
Governance in the open source era

Third-party providers can't be used for storing and distributing certain corporate information.

By Muggie van Staden, CEO, Obsidian Systems.
Johannesburg, 25 Jun 2015

In the digital world, business is driven by data, with corporate governance providing the mechanisms and processes for the control and management of it. Given the prevalence of open source in the platforms used today, how are companies managing their fiduciary requirements while still giving employees the flexibility of working in a collaborative environment?

Regulation provides companies with strict guidelines on the kind of information they keep and how it is stored. The introduction of the Protection of Personal Information Act (POPI) also means certain things cannot be stored outside the borders of the country. But, as with all regulatory requirements, companies need to take a systemic approach to how they balance stakeholder expectations of openness with corporate requirements.

A big part of this is to ensure employees understand governance from an information perspective. They need to appreciate that while certain applications might be wonderful from a consumer perspective, they do not necessarily meet enterprise-level requirements for security and data safety.

Take the concept of file-sharing as an example.

People have become so used to applications like Dropbox, Google Drive, and Microsoft OneDrive, it has become almost second nature to share documents and images with family and friends. With the consumerisation of technology, there is a certain expectation that this open and collaborative approach to information is mimicked in the corporate environment. After all, is it not simpler to share a presentation with a customer or an agency using such a file-sharing platform than having to jump through countless (and onerous) security hoops?

Unfortunately, when using such a platform, the information is stored on the servers of the provider. While it might not seem a big deal to have party photos stored on a computer in the United States, different rules apply to corporate (and customer) data. Simply put, these third-party providers cannot be used for the storing and distribution of certain corporate information.

Defeating the purpose

Countless times, although companies might have the best high-end security environment money can buy, the rather counterproductive act of employees using Dropbox to save sensitive corporate data still occurs. The concept of file-sharing is a good one, but businesses need to start applying that mindset to creating in-house solutions. Decision-makers must give the IT department the functionality and control to establish an internal file-sharing methodology that meets governance requirements.

In the past, cloud computing initiatives have been great, but IT can quickly lose control of which employees do what activities on various platforms. The same thinking should apply to file-sharing and data storage.

As stated, employee education becomes an integral component of this new dispensation. Just as staff members receive security briefings and directives on cloud solutions, so too should they be made aware of compliant file-sharing solutions and good corporate governance practices when it comes to data on both the company side and the client side.

Hot water

The reality is non-compliance with POPI and the like can cause a company a lot of trouble. The financial costs could be significant, not to mention the reputational ones. If employees store data in the wrong place, it could have serious repercussions on governance. So, who is responsible for this? Is it the IT department, or perhaps HR? Unfortunately, there is no real answer to this. Companies need to decide internally and manage this information environment more effectively than they might have been doing in the past.

Another consideration is how open source data systems in Africa are growing in popularity, thanks to their cost efficiency and flexibility to integrate with older machines and infrastructure.

But, despite the convenience of these systems, they still need to meet compliance standards. Whether it is a public sector department or a private business, open source gives the customisability required to grow with changing infrastructure demands. Given how corporate governance also continually evolves to meet new market conditions, this gives technology teams the impetus to adapt to these new frameworks. As with file-sharing considerations, these open source data systems need to be integrated in such a way that there is no risk of leaking information, irrespective of the platform.

So, while the digital world presents business with opportunities to do virtually anything, there is a balance to be had between what is done in a consumer environment and what is allowed in a corporate one, from a legislative perspective. Decision-makers should evaluate their systems closely and have a balanced approach between what business needs to do and what IT can allow to happen.
