Governing Governance: Not An Easy Thing To Do
"Information governance" is all over the news. It's a relatively new and buzzy discipline, but trending fast toward general acceptance. I like when that happens, but it's not an area in which I am tremendously well versed. So when I caught this assignment, I sought out the best person I could think of to have a chat. Tamir Sigal is the senior marketing professional at RSD. He's also a friendly and talkative dude, and has become a friend. And on top of all that, he also has some strong opinions regarding the state of the art in information governance, and more.
"If you ask any company—especially public companies—‘do you have a governance policy?' They will say, ‘absolutely!' They'll point you to their annual report, they'll show you their website. You'll never hear a company say, ‘Nope. We're not compliant with any governance policy.' The challenge they almost always have is enforcing that governance policy. I have a governance policy at home with my kids... do you think they follow every rule of that policy? No. Same thing with most businesses," says Tamir.
"The term ‘governance' is an umbrella term," Tamir insists. "There's a lot of different types of governance. For example, when Joe Smith leaves your company, there has to be an IT-level of governance. You need to disable his email account; you need to disable his access to all the business systems, his voice mail, his key card to enter the building... that's the governance you need at a basic IT level. But nobody talks about the information that he leaves behind. What do you do with his email? What do you do with his SharePoint sites? His performance appraisals? That level of governance policy has to come from legal, and from HR and from IT also," he says. And it's not altogether a solved problem.
"I would argue that it's better NOT to have a policy than to have a policy and not follow it," continues Tamir. "If you have a policy that's not being followed, then you have a lot of explaining to do to your shareholders, to the courts, to your customers and to the market."
The main reason, Tamir argues, that "information governance" is getting so much traction at the executive level is that the executives are the ones who will be mentioned in the Wall Street Journal. They're the ones who sign the audit reports and the financial statements. They have a personal and professional obligation to protect information.
"One thing that does trouble me is that companies, and vendors, too, admittedly, pitch information governance as a threat. ‘You're going to get sued.' ‘You're going to be out of compliance.' ‘You're going to have an employee steal information.' Simply scaring companies is not the way to address it," Tamir insists. "They don't want to hear they have out-of-compliance issues. They know they do. And they already know they're going to be sued. Scaring them with that stuff is no longer effective." Jeez, I thought, that's what I've been doing for years. "What companies want to hear is: You have a massive amount of data. Instead of being afraid of it, how can you take that information and grow the business from it? Yes, governance has to do with securing the information. But it also has to do with using information for greater value," he says, emphatically.
That's the other side of the coin that people don't talk about—the value of information. This is what separates the great companies from the mediocre companies, says Tamir. "Companies like Wal-Mart, and FedEx... what makes them great is their ability to take information and use it as an asset. Information is what drives an organization, whether it's through the development of new products, or looking at new geographic regions to expand into, or companies to acquire or be acquired by. People are not spending enough time talking about value creation versus risk avoidance."
E-discovery is one reason that information governance is up front and in the news now. Changes in the FRCP have brought it to the forefront. Also, the volume is staggering—"90% of the massive amount of information companies deal with has been created within the last two years," points out Tamir. That's a pretty amazing statistic.
Then you have the BYOD phenomenon. "People are bringing their iPads to conferences, and taking notes, making presentations, responding to email, updating their Salesforce.com pipeline, creating contracts they need to get to customers. All that content belongs to the organization, but the device might not. So what happens when that employee leaves the organization? Or the employee loses that tablet? What happens to the information? It's imperative to have a policy to protect that information, and to enforce that policy across all those devices," says Tamir.
It's easier said than done. When you think about all the many devices, all the various systems they address, all the technologies, it gets pretty complicated pretty fast. To what degree is a company responsible? "It varies, unfortunately," answers Tamir. "There's a recent case when a doctor had all his patients' medical records, unencrypted, on his laptop. And it was stolen. It all depends on the degree of the sensitivity of the issue. And some are more visible... look at LinkedIn, for example, where they got hacked and all the passwords were stolen. That's a bigger media issue than a salesperson who leaves his phone in a taxi. There are also varying degrees of business exposure. What about the pharmaceutical company developing a new drug, not yet under patent protection, and an employee takes that information to a competitor?"
It Starts With A Policy
"Believe it or not, a lot of companies don't have policies that cover things like tablets and handhelds. They're starting to, but it's early. Then you need a mechanism to enforce those policies. And THEN you need to be able to prove you're enforcing those policies," says Tamir.
"Some of that can be automated," he says. "Especially in ECM environments such as SharePoint or Documentum, or what have you. But some of it is not—it relies on the user. I'd like to say you can automate 100%, but you can't. You do need to rely on the employee."
Oddly enough, Tamir thinks that cloud storage has actually made governance easier. It's true that employee X has a version of a document on her tablet, and in her smartphone and on her laptop at home. But the "official" version of the document is stored in the cloud, and is managed by the organization's governance program.
But it is also true that there can be multiple copies of the document floating around-it gets passed from person to person, maybe tweaked a little along the way. And they each are legally discoverable. "That's true," Tamir adds, "and I have not seen a perfect solution to address that. There's technology to de-dupe. There's rights and privileges technology, which isn't really being pushed that much, to my surprise. But it's expensive, so people choose not to do it.
"I think of it like a credit card: you pay now, or you pay later. And if you pay later, you pay a lot more. It's also like an insurance policy; you feel like you're paying for nothing... until you need it. When there's a stimulating event, you feel differently about the investment you've been making. You don't know when the ‘accident' will happen, and you don't know how big it will be, but when it DOES happen, you're very happy to have that policy." Until then, he implies, you resent having to pay for it.
"Think of why people speed on the highway: One is that they have brakes, so they can slow down if they have to. Two, they have a radar detector, so they can mitigate the risk of paying a penalty. And the third reason is that have an insurance policy. So subconsciously, people drive faster knowing they have three ‘risk mitigation' factors to rely on. So in the same analogy, companies feel they can ‘move faster' knowing they have controls in place. So, an executive thinks, ‘I can be more competitive if I have certain controls in place. If I get in trouble, I can respond quicker,'" Tamir explains. Also, Mr. or Ms. Executive can also choose to "put the brakes on," depending on how information is being generated or how much control he or she feels she has. So the insurance analogy stretches out pretty far.