform from scratch, with all the proprietary and open-source solutions out there, is a wasted effort. Solving content problems has become about the "last mile." It's not "Build versus Buy" but "Configuration versus Customization."

ECM Is a Platform

So let's start by looking at two definitions from Gartner:

A solution is an implementation of people, processes, information and technologies in a distinct system to support a set of business or technical capabilities that solve one or more business problems.Enterprise content management (ECM) is used to create, store, distribute, discover, archive and manage unstructured content (such as scanned documents, email, reports, medical images and office documents), and ultimately analyze usage to enable organizations to deliver relevant content to users where and when they need it.

For years, I have seen end customers looking to manage specific business documents. It was IT that recognized they needed to solve these separate business problems with a single platform. This created the IT goal for a single ECM a platform. Without visibility of existing business solutions, IT usually won the decision. Today, business solutions and their capabilities are becoming more visible.

Now let's look at how far we get after spending $100,000 on an ECM platform or a business solution to solve a specific business problem.

Customization (The ECM Platform Story)

Suppose you've spent your $100k on an ECM platform. Now it's time to get started building your solution. The versatility of most platforms means that the options are endless. You can manage large complex problems like managing new drug submissions to managing employees' personnel documents.

Without a preconfigured solution, the discovery is up to the deployment team. The solution needs to have roles created, document type defined, document keyword identified, and workflows need to be created. Ahead are weeks to months of discovery to define your solution.

The Software to Services ratio or Services vs. Solutions ratio comes to play. This ratio states that for every $1 a customer spends on software they will spend an exponential value of dollars to get the solution they need. In the early days of ECM/ EDMS, this ratio was roughly $6 to $8 in services for every $1. Today, vendors are trying to get to $1 to $1. In reality, most deployments are between $4 and $2 in services for every $1 in software.

Even this number gets skewed if the focus is on rate cards rather than skill sets. Cheaper rates aren't always better. The service dollars used in the comparison needs to look at the team's experience in both the platform being used and the solution being developed. Finding someone that understands both the technology and the business problem is worth the potentially higher hourly rates.

Configuration (The Business Solution Story)

Now suppose you've spent your $100k on a business solution. Now it's time to configure your solution. The solution is already focused on the specific business platforms. The most common roles, document type, keyword, and workflows have already been identified and created based on best practices from several other customers. Your specific deployment may need some configuration but most of these solutions are ready for this.

These configurable or low-code solutions get much closer to a $1 to $1 services vs. solutions ratio. The services team already understands not only the technology but the business problem as well. The consultant joins your configuration workshops not only understanding what the different configurations are but often what those changes will mean to the business.

The real challenge here is making sure that the configurable solution is really configurable. That a solution already exists and that's it's not just a collection of "best practices from prior engagements." An early stage strawman proof of concept should be an easy effort with a configurable solution.

The New Content Solution Reality

With a little digging, customers looking to manage business problems can find solutions that are already to meet those business challenges. A few of these options come from ECM platform vendors themselves. Some others come from the ECM vendor's partners. Many more solutions come from the business user ecosystems. For instance, here's what I found in Legal Contract Management. The decisions to solving content challenges can include less custom code and more configuration.

In the long run, I believe that the business solutions vendors and ECM platforms will come together through partnerships and mergers. Just look at Records Management and Imaging Solutions which were once separate solutions and are now part of the ECM platform. Or look at Oracle, which offers both a relational database to solve any data problem and specific business solutions like E Business Suite or PeopleSoft.


Marko Sillanpaa

Rate this blog entry:

3 Truths to Work With (or Against) When You Have to Change Minds

If you've been paying any attention to my posts, columns, and presentations, then you know just how important I believe – nay, I know – managing change is to the success of any information venture. So it won't surprise you to learn that I resonated like a tuning fork to a few of the concepts published yesterday in Fast Company that had nothing overtly to do with information governance.

1. "Many people form their opinions, at least in part, based on whether they think others share those opinions."

The need to "fit in" is hardwired into the human psyche, no doubt because, millennia ago, being outcast from your tribe likely meant your early demise. Today, the risks usually are much less dire, but the instinct to conform persists nonetheless. (Watch this social experiment for a light-hearted look.)

This reflex reaction can be harnessed to your advantage by gathering together like-minded individuals and utilizing that old sales technique in which you ask questions to which you know the answer will be "yes": "Don't you want to be able to find information faster than you do now? Don't you want access to the information you need regardless of which system it lives in? Don't you want to use a technology that lets you work the way you always have?" Properly orchestrated, people's opinions will become self-reinforcing in the direction you desire, and the first part of the battle will be won.

2. "The more frequently you encounter a piece of information, the more favorably disposed you are toward it."

Long substantiated by professional political panderers, this particular principle maps precisely to my time-honored catchphrase "change management = marketing" because it's all about repeating your message, to all of your intended audiences, as often as you can get away with. (This is the underpinning of the marketing Rule of 7, which posits that people need to see a message at least seven times before they will consider taking action.)

In enterprise information terms, this means constantly and creatively promoting the tangible business benefits of the work you are doing (or wanting to do). It means repeatedly distilling those benefits into definitive answers to users' critical question, "what's in it for me?!" It means not talking about "SharePoint" even if that's what you're using, but referring to something more generic so as not to worry the technophobes in the crowd. And it means staying away from uneducated guesstimates like the one made famous in the 1983 movie Mr. Mom: "Yeah, 220, 221. Whatever it takes."

3. "Thanks to handy 'unfollow' and 'mute' buttons, we get to choose what bits of information to attend to."

This may be the toughest nut to crack because we can't control what information people choose to actively filter out. Someone who really doesn't want to accept your new way of organizing information, engaging in a business process, or participating in some other data-based activity will simply delete your emails, block your social media memos, or ignore you at the water cooler.

The trick is to couch your message of change in terms of some other communication that he or she may very well want to hear. Just as we wrap doggie medicine inside a yummy treat, so we need to embed our new best-practices in something alluring – perhaps an invitation to a company-sponsored special event (a ballgame, a show, a trip) that is open only to those who, say, tag/move/manage some significant percentage of their emails by a certain date.

At the end of the day, what you're after is an organization full of people who are receptive – or at least not openly hostile – to the changes you are trying to make. The good news is that human psychology in this regard is fairly well understood. The bad news is that it can be quite challenging to work with and work around. Hopefully the 3 Truths adapted here will help ease your way.

What other techniques have you used to change minds and behaviors in your organization? What worked? What didn't? Let's talk about it.

Steve Weissman | 617-383-4655
- The Info Gov Guy™
- Member, AIIM Company of Fellows
- Co-Founder,
Information Coalition
- Follow me on Twitter! @steveweissman

Rate this blog entry:
Recent Comments
Julie Hudak
Real change happens most effectively when people see the WIFM benefits and go through the change with someone holding their hands ... Read More
Thursday, 09 June 2016 20:19
Steve Weissman
You are so right, Julie! I'd even go as far as to suggest that focusing on the people aspect of change is not just a huge benefit ... Read More
Friday, 10 June 2016 13:52

Amazon Users Hit with Fake Emails Distributing Ransomware

Yet another ransomware strike focusing on Amazon customers was discovered last week utilizing a fake sender address. Funny enough, the attack has started just when the new study indicates that the majority of computer users are unaware of ransomware threats and how to handle them.

Security researches inform of phishing email messages which have been delivered to customers presumably originating from Amazon official website and the sender email looking like

Supposedly, you will not find any single word in the body of the message, just the subject line which reads: "Your order has dispatched." The elements that cuase the problems are the actually the attachments, that look like MS Word files.

At the time the files were examined, it was discovered there was no content inside, just macros. Email recipients are triggered to allow the the material inside the attachment and so the macro codes are executed.

In particular, the malicious payload happens to be the Locky ransomware, which targets and locks all types of user documents. The original data files are wiped and swapped over by the encrypted documents renamed and the .locky extension added. New encrypted files are all stored in the same folders just like the original documents. Needless to say, people are later requested to pay out the ransom to obtain their files back and recovered.

The new report from Kaspersky Lab, shows that 43% of computer users have no idea what ransomware is, in spite of its present-day excessive distribution. A comparable group of users (44%) stated they didn't realize what information or data may be damaged during a ransomware assault.

Furthermore, it's not a strong concern for tech-savvy population born after 2000. Only 13% of Millennials stated they were concerned about ransomware plague on the whole.

Additionally, a lot of respondents do not understand how to act during a ransom attack. The study discovered that 16% of North Americans believe unplugging the PC or turning off the smart phone might put an end to ransomware. And a tiny quantity actually hoping negotiating with the hacker is a good approach to eliminate the problem.

Rate this blog entry:

The Human Face of InfoGov

Solution marketeers and alarmist analysts love to flash the red lights of litigation support and audit compliance when making the case for information governance. But the problem with this is that neither of these reasons speak to the one Really Important Motive that lies at the end of the infogov path:

To better serve/enable/empower people, be they customers, prospects, employees, or other interested parties.

Cases in Point

This point was sadly and forcibly driven home to me in recent months as I cared for two terminally-ill family members. I've already touched on a couple of examples (see When Paper Is The Best Technology and Just the Fax, Ma'am), and here a couple more:

  • The funeral home that couldn't find the pre-paid paperwork and, after being provided with my carbon copy, defended itself by saying, "oh, that was done under the old owners." As if that justified the days-long halt they called to making the final arrangements.
  • The same funeral home that couldn't find another client's file folder and sent two staffers on an obvious office search, during which they loudly asked within earshot of everybody present, "has anyone seen the [family name] file?" Privacy? We don't need no stinking privacy.
  • The hospital ICU nurse who missed a critical bit of medical information because it was recorded on a piece of paper "that is a different size and color than I've ever seen before." Apparently reading is not fundamental.
  • The rehab facility whose blood-testing machine returned a result so far from normal that the technician thought the patient must be dying or dead – only to discover that he was exhibiting no symptoms at all. Couldn't be that there was something wrong with the machine, could it? Nah – better to rush the tube-fed, dialysis patient to the emergency room instead.

I could go on, but I won't for fear of offending more sensibilities than just my own. Suffice to say that these infogov-related incidents were painful for the family and disruptive to the institutions involved, which then had to spend time and effort addressing what went wrong.

Oh the Humanity!

I'd like to say that this story has a happy ending, that the funeral home, the hospital, the rehab facility learned their lesson, but they didn't. It's clear to me that the powers-that-be in each of these places – as is the case in so many – are more concerned with being right than with doing the right thing. The shame of it is that they could make some relatively small changes in their information-handling and make life better for both themselves and their constituents. But I'm sure they won't.

And that's a shame, because, to me, THAT is what infogov is really all about.

Steve Weissman | 617-383-4655
- The Info Gov Guy™
- Member, AIIM Company of Fellows
- Co-Founder,
Information Coalition
- Follow me on Twitter! @steveweissman

Rate this blog entry: