Three Steps to Master Information Governance in Your Organization
Erica Toelle: Hello! And welcome to "Uncovering Hidden Risks", a new podcast from Microsoft, where we explore how organizations can take a holistic approach to data protection, and reduce their overall risk. I'm your host, Erica Toelle, Senior Product Marketing Manager on the Microsoft Purview Team. And, now, let's get into this week's episode. Welcome to another episode of the "Uncovering Hidden Risks" podcast. In today's episode, we will discuss Information Governance, and the industry trends that we are seeing in this space. Information Governance is the overall strategy for managing information at an organization. It is a discipline that spans several markets, including data governance, security, compliance, data privacy, and content services, and more. Recently, these markets have begun to converge; highlighting the sometimes conflicting requirements between these disciplines. Let's dig further into this trend, issues, and solutions with today's experts. First, let's introduce today's guest hosts: Natalie Noonan. Natalie is one of Microsoft's top Information Governance experts, and helps customers to define and plan their strategies. Natalie, would you like to share a bit more about your background for our listeners?
Natalie Noonan: Thank you, Erica! Thrilled to be here. So for many years, I was a program manager in financial services. And while we were typically focused on delivering some new service, or a new product, we were also really struggling with classic Information Governance challenges, who owns what data or information asset, how do we classify it, how do we dispose of data so that we have less to manage, or to migrate, or to secure. So that led to recognizing this as our own hidden risk, if you will, and then advocating for it, and eventually building out a dedicated Information Governance program at my former company. I later moved into consulting in the same space for a few years before coming to Microsoft. And here, in part of our global blackbelt team, that works with our customers, partners and engineers as organizations assess and implement data security and governance solutions like Microsoft Purview.
Erica Toelle: Thanks, Natalie! Also joining us today is our guest expert, Randy Kahn. Randy is a globally recognized leader in Information Governance, with his consulting team advising major multinational corporations and governments on various Information Management issues. He has been an expert witness in major court cases, and is a trusted adviser to corporations and government agencies. Mr. Kahn is also an accomplished author, speaker, and Adjunct Professor of Law and Policy of Electronic Information and the Politics of Information. Thank you for joining us, Randy!
Randy Kahn: Hey, thanks, Erica! And super glad to be with you guys today. I would also just say, as by way of introduction, that I think that this podcast is super timely, in that most companies are grappling with how to manage their information assets. And I would say many of them are not doing such a great job.
Erica Toelle: Perfect. And I think that's the perfect transition into today's topic. So, Randy, to start, could you please tell us more about this trend that you're seeing around the convergence of security, data governance, privacy, and compliance?
Randy Kahn: Yeah, so the way that I think about trends in today's information environment, it's a little bit like the perfect information management storm, where you have greater value of information; lots of folks willing to break all kinds of laws globally to steal that. Right? So value up, threat to your information up. The value also is up. At the same time, your information for most organizations is located in more places, sometimes outside of an organization's control. There's greater privacy expectations, and all of that information is traveling at the speed of light. Right? So that's sort of the setup of this perfect information management storm. But wait, there's more. We also live in this space today, where that value, as the information value went up within an organization, different parts of the organization see information completely differently. Right? So there's a diametrically-opposed view of information assets. And I'll give you an example. Right? So say, for example, there's an AI business unit, which is driving business, which is making business faster, better, cheaper, and they want information for longer periods of time. They don't know what business question they're going have in the future. And, therefore, they want that stuff, that information, that asset, that information asset, around longer and longer. And then on the other side of the organization, there's a privacy professional, or an information security professional, or a lawyer, who has the complete opposite view, which is privacy, as an example, they want less information for shorter periods of time. So within that same enterprise, within that same organization, you have all these different interests, that they're looking at the exact same information asset, and saying, "This is what I think we need to do with it." Right? And that creates this incredibly confounding, incredibly complex environment. And in that context, older rules, more employee-centric solutions, employees lifting, doing the heavy lifting, is simply no longer tenable. And I think that really is where we are in 2023.
Erica Toelle: How do you think the increase in laws and regulations around the management of data, especially regarding privacy, affect this trend?
Randy Kahn: Well, one of the things that we've seen over the last two decades is that every year we have more laws, more regulations, more self-regulatory directives, that tell organizations how to manage their information. And, increasingly, whether it's information security, whether it's privacy, whether it's retention, whether it's ownership, disposition, access, whatever, those laws, more and more laws, for more and more organizations, create an environment in which it's super challenging for big organizations to make sense of this hodgepodge of directives, to harmonize this body of law regulation. At the same time that we have a business to run, at the same time that there are outsiders seeking to steal or access our environment to steal our information. Right? So the information management challenge has have never been greater; the theft of information has never been more damaging, and the impact to the reputations of organizations from failure have never been more painful. Right? And I'm going to give you an example that maybe makes this case. It's a West Coast gas company. I'm not going to mention its name. It's not really important. But what's really interesting is that this organization had this massive explosion. Sadly, a bunch of people died, and there was a bunch of property damage. And when the state looked at the actual event, what they learned very quickly is that information mismanagement was ultimately the cause. The downside of which was well in excess of a billion dollars, and regulators constantly knocking at the door and inviting themselves in to see why the company just could not get its information management act together.
Erica Toelle: Natalie, are you seeing similar challenges in your work with customers?
Natalie Noonan: Yes, absolutely. So our customers are often sharing challenges with balancing these types of conflicts between opposing regulations, or even the mismanagement of information in their organizations. One of the things that I think has really changed the game for a lot of our customers are the different privacy and security regulations, that ask for us to now minimize our data. So we see this concept of having something like a privacy maximum, things imposed by GDPR, or CCPA, or NYDFS. These are all different regulations that our customers are now challenged with, and have changed the game from saving information forever, to one where we must know how long we need to retain it, and we must dispose of information. And that, in turn, is allowing us to comply with other obligations, or conflicting obligations, like a customer's right to be forgotten. So we must know what information we have. We must be able to delete it upon request, and understand all of these relationships across privacy, and security, and retention. And so when customers come to us, often with their current state, they have these overly-broad rules that they've implemented. So for example, a financial services customer shared their retaining e-mail and files for 10 years across the board. Or other customers come to us, and they have yet to implement their programs at all. So they're really seeing this drive to implement, or also to modernize, or to advance their program. This is really necessary to now meet these privacy and retention requirements in a very reasonable and scalable way.
Erica Toelle: I love your point around how the focus is shifting more to deletion than retention, and I think that's a big change for a lot of people. And, generally, these are just some big challenges that organizations are needing to overcome. So, Randy, how do you suggest people approach a solution?
Randy Kahn: So for most organizations, I think the problem is just so massive and so overwhelming. So the first thing that I would say is to think about it, people used to say: "How do you eat an elephant?" And the answer, of course, is: "One bite at a time." And the point is here, you know, the information footprint of most organizations is this monsterly [phonetic] complex, growing organic body of information that allows their business to function every day. At the same time that that body is letting business happen, it also is this monumental challenge to manage more stuff in more places that we talked about. And so to really take on the challenge, try to simplify the task to pick one thing to deal with that really is confounding, that impacts the organization. And that's the first cut. And then the second cut is really having some sort of a framework. And we use a framework that's really three simple steps. The first is to size up your information footprint to know what information you have, where you have it, who has access to it, what contracts impact it. The second one is to really organize all the governance, and legal, and privacy, and information security requirements around that information footprint. And that's, you know, content-specific, where it's located, the jurisdictions in which you're doing business. And then, finally, to -- it's sort of the HSA of it, the harmonize, to simplify, and automate. That is to make sense of all those requirements, business, and legal, and regulatory, and privacy, and InfoSec, to harmonize that to a simple or a simpler answer. And then, finally, to automate some sort of a solution. So the earlier point that Natalie made, which I think is a great one, is that the world is very much focused on less is more. Right? How do we defensively dispose of content that's no longer needed, because keeping everything forever isn't a viable solution. So that's sort of the simple cut; again, three simple steps.
Erica Toelle: I love those three steps and breaking it down that way. I'd love to hear more about how you size up the information footprint. I feel like that can be a daunting task for a lot of people. So how do you recommend we approach that?
Randy Kahn: Yeah, so you know, the first thing is, as it relates to that information footprint, so, increasingly, organizations have third parties that have access to their information, or third parties doing something on behalf of a company. Say, for example, it's a HR function. So you need to figure out where you have your information resources, who has access to it, who has control over it? What are the laws, regulations, privacy requirements that apply to it? And you start to really size up that information footprint. Because the thing is, unless you know what you have, it's very difficult to figure out how you're going to manage that pile. Right? And so, really, the first step is really getting a handle on what you have, where it's located, and who has access to it.
Natalie Noonan: So this step to know your data seems critical to our customers in a few different ways. It's so important to know what data we have, and get a really deep understanding of the volumes, and the types of sensitive, and personal, and business-critical data that they have, and where it's stored, and who the data owners are, how that information is being shared. I think a lot of those insights can be so critical to customers getting support for their program, and identifying, you know, maybe where they have potential critical business partners in their organization to get started. And it helps give them a bit of a baseline as to where to start, where it's most important or critical to start. And also lets them have a place to begin to show their success and progress over time, which is really going to help them drive user adoption, as well as quantify cost and risk reduction.
Erica Toelle: Randy, what types of requirements are important for information governance?
Randy Kahn: Well, so for large companies, it's really daunting, right? So there can be hundreds, sometimes thousands of laws that impact how organizations manage information. And if you think about like a typical big organization, right, I have record retention issues. I have privacy issues. I have information security issues. I have AI driving in a completely different direction. That is sort of that perfect information storm. And all of a sudden, you, like, look at your pile of information, which is growing exponentially; it's traveling at the speed of light, and I'm doing business across the globe. So really to, you know, is that second prog to size up your legal and regulatory requirements, as well as your business needs, you really have to, as we talked about a moment ago, not only know what information you have, but know where you're doing business, what kind of business you're doing in various jurisdictions, to understand the privacy requirements, and your security needs, storage requirements, retention obligations, and then match that up against, again, what the business needs from the information. And it sounds daunting. We do it all the time. There's ways to organize that information, all of the various inputs. But unless you have a method to size up all those requirements against your business needs, applied to all your information footprint, it's just not going to happen. And I would say added to that, we live in this environment now, where our customers and our employees have heightened expectations for privacy. So if an organization, not only is not addressing the legal requirements, but also this new sort of expectation of customers that you're going to manage my information, because they see it as theirs, in a way that protects it and doesn't expose it, I really think organizations have even a deeper and more profound challenge.
Erica Toelle: Yeah. And I also think, like, what you implied there is a lot of times, these groups, maybe security, privacy, traditional records management, haven't necessarily had a collaborative chat before. And so there's some interesting people dynamics going on while you're gathering these requirements, and relationship-building that are going to only benefit you as you progress through your program. So, Randy, now that the organization has clearly identified their requirements, they've built some relationships, what's next?
Randy Kahn: Yeah, so the next step, which is really an art of navigating and negotiating the various inputs to come to some sort of harmonized decision. So I have privacy folks; they want to keep less information for shorter periods of time. I have business intelligence and machine learning, and AI people want to keep more information forever. I have retention people that say, different categories of information need to be kept precise periods of time. And I have litigation folks that want a completely different answer. So unless I get all of those inputs, and, really, it's sort of like as a team sport, right, to harmonize to one solution, a simplified solution, I need to have the right players at the table, articulating their interest, deciding what they can live with to come to a full-bodied answer that the organization can live with, that can satisfy our regulatory and legal requirements, and, also, again, address that privacy expectation of our customers. Right? That's the beginning of it.
Erica Toelle: Randy, I think what you're saying is super interesting. And I'm just curious, who are you seeing leading this type of initiative? Like it's a lot of work to kind of be that collaboration leader, or sometimes maybe referee. And I'm just curious, is it usually legal leading these conversations, security, or does it just depend on the individuals involved? How does this actually play out?
Randy Kahn: Yeah, so it's a really great question. You sort of hit it up from two totally different perspectives, both of which are exactly spot on. So one is, who do you need at the party to make the party actually fun and functional? Right? So, and we'll talk about that in a second. The other one is the actual individual. And I think a lot of times, people don't really think about who is really great at pulling the oars of the boat. Like if I have an individual that has institutional knowledge, that understands the organization politically, that can make stuff happen, I want that person at our party. I want that person pulling the oars. Why? Because, individually, they can make stuff happen. Period, new paragraph, to the earlier point, right. So who do I need as part of my team, or who do I need as part of the solution to get to done. And I would say, at a minimum, right, you need to have business folks. And you need as high up in the organization to get support for this kind of initiative, and funding for this kind of initiative, and get the rest of the team behind it. And then I need to have legal represented. I need to have privacy and InfoSec represented. Perhaps, compliance as well. And most importantly, to make a lot of this work, it's not going to happen without IT professionals of various kinds. Right? Maybe it's a storage person. Maybe it's a CIO or CTO kind of person. But, again, you're going to have a multiplicity of people that make up the team, that's going to be essential to get to done. Because I needed a- I need a full bodied answer, not an answer from one organization. I'll give you an anecdote. Years ago, my firm was asked to come and deal with a policy on e-communications for a large, fast food company. And I went with a couple of my consultants. And we were sitting around a table of 12 lawyers. And I started to laugh. And one of the guys said, "Why are you laughing?" And I said, "What you seek to accomplish with 12 lawyers will never get done." I said, "You have business interests that you're not representing here. You have technology interests that you're not representing here. You have business people. If your business people think that you're creating a policy, it imposes a rule that makes it tougher for business to happen, this is never going to fly." So I do think the way you're thinking about is spot on.
Erica Toelle: That's super valuable advice. Thank you. Natalie, you have so much great background actually working in an organization, leading these types of initiatives, but then also your experience as a Microsoft global blackbelt, speaking to customers that are going through these programs. I'd love to hear about any examples or stories you have from your experience around this.
Natalie Noonan: Yeah, absolutely. So when I was first responsible for building out an Information Governance program, it is really one of the first things that we did was build, you know, what was our information governance framework or structure going to look like? And so, you know, identifying what policies and standards we were going to build, how we drafted or updated retention schedules, for example, and what those accountability structures look like, like Randy was mentioning. How do we get that executive top-down support that really drives the importance of the program and the organization, and brings everyone along with you. In addition to, you know, how do we identify what technology and approaches we'll use to implement those policies into the organization. And as I work with my customers, they often will share something very similar as to what does their program framework look like? What is high value to them, or what does their culture look like in terms of what they're trying to achieve, almost like the mission of their program. So often, today, it is things like, "I want to minimize disruption to my end users." I hear that all the time. So how can I do that, you know, in how I implement my program in the organization. As a company saying it, you know, we don't believe our employees and our end users have a lot of time to spend thinking about classification of what type, or to manually, successfully do those types of things. So that will become, again, part of what they address, and their framework, and their intent in how they build their program into the organization, and how they communicate and train that, and so on. So I found that very, very helpful to have those types of conversations with our customers to, you know, understand what's important to them, and what's top priority to them in terms of implementation.
Erica Toelle: Yeah, that's a great point about the end users, and not having them be responsible for all this. I mean, if it's complex for the experts, the security compliance privacy experts, gosh, I'm not sure we can really expect the end users to do anything around this anymore. Randy, I'm curious, I'm sure there's somebody listening to this podcast that's like, "Yes, exactly. This is what I need to do in my organization." And maybe they're the person that can help drive this cross-silo collaboration. What advice do you have for this person on how to get started?
Randy Kahn: Yeah, before I go there, I actually, you both commented about something that I think is super important to focus on. And it really, I think, nicely segues into your question. And that is this idea that in a world where we have exabytes of data that are created in hours, not in years, or in decades, you have this volume that is just massive; it's traveling at the speed of light. And to expect, in this context, that employees can actually do the heavy lifting, I think those days are long over. So to the extent that you're looking for a solution, if you build it and make the employee the center of the universe, you will absolutely fail. Which brings me to technology. If you can't automate, and this goes back to, you know, that whole idea of simplifying and automating, if you can't make it simple enough for a piece of technology to apply behind the scenes without impacting employees, and the end users, again, I think it's failure.
Natalie Noonan: Yeah, Randy, completely agree with you. If you were in a program that was just getting started, what are some of the things that you would do first?
Randy Kahn: So there's any number of really confounding complex problems that impact most organizations today. And so the simplest way of thinking about taking on the challenge, I think, for one, find one problem that impacts the organization, and build a team to address the problem. And as it relates to selecting the problem, I'm a huge fan for picking low-hanging fruit first. And what that means is, there are problems in an organization that are screaming to be addressed yesterday. It's a problem that impacts privacy. It's a problem that impacts information security. It's a problem that impacts storage, for example. And so after you build the right team, what you've done even before that is size up that problem to ensure that that problem, when solved, is going to net something to the organization, which will be a victory, right? So we're going to invest some time, we're going to invest some money, but what we're getting out of that is a problem resolved in earnest once and for all. It's a storage requirement that's no longer needed. It's money saved because we're being more efficient, or we're taking the problem away from employees, or we're disposing of a body of content, or mitigating a risk. Right? So when thinking about how to take on information governance, it's one problem that screams to be addressed, and building the right team to make sure that the problem goes away earnest once and for all.
Erica Toelle: Yeah, I love that. So we've been talking a lot about Information Governance, as it exists today. Looking ahead to the future, what do you think is coming for Information Governance?
Randy Kahn: So Information Governance, and organization's absolute mandate to manage information and compliance with laws, privacy requirements, information security needs, as well as customer demands, is not getting any simpler. And so to get this right, to take on the challenge, two things will happen if you do it right. One: you'll be faster, better, cheaper, as a business. You'll be leaner. Your information footprint will be clearer, smaller, and easier to manage. And then most acutely, as it relates to law, and compliance, and governance, you're going to be legally-compliant. So that's the first thing. Right? And I would say most importantly, as it relates to the practical side of information governance, organizations have to get out of the mindset of thinking that the employee can be the center of the universe to manage information, whether it's privacy, information security, retention, storage, disposition, whatever it is. The only way that this is going to happen, and make the organization a leaner, more efficient business, as well as a more legally-compliant business, is by baking in solutions into great technology to make the place home.
Erica Toelle: Wow, this has been just such a great discussion. This convergence of security, privacy, compliance, governance has been something I've certainly been thinking a lot about, and really appreciate both of your thoughts on that. Unfortunately, that's about all the time we have for today. So to wrap up, I'd love to ask you the question that we ask all of our guests. So, Randy, starting with you, what is your personal motto, or what words do you live by?
Randy Kahn: Well, there's lots of mottos that I have, but one that's completely germane to today's discussion is: "Festering problems don't magically disappear." Unless you deal with the issue now, it's going to be way more challenging, and way more expensive to deal with it once they implode down the road.
Erica Toelle: Love that! Natalie, any words of wisdom or personal motto that you want to share?
Natalie Noonan: I think one of the, I guess, themes that I would say, I tend to live by is to remain adaptable to whatever life throws at us. I know that's essentially something that I've followed throughout my career, and learned a lot of new things by keeping adaptability front of mind.
Erica Toelle: Yeah, adaptability is certainly great for all of us to keep in mind. Thank you, Natalie. So thank you both, Randy and Natalie, for joining us today on "Uncovering Hidden Risks". Really appreciate your time.
Randy Kahn: Thank you so much!
Natalie Noonan: Thanks, Erica!
Erica Toelle: We had a great time "Uncovering Hidden Risks" with you today. Keep an eye out for our next episode. And don't forget to tweet us at MSFT Security, or e-mail us at firstname.lastname@example.org. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to Uncovering Hidden Risks on your favorite podcast platform. And you can catch up on past episodes on our website, Uncovering Hidden Risks dot-com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus.