Information Governance Leadership and Vision

Introduction

In this blog series we're looking at the practical implications of making Information Governance (IG) stick. We're doing this because it’s clear that most people think IG is important (few people dispute it) but, in practical terms, it’s tough to execute, especially when it comes to governance of unstructured (or user-generated) data.

Having introduced our take on IG in our overview article, ‘Living on the Left of the EDRM’, the next logical step seems to be to take a look at leadership and vision. Of course, leadership and visions is where any meaningful change really starts but, from our perspective, IG has a special relationship with leadership because IG is effectively an insurance policy. This means that, without any explicit external driver or catastrophic event, it takes foresight and commitment from leadership to establish a sustainable IG program. For those who have been in the IG industry for a while, the realization that this insurance policy is necessary has been a slow process but, with global privacy regulations at the fore and breach rates inexorably rising, the need for leadership in IG has never been greater.

A Burning Platform

Change and transformation programs often get off the ground from sheer force of will; from a leader who (because they’ve seen the consequences of benign neglect) has a conviction about the right thing to do and, has the credibility and skills necessary to align the organization around a goal. These people view their organization’s situation as a literal burning platform, a place where the organization simply cannot afford to remain without unacceptable risk and, they drive their efforts towards resolving that situation.

To help those without that foresight, in 2020, Gartner did a good job of characterizing the burning platform in more objective terms. Its Market Guide for File Analysis Software (G00356351 dated 6 Feb 202) broke the drivers for an IG insurance policy into four dimensions:

For any organization’s IG leadership, whether that falls under compliance, the CIO/CDO’s office or wherever, the dimension that matters varies by industry, by organization or according to the individuals involved. To help, we’ll use these dimensions to build a menu of options from which to choose or to which to add.

Compliance

Data privacy should be the first concern of almost all organizations; the first wave of response addressed specific requirements for privacy management and drew upon a range of existing practices (such top-down or manual data mapping) to get off the ground. Now, with growing awareness and maturing regulations, a second wave of expectations will necessitate a broad IG program to demonstrate and sustain compliance. Alongside data privacy, many industries have specific regulations (such as Health Insurance Portability and Accountability Act or Privacy of Consumer Financial Information) which require working IG efforts in a similar way. Whatever regulation, in unison they demand a common framework of data stewardship practices to which IG is exceptionally well placed to respond.

Whether or not leadership judges that these regulatory drivers alone make the case for investment in an IG program, it won’t take long before customers will begin to make the case for them either directly though contracts and agreements or indirectly through ‘voting with their feet’. In some cases, customers have begun to assert specific requirements on their vendors or service providers in the form of information audit reports or formal attestations, the essence of which requires that an organization can demonstrate it knows where the customers’ data is stored and that it is adequately protected. No capability is better placed than IG to respond to this need.

Finally for this part of the menu, let’s consider merger, divestiture, and acquisition (M&A) activities. It may be that these are better positioned under risk rather than compliance, but the bottom line is that data transfer is a significant part of any such event, backed by warrants or similar assurances. Whether on the receiving end or as the sender, the compliance of transferred data, or otherwise, is an increasingly important consideration given burgeoning regulatory pressures; in the extreme, the ability of a divesting organization to provide assurances of data compliance could impact the value of, or liability associated with, the deal.

Risk

Like compliance, above, there is a clear headline risk that, alongside more traditional information security measures, an IG program provides important mitigation against. In short, the top line item driving information risk in any organization should be the risk of breach and subsequent data loss. Indeed, organizations should consider breach an inevitability and should carefully consider the costs of response vs a more proactive stance. Of course, in the area of information security, this is a foundational driver, but the case should be made for IG to complement that effort in a synergistic relationship. In our experience, its the IG and Records groups that understand unstructured data and have the know how to best orchestrate its oversight. Breach risk becomes reality once information security measures have failed, at which point, bad actors have a considerable time for 'free play' inside the information environment. With a working IG program in place, the chances of bad actors finding the crown jewels they are seeking is significantly reduced; what’s more, as the organization learns of the event and moves into a response phase, the first question is ‘what information was lost?’. Organizations with sound IG in place can readily answer that call while those without have to, effectively, stand up an IG effort at no notice, incurring costs many of orders of magnitude greater than those of a proactive stance. Further, since IG provides assurances about what information is where and manages its continual disposition based upon the organization’s risk profile, it also reduces the cost of information security in the first instance, since costly controls can be focused where they are needed.

In short, an effective IG program reduces the blast radius of data events such as breaches or legal discoveries (and see also M&A events above) both in terms of the liability for data loss and the cost of operational incident response.

Efficiency

The menu options for efficiency have varied over time; in the early days, reducing the cost of storage and backup was the primary game in town. Back then, data cleanup might be justified on a simple ‘per terabyte’ business case.

However, the last decade or more has seen a series of paradigm shifts in technologies and approaches to data storage. Beginning with the plummeting costs of storage arrays and archive services through to the scale and scope of cloud infrastructure storage services, the cost and efficiency case for IG has become sketchy or, at least, unclear.

The reality is that efficiency gains from IG can still be relevant, depending on the context:

• • Wholesale cloud infrastructure adoption requires data migration. An effective IG program allows migration costs to be reduced by reduction data scope. In short, it allows organizations to choose what goes and what is disposed of.
    
    
  • As cloud storage services become more sophisticated, cost models have evolved. While storage costs may be highly attractive, egress costs can be prohibitive. IG’s role here is to enable the organization to select the right storage approach based on the nature of the data in question.

While we wouldn’t place efficiency at the top of any IG vision, it seems clear that it must play a part. In recent customer discussions, data lifecycle cost has, once again, become more important. Further, users who are the victims of migrations without any IG oversight are apt to comment "This is just a fancy version of our messy file shares" and are left to deal with both learning the new technology AND navigating cluttered and poorly managed data. For these reasons we would consider efficiency as part of an IG vision or business case.

Value

All organizations should have data value as one of their top table initiatives. Typically, these initiatives fall under the umbrella of data governance (DG), a conceptual peer of IG, which builds a picture of the data streams and assets which underpin the value of the organization and seeks to identify insights and opportunities to grow that value. Traditionally, the nature of unstructured data, and the associated records management discipline, has led IG to be founded in compliance, risk and efficiency. However, with most unstructured data now being ‘born digital’ and records and information professionals bringing competencies in its management at scale, the time is ripe for IG to join the data value party. Indeed, a strong IG capability should consider value a necessary next step while the most forward-thinking organizations could event lead their IG effort with value-based performance measures.

In short, when organizations seek to organize unstructured data in way that enables it to be drawn upon in some value stream, this necessitates governance standards and practices to that data, all of which are the daily business of IG. IG leaders should therefore be placing value high on their agenda and ask themselves how they can bring unstructured data into the organization’s information architecture and create trusted, valuable data streams from unstructured data. We’ll give examples in a later article, but by way of a look ahead, we’ve seen contracts management, engineering and technical drawings, training data sets and geological mineralization concepts spawn from strong IG programs and contribute to the organization’s bottom line.

Zero Dark Data

We’ve covered the ‘why’ of IG, the burning platform of poorly managed or ungoverned unstructured data, and now we’d like to make the case for a bigger vision – a guiding principle which aligns the organization around the overall effort. In common with our North Star, it should come as no surprise that we see Zero Dark Data (ZDD) as the rallying call for any information professional and especially any IG program. Sure, leadership can neglect a vision and simply take a project-wise approach which lines up SMART objectives and knocks them down one-by-one, but chances of sustained success are significantly improved with a consistent guiding light.

ZDD establishes a position whereby knowing about and understanding data assets is the root from which everything else grows. In many ways it’s the antithesis of the current situation and, like all good visions, its aspirational in its scope. However, it has the advantage of being like an inbuilt pressure relief valve, since it challenges the organization to understand its data and then do nothing more than make pragmatic policy-drive decisions based upon that understanding. This is the heart of IG and a necessary waypoint to compliance, managing information risk, delivering information efficiency, or driving any kind of value from unstructured data.

ZDD can be implemented in slices or layers – there is no need to boil the ocean – and so leadership can adopt a ZDD vision and has the freedom to construct and adjust a delivery program matched to its resources and needs. While ZDD thinking can be applied to any kind of data, it has most utility in the land of unstructured data in the wild, where runaway data volume, freedom of user action and growth in the number of repositories has caused it to become a significant source of compliance risk. Furthermore, it is in these data wildlands where a sizeable percentage (if not the majority) of data breaches or eDiscovery events begin.

Compete or Comply?

The tension between investment in compliance and driving improvements to the bottom line is a fact of life for any leader. Compliance in and of itself is a heavy burden to bear, with complex and diverse requirements needing significant investment which often yields far from rapid nor tangible results. We’ve even heard plausible deniability cited as viable mitigation for lack of proactive compliance. It’s no surprise, therefore, that IG often struggles to gain traction beyond a few point projects.

At the heart of this blog series lies an assertion that the compliance and risk drivers we identified earlier can no longer be ‘kicked into the long grass’ and that the lack of a proactive IG program truly is a burning platform – a situation which can no longer be tolerated. In our first article we discussed brand reputation and, earlier, we identified increasingly explicit demands for evidence of sound data stewardship in third-party compliance requirements. The rule of thumb that response is radically more expensive than up-front mitigation has been born out in the cost of eDiscovery and in the headlines surrounding, for example, the US Government consent order applied to Equifax following its well publicised data breach. Indeed, the Equifax response and recovery involved a whole-of-business effort which swept up more traditional security measures as well as more forward-looking initiatives for both data and IG.

This then leads to this article’s conclusion that, far from being just an insurance policy, IG programs build a necessary set of resources and capabilities that not only enable compliance and mitigate enterprise risk, but also have clear potential to drive new value. Leaders therefore need not consider ‘compete OR comply’, rather they should lean into ‘compete AND comply’. Working towards a ZDD vision leads naturally to the management of less, more valuable data; this, in turn, promotes compliance, optimizes risk and enables opportunities to develop valuable insights from unstructured data. At this point, it’s worth noting the corporates are investing in Environmental, Social and Governance (ESG) programs as part of a growing acknowledgement of the brand value of attached to transparent responsible action. As data footprints skyrocket, it follows that information leaders who get better at storing less data will be making a concrete contribution to the ESG bottom line.

However leaders prioritize their unstructured data governance effort, they should be sure to return periodically to one core question: When you want to bring unstructured data into the picture, will you ready?”