OK, we all know e-mail can be an incredible compliance hassle. As IT Business Edge's Lora Bentley wrote about a month ago, employees can thwart e-mail management and retention policies, either through willful disregard or (as in the case cited in her post) simple misunderstanding.
Web 2.0 technologies in the workplace will be even worse, right? I think that's the perception, based on surveys like this one from last year in which 76 percent of companies cited security concerns as a barrier to Web 2.0 adoption.
But does perception match up with reality? (Writing that takes me back to my college philosophy class.) Maybe not.
On CIO Insight, Brian Watson shares some snippets of an interview with Andrew McAfee, the smart Harvard professor who coined the term "Enterprise 2.0" and just wrote a book with that phrase as its title. Based on his conversation with the CIO of an investment bank, McAfee thinks such technologies may actually aid compliance efforts. He told Watson:
He said all these Web 2.0 technologies were his best defense, because all the contributions to them are very widely visible, essentially public, and attributed back to the people that made them. That means that the instant there's any flavor of infraction, the community will help him figure out what happened, how bad it is, who did it, and then he can show any regulator or authority when the problem occurred, when his company became aware of it, what action it took and how quickly it was removed.
In contrast, said McAfee, infractions are more easily hidden in e-mail because it's an essentially private channel. I seemed to remember writing about a similar point made by McAfee and was able to track it down in the IT Business Edge archives.
In a blog post from early 2007, McAfee suggested companies spent too much time fretting about the risks of blogs and wikis when widely accepted tools like e-mail were far riskier. Problematic behaviors like disclosure of company secrets, sexually suggestive or other unacceptable remarks and lost productivity were more likely to occur in private forums rather than public ones, he pointed out.
IT Business Edge blogger Ralph DeFrangesco asked a related question in late 2008: Are security concerns and regulations stifling innovation? What companies need, he wrote, is "a balance of innovation, regulation, risks and costs." Federal CIO Vivek Kundra, speaking to a Senate panel last week, said cumbersome compliance processes are hurting, rather than helping, government agencies' efforts to improve cyber security. Interesting.
The ostensible purpose of most compliance requirements is to add transparency to business processes in an effort to prevent abuses. Could more open communications channels help?