
Commentary

E-Discovery and IG in 2017 and Beyond: The Recording of Our Online Discussion Now Available

We had a great online discussion this week with IGI Charter Supporter OpenText about trends in e-discovery and IG for 2017 and beyond. We also talked about the significance of their recent acquisition of Recommind and what it says about OpenText's product strategy and the market in general.

The video will be available here on our public site for a week, at which point it will move to the Resources section of our growing online community, where you can create a profile and interact with your IG peers. The slides from this online event will also be available there shortly.

 

Eight Reasons It’s Time for a Data Map

A data map is an inventory and visualization of your company’s data and information assets. The rising number and severity of data breaches is generating strong demand for maps, and there are other reasons to create, improve, and sustain one.

  1. Data Maps Make Chief Information Security Officers (CISOs) More Effective. The newly hired CISO, on day one, wants to see the company’s data map. Without one, how would they know what they’re supposed to protect? Not all information is created equal, so it does not all require the same level of protection. How will your CISO identify and find the sensitive data? Without a data map, the CISO flies blind.
  2. Data Maps Drive Business. We live in the golden age of data analytics. Your teams want to harness vast stores of structured and unstructured data to develop needle-moving insights. However, they need the comprehensive awareness that a data map provides to know where the most accurate and trustworthy data lives.
  3. Your Board Wants a Data Map. The National Association of Corporate Directors, in its Cyber-Risk Oversight Handbook, instructs board members to ask management for a data map. Your board will not take kindly to being told “no” because data maps are an “ocean boiling” or “Golden Gate Bridge painting” exercise. Data maps are both of those when you do it wrong, but something else entirely when you do it right.
  4. Data Maps are Essential for Compliance. FINRA regulations in the financial markets, PCI for retailers, 21 CFR Part 11 for pharmaceuticals, and HIPAA in healthcare are some well known examples of the massive and growing volume of laws, regulations and standards focused on data protection. Frankly, it is very difficult to achieve compliance with these kinds of directives without a data map.
  5. Data Maps Let Us Actually Treat Data as an Asset. Data needs a sponsor at the corporate table, much like the head of HR has responsibility for the people in an organization. Most organizations do not have this role because – candidly – most of us blithely talk about information as an “asset” but few of us have the tools or the mandate to actually inventory, assess, and manage this asset. This needs to change, and the data map provides a central tool that this new kind of information leader needs to drive the change. This mandate might be given to an existing CIO, CFO, General Counsel, COO, or to an entirely new role that is emerging called the Chief Information Governance Officer (CIGO).
  6.  Data Maps Create Data-Centric Organizations. The process of data mapping involves people from across the organization, including IT, Finance, Legal, and business unit leaders, among others. This process engages employees and helps stakeholders across the organization think and act in a data-centric way. Critical questions emerge, such as: what data are we collecting and why; how do we use the data to make better-informed business decisions that create incremental value; and what can we do to ensure that the data is of high quality?
  7. Data Maps Make Good Housekeeping. Studies show that about two-thirds of an average knowledge worker’s data is redundant, obsolete or trivial (ROT). Eliminating ROT lowers storage costs, and it’s easier to find and protect the useful data that remains. However, as many organizations hauled into court have discovered, getting rid of the wrong thing at the wrong time can result in enormous penalties and even criminal charges. Good housekeeping in the data environment is not possible without an accurate, comprehensive, and up-to-date data map.
  8. Data Maps are Doable. Data get balkanized within lines of business and in functional areas across organizations, creating unnecessary risk and limiting our ability to realize value from them. These assets reside in data centers; in devices such as cell phones, tablets, laptops and thumb drives; in the cloud; on paper; and elsewhere. New technology and techniques to locate, identify, track, and visualize data put the job of building and sustaining a data map within the reach of every company.

Craig Callé is a member of the IGI Advisory Board, a small group of senior professionals and subject matter experts representing the disciplines that together comprise Information Governance. The Advisory Board provides feedback and direction on the IGI's agenda and strategy.

 
Global Information Governance Day

Global Information Governance Day: Four Years In

Happy Global Information Governance Day, everyone!

It’s hard to believe that today is already the fourth annual Global Information Governance Day (GIGD). This year I saw the date coming up on the calendar and helplessly watched as it approached closer and closer. Yes, GIGD was coming for another year. In prior years, we have done a lot around this day, including Twitter chats and other things, which were fun.
This year, however, we are fortunate enough to be so fully engaged in defining the best practices and the profession of IG that we haven't had as much time for GIGD hijinks as we have in the past.

Reflecting on this, I think our experience mirrors that of the IG professionals we work with in our community. Like theirs, our heads are down—laser-focused—on actually doing IG, as opposed to thinking about it, trying to define it, or just talking about it. And, even though I may be a characteristically humble Canadian, I'm not too humble to avoid letting the IGI take credit for a huge part of this transition.

Four years ago, as Tamir Sigal, Garth Landers, and I stood in the back room of Faces & Names in New York (now the headquarters of our annual cocktail reception—thanks to the 350 people who managed to squeeze in a couple weeks ago) and riffed on Tamir's idea for GIGD, I have to be honest with you, we were laughing at the idea of having the audacity of just, well, declaring that GIGD was a thing. In hindsight, I guess audacity was probably the most important element of that discussion.

Barclay T. Blair, Founder and Executive Director of the Information Governance Initiative (IGI) and co-creator of Global Information Governance Day (GIGD).

Four years later, it's kind of crazy to see GIGD become a thing, with a lot of chatter and announcements happening in our industry. At the time we invented GIGD, the Information Governance Initiative wasn't even a gleam in my eye, unless you count a set of messy slides I created in a fever dream as a "plan."

Standing in that same spot a couple weeks ago, I was frankly kind of amazed at what has happened to IG in the past four years, and what we have accomplished at the IGI in only two.

    • Yesterday, I presented our annual report on a webinar for AHIMA, a valued IGI partner and professional association for 60,000 information professionals in health care that has gone all in on IG.
    • Last month, we partnered with Skytop Strategies at an event with an audience that I have never discussed IG with before. They are so hungry for knowledge and best practices around IG. These are the people who design, sit on, and build public company boards. A cool triangulation occurred at that event, where a great speaker from one of our events, Scott Ernst, a VP at Wells Fargo Insurance (and all round good guy), was a major contributor to an animated discussion around the role of IG in cyber insurance policies.
    • Next month, we're doing an event with Skytop focused on the connection between cyber security and governance for institutional investors and shareholders.
    • We have also done events and research with partners in the chief data officer world, in big data analytics, and in cyber security.

It's still hard for me to believe that I am talking about IG with these and so many other amazing communities in privacy, cyber security, big data, analytics, and the list goes on. Here is more of what we have achieved this year:

    • We recently met with senior executives from one of the world’s largest hedge funds, who are being asked to incorporate IG into their assessments and valuations of the companies they invest in.
    • Today, there are IG leaders in our corporate counsel group who now have IG staffs of dozens of people and budgets of tens of millions of dollars. (Check out the roster from our Chief Information Governance Officer (CIGO) Summit last year, and mark your calendar for May 25-26 for this year’s event, which will be even bigger and better.)
    • Over the last year, our engaged audience at the IGI has doubled to more than 11,000. The number of providers supporting us also more than doubled.
    • We created the IGI Awards and handed out our first CIGO of the Year Award to an amazing leader at MasterCard. Check out her acceptance video here.
    • Our in-person events reached more than 1400 people, and our webinars reach thousands. In 2015, we held 7 boot camps; numerous dinners, webinars, partner events; the first annual CIGO Summit, and a national conference on IG.
    • We have created numerous resources and publications, too, including, e.g.,
      • Stories in Information Governance—The IGI 2015 Benchmarking Report.
      • The IGI Annual Report 2015-2016—Based on our survey of the IG community.
      • Information Governance 2020-2020 Vision on Information Governance—looking at the predictions of IG leaders for the future of IG.
      • Introducing the Chief Information Governance Officer: A New Information Leader for a New Era.
      • And much more. Check out all of our publications available at our online community.

Our signature piece, the IGI Annual Report, now in its second year, shows how the discipline has grown and that the work of IG is getting done. This is worth a deep-dive read to bring you up to speed with what is happening today in IG. Among other things, it shows that most providers in the space predict rapid growth this year, and over one third predict at least 30%. The community is also coalescing around the need for a designated IG leader—which we had anticipated and have championed in the idea of the CIGO.

In short, four years after the idea for GIGD was birthed in the kind of punch drunk conversation you have with your friends during marathon conferences, a true IG industry, market, and profession have emerged.

OK, that's about all the time we can spare for reflection. Back to work, everyone.

But, for those of you paying attention at home, don't worry, I will not disappoint. As has become the established tradition on this day, I close with the ceremonial viewing of goats yelling like people.

Happy GIGD!
Barclay

 
Skytop and IGI Events

Zenefits’ C-Suite Shakeup: IG Comes to Silicon Valley

It’s not every day that a CEO of a unicorn valued at $4.5 billion resigns.

But that’s exactly what happened earlier this week when Zenefits announced Parker Conrad, the HR software company’s cofounder and CEO, had resigned.

What happened?

Back in November, BuzzFeed reported that Zenefits was allowing its sales team to sell health insurance without licenses in at least seven states. (The fintech company, which was founded in 2013, generates revenue when its customers buy health insurance policies from insurers via the platform.)

Making things worse, details emerged yesterday suggesting Conrad allowed his California-based brokers to fake their mandatory training. The former CEO is said to have thought the 52-hour certification program—which was required by the state—was too long. So he created the company’s own training program, effectively allowing employees to fudge their numbers.

Compliance might not be sexy to investors or executives. But as David Sacks, the company’s new CEO, stated in his letter to employees announcing Conrad’s departure, compliance “is like oxygen” for a company in a heavily regulated industry.

If the stars align, hot, fast-moving and growing tech companies chug along as fast as they can toward an IPO. But in that race to the finish line, they cannot act in ignorance of their IG obligations. Sooner or later, it’ll catch up to them—just ask Conrad.

In Silicon Valley, there’s a tendency for startups to act as though the rules don’t apply to them as they seek to disrupt industry after industry. This makes sense to an extent, because startups have to move fast in order to beat their competitors and reward their investors with an IPO.

But those IPOs have to be successful. Though Zenefits received that impressive $4.5 billion valuation, we’re now looking at a company that ran headfirst into the brick wall of reality.

A long path forward

Sacks’ letter, which is posted on the company’s blog, lays out a useful model for a bold, wholesale change—including the creation of a new C-suite position, the Chief Compliance Officer.

“We must admit that the problem goes much deeper than just process,” Sacks tells his staff. “Our culture and tone have been inappropriate.”

The new CEO obviously has his work cut out for him as he attempts to turn a laissez-faire tech company into a more formidable force in a heavily regulated industry. Moving forward, Zenefits will emphasize integrity in all that it does—including its compliance obligations.

It’s true hindsight is 20/20. But it’s probably safe to say that Zenefits executives and investors wish the company was built on strong IG principles from the outset. At the very least, the unicorn would have a lot less of a headache.

It remains to be seen if the cavalier attitude that characterizes most tech companies—i.e., “grow first, ask questions later”—will actually damage Zenefits (and other startups that inevitably encounter similar problems) in the long run. What investors, regulators, customers and the markets do over the next couple of quarters will give us the answer.

 
IGI Automation

Simplifying Information Governance Through Automation

Our organizations are experiencing unprecedented growth in the volume, complexity, and importance of information. This growth is so remarkable that it is outstripping our ability to properly govern and exploit information using traditional methods and technologies.

Information Governance (IG) is a new approach that is designed for this new reality and powered by new technologies that can intelligently automate key governance activities. IG ensures that we have the rules and infrastructure in place to minimize information risk, thus enabling us to put that information to work with clarity and confidence. However, successful IG depends upon our ability to reduce reliance on our employees for the most critical IG tasks, thus freeing them to focus on their jobs. In this blog post, I will briefly address some of the common failings of traditional approaches and discuss how IG and automation can help.

Manual Classification

Our experience has taught us that manual classification is often less than ten percent effective. Automated systems enable organizations to use metadata to classify documents the moment they are created. Digital data is created quickly, shared widely, stored chaotically, and classified sporadically, creating a new set of challenges that traditional, manual approaches cannot address. Unlike static paper records, digital records quickly proliferate across all corners of the organization. Classification upon creation eliminates the marked inefficiency associated with post-creation audits and everyday document retrieval.

Improper (or Non-Existent) Cataloguing

Organizations need a uniform approach to storing information. Digital documents are an additional piece of the increasingly complicated IG puzzle. Not only are most companies in the dark about how much data they own, they are also inflating risk by retaining information that should have been disposed of, making effective, accurate governance a near-impossibility. This is why IG is no longer merely a suggestion, but a necessity. Because they cannot implement a retention schedule effectively across physical and digital repositories, many organizations do not defensibly delete documents. However, according to a recent Gartner report, 30 percent of an organization’s data is redundant, outdated or trivial (ROT) and 50 percent of data has an indeterminate value. And, despite the reduction in cost of digital storage, IT infrastructure costs on the whole continue to rise.

Confusing Retention and Destruction Schedules

Enforcing retention schedules uniformly across an enterprise’s digital data has become a near-impossibility using traditional approaches. Automation is an essential way to simplify compliance. Even simple techniques, like automating reminders and status updates about the eligibility of records for destruction, can make a massive practical difference. Much of our information has little ongoing value, but due to both our ignorance about its status and our inability to defensibly implement our retention policies, we default to keeping it – indefinitely. This signals to parties both inside and outside of our organizations (like courts and regulators) that we do not take our record-keeping obligations seriously – or at least not seriously enough to even comply with our own policies.

A retention schedule is a vital component of any IG solution, as it provides an authoritative framework for getting rid of unnecessary information, which not only benefits legal compliance but also makes employees’ lives easier by enabling them to better access information that has real value to them. However, traditional, outdated retention schedules only serve to increase the likelihood that many documents (both paper and digital) will be neglected and disappear into the “black hole” of information that no one recalls or governs.

Leading organizations realize that automated IG approaches are the way forward, as automation enables those organizations to pragmatically reduce risk and increase value related to their information assets. Put simply, automatic, user-friendly, and collaborative IG approaches empower organizations to simplify and govern information environments that have become dangerously disorganized and overwhelmingly complex.

Robert Hamilton, Global Vice President of Information Governance & Records at Recall

Rob Hamilton is the Global Vice President of Information Governance & Records at Recall. Rob joined the Brambles family of companies in 1998, when he accepted a role in Customer Service for CHEP, Recall’s sister company. Rob joined the Recall team in 2009 as Global Director of Contract Compliance. Rob is an international business leader who has worked in China. He holds an MBA from Pepperdine University’s Graziadio School of Business and Management in Leadership & Managing Organizational Change and an undergraduate degree in Marketing from Miami University’s Farmer School of Business.

 
The Best Job That’s Up For Grabs


Data and other information assets are the lifeblood of any organization; yet, rarely are they comprehensively managed as critical assets. These assets are balkanized within lines of business and in functional areas across organizations. They reside in data centers; in devices such as cell phones, laptops and thumb drives; in the cloud; on paper; and elsewhere. Unless organizations understand these assets, they cannot fully protect and monetize them. One C-level executive should be empowered to sustain a comprehensive information governance program, and there has been neither a more important time, nor a bigger opportunity, to do so.

Data breaches are on the rise, and they are indicative of weak controls that can ignite regulatory responses and cost organizations dearly. For the Chief Executive Officer and Chief Financial Officer, breaches can mean much more than just diminished brand value or reputational damage.

Photo courtesy of Steve Mitchell-USA TODAY Sports

Need proof?

First, the recently updated internal control framework that is a foundation of Sarbanes-Oxley makes breaches a cause for possible criminal liability. Second, the Federal Trade Commission (FTC) has brought over 50 cases against companies that have exercised poor housekeeping of consumers’ personal information, leading to expensive settlements. Third, the U.S. Securities and Exchange Commission’s (SEC’s) cybersecurity enforcement actions thus far have been focused on financial institutions, but growing congressional pressure may lead to broader activity. There is an alphabet soup of other regulations that obligate organizations to maintain data more securely. However, regulators are not the bad guys here; it’s the hackers and other bad actors that compromise data security and trigger costs beyond the regulatory pain. Regardless of the motivation, organizations must adjust to a new style of Information Technology by getting visibility and control over their data and information assets.

The opportunities to create value from information governance are tremendous. Organizations are rapidly outgrowing IT architectures built around relational databases and structured data. New platforms and tools can help people collect, prepare, analyze and visualize huge amounts of data, including unstructured data developed from social media, Internet of Things sensors, and other touch points that yield valuable new insights on consumer behavior. These platforms and tools are collaborative and intuitive to operate, so executives and analysts in the lines of business can more quickly make smarter decisions without having to rely on Finance or IT to get them information. Now that organizations can close the books on time, they should more quickly derive richer insights about the future, not just the past.

Information governance technology, people and processes reduce cybersecurity, litigation, compliance and other risks and create value through the use of emerging data analytic tools and practices. A successful information governance program leader would command the respect of the organization’s C-level of executives, and align everyone with interests in data across the lines of business and functional support areas. The Finance, IT and Legal areas produce the most likely candidates for a role in information governance, and the ideal candidate would have familiarity with all three, and perhaps others.

Chief Financial Officers are recognized as the stewards of company assets. They are first in line when it comes to understanding and accommodating the demands of Sarbanes-Oxley, the SEC, the FTC and other regulators. CFOs are familiar to the Board’s Audit Committee, and they must confront the growing evidence of weak controls that data breaches represent. CFOs are the architects of the chart of accounts and key data repositories like enterprise resource planning systems. With their Controller, they make sure the books get closed on time each month, and their Internal Audit staff ensures compliance with control procedures. They are naturally data-driven as they not only marshal budgets but also design and review key performance indicators. They develop insights from data in business intelligence and predictive analytics exercises. The CFO’s team also includes enterprise risk managers, who have a vested interest in maintaining secure data and the means by which residual risk can be transferred with insurance.

Chief Information Officers are closely associated with data, especially with regard to the infrastructure and operating systems that carry the data and store it when it’s at rest. Security is a natural and all-consuming function and, at larger organizations, Chief Information Security Officers also get involved. They apply technology management standards and frameworks from NIST, SANS, COBIT (ISACA), ISO and ITIL, among others. CIOs assess and deploy data analytics tools that lead to value creation. They are responsible for managing the licensed software and hardware assets, as well as software as a service applications (SaaS apps) and cloud hosts. Data is really just another asset they need to manage.

General Counsels bring a pronounced sensitivity to privacy and compliance issues that makes them comfortable with information governance responsibilities. Records and information management, including retention policies, often originate from this group. Operating with a ‘lean data’ mentality, they drive lower storage costs, as well as greater efficiency and accuracy in accessing content. Their central role in litigation and due diligence makes them no strangers to evolving eDiscovery, archiving and other technologies to manage data and information assets. Armed with knowledge of the law, they carry weight in any organization, and can drive policy enforcement in ways that other groups respect. They shepherd the innovation process when they work with developers of intellectual property.

The person running information governance will confront conflicts when balancing the interests of risk mitigation and value creation. For example, the legal side of the house generally advocates ‘less is more.’ They are more likely to champion records retention policies that eliminate the potentially embarrassing email that they would prefer not be discovered one day. Business analysts, on the other hand, are never quite sure what data they might need one day, so they would just as soon keep it all, especially as storage costs continue to decline rapidly and analytical tools become more powerful and user friendly.

Chief Information Governance Officers are starting to emerge at large organizations today, and their role in risk mitigation and value creation can be tremendous. More prevalent, but narrower, roles include Chief Digital Officers, who tend to come from Marketing backgrounds, and Chief Data Officers, who tend to concentrate on structured data and analytics. Many organizations feel they cannot afford yet another C-level position but, at the very least, one C-level executive should carry the responsibility for comprehensive information governance. Who should “own” data and the information governance process at your organization?

Craig Callé – CEO, Source Callé LLC

Craig Callé is a Data Advocate. He runs Source Callé LLC, a Philadelphia-based consulting firm that helps organizations mitigate risk and create value by treating Data as the critical asset. Boards of Directors, as well as CFOs, CIOs, GCs, and their teams, turn to them to prevent, detect and remediate cybersecurity incidents, unlock the value of their data, and create comprehensive information governance programs. They have a special focus on the large, growing, and remarkably under-addressed attack surfaces that originate from employee use of cloud-based services and third party vendors with network access.

Most recently, he was SHI International Corp’s Chief Strategy Officer and also was responsible for all pre-sales support, partner management and service delivery functions, including its IT Asset Management Group.  SHI is one of the largest IT solutions providers, with 2014 revenue of $6.0 billion.

He has been the CFO at Amazon.com responsible for Digital Media, including Kindle and Audible.com, and the North American Books e-commerce businesses. He also was divisional CFO and Treasurer at Gateway, helping to lead the turnaround and sale of the company to Acer.  As SVP-Finance and Treasurer at Crown Cork & Seal, he helped transform the company into the global consumer packaging industry leader.  He began his career as an investment banker at Salomon Brothers, where he completed numerous  transactions for Fortune 500 and emerging companies.

He holds BA and BS Econ (Wharton) degrees from the University of Pennsylvania and an MBA from Harvard University.