Post By: Peter Baumann, CEO of ActiveNav
**This article appeared in Cybersecurity Law & Strategy. © 2021 ALM Media LLC. Reprinted with permission.**
Companies are collecting and managing more data than ever to create value, which, as a result, is essentially making every company a “data” company. But for data to provide value, organizations need to know where it is, who has access to it, how it’s managed, its longevity value, and how it needs to be secured and protected.
With privacy laws forcing companies to know their data, organizations struggle to walk the line between keeping data for value creation and disposing of it for risk mitigation. With more data being created than ever before, how can organizations strike this delicate balance?
Unfortunately, in my experience at ActiveNav, it’s often only when a company experiences a cyber breach or nasty litigation that the executive board starts thinking about all their data lying around. The chart below illustrates how the value of information decreases over time, but its risk increases. Take for example office documents, the orange line. By the time you get to the one-year mark, this information has already lost approximately 80% of its value. However, some organizations will keep office documents for 5, 10, sometimes even 20 years – even though it’s not providing any business value! Why?
The key point of this graph is that cost, the black line, stays relatively flat. But look at the risk line. From a legal and regulatory perspective, storing information that does not provide value is extremely risky. This risk can be mitigated; companies just need to commit to putting the right processes, procedures, resources, and technologies in place.
Traditional Approaches to Information Don’t Work
Some of the biggest breaches that have happened over the last three or four years have been caused by information that’s lying around, especially in archive systems or older systems without adequate security protections in place. And even if the data is old, the data that’s breached and the personal information within it is just as damaging as “new” data. It helps to calculate the value of money today vs. the unknown cost tomorrow. Money talks – but how can you convince senior leadership that an information governance project is needed?
How to Get Buy-In for Information Governance Projects
One of the most important things you can do when beginning an information governance project is to come up with good metrics about the cost versus the benefits. The great thing about most information governance projects is they can be handled over a time horizon so that costs can be controlled. Whether your metrics center around efficiency, litigation, or a security metric (or some combination), develop a set of quantifiable metrics and then arrange your projects over time to ensure a positive return on investment.
Link Information Creation, Use and Disposition to Business Objectives
After you’ve gotten buy-in for your project, ensure that you link information use to business objectives.
Ask:
- What are our organizational objectives (business, legal and regulatory)?
- What information is needed to achieve our objectives?
- How long is that information useful?
- While it is useful, how does it need to be organized (access, security, privacy)?
- What do I do when information is no longer useful?
Data Remediation – Just About Deletion?
You may have heard of the term “defensible disposition”. The problem is that if you start with the question “what can I get rid of?”, you can’t answer it until you have answered “why do I need to keep it?” That is what drives you back to the five questions listed above. The goal of remediation is to retain only the information that is valuable or necessary to meet your organization’s business, legal, or regulatory objectives and obligations.
A simple framework for remediation is:
- Gain Visibility
- Develop and Apply Appropriate Measuring Sticks
- Act on the Data
Gaining Visibility
What you are trying to do is just find out what information you’ve got. At the highest level, you’re trying to determine what the data is. Is it sensitive? Is it stale? Data discovery tools can help you determine where your data is, what it is, and what it’s about. You can do this through a mix of different capabilities including harvesting the metadata, extracting file names, running specific rules for sensitive information, and ultimately getting some context about the information.
Apply Measuring Sticks
There are different ways of putting a classification on a piece of data. What is it? Is it an email about vacation schedules? Is it a PowerPoint? Is it a piece of data in a database?
When you’re working on getting visibility into your data, think clearly about what measuring sticks you’re going to need to apply to the data so you just need to look at it once to get all the information you need. That’s why data classification is so important.
Act On Your Data
Once you’ve discovered and measured your information, you then need to determine what you’re going to do with it. Sometimes deletion is the hardest part. Whether you decide to leverage existing capabilities or buy a built-for-purpose tool to help you with remediation, the important thing is that your approach can properly encode your measuring sticks, apply them to the data, and then act on the result.
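The three-step framework above (gain visibility, apply measuring sticks, act on the data) in miniature, as an added illustration that is not code from the article or from ActiveNav's product. The inventory, the sensitivity patterns, the one-year staleness threshold (taken from the article's value curve) and the legal-hold list are all constructed assumptions.

```python
import re
from datetime import date

# Constructed sample inventory (not real files): the metadata and text snippets
# a discovery pass would harvest in the "Gain Visibility" step.
INVENTORY = [
    {"path": "share/hr/payroll_2016.xlsx", "modified": date(2016, 3, 1),
     "text": "Jane Doe SSN 123-45-6789 salary"},
    {"path": "share/sales/q3_deck.pptx", "modified": date(2023, 9, 10),
     "text": "Q3 pipeline review"},
    {"path": "share/misc/vacation.eml", "modified": date(2018, 7, 4),
     "text": "who is out next week?"},
    {"path": "share/finance/invoice.pdf", "modified": date(2019, 1, 15),
     "text": "contact billing@example.com card 4111 1111 1111 1111"},
]
TODAY = date(2024, 1, 1)  # fixed "today" so the run is reproducible

# Measuring sticks: assumed sensitivity patterns and a staleness threshold
# at the article's one-year mark, applied in a single pass over each record.
SENSITIVE_RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}
STALE_AFTER_DAYS = 365

def classify(record, today=TODAY):
    """Apply every measuring stick to one record so it is only looked at once."""
    age_days = (today - record["modified"]).days
    hits = sorted(n for n, rx in SENSITIVE_RULES.items() if rx.search(record["text"]))
    return {"path": record["path"], "age_days": age_days,
            "stale": age_days > STALE_AFTER_DAYS, "sensitive": hits}

def disposition(c, holds=frozenset()):
    """Act on the data: a legal/regulatory hold always wins over staleness."""
    if c["path"] in holds:
        return "hold"
    if c["stale"] and c["sensitive"]:
        return "dispose"   # no business value left, but real breach exposure
    if c["stale"]:
        return "review"    # stale but not obviously sensitive: a human decides
    return "retain"

def remediation_plan(inventory, today=TODAY, holds=frozenset()):
    """Map each path to its action; counting these is the metric to track from day one."""
    return {r["path"]: disposition(classify(r, today), holds) for r in inventory}

if __name__ == "__main__":
    for path, action in remediation_plan(INVENTORY, holds={"share/finance/invoice.pdf"}).items():
        print(f"{action:8} {path}")
```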
Getting Started
Start small, go after the low-hanging fruit, and use these small wins to gain stakeholder confidence. Set metrics out in advance. Is it efficiency gains? The number of files deleted? Whatever it is, track it from the very beginning, because you can use those metrics to help justify additional resources.
Effective information governance is possible, but it requires a coordinated approach among stakeholders. To be successful, Information Governance/Data Governance needs to be embedded in your company’s culture.
About the Author: Peter Baumann is the CEO of ActiveNav, a data privacy and governance software provider and innovator of DMaaS (Data Mapping as a Service).