Red Teaming Your Information Governance Program

July 13th, 2017

George Despres, CRM
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

About Red Teaming

Have you deliberately challenged your own program plans and procedures recently? With a book on the topic, Bryce Hoffman defines red teaming as:

“a… way to stress-test strategies, flush out unseen threats and missed opportunities, and execute more successfully…. [by] making critical and contrarian thinking part of the planning process.”

Red teaming (RT), with origins in the military, involves thinking differently and more objectively about your program, looking under rocks, and grasping alternative views of the way things are. “Murder boarding,” or grilling an idea or presenter before actual product delivery, is a similar approach to cleaning up planning and execution. However, RT acts upon live environments, not just rehearsals. And while Six Sigma identifies errors and deviations in programs, RT goes beyond this by also surfacing alternative and novel ideas, observations, and ways for improving things.

Our mission is greatly challenged by the dynamics of info generation and by rapid changes to info environments. Faced with these challenges, it is easy to fall into real-time, project-to-project, status quo thinking without thoroughly questioning where we are and where we are going. Program successes can render us dangerously comfortable. Professional or departmental groupthink can likewise soften our ability to evolve in changing environments. We must beware subtle complacency by stopping and kicking the tires in order to harden our programs.

RT philosophy is familiar to the cyber security community, which employs penetration (pen) testing and white hat, self-hacking activities. However, RT has applications across the IG spectrum, beyond info security. The following focuses on applying RT to these other areas of IG.

 

The Psychology of It All, or the “I’m Objective” Fallacy

Drawing on decision psychology research, Hoffman outlines categories of bias and natural thinking frameworks that can impede our view of actual situations, including:

  • Confirmation bias, where we give greater credibility to info that supports what we already believe (think politics).
  • Anchoring bias, where an initial value or offer ($50,000) narrows the range of possibilities (think Shark Tank).
  • Automation bias, where we fail to question automated system output after relying on it–this threat increases in our data analytics world.
  • Outcome bias, where we assume a positive outcome resulted from the right decision rather than from luck and other factors.
  • Status quo bias, which shouldn’t need any explanation here.

There are other types of bias, and RT brings a rigor and detached analysis that helps us to overcome them.

 

Executing Red Team Lite, or Lean Red Teaming

How do we apply RT to our programs? The solutions depend upon our resources, and I’ll assume that most of us don’t have much. Hoffman notes a range of possibilities, from hiring consultant teams or RT facilitators, to dedicated executive or rotating teams, to ad hoc RT using bits of red team philosophy. Participant selection should balance the needs of impartiality with enterprise and industry savvy. While whole standing teams are ideal, I’d suggest that “RT lite” or “lean RT” may be more realistically employed with scant resources. This can be performed through devil’s advocacy.

Devil’s advocates have long been paired with RT exercises. In his book Originals, Adam Grant shows that effective devil’s advocates need to be legitimate and sincere in their assessment of, or opposition to, the status quo–they shouldn’t be phony role players. The good news: most of us are armed with legitimate devil’s advocacy. How? By using the pushback that our programs actually face from naysayers and outright opponents within our organizations. The pains in our behinds–our biggest detractors–are actually doing us a favor and feeding us RT ammo.

The following are pushback comments that I and some of my colleagues have actually been confronted with. You will recognize them. Think up some of your own and add them to the list.

  • Digital storage is cheap. We’re good.
  • Why should we invest so much money in e-discovery preparedness when our business only takes one or two cases to trial per year?
  • Big data can make all sorts of correlations that we can’t imagine today. We need to keep all of our data lake content to be able to harness its potential value. Data that looks useless now could be critical in the future and pay off big time. There’s a baby in the bathwater.
  • [Senior executive:] You can’t expect me not to use WhatsApp when I’m doing business on the road.
  • We have plenty of locked basement spaces on our corporate campus. Why do we need to pay more for offsite vendor storage?
  • So you’ve published the retention schedule. Is everyone really implementing its policies consistently?
  • [IT manager:] We don’t need your input on the new ERP system. This is a technology solution.
  • My department’s (generic) file share is much easier to use than the document management system, which I hate.
  • We have cyber security in place. Why should we worry about other info management functions? Sounds like a “nice to have” that we can’t afford.

Now, take some time with smart colleagues and respond to each of these with respect to your IG or RIM program. Capture your responses, state each problem, brainstorm alternative possibilities, and thoroughly review them with your group. Draw up and assign actions based on this review.

Hopefully, this serves as a modest starting point for you to apply more red team thought and approaches to your specific program. There’s further RT reading, such as Hoffman’s book (never met him) and http://redteamjournal.com/, that can help you to apply it in a more thorough manner if resources allow. At the very least, question your IG program, belief system, and biases often. This will reduce the possibility of getting blindsided. The passive perish and the complacent crumble.


The Power of the Record

March 18th, 2017


George Despres, CRM
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

After some recent gloom and doom posts about future challenges to the profession and fact denial and fake news, it’s probably time to take a slightly more glass half-full perspective of our job. People in our line of work can always use a boost. And there is power in the record that can be promoted more aggressively. This may be an exercise in preaching to the RM/IG choir, but here goes….

Records and Records Management Needs Are Everywhere

Records stories permeate the daily news: the recent front page-headlining gaffe at the Oscars awards was a good (bad?) old fashioned RM error. The wrong envelope was delivered to the presenters of the most important award in the program. Shock, confusion, embarrassment, and possible disciplinary action at PWC ensued. This was one of the few instances this year when a non-political (records!) incident upstaged politics in the headlines. Speaking of politics, the last U.S. presidential election–regardless of your party affiliation or non-affiliation–was affected by the status of records; email records, in private vs. official places, and by hacking and claims of hacking, all for a lack of the information management controls that we promote in our organizations. Records are front, center, and everywhere.

Two other recent headlines within a few weeks of each other caught my eye. In February, authorities built a DNA profile of a person of interest related to the slaying of a New York City woman running near her mother’s Massachusetts home last summer. That same month, DNA evidence from another victim’s fingernails led to the arrest of a man charged with murdering her as she ran near her parent’s home in New York last year. One only needs to watch a Forensic Files rerun to appreciate the impact of records on catching bad guys. Powerful stuff. But we in the profession (other than lawyers) may forget the impact of the record on criminal justice and forensics when focused on enterprise administrative records.

In our “Is not!” “Is, too!” times–what Robert Samuelson calls the “age of disbelief”–the power harvested from records takes on added viability. Facebook recently added “disputed” tags to bogus social media news that users flag, or that sniff test sites like snopes.com debunk. While Facebook’s move will be viewed by some as hyper-editorialized, anti-free speech material, our culture (at least in the West) is in desperate need of claiming the power and clarity of the record, probably more so than ever. These days enable us to take stock of our own importance as the profession of the record, to set things straight.

The individual can take solace in the record, to an extreme. Dale Carnegie wrote about how the record, precedent, and laws of probability have been used to combat humans’ greatest fears and worries. He relays the story of Frederick Mahlstedt, who became paralyzed by fear in a trench near Omaha Beach during World War II. With German bombers dropping payloads all around him each night, Mahlstedt became increasingly gripped by dread. By the fifth night, he realized he had to do something, psychologically, before losing his mind. So he reminded himself that five nights had passed, and that he and every man in his unit were still alive. He recovered to the extent that he eventually slept through some of the bombing raids. Similar observations have been made regarding the resolve of many British citizens during the Blitz in WWII. The “record” of survival equates with a sense of security among the most dangerous conditions. The record of not having died or been seriously injured among chaos fortifies human posture. Pretty powerful stuff.

The range of what records can be and how they can be used is powerful. A 59-year-old man was indicted after a house fire in Ohio last year. He was the homeowner. Though he claimed to have accomplished several frantic tasks during the blaze, investigators and a cardiologist showed that his pacemaker data told another story. While there’s also a Fifth Amendment discussion here, “pacemaker-data-as-record” doesn’t come to mind every day. And while pacemakers have been around for a while, a whole relatively new and future breed of IoT objects and wearables promises to proliferate records everywhere – more power. Amazon and Google home voice assistants, always listening by default, mean still more records and record implications.

Beyond the Walls of Our Profession

Records Management in partnership with Knowledge Management can be powerful across the organization. Five years ago, Luciana Duranti and Sherry Xie made this point and noted the absence of RM-KM relationships in the literature. There hasn’t been a notable change on this matter, as far as I can see. But harnessing the power of knowledge as record and getting intrinsic knowledge into record form should be in the interest of the records manager. We need to harvest a better and more thorough KM relationship.

More broadly, our profession, IMO, needs to integrate more and better than we have with other related and “nearby” disciplines, like KM. Each year, we have excellent conferences–ARMA, AIIM, MER–I’ve attended them all multiple times, and they can be counted on for great sessions, engaging vendor floors, insights, leading edge case studies, keynote inspiration, and collegiality. But at each of these conferences, our RM/IG visionaries are essentially preaching to the converted, as I pretty much am with this blog posting.

We need to break out of our professional ranks and communicate our message in spaces like KM, libraries, information ethics, and others, as we have done to an extent with info security, legal, and historical archives. For example, I’ll be presenting on The Principles (can I still say “GARP”?) and the ethical implications of info mismanagement at the Info Ethics Roundtable next month. That my RM session can come to an info ethics audience as a novel topic, somewhat out of the blue, is inexcusable. The power of the ethical implications of RM/IG must be promoted more. Likewise, in a prior talk, I was stunned by how unfamiliar my audience of academic librarians was with RM: among about 200 people, two hands went up in a sea of blank faces when I asked them if they were familiar with our discipline or knew of RM programs at their institutions. While preparing to post this, I came across an excellent piece by Gordy Hoke, similarly calling for more integration with legal and IT, whom we should already be in bed with.

We should seek forums, conferences, and publications outside of our profession in which to spread our mission and build partnerships under the big tent. I’m not suggesting that this isn’t happening at all, but rather that it isn’t happening enough, since most people outside of our profession still don’t seem to get us–including those who should, and those who could be valuable visibility partners. Rather than just crafting RM within our vertical industries, we should take RM out to the verticals. This doesn’t mean that we can’t still focus on our current jobs and institutions. Just a matter of upping our efforts. We have a genie in a bottle: the power of the record will never be fully realized until we manage to socialize it outside of our own ranks. We can be bigger than we are. We may envision this as a glass ceiling to the RM/IG purpose.

Let’s win one for the Gipper. Onward, upward, and outward.

 


Fact Denial and the Record Under Threat

December 21st, 2016


George Despres, CRM
Program Director for University Records Management, Brandeis University

(The content in this blog reflects the opinions of the author, and not of Brandeis University.)

As if we don’t have enough challenges controlling information today. Part of our culture, at least here in the U.S., has embraced the acceptance of non-truths and the repudiation of facts in the record. It has also embraced the pseudo-record and fake news. Most of us, at least in this profession, know that we need to question all sources of information. There are also healthy debates around interpretation of evidence, and this is a good thing. But when the dominant conversation becomes an impossible stalemate based on spin, then the output value of information is neutralized. If we can’t ascertain some facts in consensus, then the record is mute. While those in our profession should be equipped to identify and segregate responsible journalism and authentic records, we live in a bigger world.

This world is convoluted by noise from bogus, malicious, and third-rate sources. Cranks with nothing better to do (or looking for a buck) post and masquerade screeds based on very little information, often supported with doctored images. Holocaust- and moon landing-denial hopefully provide two clear and non-partisan examples. There are many others that I refrain from posting in the hope of keeping this conversation above board. This shady content, further encouraged as click-bait, is no longer limited to Star and Enquirer front pages at the grocery store check out. Its prevalence is unprecedented given the channels that feed it. Freedom of expression is a core Western value. But next thing you know, we’ll be chasing down Sasquatch, mystical unicorns, and space zombies in earnest.

The rise of anti-intellectualism in our culture also undermines our professional values. A revolt against the “fancy, book-larnin’ types,” who have admittedly failed miserably in seeing and appreciating the big cultural picture recently, suggests that one doesn’t need to consult authentic records and record sources when gut feelings and “what cousin Joe said” will do. Real intellect and knowledge are derived from a true, authoritative record base. And they are in tough times.

Journalist Charles Taylor recently made the distinction between not knowing and not wanting to know. Initially stating that we can’t blame people for the former, as an educator, he rethinks this contention. Why? Because:

“Too many students [are] unaware of anything before they were born: creative-writing students who have never heard of Edith Wharton or Ralph Ellison; journalism students who can’t identify the attorney general; students who don’t know what the NAACP or the Geneva Convention are. A teacher’s job is to teach, not shame. But how do you teach when, even when they reach college, students are not expected to have basic knowledge of our history, our culture, our government?”

Our Principle of Integrity – “An information governance program will be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability” –  is threatened at the societal level by the fake news and fact denial phenomenon. Both fake news and purportedly fake news have also been so highly politicized on both sides of the spectrum that consensus as to the real record in these cases seems hopelessly mired in partisanship. In other words, if you look at something hard and long enough, you just might see what you want to see.

One can argue that the Principle of Integrity covers organizational records and not society’s. But what prevents a society that embraces such confusion and fact rejection from filtering into the organizational culture? And how do we as keepers of the record foster and champion fact integrity in our broader culture? Do we take a position on this issue as a profession? Or is that not our concern? I think that we should care about this.

Happy holiday and New Year wishes to my friends and colleagues.

 

