setting information free€¦ · are immediate, interactive, able to support multimedia and more...

IN ASSOCIATION WITH:

SETTING INFORMATION FREEH OW C LO U D - B A S E D C O L L A B O R AT I O N I S E R A D I C AT I N G DATA S I LO S

2 | SETTING INFORMATION FREE: HOW CLOUD-BASED COLLABORATION IS ERADICATING DATA SILOS COPYRIGHT © 2016 FORBES INSIGHTS

CONTENTS

Next-Generation Collaboration .................................................................................................... 3

Breaking Down Silos ........................................................................................................................ 3

Melding Agility and Governance ................................................................................................... 4

Case Studies in Security ................................................................................................................. 5

The Role of Controls ........................................................................................................................ 6

APIs and Ecosystems ...................................................................................................................... 7

Choosing a Provider ........................................................................................................................ 8

Conclusion: Enablement, not Command and Control .......................................................... 9

A Checklist for Secure Collaboration .......................................................................................... 9

Collaboration Continues to Evolve ............................................................................................10

Acknowledgments .........................................................................................................................10


Collaborative, information-sharing platforms are changing the ways people work. Consider a marketing team needing to develop visuals for a new campaign to engage customers with image-heavy websites, colorful printed brochures and attention-grabbing streaming video. The goal: create a distinctive look that will make the company’s key messages stand out from competing promotions.

A traditional approach would have the team uploading a flurry of file attachments to email messages. Team members would next have to sift through dozens of discrete documents and images, review each and bring their reactions to the next group meeting. The process is labor intensive, repetitive, subject to bottlenecks,

lacking in transparency and prone to error.

But collaboration built around cloud-hosted file-sharing platforms offers a modern alternative—creating work hubs that are immediate, interactive, able to support multimedia and more conducive to generating new ideas. Team members at all times can see the latest versions of working documents and files. Communications use natural language. Changes, additions and comments carry signatures so that team members can recognize contributions as well as discern mere suggestions from authori-tative directions. Workflows become clearer, the team can more clearly prioritize its efforts, and the process becomes more collaborative and organic.

It’s no secret that data silos are bad for business. When valuable corporate information stays locked within spreadsheets, emails, workgroup file servers and departmental databases, collabora-tion comes to a standstill. Meanwhile, data deemed too sensitive to risk sharing may not be shared at all.

Today, cross-functional teams are too often relegated to sharing files via whatever means necessary, which includes the thumb drive—an approach that actually increases the risk of data leaks. At the same time, working groups are continually plagued by versioning issues, often unable to tell where and when changes are being incorporated or whose file represents the most comprehensive, up-to-date information. Ad hoc approaches may get the job done—eventually. But questions still loom surround-ing data and process:

u Accuracy—how do we know our sources are providing the right data or the proper formulas?

u Timeliness—are these the latest versions using up-to-date data points?

u Consistency—are the data sources, tools and forms familiar, or do they vary with each iteration of any process?

u Security—is data protected throughout the process, or are there weak links in the chain?

u Efficiency—is there a way to limit bottlenecks and increase productivity?

For years, the organizational dream has been the balance between two broadly competing objectives: central control versus wide-ranging access. Here, the IT organization oversees the security and integrity of vital data, content and tools within central repositories while at the same time providing as-needed access to all authorized stakeholders. For most, complex legacy solutions and processes have kept this dream from becoming a reality.

That is, until recently. As the menu of technology tools prolifer-ated, a sort of democratization began taking place. Business units feeling the need for closer collaboration began taking action on their own. “Because end-users have a business need to share information, they’ll find ways to make that happen if their com-pany doesn’t provide the right tools,” says Rasmus Theede, chairman of the board for the Danish Council for Digital Security, an independent group of security experts that advises private companies and the government about cybersecurity risks.

Today’s cloud-based collaboration platforms are transforming the way enterprises secure, share and unlock the value of corporate information

BREAKING DOWN SILOS

NEXT-GENERATION COLLABORATION


For example, at global media giant News Corp, employees throughout its nine strategic business units were finding col-laboration difficult using the existing mix of internal applications. A key problem: data tended to be dispersed throughout the enterprise rather than being housed in a central location. So in the name of productivity, rather than waiting for a solution, employees began seeking out their own solutions. Independent of the central IT department, the workforce adopted a leading cloud-based file-sharing application that became the de facto standard for storing and distributing important files.

Such cloud-based, file-sharing platforms are quickly establishing themselves as must-have resources. Best-of-breed cloud-driven

information repositories provide a leap forward from rigid data silos, allowing corporate teams to more easily work together with data files, text documents, large graphics, video files and presentations.

Yet easy collaboration with less friction isn’t the only promise. In theory, when information grows organically, people are more motivated, creative and better able to interact within a natural exchange of ideas and data. When such a sandbox is not only easy to use but also conforms to essential governance practices, so much the better.

Data privacy and security risks are all too real. Understandably, IT departments and companies overall need reliable controls. But at the same time, end-users are under continuous pressure to improve processes and performance, and so they gravitate to the most effective tech tools available.

For these realities to coexist, more companies need to find a way to bridge the gap between an IT department’s need for control and an operating unit’s desire for agility. Any approach to incorporating cloud-based, enterprise-class file sharing and collaboration takes upfront planning and careful management. Almost invariably, such collaboration between IT and business units begins with clearer communication about the value of and means to data security and governance.

To arrive at the needed balance, progressive CIOs must adopt new roles to foster effective and secure collaboration. At Anheuser-Busch InBev, IT and security staff are cultivating close relationships with various line-of-business managers. “Security professionals [need to be seen] as a business enabler versus being seen as the police,” says Eric Hlutke, global IT security and compliance director. So in practice, IT security specialists need “to become a partner with the business. As IT security professionals, we’re constantly looking for ways to secure data and managing risk, while still enabling the business to move fast enough to stay ahead of competitors.”

Tim Banting, principal analyst for collaboration and communica-tion at IT consulting-focused Current Analysis, says this sort of challenge is widespread. According to Banting: “We’re seeing two big trends across all types of enterprises: the decentralization of the IT budget and the democratization of IT buying decisions.”

Primarily, continues Banting, this is a matter of bringing business managers up to speed about the risks of failing to meet essential governance needs. “Many businesspeople don’t fully understand the implications; too many people believe security is somebody else’s problem.” But in reality, everybody plays a role. “This is why having clear policies, employing technologies such as digital-rights management and having well-written employee contracts that spell out an individual’s responsibility are so important,” says Banting.

Successful CIOs are those who can become strategic advisors to senior executives and line-of-business managers. “A modern CIO will meet with these groups to say, ‘These are the file-sharing vendors we’ve assessed, and these are what we believe are the best solutions,’” Banting explains. “The CIOs will then work with business managers to decide on the single best option.”

To further address the democratization of buying decisions, the IT department must also regularly speak with both end-users and compliance executives, adds Banting. They should focus on the

MELDING AGILITY AND GOVERNANCE

“Because end-users have a business need to share information, they’ll find ways to make that happen if their company doesn’t provide the right tools.”

— Rasmus Theede Chairman of the Board, Danish Council for Digital Security


Trevor Moore is the CIO at a large university in the Middle East. Moore sees his job as providing tools that are both easy to use and able to conform to the organization’s fundamental data security needs. That’s meant contracting for an enterprise version of cloud-based sharing and collaboration solutions as well as the centralization of the associated data and information resources. According to Moore, “It’s now a data-driven world, where infor-mation is a strategic asset.” Cloud-based solutions, he continues, allow the university to securely share its data and related collaboration and information assets among students, faculty and researchers.

Kevin Cornish, chief information officer at the University of Califor-nia, Berkeley’s Haas School of Business, sees similar advantages with the security capabilities of the best file-sharing applications and emerging collaboration platforms. Cornish says that many of the students and faculty use their smartphones and public Wi-Fi when collaborating with peers and sharing information. In this instance, “[we] want to make sure that that transaction is protect-ed with end-to-end encryption rather than relying on everyone to go the extra step of logging into a [virtual] private network.”

Alternatively, the CIO could pursue capabilities that would distinguish between sensitive and non-sensitive information. But by automatically encrypting data without end-user intervention, all data is protected, even if intercepted or misdirected. “I don’t want to have to distinguish between data that isn’t sensitive and data that requires tight security and confidentiality,” Cornish explains. “I just want to make sure there’s a platform that serves that need broadly so I don’t have to worry about it.”

Executives at News Corp, where end-users led the push for cloud-based collaboration, eventually recognized that while

such a bottom-up approach might be operationally effective, it could not provide acceptable levels of information security and governance. So the company looked at the tools already in place but then evaluated a business-grade version of the same.

The results of the pilot test were enlightening. The business-grade solution clearly fostered intimate yet well-governed collabora-tion across departments and functions. It meanwhile enabled a more secure means of working with authorized partners and customers. The test also revealed new and compelling patterns of collaboration previously unnoticed by senior executives that could now be documented and shared throughout the enterprise.

Based on the successful pilot, the company rolled out the plat-form throughout the enterprise. According to Ross Piper, vice president of enterprise at Dropbox, “Cloud-based file-sharing [at News Corp] became the glue that brought people together across workgroups, applications and geographical locations.”

Now that the platform is widely deployed, News Corp’s IT department is seeing additional payoffs. The group has been able to consolidate the number of servers formerly dedicated as FTP sites for file storage and collaboration. In addition to reducing hardware costs and management overhead, the move strength-ens security and governance by eliminating data storehouses that aren’t under IT’s direct control.

Finally, at Permira, a London-based private equity firm, senior IT manager Carolyn Lees says governance processes identify “crown jewels,” her group’s parlance for data requiring the highest levels of protection. Her staff then works with end-users to aid compliance with internal data security and privacy

CASE STUDIES IN SECURITY

means of enabling collaboration in the context of governance policies and controls.

But thoroughly vetting security capabilities can be a challenge. Can the system distinguish among varying degrees of data

risk and access levels? Does the product have relevant data security and privacy certifications such as ISO 27001/27018 and SOC 1/2/3, and does it support compliance with industry-specific regulations such as HIPAA? Is data encrypted when traveling over networks?

“Many businesspeople don’t fully understand the implications; too many people believe security is somebody else’s problem.”

— Tim Banting Principal Analyst for Collaboration and Communication, Current Analysis


policies. On one hand, that means regular communications about policies, but Lees doesn’t stop there. “We also use stan-dard auditing tools to see what applications people are using, and through operational audits, we see how people are work-

ing,” she explains. “The end result is being able to find a solution that best meets the requirements for data governance, while also giving end-users practical access to information.”

It should be noted that cloud technology actually tends to enhance security. Companies, acting on their own, have limited resources. Moreover, their core business is not typically data security or privacy—those are sidelines. By comparison, for cloud providers, data security and privacy are core service attributes, meaning any breaches in security would be disastrous for reputation and sales.

Consequently, providers of cloud services enlist a full cadre of security expertise, commensurate with investments in a core service offering versus a mere compliance item. Moreover, these firms work with a wide range of clients and industries to gain greater insight into a broad spectrum of potential risks. The end result is a fuller set of leading-edge tools and best practices than any single company could hope to amass. Through sheer scale, the cloud tends to become a more secure environment than most businesses could muster on their own.

Still, individual companies must assess their own risk profiles. And traditionally, the approach to data privacy/security tends to feature a significant top-down element. Facing all manner of regulations, not to mention how a data breach might injure corporate reputation or customer loyalty, the enterprise first assesses its overall compliance needs and accompanying tolerance for risk. Fields such as healthcare, retail or the public

sector, says Max Aulakh, chief security architect at Mafazo Digital Solutions, are particularly highly regulated and at risk.

But an exclusively top-down approach is not always the most effective. In all fields, end-users face unrelenting pressure to improve processes and performance. At the same time, they have unprecedented direct access to tools that are generating breakthroughs in collaborative efficiency. So in many instances, such tools are being implemented “on the fly,” with or without direct IT approval.

Accepting this new reality, IT departments need to think more about enablement. That means working more closely with their end-users to identify the tools and processes that are actu-ally needed or in certain cases, already in use. Once these new workflows are understood, the IT department can develop an ecosystem of policies/controls/tools whose addition can bring current practice into compliance.

Regardless of the development approach, all collaborative tools must ultimately be configured to adequately comply with essential data security/privacy needs. Concludes Aulakh, “Once the regulatory aspects are approved by the [IT and] legal team, CEOs will become much more comfortable with the full collaboration approach you roll out.”

THE ROLE OF CONTROLS

“I don’t want to have to distinguish between data that isn’t sensitive and data that requires tight security and confidentiality. I just want to make sure there’s a platform that serves that need broadly so I don’t have to worry about it.”

— Kevin Cornish Chief Information Officer, University of California, Berkeley’s Haas School of Business

“Cloud-based file-sharing [at News Corp] became the glue that brought people together across workgroups, applications and geographical locations.”

— Ross Piper Vice President of Enterprise, Dropbox


Cloud collaboration and security are accelerated by the rapid development of both application programming interfaces (APIs) and collaborative ecosystems. The former are tools and proto-cols that aid in the development of secure yet flexible connec-tions within and without the enterprise. The latter are groups of firms who promote or benefit from closer cloud-based collabora-tion with producers including vendors, suppliers, logisticians and distributors, often forming within broad industry classifications.

APIs and the rise of ecosystems offer new flexibility and security controls to IT managers. Together, they give cloud file sharing a platform with programming hooks that partners can use to connect related services, such as enhanced security. “APIs are available so vendors can plug in security frameworks for data-loss protection, enterprise mobility management and other areas,” says Terri McClure, senior analyst with the Enterprise Strategy Group. “As a result, once the file gets into the ecosystem, it’s subjected to the rules that are in place throughout the company.”

Cloud-based file-sharing systems within an API-powered ecosys-tem have the potential to enhance security in a number of ways. Some third-party security applications enable biometrics for two-factor authentication. Others automatically connect users to a secure network tunnel whenever they open an application associated with sensitive information. With single sign-on (SSO) tools, once users are logged into the main corporate network, they can access any corporate application for which they’re

authorized, including enterprise-class file-sharing solutions. Similarly, if users move from their desktop to mobile devices, other types of security solutions can smoothly authenticate the additional hardware.

Another plus: ecosystems with an extensive catalog of APIs increase the chances that enterprises will be able to use the SSO, identity management and data-loss prevention solutions that are already in place. As a result, CIOs can integrate them within file-sharing platforms rather than running the security capabilities as standalone entities.

APIs also enable business users to take advantage of self-service IT capabilities. CIOs can allow end-users to choose desired appli-cations from pre-approved service catalogs—knowing in advance the applications can be securely integrated. It’s a consumer- centric approach similar to what people have become accus-tomed to in their personal lives when downloading apps for their smartphones. This gives IT managers the security controls required to meet corporate policies while end-users choose their preferred applications.

When all these considerations merge, enterprises see a long-awaited payoff: a comprehensive collaboration ecosystem that offers the ease of use that end-users will naturally gravitate to along with security controls that let CIOs, CISOs and compliance officers sleep better at night.

“Once the file gets into the ecosystem, it’s subjected to the rules that are in place throughout the company.”

— Terri McClure Senior Analyst, Enterprise Strategy Group

“Once the regulatory aspects are approved by the [IT and] legal team, CEOs will become much more comfortable with the full collaboration approach you roll out.”

— Max Aulakh Chief Security Architect, Mafazo Digital Solutions

APIS AND ECOSYSTEMS


All of the above means that competition among collaboration platforms is becoming less of a traditional features war (with vendors touting the latest bells and whistles). Instead, adoption is hinging on what happens behind the scenes, where winners are judged by three key criteria: security and compliance capa-bilities, how easy the cloud service is to use and the effectiveness of the underlying platform technology. Ironically, the last two areas are closely interrelated: the simpler and more attractive the platform is to use, the more sophisticated and complex it will be under the covers.

Key considerations include:

u Who is the vendor? CIOs say that applications managing something as important as corporate information require ad-ditional scrutiny. That includes investigating the reliability of potential vendors, their capital structure and ownership, how long they’ve been in business and their technology roadmap.

u How intuitive are the applications? Does it offer a user-friendly interface, or will time and money be needed for training before people can become productive with the soft-ware? “For me, it’s got to be super intuitive, which means that people who are not digital natives, but rather barely computer literate, can pick it up and immediately know how to use 80% of the functionality,” Cornish says.

Because adoption of cloud file-sharing solutions for personal use is so pervasive, enterprises must be sure any officially sanctioned application looks as easy to use by comparison. The so-called consumerization of IT will go a long way to benchmarking ease of use. Businesspeople are well-versed in state-of-the-art interfaces, thanks to mobile devices and apps that require little training.

u Can the applications meet our security needs? The Danish Council for Digital Security’s Theede says that a key means to promoting security and compliance is to create

security advisory boards. These should consist of a broad cross-section of people, ranging from business users and line-of-business managers to representatives from human relations, legal and the security departments. Such an approach, says Theede, “shows users that IT people won’t just issue orders from ivory towers.”

The key, says Theede, is to not use the advisory board to simply gather a list of end-user personal preferences. Rather, use the board to “gather actual business needs, which sometimes are very different from department to department,” Theede says. “Then select solutions that do the best job of serving these needs.”

u Will end-users embrace the applications? “Given how easy it is to download applications that offer the experiences that people expect, IT really needs to listen to its employee base to get buy-in for new applications,” says Enterprise Strategy Group’s McClure. “More people will use the solution when employees are part of the decision-making process.”

Failure to consider real-world usage can doom an application’s implementation. Dr. Dominic Thomas, co-director of the Center for Innovative Collaboration Leadership and an associate professor in the Sawyer Business School at Suffolk University, recently consulted for a company that was using a shared-drive service that was part of a business-productivity suite. The client was struggling to get users to adopt the new application. “When I talked with the users, they said the multistep process for adding one another to shared drives across departmental boundaries was too difficult,” Thomas says.

In contrast, “demonstrating the benefits of joining the corporate system will compel people to use it,” says Thomas. “This is espe-cially important for highly educated knowledge workers, who don’t typically respond well to command and control approaches.”

CHOOSING A PROVIDER

“Demonstrating the benefits of joining the corporate system will compel people to use it.”

— Dr. Dominic Thomas Co-Director, Center for Innovative Collaboration Leadership, and Associate Professor, Sawyer Business School at Suffolk University


In the end, the most effective selection and implemen-tation processes will be a collaboration between IT and the business units. Ironically, the best file-sharing and collaboration platforms are swaying some CIO attitudes about shadow IT—which refers to the increasing frequency by which business units begin downloading applications and contracting for cloud services without IT’s approval.

Shadow IT, once commonly derided by IT managers as a threat to their authority and security strategies, is now seen by many technologists as an opportunity. That’s because

some organizations see the phenomenon as a kind of continuous focus group that decision makers can monitor to see what new and leading-edge applications are gaining traction and require a closer look by IT. “Given how easy it is to get the shadow IT applications and the consumer-like experience that users expect, IT really needs to listen to its employee base,” McClure says. “That way, organizations get more buy-in from users, and as a result, they bring more data under management.”

CONCLUSION: ENABLEMENT, NOT COMMAND AND CONTROL

A CHECKLIST FOR SECURE COLLABORATION

Not all file-sharing and collaboration platforms offer equivalent security and compliance capabilities. Here’s what to do when it comes to enterprise-grade safeguards.

uStart With Platforms That Have Third-Party Validation Look for services that have been verified to meet widely accepted standards for security and privacy (such as ISO 27001 and ISO

27018), and that support compliance with regulations required for your industry (such as HIPAA for U.S. healthcare organizations).

uPick a Platform People Will Actually Use End-user adoption is essential for IT visibility and control. Pay attention to the platforms your end-users gravitate to, and determine

whether those platforms can enable enterprise-grade security.

uChoose a Provider Focused on Data Reliability Choose an enterprise-class service that takes robust measures to guard against data loss and make data highly available, such as

redundant storage in multiple geographic locations.

uEncrypt Your Data Make sure the cloud service uses strong, industry-standard encryption, such as 256-bit Advanced Encryption Standard (AES) for file

content “at rest” and Transport Layer Security (TLS) for data “in transit.”

uMake APIs Part of the Selection Criteria The best file-sharing solutions come with pre-built APIs for other important management and control functions, such as SSO, IDM

and SIEM products.

uImplement Access Management and Authentication Controls Single sign-on (SSO) and identity management (IDM) solutions ensure that business users can view only the files and applications

they’ve been authorized to access. In addition, close integration of SSO and IDM with Active Directory (or other directory systems) enables enterprises to automatically update access control rules.

uLink Security-Analytics and Data-Loss-Prevention Tools (DLP) to the File-Sharing Platform For example, before someone exposes a document with Social Security numbers or other designated data, DLP filters can notify the

security team or automatically block sharing, depending on preset policies.

uTest the Effectiveness of Administrative Controls In addition to giving IT and security managers the ability to secure the exchange of corporate data, these tools must work smoothly

with established practices and not impede data flows.


Forbes Insights and Dropbox would like to thank the following individuals for their time and expertise:

• MaxAulakh,Chief Security Architect, Mafazo Digital Solutions

• TimBanting, Principal Analyst for Collaboration and Communication at Current Analysis

• KevinCornish, Chief Information Officer, University of California, Berkeley’s Haas School of Business

• EricHlutke, Global IT Security and Compliance Director, Anheuser-Busch InBev

• CarolynLees,Senior IT Manager, Permira

• TerriMcClure, Senior Analyst, Enterprise Strategy Group

• TrevorMoore, CIO at a large university in the Middle East

• RossPiper, Vice President of Enterprise, Dropbox

• RasmusTheede,Chairman of the Board, Danish Council for Digital Security

• Dr.DominicThomas,Co-Director of the Center for Innovative Collaboration Leadership and an Associate Pro-

fessor in the Sawyer Business School at Suffolk University

ACKNOWLEDGMENTS

COLLABORATION CONTINUES TO EVOLVE

Innovation continues to disrupt many aspects of business life, and that now includes collaboration platforms. For example, leading-edge tools build on peer file sharing by creating virtual spaces where team members can gather to work on projects together and in real time. In the process, these platforms are changing how people perform their jobs and engage with their peers.

The attraction is clear. Rather than taking weeks or months to create the “final” version of a large project, these new platforms let team members brainstorm an idea, translate the vision into a clearly defined component within the larger project, and then validate the result to ensure that new element successfully serves the intended audience. Converts say this approach improves efficiency and helps teams more quickly roll out new initiatives.

The idea is catching on. “I’ve participated in a dozen meetings in the past month where real-time collaboration tools enabled people to work across organizational and geographic boundaries,” says Cornish of Berkeley’s Haas School of Business. “We’re [now] seeing outcome-focused collaborations pop up like mushrooms throughout our organization.”

“We’re [now] seeing outcome-focused collaborations pop up like mushrooms throughout our organization.”

— Kevin Cornish Chief Information Officer, University of California, Berkeley’s Haas School of Business

ABOUT FORBES INSIGHTSForbes Insights is the strategic research and thought leadership practice of Forbes Media, publisher of Forbes magazine and Forbes.com, whose combined media properties reach nearly 75 million business decision makers worldwide on a monthly basis. Taking advantage of a proprietary database of senior-level executives in the Forbes community, Forbes Insights conducts research on a host of topics of interest to C-level executives, senior marketing professionals, small business owners and those who aspire to positions of leadership, as well as providing deep insights into issues and trends surrounding wealth creation and wealth management.

499 Washington Blvd., Jersey City, NJ 07310 | 212.366.8890 | www.forbes.com/forbesinsights

FORBESINSIGHTS

BruceRogersChief Insights Officer

ErikaMaguireDirector of Programs

AndreaNishi,Project ManagerSaraChin,Project Manager

EDITORIAL

KasiaWandyczMoreno, Director HugoS.Moreno, DirectorDianneAthey, DesignerPeterGoldman, Designer

RESEARCH

RossGagnon, DirectorKimberlyKurata, Research Analyst

SALES

North AmericaBrianMcLeod, Commercial [email protected], ManagerWilliamThompson, Manager

EMEATiborFuchsel, Manager

APACSereneLee, Executive Director

setting information free€¦ · are immediate, interactive, able to support multimedia and more...

Documents