Meru Data's Podcast

Simplify for Success - Conversation with Robert Smallwood

November 14, 2021 Priya Keshav

We invited Robert Smallwood on #SimplifyForSuccess, a podcast series presented by Meru Data and hosted by Priya Keshav.

As the CEO at IG World magazine and Chair at Certified IG Officers Association, Robert spoke on the results of a recent global IG study. He discussed the evolution of IG, tools being used in IG and the obstacles in IG.

*Views and opinions expressed by guests do not necessarily reflect the view of Meru Data.*

Priya Keshav:  

Hello everyone, welcome to our podcast around simplifying for success. Simplification requires discipline and clarity of thought. This is not often easy in today's rapid-paced work environment. We've invited a few colleagues in the data and information governance space to share their strategies and approaches for simplification.

Today, we'll be talking to Robert Smallwood. Robert is an author of eight books on IG topics, including the second edition of “Information Governance: Concept, Strategies, and Best Practices” published in 2020, and he is also a leading trainer of IG professionals. Robert serves as a managing director of the Institute of IG, which provides training and research, and CEO and publisher of IG World Magazine, which recently held the IG Gov World 2021 conference in 3D virtual reality, and also the founder and chair of the Governance Board at the Certified Information Governance Officers Association, which provides advanced IG training, mentoring and certification services. So, let's welcome the hardest working man in IG, Robert Smallwood. Hi Robert, welcome to the show.

Robert Smallwood: 

Thank you, glad to be here. I appreciate the invitation.

Priya Keshav:  

Today we will talk about information governance. Robert, you recently did a global survey around information governance to understand the challenges and priorities for the organization around IG, right? 

Robert Smallwood: 

Yes, we partnered with some leading organizations in IG, including Hyland Software, Iron Mountain, E DRM, and E Discovery. The Institute for Information Governance, which is the training arm of our business as well as Certified Information Governance Officers Association. And we did a global IG study which we opened up in the July timeframe and we wanted to find out, get some benchmark data on, what's happening in IG? How is it changing or evolving? What tools are being used? What are the obstacles, and those kinds of things and I think we got quite a bit of good information in that report. 

Priya Keshav:  

What is information governance? Is it just records management, renaming themselves or more than that? 

Robert Smallwood: 

It's certainly more than that, and, there's been, maybe, some confusion, because different organizations and different companies when information governance sort of sprang into the United States around 2014. I mean it had started really in the UK in practice with the National Health Service around 2000-2001. It didn't really hit the United States till 2014, that's when the IG initiative was formed. That's when I published a book through Wiley, an information governance textbook and all the companies in records management started to sort of rebrand themselves as information governance and so did some of the E Discovery companies and some of the others. So, it sort of had a confusing effect on the marketplace because it initially looked like information governance was just glorified or fancy records management, and it's certainly not that.  

We can clearly see in this recent study that it's really a discipline where we attempt to minimize information risks and costs while maximizing information value. And I like to say, in short, that information governance is security, control and optimization of information, so we want to secure it within and outside the enterprise. We want to control information within and outside the enterprise, and we want to optimize it, so minimize its costs and maximize its value. It's this multidisciplinary approach that we can see those disciplines, those overlapping disciplines converging more and more. It was primarily records management really in first place. So, 4, 5, 6, 8 years ago, but now it's really in a tide when we ask practitioners, what do you emphasize in your information governance program?

They say legal records management, information risk, and privacy and data archiving and storage as well as E discovery and even all the way down to data science and data monetization. So those overlapping disciplines, primarily their privacy, security, E discovery and data governance, those have gotten, from our research, closer and closer aligned and associated with information governance. So, it's a whole organization approach, holistic approach to managing and governing information, to try to break down silos of information and leverage the value of information across the entire organization and to make employees aware of the risk of information as well. But the downside of it. 

Priya Keshav:  

So, is this a compliance or a strategy? I mean, is it the end goal? I know you kind of talked about reducing the risk and making it more effective for people to use information. But is the end goal better data monetization, or managing some of the key risks?

Robert Smallwood: 

Well, data monetization actually came in last in terms of the emphasis in IG programs. We want to see that move up more and more because you really have to have clean data before you can monetize data. So, that's not going to be the end goal, although there might be a specific project that may be driven by a Chief Data Officer under the umbrella of an IG program, but certainly compliance has evolved in terms of the retention requirements for records and the disposition requirements for records. E discovery, and legal and regulatory requirements factor into how long we keep those records and that information. But you can really sort of think of it as information digestion. We want to get rid of the information we've already digested and used, and its value has decreased, get rid of that and make room for new information, fresh information that can be of value to the organization.

So, compliance is certainly a part of it, but it's sort of an “all hands on deck” approach to governing information. We've had sloppy automation for years and years, and information governance is really an attempt to clean that up. We've had companies throwing in software here and there and on top of each other or maybe not fully utilizing the software. And we've got a lot of mishmash of systems out there, hundreds, and in some large companies, thousands of applications, and it just really needs to be cleaned up so that we have good, clean information.

We use tools like master data management to make sure that we have a single version of the truth and that we apply tools like analytics when we get that clean data, and that's really the Holy Grail of information governance: it’s getting to the metadata of unstructured information, which is 80 to 90% of what organizations use each day. Unstructured information can include scanned documents, PDFs, Excel spreadsheets, Word documents, and PowerPoints and even email. Although email has some metadata, it's typically not in a structured or standardized format; it's often called semi-structured. So information governance is trying to go after not the databases, those need to be governed as well, that's structured information. But primarily the focus is on unstructured information, which is everything else. So yes, compliance is involved, but so is privacy. Privacy awareness training, for instance, is a good step in an IG program. Security awareness training is a good step in an IG program, so it's this multi-disciplinary approach.

Priya Keshav:  

What are some of the biggest roadblocks when it comes to IG, in executing this unified approach or a cross disciplinary approach across the enterprise? 

Robert Smallwood: 

Yeah, we asked practitioners that and the leading one has been in sort of first place for the last five or seven years, which is really just awareness and understanding of information governance because it's got these moving parts and it's multidisciplinary. Just people understanding what the approach is, and then what the value is on the other side. That, and ultimately the organizations that have information governance programs in place are going to be more efficient at managing information. They're going to be better at leveraging the value of information and ultimately return greater profit to stockholders.

Priya Keshav:  

So, who do you think IG should report to? 

Robert Smallwood: 

Well, typically the way an IG program is structured is you'll have an executive sponsor and you'll have an IG lead which may be a Chief IG officer. It might be a person who came up through privacy or security or the records management, but whoever is leading. And the IG lead may report to compliance, the IG lead may report to security or maybe the IG lead may report to the general counsel or even CIO, but the structure of the program is typically an executive sponsor who is likely to be the CIO or chief legal officer or general counsel in a medium or large organization. And that executive sponsor has kind of a hands off approach, but just looking at milestones and trying to initially make the business case and garner the budget and resources and the people to staff the steering committee. And the steering committee needs to be made up of people, certainly from privacy security, IT, records management and any business unit that is involved particularly early on and the business units that you want to target are the ones that are going to benefit the most, so those would be the ones that the business unit that has, for instance, the most litigation or the business unit or units that have the most challenging, the greatest challenges, and just finding and using information. 

I mean, I did work for, well, it's all public now, so Colonial Pipeline a few years ago, and they had really atrocious information management practices and, in that case, we recommended a complete clean up and a move away from messy shared drives over to a managed environment with content services or enterprise content management and using file analysis to do all that cleanup, because they had an issue where they couldn't find the document for three weeks, a compliance document.

I mean the regulators said hey, we need to see your maintenance records for the pipeline, and in this particular spot, and they were able to dig it up three weeks later and the regulator said you need to be able to find that in 15 minutes it needs to be online. They had no enterprise taxonomy, no metadata strategy, it's just a mishmash all over and really poorly managed, but their problem was they're making a lot of money and when you have a company that has thousands of employees with a billion in revenue, which is unheard of. That's a million revenue per person. And making 100,000,000 to as much as 400 million a year profit. Just you know, it's hard to let them know it's hard for them to accept that they're doing anything wrong, or that they could improve or change. 

When I let them know that they had these vulnerabilities and they had an excessive amount of information risk, which was in the first paragraph of the executive summary, they brushed it off and said, “well, we've got cyber insurance and, so if we have a blatant breach, we'll just clean it up with cyber insurance.” Well, look what happened! The breach ended up costing their brand a lot of brand equity. Their plans to go acquire companies, after they cleaned up their own in-house issues, had to be put on hold and changed, and a lot of companies wouldn't want to be acquired by a messy company like that, that had those kinds of vulnerabilities and ignored them. Then the CEO had to go testify on Capitol Hill. Now CAP cyber insurance doesn't cover all those things and it doesn't cover the loss of confidence in your employees because all the employee data was stolen as well.

So, this is a company that's really got some issues because when I was in there four years ago, they had probably 40% of the workforce that was going to retire within five years, and was eligible to retire, so they really needed to get their information systems cleaned up, but they brushed it off. They decided they would focus simply on cyber security and protecting their perimeter, and I guess we all know how that worked out, because the problem is, once they get inside your perimeter, they have free access to everything and they lock things down, and a $5 million supposedly ransomware payment was made. I think it was probably more. Whereas information governance looks at information security from the inside out, rather than from the outside in.

So, we had identified specific crown jewels, the most valuable information in their organization, which was, in this case, the nomination system, which means really the scheduling system for who's going to put 10,000 gallons of jet fuel through the pipeline and who's going to put 10,000 gallons of diesel or 100,000 gallons of gas. Who's buying it and what's the volume? And when I was interviewing a person in that particular office called Business Development, they said a person could become a billionaire really fast with this information and I said well what? How was that? And they said well, because if you knew what types of fuels were being purchased and in what volumes, you could make bets as an investment banker or hedge funder in New York, on Wall Street, and make a lot of money fast, and so when I asked how that was protected, well it was just sitting there in an Excel spread.

So, our recommendation was to lock that down, encrypt it and implement data loss prevention, which they hadn't implemented. Although I think it was maybe sitting around somewhere. So, cyber security just doesn't work on its own. I think cyber security really needs an information governance lens to look at the value of information within the organization and prioritize those assets and allocate resources appropriately to protect those assets.

Priya Keshav:  

So you mentioned a lot of things, so I'm kind of, this question may be redundant, but I'm asking anyway because you mentioned metadata taxonomy being able to understand where your crown jewels are, but how important is deletion and retention schedule to IG? 

Robert Smallwood: 

It's really important. In fact, if you look at the Sedona principles, the Sedona conference, which is a group of top attorneys and tech savvy attorneys as well as some top information governance and practitioners and records managers, and key people. One of the tenets of their eleven principles is that you simply must disposition information that no longer has business value, and it's met its regulatory retention requirements. And there was a debate about four or five years ago, maybe in the IG space about should we even worry about disposition, so we even throw this stuff away because storage is cheap, and it just is too costly and timely and politically charged to go through all of this information and see what we need to keep and see what we don't need to keep.  

Maybe we have search tools that are so great we'll just be able to find what we need. That #1 sends a signal from management that it's OK to have just sloppy information management practice and #2, the search tools aren't that good, so you often will get redundant or out of date versions of information you're looking for. And #3 storage isn't cheap, it isn't free. It costs money, and maybe if Microsoft or Amazon are just giving you free storage, you have to think about why would they do that because it costs money to have raised flooring and air conditioning and have people physically working in the data center and it's not just a cost of physical storage at all.  

I'll give you an example. We had done some work with a PNC Bank which is the fifth largest bank in the country, and this was about five years ago, and they had so much dark data and ROT. They didn't really know where to start, but they had an electronic storage cost that was increasing about 40% a year and so I think it was 40 million. And then the next year was going to be 56 million and then it was going to be 72 or 75 and then 100. So, you're going from 40 to 100 million in about three or four years. If you could just stop the accumulation of copies of information that you don't need.  

An average company has seven or eight copies of the same information lying around in different places, and so with tools like file analysis, you can look to locate all those copies, you could completely destroy a disposition, shred them electronically and keep those costs down as well as all the associated labor costs and overhead associated with that. So yes, dispositioning is key and if you look even just at the ARMA generally accepted record keeping principles, disposition is one of those. So yeah, you have to get rid of some information and we need records managers to help us to sort out what can we get rid of and when. And then that is always going to have to be blessed by a general counsel or the legal department. 

Priya Keshav:  

So you mentioned the records department and you talked a lot about the unstructured data. Data minimization has taken a new meaning and obviously a renewed priority because of privacy, and a lot of data that is referred to by the regulators, when they sort of refer to data minimization. And some of them may be records, but a lot of them may not be because they're talking about individual fields or metadata and not necessarily a whole record, right? So, I saw a post the other day on LinkedIn where somebody had written about data retention and not referenced records managers at all and talked about just deletion and data retention from a privacy perspective. Who do you think should own data minimization and how do you integrate non-records and a strategy around deletion of non-records into the records management program? If it's something that should fall within the RIM if it shouldn't because it's something different. I mean again. I'd like to hear your perspectives on that. 

Robert Smallwood: 

Well, data minimization in the privacy space is really the principle. One of the principles of privacy which is only collect the private information of individuals that you need to do a specific task that they have authorized. But data means that minimization really. There's a bigger concept than I know my colleague Doug Laney, who's the pioneer and author of Infonomics has some case studies, some analysis where companies looked at information they were storing and found out that whole datasets were costing them more to store and manage than they were valuable to the company. So they had a new approach where they simply refuse the data and so you want to refuse data if it's going to be more costly to manage over the long term and just not even take it on in the first place, but you want to just design your processes to minimize the collection of data, and particularly, just unnecessary data. 

You have to get down to, do we need it or not? I think that as an approach, the pendulum has swung back from big data. I guess the big data approach is collect as much data as you can and as many different fields as possible and keep it as long as possible because you never know when you might need it, but now in terms of just people have such a difficult time finding the information they need and being able to use it because of all these tools that are out there, like Teams and Slack and all these additional tools.  

So, the responsibility for data minimization, it may be something that, you know, a Chief Operating Officer or CEO might say, hey, we're going to do this, but it really has to come down to, I believe, the business units. The business units will understand what information they really need that has value and, of course, they have to work with IT because IT is going to have to either refuse or delete this information, but you can't simply leave that decision up to IT because they don't have the context that their business units might have. So, I think it's a good trend if it's making people rethink how much information you're collecting and why they need it. And with that mindset of data minimalization, I think that's one of the pieces of the puzzle to trying to get your arms around governing information.

Priya Keshav:  

Should it be with your records management schedule or should it not be? 

Robert Smallwood: 

Well, I think data minimization is a concept, but in terms of the records retention schedule, you have what's called the retention and disposition. So, it's built right into the retention schedule. So, it says for this particular file series, we have to keep it for, let's say, three years. And here's the regulatory requirements that say that, and then you track that, and then when that file series has met its regulatory retention requirements, you want to delete it all and all copies of it. So that's tough to do, but you can use tools like file analysis to find all copies and that means paper and electronic, and you can do a digital shredding of electronic conference.

Priya Keshav:  

Any closing thoughts around IG or some specific things on the survey that maybe we didn't discuss through my questions that you'd like to kind of highlight?

Robert Smallwood: 

Yeah, I think it's a great time to be in IG, it's a very exciting time. You can see I was at the IP privacy, security and Risk conference last week in San Diego, and you can see companies in privacy adding the word “governance” to their tagline and moving into the data governance space and really, overall information governance space. And then you have another interesting trend that is just starting, which is E discovery companies like EXTERRO, which is a major company moving into the privacy space, so this overlap of privacy, records management, security and E discovery is getting more and more pronounced, it's more and more obvious. And it's a very exciting time because look, privacy things change every day in terms of the regulatory requirement from a security standpoint. We can minimize the risk of a breach and then minimize the opportunity for bad actors to get inside and get to our crown jewels by securing those. Then we've reduced the overall risk, so it's an exciting time to be in Information governance. And you can come at it from different perspectives from those different facets.  

One thing I wanted to touch on with the study was that change management is a big part of information governance programs. And when we talk about obstacles, that was one of the top three or four as well. Just having a change management plan and program in place, and we're actually going to do a deep dive on change management with the Certified Information Governance Officers Association. We're going to have a conference on March 24th and 25th in San Diego. And we're going to focus on change management since that's a key obstacle that popped up in the study, and this will be at what we're calling an Information Governance Leadership Summit, so it'll be only people who are certified in information governance and those that are on their way to that path. So top people from major companies, and change management is a big piece and I have been wanting to get change management inserted into the IG reference model for a few years. They just came out with a new version. They still didn't put it in there, but I hope they would.

But that's another key thing, you really have to explain to people how you're going to change the potential work environment. And why you're doing this and how it's going to benefit them, as well as the overall organization. So really, what's really important in IG programs is to align the IG program objectives with the corporate objectives or organizational objectives, because then you can get executive support, and executive sponsorship is the number one key factor in terms of success in IG program. And that alignment of objectives comes by learning exactly what the organization is trying to accomplish and then trying to make sure that you align those objectives.  

For instance, with Colonial Pipeline, their objective was to start making acquisitions, so their proposal for information governance program was to clean house and get things organized, get some IG literacy there so that they could use information governance as a lens to be able to evaluate potential M&A targets. And to see about the quality of their information that they're giving them. And whatever it is, if you can find those top two or three corporate objectives and then align your IG program with it, you'll have a much better chance for success.

Priya Keshav:  

Thank you so much Robert. It's been a pleasure to talk to you. 

Robert Smallwood: 

Thank you, I appreciate the opportunity.