The Electronic Communications Compliance Council

Ask the Expert

A Q&A with Michael D. Osterman
Principal of Osterman Research

Q: Based on your research, what are the major issues facing companies in relation to electronic communications (email and IM)?

A: This varies by industry. For financial services firms (especially broker-dealers), a key issue is compliance, particularly SEC 17a-3 and 17a-4. Although email has traditionally been a key requirement for management in the context of financial services archiving, IM must also be archived as of June 2003. For public companies, a key concern is Sarbanes-Oxley, which is still relatively new and therefore subject to a great deal of change as cases make their way through the courts. Healthcare firms are particularly concerned about HIPAA, which is also relatively new. Any organization that handles consumer information needs to be focused on GLBA and SB1386, not to mention things like the UK Data Protection Act.

Across the board, however, storage management is a key problem for organizations of all sizes and in all industries. Message stores continue to grow at 30+% annually, attachments are used more, critical business information is stored in messaging systems, etc., so managing all of this is becoming increasingly problematic.

As for IM, the number of IM-related threats is increasing significantly and so organizations are starting to pay much more attention to managing IM. Most IM use in the workplace still consists of consumer-grade clients, which creates significant security problems in the context of viruses/worms/Trojan horses, namespace control and auditing/logging/archiving.

Q: How are companies dealing with those issues? What do you recommend companies do to deal with those issues?

A: Companies are increasingly looking at archiving solutions, although I think that long term the focus of archiving will shift to storage management instead of compliance. Because most organizations don't run the risk of having a regulator knock on their door for compliance violations, storage management will become a more compelling argument. I believe that vendors will start to market their archiving products more as storage management solutions, much as is the case in Europe.

IM management is being solved a) through the application of management tools that provide enterprise-grade functions on top of a consumer-grade infrastructure (e.g., products from FaceTime, IMlogic, Akonix, et al) or b) deployment of enterprise-grade systems (e.g., Microsoft LCS, Lotus Workplace, etc.).

Q: Are you seeing any trends with electronic communications policies? Do most companies have one and do you have any recommendations around policy best practices?

A: Not enough companies have electronic communications policies, although these will become the norm, I believe, within about three years. In terms of best practices, I would recommend that companies implement a policy based on advice from their legal counsel. Also, it's critical to implement outbound content scanning to prevent policy violations in outbound email. When a company conducts an audit of its outbound email, it will often find numerous policy violations, from employees sending out Social Security numbers to employees running private businesses out of their cubicles.
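The outbound content scanning recommended above, as an added Python sketch (not part of the interview or of TE3C's material): only mail leaving the organisation is inspected, and a message is held for review when it carries a plausible Social Security number. The internal domain list and the sample messages are constructed assumptions; the structural rules for issued SSNs are the published ones.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
INTERNAL_DOMAINS = {"example.com"}  # assumption: the company's own mail domains

# 3-2-4 digit groups with one consistent separator (\2 rejects "123-45 6789").
# Unseparated nine-digit runs are left alone: order/account numbers of that
# length are far more common in business mail than raw SSNs.
SSN_RE = re.compile(r"\b(\d{3})([- ])(\d{2})\2(\d{4})\b")

def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Issued SSNs never use area 000, 666 or 900-999, group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0

def find_ssns(text: str) -> list[str]:
    """Return plausible SSNs found in text, normalised to AAA-GG-SSSS."""
    return [f"{m[1]}-{m[3]}-{m[4]}" for m in SSN_RE.finditer(text)
            if is_plausible_ssn(m[1], m[3], m[4])]

@dataclass
class Verdict:
    action: str                                  # "deliver" or "quarantine"
    reasons: list[str] = field(default_factory=list)

def scan_outbound(msg: dict) -> Verdict:
    """Inspect only mail leaving the organisation; quarantine it for review
    when the subject or body carries a plausible SSN."""
    external = [r for r in msg["to"]
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if not external:
        return Verdict("deliver", ["all recipients internal"])
    hits = find_ssns(msg["subject"] + "\n" + msg["body"])
    if hits:
        return Verdict("quarantine",
                       [f"{len(hits)} SSN-like value(s) to {', '.join(external)}"])
    return Verdict("deliver")

# Constructed sample messages (not real data).
SAMPLES = [
    {"to": ["hr@example.com"], "subject": "new hire", "body": "SSN 123-45-6789"},
    {"to": ["broker@partner.test"], "subject": "client", "body": "SSN 123-45-6789"},
    {"to": ["vendor@partner.test"], "subject": "ref", "body": "ticket 666-12-3456, PO 987654321"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["to"], scan_outbound(m))
```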

Q: Who do you think should be ultimately accountable for compliance with electronic communications policy and implementation?

A: I think it has to be a combination of all major functions within an organization: HR, legal, marketing, senior management, finance, etc. IT should be the prime mover in making this happen, since they have to deploy the technology that enables compliance, but non-IT functions are really the drivers for compliance. I would recommend that companies implement an IT-led task force to focus on compliance that includes representatives from all the major functions within the company. This will enable buy-in to the policies instead of having them imposed by a CIO or IT manager without input from other departments.

Q: Are you seeing trends in IM usage? Is it increasing? Do you have any recommendations on how companies should manage IM usage with regard to compliance?

A: IM usage is definitely increasing. Right now, IM can be found in about 90% of organizations in North America and it's used by about 25% of email users. Most use is of consumer-oriented clients, which creates lots of problems, as noted above. Companies should focus seriously on IM, since consumer clients can bypass all of the firewalls and other defenses that companies deploy.

The first step is to conduct an audit by placing a sniffer on the network to determine how much IM traffic is really passing over the corporate network. The next step is to determine what you're going to do with IM: block it, allow it, allow it only at certain times, allow only certain clients to be used, etc. Next, it's important to deploy technology that will provide enterprise-grade security and other functions on top of the consumer-grade infrastructure or to deploy any of the many enterprise-grade systems in place. It's important not to just prevent IM use, since employees often start using it for business applications once it has been in place for a while.
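The audit-then-policy sequence described in this answer, as an added Python sketch that is not part of the interview or of TE3C's material: step one classifies sniffer flow records by the well-known default ports of the consumer IM protocols and reports IM's share of traffic and the hosts behind each client; step two applies one of the policy choices listed (block, allow, allow only at certain hours, allow only certain clients). The flow records are constructed, and the port-to-client map is the assumption the classification rests on.

```python
from __future__ import annotations
from collections import Counter, defaultdict
from datetime import datetime
# Default ports of the consumer IM protocols of the period (well-known values).
# Caveat: these clients can fall back to 80/443 when their port is blocked, so a
# port-only sniff undercounts; treat the audit result as a lower bound.
IM_PORTS = {5190: "AIM/ICQ", 1863: "MSN Messenger", 5050: "Yahoo Messenger", 5222: "XMPP"}

# Constructed flow records from a sniffer: (timestamp, source host, dest port, bytes).
SAMPLE_FLOWS = [
    ("2007-03-05T09:12:00", "10.0.0.12", 5190, 3200),
    ("2007-03-05T09:15:00", "10.0.0.12", 80, 51000),
    ("2007-03-05T12:30:00", "10.0.0.23", 1863, 1800),
    ("2007-03-05T13:05:00", "10.0.0.23", 1863, 2400),
    ("2007-03-05T18:40:00", "10.0.0.44", 5050, 900),
    ("2007-03-05T10:00:00", "10.0.0.44", 443, 12000),
    ("2007-03-05T11:20:00", "10.0.0.51", 5222, 1500),
]

def audit(flows) -> dict:
    """Step one: how much of the traffic is IM, which clients, and from which hosts."""
    by_client, hosts, total = Counter(), defaultdict(set), 0
    for _ts, src, dport, nbytes in flows:
        total += nbytes
        client = IM_PORTS.get(dport)
        if client:
            by_client[client] += nbytes
            hosts[client].add(src)
    return {
        "im_share": sum(by_client.values()) / total if total else 0.0,
        "bytes_by_client": dict(by_client),
        "hosts_by_client": {c: sorted(h) for c, h in hosts.items()},
    }

def decide(flow, allowed_clients: set[str], allowed_hours: tuple[int, int]) -> str:
    """Step two: one policy covering the options listed above. Non-IM traffic is
    out of scope; IM is allowed only for approved clients inside the given hours.
    allowed_clients=set() blocks all IM; allowed_hours=(0, 24) ignores the clock."""
    ts, _src, dport, _nbytes = flow
    client = IM_PORTS.get(dport)
    if client is None:
        return "out-of-scope"
    if client not in allowed_clients:
        return "block"
    start, end = allowed_hours
    return "allow" if start <= datetime.fromisoformat(ts).hour < end else "block"
if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
    for f in SAMPLE_FLOWS:
        print(f[1], f[2], decide(f, {"XMPP", "MSN Messenger"}, (9, 17)))
```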

Q: Where do you see electronic communications going in the future? Do you foresee growth in regulatory compliance rules? If so, how can companies prepare for this?

A: I think that electronic communications will morph into unified communications, where email, presence, VoIP, real-time collaboration and other functions will meld into a single communications architecture. This will take some time to occur, but will happen in a widespread way at some point during the next four years. I also believe that archiving will become more or less widespread by the end of 2008, focused more on storage management and knowledge management than compliance. I think that the growth in regulatory compliance rules will plateau to some extent, although courts' interpretations of Sarbanes-Oxley, HIPAA and the like will increase the clarity of these regulations and might lead to additional rules.


  Copyright © 2007 TE3C.ORG | The Electronic Communications Compliance Council