by Doug Meier - Pandora Media Inc.
on September 12, 2017
Legal & Industry Education
Whether in “startup” mode or in “recurring initiative” mode, we expect a lot from an information governance (IG) program and its leaders.
For example, the program should follow agreed-upon best practices, like adhering to a maturity model and aligning with the concept of Privacy by Design, and should establish processes like records management and legal hold notification. Likewise, the program leaders are expected to communicate policies and procedures, identify and remove unstructured data debris—including redundant, obsolete, and trivial information (ROT)—and maintain ongoing IG efforts.
These are all admirable goals and objectives, but they are not enough. For an information governance program to survive, it must align with and embrace objectives that go beyond best practices and standard guidance. Here are a few ways to level up your IG program.
All data is not equally important.
How do you know which data is truly critical to business continuity and which data is highly sensitive and would be damaging if leaked, stolen, or lost? You rely on the data owners—the subject matter experts up and down the corporate chain who know.
How do you know if you’re demonstrating appropriate concern for your data that matters most? Your data classification schema and information sensitivity policy identify highly critical and sensitive data types. Agreed-upon information security policies are documented and followed by technical teams to assure the CIA (confidentiality, integrity, availability) of highly critical and highly sensitive record types.
Privacy and security should be embedded into the design and operation of software, APIs, IT systems, networked infrastructure, and business practices. Lobby for Privacy and Security by Design as a requirement, not a post-implementation afterthought. Use the information governance program as a bully pulpit for building data security and logical access security into the product or program design.
As IG professionals, we should be wary of seeming obtuse, academic, and pedantic to our tactical peers in IT, network infrastructure, development, and information security. The more significant our information governance initiative, the greater the likelihood that implementation will depend on a trusting business relationship with technologists who have other, mostly tactical, keep-systems-running priorities.
Whether deploying and testing file scanning software, migrating data repositories between platforms, evaluating data security/privacy/analytics vendors, managing unstructured data repositories in the cloud, developing an information rights management strategy, or deciding on encryption methods used for data at rest, in transit, or in use—take the time to look at your IG project implementation from a pragmatic, technologist’s viewpoint. Be sensitive to their workload and schedule.
A data security risk assessment and business impact analysis will establish the impact and cost of losing sensitive data in a security incident or data breach. Gartner IG expert Doug Laney makes a great argument for actively valuing information as an asset, not just as a liability. Going through the exercise of putting dollar signs on data—using methods similar to those used to assign value to software and hardware assets—establishes a baseline for calculating IG program ROI and cost effectiveness.
Do something that clearly demonstrates meaningful results. Identify a glaring need that can be remedied through technological means without much resistance, and whose resolution is worthy of being reported up to board level.
For instance, if your company’s email retention policy is KEF (Keep Everything Forever), enrolling employees in a 90-, 180-, or 360-day email retention policy achieves an immediate reduction in e-discovery and operational costs, reclamation of email server resources, reduction in legal and financial liability, and, best of all, forces people to stop using their email accounts as long-term storage repositories.
Most IG programs need a perception makeover. The message is too often, “we slow business down.” It needs to be, “we streamline and enable the business.” Like any other internal cross-functional initiative vying for attention, information governance goals need to be highly socialized, evangelized, and communicated as beneficial and critical. Don’t operate behind the curtain. Evangelize the benefits and efficiencies that have been realized by your IG program efforts.
Good information governance doesn’t happen in a vacuum. A comprehensive, transparent, and accountable identity and access management (IAM) program provides a foundation that allows an IG program to succeed and mature. Having assurance that the user is who they claim to be, and knowing what they have access to, is critical to enacting a common vision.
Each passing day, the volume of data scales exponentially. Increasingly, data is subject to exposure via social media channels and BYOD devices. Ad hoc data exchanges, via APIs or code snippets, are the norm. Compliance obligations in the form of data sovereignty, data privacy, and data consent mandates are looming. To meet these mounting challenges, the role of a Chief Information Governance Officer (CIGO) has a place at the table as the enterprise’s architecture is being planned, implemented, and reviewed.
Doug Meier is the director of trust & compliance at Pandora Media Inc. Doug has more than 20 years of experience designing, staffing, and managing enterprise architecture, enterprise security, information security, IT GRC, and related programs for Silicon Valley Internet companies.