Uncovering Hidden Risks 7.27.22
Ep 2 | 7.27.22

3 Ways to Prepare for the Future of Data Governance and Collaboration


Erica Toelle: Hello, and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft, where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview Team. And now let's get into this week's episode.

Erica Toelle: Welcome to "Uncovering Hidden Risks," a podcast to examine the end-to-end data governance story across an entire organization, including people, places, processes and products. The risk landscape for organizations has changed significantly in the past few years. Traditional ways of identifying and mitigating risks simply do not work. In the past, organizations have focused on external threats, but risks from within the organization are just as prevalent and harmful. Today's episode focuses on one of our favorite topics - empowering end users to do more through collaboration technology. First, let's welcome today's guest host, Chris McNulty. 

Chris McNulty: Well, thanks, Erica. Hi, folks. My name is Chris McNulty. So at Microsoft, I'm the director of product marketing for a next-generation content services team. And so that is a broad range of solutions that's inclusive of technologies like SharePoint and Stream and OneDrive and Syntex, all of which come together to address organizations' need to do more with their content. And as Microsoft 365 has grown and as the needs of organization to bring more and more business-critical content at the core of their operations expressed through Microsoft 365, obviously, governance becomes critical to that, allowing people to have confidence in the platform and to make sure that everything that they're putting in is being governed appropriately, whether it's for things like retention or information security, DLP, all the rest, all the requirements for having a mature set of business experiences around that content. So information governance is something that's been near and dear to my heart for many, many years, going back prior to my days at Microsoft, as you well know, Erica. You know, governance is often expressed as, you know, the balance between runaway usage and users running away and being able to have those clear patterns and practices around, what are the business outcomes we're trying to achieve, and how do we get there? So love being able to come on and support you on today's topic. 

Erica Toelle: Perfect. Thanks, Chris. I think you're the perfect host for today's topic. So there's a couple interesting things I think we could cover today. So as an example, it seems like there used to be this kind of separation between collaboration and data governance, and that's been eroding lately, and they're kind of becoming the same thing. So in your opinion, what are some of the impacts of this change? 

Chris McNulty: Sure. If, you know, you go back to, you know, the history of having systems of engagement and systems of record, which meant that you could get all this tremendous productivity happening around environments like SharePoint and all of these information silos where you had mission-critical content that people never may have engaged with in the ordinary course of work, that kind of reduces the value because if there's information I need and it's harder to get to, then I may not get the information I need. And so I think as the industry as a whole and as Microsoft in particular is evolving to supporting that higher level of criticality, how do we enrich people's everyday experience with that mission-critical content to establish those business goals, which are so important and the justification for why we have information governance in the first place? So I think that blending is really a good thing because it means we're going to bring some of the rigor and structure and patterns from traditional ECM into the collaboration realm. And likewise, we're going to bring more interactivity into those traditional records management sorts of behavior. So I think it's a win-win, but it definitely comes with some other changes that we should be mindful of. 

Erica Toelle: Perfect. I think you've done a great job outlining some topics we can cover in today's episode. With that, let's introduce today's guest. Jeff Teper is a corporate vice president at Microsoft who leads design, product and engineering for Microsoft's content creation and collaboration tools. These tools empower over 1 billion people at work, school and home to achieve more. His team is responsible for Microsoft Teams, OneDrive and SharePoint. We look forward to hearing his thoughts on data governance. Thanks, Jeff, for joining us. 

Jeff Teper: Thanks, Erica. It's great to be here. Jeff Teper - I lead the teams focused on collaboration, Teams, OneDrive and SharePoint, as well as our metaverse work. 

Erica Toelle: Perfect. So maybe a great first question for you is, how do you define data governance? Some people define it as an end-to-end solution to help protect data, manage risks, maybe something to do with regulatory requirements. But how do you define data governance? 

Jeff Teper: Yeah, I think it's a holistic approach that - companies' information that spans the rules and guidelines, the technology, the processes and, most importantly but sometimes forgotten, culture. And it's well worth every organization writing down its governance strategy. It's - is a function of multiple things. What's the regulatory environment that it's part of? What is the approach to risk and confidentiality of information, whether it's about products or people-related issues? And then stewardship of information for archival retrieval, e-discovery. So I think you need to take a very holistic approach with the requirements coming from both outside and inside the organization and focus not just on technology but also culture and process. 

Chris McNulty: You know, it's interesting - like, when I talk to customers, one of the things that they think a lot about in the governance realm is the business outcomes that they're trying to drive. And sometimes, that gets also into the application space. Like, which applications are - should be used to achieve which purposes based on, you know, not just the security profile but its innate characteristics? So I was just wondering, what are some of the things that you've heard from customers in the space that are top of mind for them? 

Jeff Teper: It's a wide variety of things that - I think, Chris, you really hit the nail on the head - is that you first got to start with the business requirements. Clearly, one for a big set of customers is complying with regulations, and there's a growing set of regulations. They could be financial. You know, what are your - what's required for you in disclosure in the financial markets? They could be environmental, you know, if you're manufacturing things. They could be things around markets and competition. They could be things around privacy. And so I think, you know, a big focus where a lot of customers focus first is complying with the law and managing the risks of the organization. And that's the first part. But there's also other outcomes around protecting the confidentiality of information inside the organization where it's less of an external pressure. But if you're a chemical company and you're developing a new chemical compound or a pharmaceutical company doing a new drug, you have not only the external regulatory requirements, but you want to protect the sensitivity of that information and not have it leaked or walk out the door with, you know, employees leaving for competitors and so forth. And so there is definitely a set of information disclosure risks that companies are concerned about. And then just lastly, protecting information for, you know, whatever future needs. You don't know what you want to archive information so you can learn from the past projects you've done. You may have a lawsuit that you need to address. And so, you know, understanding your archiving and e-discovery strategy. But I think that the big ones are, as you said, you know, following the laws and protecting your company against risks, both external and internal. 

Chris McNulty: Great. 

Erica Toelle: Jeff, you often use a phrase in your keynotes - making powerful things simple. And I think that's really applicable here as we think about the convergence of data protection and user productivity collaboration. What advice would you give to people planning data governance in an organization to make those powerful tools more simple for the end user? 

Jeff Teper: Yeah, I think first, the most successful discussions I've had with organizations' IT is when you've got the stakeholders or BOEs (ph) representing the business need for a collaboration and the challenges and risks for data governance because if you just are focused on empowering users with collaboration, then you may take some unacceptable risk. But similarly, if you just are writing a data governance strategy in the absence of any thoughts of collaboration, then you may stifle productivity in your organization in ways that create even bigger risks, you know, the risk that you can't innovate and compete and service customers. And so I think it's really key when you write the data governance strategy - is get stakeholders involved who represent both collaboration and data governance. 

Jeff Teper: And just to give a more specific technical example, as, you know, one of the things we're really excited about is fostering cross-company collaboration Microsoft 365. We have B2B - business-to-business, business-to-consumer collaboration capabilities with external sharing, say - and SharePoint. And one of the newer areas of our stack is something called Teams Connect with shared channels where two organizations can share a channel. Say, their marketing department and their ad agency and their PR firm wanting to work together on a product launch - clearly, very sensitive information you don't want to leak, and you want data governance rules. You know, if you're releasing a new product, even internally, you may limit the number of people who know the brand and the pricing and so forth, but you have to work externally to get that done. Your PR agency needs to know. Your ad agency needs to know. 

Jeff Teper: And so understanding scenarios like that and how you may be able to use B2B collaboration in Microsoft 365, classification labeling and protection, those kinds of things to create spaces. So you're advancing the ball on both collaboration and productivity, and data governance is pretty key. If you just swing the pendulum to data governance, you're going to impact the company's ability to innovate and compete in a way that's even as - just as bad as leaking information fundamentally. And so you've got to do both. 

Chris McNulty: You know, I think that's really true, Jeff. You know, as you well know, like, going back to the origins of what was at the time called ECM, you know, you had this distinction between systems of engagement and systems of record. And kind of at its worst, what it led to was these really high-cost platforms where documents that nobody ever looked at would go - but they were the repository of key information and with a lot of great governance around it - and then sort of a Wild West of collaboration spaces where there's no rules. Anyone can do anything because it doesn't matter. And I think kind of stitching those two disciplines together has had a lot of value for our customers. And I think that extends to the platform. 

Jeff Teper: Yeah. As Erica asked, making the controls you have that - digestible by human beings, the ability to label a site or a team. This is a top-secret team - and have a set of policies associated with that. In order for anybody to use that as opposed to go around it, like you said, Chris - it needs to be really simple. You know, it's something where you have this idealized view what human beings will comply with. It's a, you know, a 62-step form. It's just going to look good in a planning document but fail in the real world. 

Chris McNulty: The other thing - I think when you start bringing those two disciplines together is it comes together in the platform. And, Jeff, you and I have talked about this before, that, like, the success of SharePoint in M365 as a flexible, compliant, high-performance platform has benefits beyond the immediate Microsoft application success for our customers. Can you talk a little bit more about, you know, what you see as the value of our platform? 

Jeff Teper: I've always start first with customers. And so we talked about the organizational needs for both governance and collaboration. And then you go down to the next level, which is the end user. And I think that's where you see that platform advantages really clearly. So first is the business user - the end user of our tools. They, for the most part, want to comply with rules and regulations, but they want to get things done. They're overloaded. There's competing pressures on their time. They need the tools to be streamlined. They need the ability to collaborate with other people without having to work around these systems. And I think by giving people a unified collaboration environment around Teams with SharePoint as the underlying content management system, we've given end users a unified, simple way to collaborate with others inside and outside their organization in a way where they can comply. 

Jeff Teper: So the end users obviously start with, you know, getting things done and collaborating. Then the IT people - and also people who are stakeholders for data governance - that will include people not in IT, like your legal group, for example. They need to enforce these policies. Some of them are coming faster than ever with regulations. You know, we all see this in the press every day. The regulations are changing wildly in different markets around the world. And the legal department, the IT department is super challenged to figure out how to digest those and make those operable. And I think the fact that we've built auditing, e-discovery, classification labeling and protection, multi-factor authentication, policy-based, you know, controls on what network, what device, what user and on and on and on - and, you know, new things we're investing in - Purview is a great example of something where we started out with some core capabilities, and then we're now adding enormous depth on it. Part of our platform is that we've integrated that all in - that we give you a holistic view of data governance. That group of people are going to say, hey, great, I can meet the growing internal and external data governance needs with a unified platform, and then I don't have this fragmentation of 10 different governance tools and different things for Teams versus SharePoint versus Exchange. I have a holistic environment. I could do it at reasonable cost, etc. 

Jeff Teper: And then the third group is the developer community - people who want to build business processes, as you well know, Chris. Collaborative workflow is for RFPs, for, you know, invoicing, etc. And those hit those first two audiences. And so I'm the developer. I need to build an RFP workflow system that is easy enough for people to use so that we can win the business but has data governance built in so that we're operating ethically within the rules of the law and that we're, you know - we know, you know, we're not committing to a price that we can't meet or something like that. And so there's workflow associated with it and approval. And that workflow and change history of the content is audited, and the final version is immutable and all those kinds of things. I think the fact that we have the most holistic platform for work that blends collaboration with data governance in a way that end users, IT and their partners in legal and developers can use is pretty unique and meets the dual needs of the challenges where we got to work better. But we also have to work in a way that's more compliant. 

Chris McNulty: Thanks. 

Erica Talley: Absolutely agree. Maybe to take a step back for a second, I think we're in a really cool place. The last 2 to 3 years, we've solved a lot of the traditional challenges that came along with data protection and collaboration. Like, as a specific example, it used to be really difficult if a document was encrypted to have it appear in search, to co-author - and we've solved these challenges now. 

Jeff Teper: Yeah. 

Erica Talley: So looking ahead, what do you think are, like, the next big rocks in this data protection plus collaboration story that we're going to need to solve? 

Jeff Teper: I think the biggest challenge that hits both stakeholders - the end user stakeholders and the people chartered with data governance is the overload of information. And this is where AI and machine learning and other algorithmic approaches come to the rescue because the end user could be overwhelmed with information, chats, documents, etc. The people who are chartered with governing things could be overloaded with information. And so, you know, take external sharing and collaboration. Got to foster it. The company that doesn't work well outside their organization with customers and partners is going to fail. They will be out of business. It's an existential risk to companies if they can't figure out how to collaborate externally via something other than email and video calls. 

Jeff Teper: But the volume of information in a medium, large organization going externally is high. And so it's not like somebody in IT and legal could review every document. And so you set up policies, but AI is going to help us do anomaly detection on access to information. And so it can say, hey, you know, Chris just downloaded more documents than normally people do or shared more documents externally and created three external sites. And, you know, at least that's something we want to ask and look into. And we all wish we didn't have to deal with these things, but whether intentional or unintentional, accidental kinds of governance risks, these are the things that happen. So I think you already see it in our stack, applying AI and machine learning to both user overload and data governor overload. But I think that will be the biggest area of focus. And, you know, obviously this is where the industry is going. And security and compliance and governance generally is having that machine learning algorithms get better and better to help us all cope with this. 

Chris McNulty: Good to hear you say that. I mean, one of the things - and this is stuff I know we've had in our stack for years, but being able to kind of forge that partnership between the AI and the human side of it where someone is - you know, if I'm sharing a document that has credit card information in it, first and foremost - like, I never see credit card information, so that's probably a mistake. But both being able to impart a policy and also to enlist my help in saying, hey, you just did this. You may not have meant to do this. And so we're going to take these actions but wanted to let you know what was going on - I think, yeah. 

Jeff Teper: That's a good one. And the other one that's a complex one that you know well from our work with SharePoint Syntex is, you know, going back to contracting and RFPs and things like that, these are complex documents where different companies will allow different degrees of leeway in constructing those contracts to win the business or - and different organizations will have different degrees of boilerplate and flexibility. And, you know, again, if you have to hire enough law school graduates to review every single contract, you know, you'll just slow that organization down. But if you can have machine learning assist the user creating content in Word from boilerplates and assembling things together, then you see, hey, this contract is deviating quite a bit from the norms. This is the one you should really focus on versus reading all the contracts that are, like, exactly the same as our standard ones. It'll just help everybody focus on winning the business in a way that is feasible, ethical, etc. So I think there'll be more and more places where you'll have this AI augmentation - both the people getting work done and the data governors trying to make sure there's not undue risks. 

Chris McNulty: So when Erica asked me to sit in on this podcast and told me that she was bringing you in, Jeff, you know, I was really excited about being able to ask you a question that's much more broad than even data governance because you get to talk to so many customers. And you have, you know, a view into so many technologies that we haven't even talked about publicly yet. So without getting into a disclosure moment, what are some of the things that really excite you about where you see the future of our technology going? 

Jeff Teper: I love technology, but I love even more when it excites customers, and it helps them in their business. And I just - you know, you asked the question, what's top of mind? Yesterday, I met with a major manufacturing company who I have talked to for a decade plus. And this company, when I first started talking to them, it was a very governance-centric conversation, sort of to the topic of this podcast. And basically, it netted out for them that they couldn't go to the cloud. They just didn't trust any third party to steward their data. They just saw nothing but risks in that. And, you know, we had a dialogue which is like, in the cloud, we'll innovate faster. That will help you organizations compete and innovate. But at the same time in the cloud, you'll get better governance tools than you have on premises, and those will also benefit from faster innovation. And we've got these certifications and audits and so forth so that you can see the practices we have for stewarding your data are actually more rigorous than the ones you might have had yourself on premise. But dig in to our details and give us feedback. And, of course, yeah, there were places we could do better. And, you know, 10-plus years ago, they give us feedback, and they've now moved to the cloud in a huge way. And this was a company that had serious data governance concerns that kept them from going to the cloud in, say, 2012 and is now full steam ahead in 2022. 

Jeff Teper: So the conversation I had with him yesterday, there was definitely an element of this, but it was much more things like, well, how can AI help us absorb all the information in our organization to help people make decisions? How can we bring this to our frontline workers in the manufacturing floor on a device so that they have the expertise and our processes and troubleshooting that our organization has built up over the years? How could we use things like the metaverse to build digital twins of our factory floor so that we could simulate processes and do anomaly detection? How can we, you know, work with you and the things you're doing with Viva in training so that we can have more just-in-time training that's dynamic and not three years out of date and can evolve and grow with the business? And we can recommend that training to people based on what's actually working versus what we think might be good training. And so yeah, it was interesting from - to see this relationship go from a customer which 10 years ago was about 90% about data governance and 10% about productivity to one where it's in this - you know, there were breakout sessions with other people on data governance. Don't worry. But this one was really about the power of the technology to help them compete and transform and innovate and engage their employees precisely because they felt comfortable that we had this best-in-class data governance. 

Jeff Teper: And, you know, our portfolio is expanding with things like Purview and so forth, new user interfaces, AI machine learning, you know, new creation tools for video - you know, there's just - I could go through our whole portfolio. I'm super excited about it. You know, I just think we're just early innings, as you would say as a Red Sox fan, Chris, on... 

Chris McNulty: It's funny - I was sort of wondering if you were going to bring up Mesh. I had a similar conversation with a very traditional energy-based customer of Microsoft's yesterday. And, you know, after they got through kind of the initial view of this immersive Metaverse-derived workspace, they really got to some of those practicalities of, how do we construct digital twins of our engineering equipment? - being able to bring people together in these 3D spaces and the dynamic translation and the gestural notions. You know, that's another thing. Is it at the heart of data governance and compliance? Probably not. But it's one of the things that I know I'm excited about and our customers are excited about, and I know that you're kind of at the forefront of what we're doing there. 

Jeff Teper: Oh, but it will be because let me give you a fine example, deepfakes. So we are certainly on the verge in the industry of doing not just cartoonish avatars for people but photo-realistic, real-time rendering of people, machine learning from their conversations and facial reactions to be able to simulate people. And in fact, all, you know, the Hollywood Studios do this all the time in special effects in a asynchronous rendering way where, you know, you see, you know, sometimes, there's a stunt man or woman, and sometimes, there is a avatar, stunt man or woman that - you know, they actually use not just motion capture but machine learning algorithms to generate skeletal behaviors for the person beyond what you even used in motion capture. Well, all that's going to come to the metaverse. 

Jeff Teper: And so we have - as you probably saw this week, you know, we published our stance, our latest stance on responsible AI, where there are going to be governance issues in this world. So how do I know that the person in this virtual meeting with me that said, I approve your plans is real Erica, not just virtual Erica? Because it sure looks like Erica down to how many polygons are rendered in her face that make her look like the real person. And her speech patterns are simulated. So we've got to have authentication technologies that validate that that's really you in the metaverse and not just some simulation. So not to say Erica should start working on Purview for the metaverse just yet, but it's coming. These issues are coming. 

Erica Toelle: We'll be ready. We'll be ready when you are. Well, we're almost out of time, and we've covered so much great ideas today. Jeff, if you were to summarize very succinctly the top three ways that you recommend that people prepare for the future of data governance and collaboration, that would be really great. 

Jeff Teper: Yeah, I would say - you said succinct in three things. So let me... 

Chris McNulty: (Laughter). 

Jeff Teper: One is I would suggest each group write down how we work. Write the objectives for that work group, whether it's product development or advertising, and get stakeholders in that work group that represent IT and legal and business and write down, here's how we work. Here's who could see the information. Here's the requirements for retaining that information. Doesn't have to be a 50-page doc, but just write one or two pages on how we work balancing the collaboration data governance needs. Because there is not going to be one document that Microsoft should publish for everybody. Oil and gas is different than financial services is different than hardware, etc. 

Jeff Teper: The second is make sure you've got a modern tech stack. The difference in the tools that you can use that are available today from us and others that have harnessed the power of cloud and machine learning are a quantum leap beyond what was available three years, five years ago. And so you owe it to yourself to tackle these problems without armies of lawyers and IT administrators to use cloud AI-powered algorithms. And so get the tech stack. 

Jeff Teper: And then the third thing would be all these tools have policy knobs. You know, you could - in our classification labeling and protection, you could have 700 labels in an idealistic world for the organization. Imagine that dropdown dialog box. The user is never going to understand it. So one thing I've learned in 20 years in content management systems is design just enough data governance that human beings who have limits to their cognitive overload can actually absorb. And so those would be the three things. Have a plan for how you work balancing empowerment and governance. Get a modern tech stack, particularly one that leverages AI machine learning. And then design things that require work from an end user that are actually feasible for real human beings to understand and comply with as opposed to ignore. How's that? Concise enough? 

Erica Toelle: Love it. Love it. I learned something, too. So the last question we ask all our guests - what is your personal motto or words that you live by that you can leave us with? 

Chris McNulty: One I've used for years is be your own biggest fan and your own toughest critic. In a lot of things in life and in work, we - you know, we want to get the most out of things. We want to do the best we can. And if you're not raising the bar on your team, your company, yourself, you're not realizing your full potential. And so you just got to have an honest view of, like, where could I learn from others? Where could I do better? - and really be focused on that. But at the same time, have gratitude. You know, cut yourself some slack. Life is hard. You know, there's a lot of challenges. We don't know things upfront. All human beings make mistakes. And, you know, celebrate the wins, big, little and small, because those things will give you and your team the energy and the comfort and security to deal with the criticisms that naturally come in from yourself and others. So be your own biggest fan. Be your own biggest critic. 

Jeff Teper: That's great. 

Erica Toelle: Thank you so much, Jeff, for joining us today on the "Uncovering Hidden Risks" podcast. I learned a lot from hearing your perspective on data protection and collaboration, and you certainly gave me a lot to think about. If you want to hear more from Jeff, you can catch him on Twitter at @jeffteper or at one of his Microsoft 365 community conference keynotes. And thank you, Chris, so much for joining us today as our co-host. 

Jeff Teper: Oh, thanks a lot. You know, it's really been fun. As you know - this audience may not know - I co-host a Microsoft 365 podcast every two weeks called "The Intrazone," where we kind of look left to right across all of Microsoft 365 and bring in customers and partners and our product teams to talk about what's top of mind and to help share and shed some light on what we're doing in M365. So it's really been a lot of fun actually coming to a different podcast because this is a topic, as I said before, that's really near and dear to my heart. So thank you so much for listening. And hope to see you again here and also see you on "The Intrazone." 

Erica Toelle: Great. We had a great time "Uncovering Hidden Risks" with you today. Keep an eye out for our next episode. And don't forget to tweet us at @msftsecurity or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to "Uncovering Hidden Risks" on your favorite podcast platform. And you can catch up on past episodes on our website, uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus.