Information Governance: Who's In Charge?
For other industries, it's not as straightforward. The way some companies are viewing that situation is: ‘What if you can't locate this document in 24 hours? Would it matter that much?' ‘What if you lose a particular document...what does it cost?' Making that ‘balance sheet' calculation allows a company to apply value to various types of documents, and helps them decide the disposition of a document, and makes them think about the damage a leak or a loss might cause.
AM: So, to what degree are companies out there practicing safe records, or being proactive in their records health?
TK: I'm thinking that the number of companies practicing avoidance versus proactive management is a LOT higher! If I had to hazard a guess, I'd say that more than 50% of companies are playing the ostrich head in the sand game.
TS: The size of the company has a direct impact on how they view information governance. The bigger the organization, the more geography, the more politics, the more jurisdictions... it is just harder. But it's also true that companies DO approach it piecemeal; you have to start somewhere. For a FORTUNE 50 company to implement a complete governance program from day one is impossible. You need to get a few base hits to justify the investment, and to determine the importance of an information governance program.
AM: So the trick is to pick the low-hanging fruit...
DG: We say that low hanging fruit are just slow-moving weeds. But Tamir is right. You can't boil the ocean. We have a new inquiry from a potential customer who wants to index 40 petabytes of data. That's crazy; that would take forever, even with the best technology. So our go-to-market strategy is to understand information needs from a top-level view, and allow organizations to do lighter indexing, sample what they have, decide what's redundant and what's not. If you try to take it all on at once, you'll never really win. It's like the war on terror; you can fight it forever and never really win. You have to whittle it down to manageable chunks.
MLM: That's why third parties—like all of us here today—exist. We provide the means to track what's important and what's not, and make it possible to go back and track the history and be able to prove what you're doing. Storage is getting cheaper, and keeping things for 10 years is getting more attractive, especially with cloud storage coming into play.
AM: Sure, if storage is cheap, there's a temptation to keep everything. But we've already determined that's not a good plan. The business side wants to keep everything, just in case it turns out to be important; the IT guys want to erase everything... I just don't know how that decision gets made in the real world.
TS: Over pizza and beer! It's not an issue of technology; it's an issue of politics and culture. I am sort of tongue-in-cheek about pizza and beer, but sometimes that's what it takes: people getting together. You have to have these discussions. But it also has to be top-down. From the senior executive-level down, or otherwise it will just never happen.
AM: But is that realistic? I can promise you that the IT guys and the legal guys and the business guys and the executive people can meet at the Christmas party and never know each other.
TS: That's exactly right. So there needs to be a place where they can virtually meet, and put in their requirements. What we see coming in the next few years is information governance becoming a service, a place in the cloud where they can find their policies, determine what they need to keep, why they need to keep it, how long they need to keep it, and make sure this information is available to all the stakeholders in legal, business, records, IT, whomever. And believe it or not, this initiative is coming usually from the CFO, because, as David pointed out, there's a great cost factor in this.
AM: Is governance a policy matter that can be taught, or a technology issue that can be automated?
DG: They're not mutually exclusive. You can't use technology unless you have good policy, and you can't apply policies without good technology. I've seen a lot of companies that write good policies, but how do you propagate those policies down to the level of a fileshare? That's where the breakdown occurs. The opposite is also true; I've seen companies that understand everything in their fileshares, but can't relate it to a policy. So they are not mutually exclusive.
MLM: This is why people implement governance boards and gathering requirements. It's cyclical. This is why there are project managers. There's always a back and forth between IT and business. ‘We need to do this.' ‘We can't afford that.' That's where good project management comes into play-you always move forward and continually enhance. A good governance policy is always in a state of improvement.
AM: So when you think of governance, is it a defensive or offensive strategy?
TS: Why can't it be both?