MCC: What are the drivers behind corporate information governance (IG) initiatives?
Lawson: Risk is a big component along a number of lines. One pertains to unwanted data, meaning information that lives inside of the enterprise but adds no business value. This information presents risk when a company is required to access it downstream or provide it to others. There are additional risks in inadvertently purging data that may be subject to regulatory retention or litigation hold requirements. The key is to ensure that everyone is aware of its existence and the need to retain it. Additional risk lies in not realizing the value of data, meaning information that could be highly valuable to the enterprise or to its clients. There are also the more obvious financial risks, which include the cost of storage, data access and downstream analysis.
MCC: Can you give some examples of unrealized value when it comes to corporate data?
Livingston: Let me take a quick step back to describe the important difference between data and information. They are not interchangeable terms. Data refers to unprocessed facts and figures, while information is the contextual result of processing and analyzing data to provide a tangible benefit to the company. In practical terms, companies that understand their data can process it into useful information that can be leveraged to achieve a specific business goal. For example, by examining internal infrastructure to locate where highly confidential information resides specific to applications, one could compare the security risk profile for those same applications and thereby identify the highest vulnerabilities within the organization. The key in deriving valuable information from a process like this is knowing what points to compare.
Lawson: To your question about unrealized value, in theory, when one business unit doesn’t share information, other units lose the opportunity to create value. Take national cybersecurity as an example. Agencies are cataloging all types of information, which are then shared. While all of this material may not be perfect, the threat intelligence value that is created by sharing this information is immeasurable.
As another example, if you take that up the corporate chain, a board of directors looking to create value might request business analytics from the customer care group: call logs, transaction records, tracked demand for a product and client demographics. The business analytics team may not even realize that this information is available internally and may be purchasing it from third parties. That’s the kind of situation where IG initiatives, by identifying these sources and connecting the dots, can create significant value at multiple levels within the company.
MCC: Given today’s data volumes, what’s the best approach to corporate IG initiatives?
Livingston: It’s common knowledge by now that what used to occupy a couple of file cabinets in a corner office now equates to data stores the size of the Library of Congress. Given that data is checked in and out during the course of business, we’ve found that the best approach is a traditional library model, meaning the logical grouping of information to make it more accessible. Indexing data at a parent taxonomy level, similar to creating a library’s card catalog, allows for easy retrieval and cross-referencing to other topics, applications or native warehouses, so users can see all information relevant to their searches and job functions.
The whole idea of logical organization implies a fundamental shift for most IT departments. The expansion of technology, bandwidth and connectivity has made information more easily virtualized, meaning that you can access it from any location around the world; therefore, IT is shedding its physical mentality of maintenance in favor of logic-based systems that operate within cloud-based storage. Here, information is grouped intelligently around policies, such as those relating to disaster recovery or regulatory compliance, providing better visibility into the company’s risk and, more generally, aligning data access with business goals.
Lawson: Extending the value beyond logical organization is what you might find in an advanced IG program. Think of it as Google searching for enterprise data. Their platform is a great example of bringing a tried-and-true model into the here and now: they logically organized information and then made it dynamic by adding search analysis and evaluation capabilities, so now users can organize information in reports or visualizations and look for content across the logical boundaries that they’ve set – all on the fly. All of this is presented in dynamic reports and visualizations that are meaningful and useful.
MCC: How does this tie in with defensibility?
Livingston: Both the 2007 and 2010 Sedona Principles for Managing Information & Records reference a specific U.S. Supreme Court ruling in U.S. v. Arthur Andersen, essentially an appeals claim in which Arthur Andersen successfully defended its actions in destroying records on the basis of having a documented legal preservation policy allowing for such destruction. So it’s a safe bet that a company with policies in place for organizational structure of their data – including systems that allow for searching and the subsequent disposal of stale information – will be better prepared to defend its process further down the road.
Lawson: Follow-up is critical because only part of the purpose is served by establishing a defined process for deleting data based on business requirements, regulatory requirements or the lack thereof. Actually enforcing it and carrying out the purge is an equally important part of defensibility. A robust IG program will go further by identifying the systems, validating the freshness and the accuracy of the data, tracking litigation or regulatory preservation or collection activities, and then tracking audits on retention and purging.
IG systems time stamp and track when policy decisions are made and enacted, as well as indicate which regulatory or discovery obligations warrant modifications to otherwise mandated purges. When matters arise, you can quickly search for the relevant systems; you have the tools to show the business reason behind a purge and answer an opposing party’s claim that certain documents should have been retained.
MCC: How do IG systems serve a company’s need to protect its intellectual property?
Lawson: IP is the lifeblood of many of today’s companies, and its protection converges with equally critical concerns related to cybersecurity. The ability to classify and then search for systems based on identified breach attempts or risks will lead to smarter decisions about data protection. Further, those strategies can be applied across the enterprise on a proactive basis, such as tracking access rights and providing a holistic solution for evaluating metadata as it pertains to IP, and enabling data protection more generally. The ultimate goal is to stay on top of trends and protect the company’s competitive edge.
MCC: Talk more broadly about business intelligence. What solutions does iDS offer?
Livingston: With our xiG℠ platform, iDS has implemented what essentially is an online Wiki that encompasses policy, procedure and any of the logical information buckets that a company wants to track. The xiG platform drives long-term value because it allows companies to see how information changes over time and learn from that process. Think about it. If you could look back at history and empower yourself to change your future in a positive way, wouldn’t you? Of course you would.
Legacy data, when managed proactively to avoid risk, provides organizations with a learning opportunity that creates efficiencies, drives bottom line savings and enables companies to adapt to the changing marketplace – all without drastic changes to their internal organizational structure.
MCC: Please describe first steps for a company looking to initiate an IG program. How can iDS help?
Livingston: The first step is to establish a basic understanding of its library by creating an index or a system of organization that’s best suited to the company’s goals. This is a long-term effort that requires a partner to help with strategic decisions and facilitate the process. That’s what we do at iDS, and we can provide exactly the right team for the job, from data protection experts and data analysts to IT and legal professionals. The xiG platform is really a blank slate that can be customized to match the company’s goals and create methodologies to manage their defined buckets of business-critical information.
Lawson: In a typical iDS information governance engagement, we work with legal, compliance and IT stakeholders to understand their priorities, whether it’s reducing discovery costs or protecting critical intellectual property, as well as their pain points. Expanding on Trent’s point above, once a client’s libraries or comprehensive data maps are created or are in progress, we identify technical and functional systems, discover the type and business purpose of information within those systems, understand the company’s retention needs as they relate to business objectives and regulatory and legal requirements, collect the information and, finally, populate the library index card catalogue. The underlying goal is to determine how value can be gleaned from the systems through the interactions of actual users. All of that information is then consolidated into the xiG platform, which allows dynamic, searchable access as well as powerful analytics and visualization capabilities.
For clients who want to self-serve, this can be a daunting process because the xiG platform’s signature answer to questions like “how do we classify data” is “anyway you want.” What iDS and our IG experts are here to do is to help target the issues, provide templates for proven best practices and deliver the goods when it’s time to expand.
MCC: In closing, tell us why IG is a “must-do” project.
Livingston: I compare IG to retirement planning. If you’re not planning for tomorrow and learning from your mistakes, you’re destined to fail, and it’s just as important to maintain a successful program as it is to set it up in the first place. The critical point is that, in doing so, you can adjust to market developments, maximize profitability and help your company succeed over time.
Lawson: The visibility of IG-related issues, such as litigation preparedness, discovery costs or data and IP protection, rises to the board level. The risks in these areas have reached a critical mass in today’s business world, and boards are willing to dedicate budgets and time to implement holistic IG systems and policies to manage them. While quantifying downstream results for the reduction of discovery costs is easier than pinpointing the benefits of avoiding and addressing IP or data leaks, smart IG systems stem from a single platform that addresses all of them at once. And everyone can see the benefit of protecting company assets from competitors and would-be attackers.
Published March 20, 2015.
