[BreachExchange] Don’t Be Intimidated By Data Governance

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 26 19:11:40 EDT 2016


http://cloudtweaks.com/2016/05/dont-intimidated-data-governance/

Data governance, the understanding of the raw data of an organization, is an
area IT departments have historically viewed as a lose-lose proposition.
Not doing anything means organizations run the risk of data loss, data
breaches and data anarchy – no control, no oversight – the Wild West, with
IT just hoping for the best. On the flipside, opening the hood and
checking if policies or regulations are being respected means you have to
do something about it: define new policies and enforce them everywhere you
have data, a months-long process that involves people’s time, money,
developing new skills, external experts and a lot of pain for IT.

Content Governance is about understanding the unknowns when it comes to
your content and answering questions: what do we know about our content? Is
it encrypted and stored at the right location? Are the right people
accessing it? Is this file subject to regulations or is it confidential and
protected accordingly? What will be the business impact if it is
accidentally deleted? It’s a holistic look at the sum of what is produced
by your business.

The reality is that all business content needs to be governed. In my
interactions with customers, Chief Information Officers (CIOs), Chief Data
Officers (CDOs) and other peers, there are several recurring themes or myths
that come up. Here’s a look at them and some suggestions for tackling the
issues:

1. A content governance solution is long and costly to install. We need
experts.

Historically this has been the case with on-premises solutions that require
a lot of servers. The more data to analyze the more servers you needed. In
addition, running perpetual license software meant organizations needed
costly professional services experts to deploy it. By the time an
organization was ready to update its content governance policies IT would
usually find siloed, inconsistent and outdated systems – a patchwork
solution that had been ignored.

This problem is solved with a software-as-a-service (SaaS) content
governance solution. No additional hardware, no experts needed. It’s like a
whole team of data scientists working for you in the cloud.

2. There is no one-size-fits-all solution; I need many content governance
solutions to cover all my content repositories

This one is actually not a myth. To date, most solutions are very specific,
working only for email or only for Microsoft SharePoint and others. These
solutions do not play nice across repositories and leave IT in a bind where
there are specialty solutions for each type of repository and no single
source of the truth.

The fix here is to look to a solution that is open and supports a broad
variety of repositories and when it does not support the one you need
natively, ensure the solution has a software developer tool kit (SDK) so
you or your content repository vendor can integrate with it. This type of
solution removes the silo effect and creates a single source of the truth
in an agnostic way allowing customization of policies and the ability to
apply them across the board all at once.

3. For my cloud content the only option is to rely on the vendor’s native
content governance solution

It’s true that the majority of data governance solutions are mainly focused
on on-premises content. Also the cloud is quite new and there is no “cloud
standard” for content. As a result, a lot of cloud content applications
have their own governance tool. The problem is these solutions are limited
(you can’t be an expert at everything) and it means for every app you need
to use a different tool, limiting your visibility and control and making
your content governance quality dependent on each provider.

The fix here is to abstract the content layer (where the data lives) from
the governance logic (how the data is managed) so the policies can be applied
to any content and the implementation of these policies is translated for
each repository. Such an overlay solution will have to be hybrid and unify
views across repositories with a consistent level of control.

4. Most content governance solutions are biased and encourage an upsell of
their own back-up, archiving or disaster recovery solutions

Historically, content governance has been an adjacent market for data
storage vendors with archiving, disaster recovery or back-up solutions
leaving customers wondering if the classification telling them which data
was mission-critical (typically a huge amount) and had to be duplicated was
not a self-fulfilling prophecy to cross-sell solutions. How can you trust a
content governance recommendation when interests are not aligned?

Going back to our key of being open, the solution to busting this myth is
to look for a vendor that is content repository and data storage agnostic,
independent and open. This will allow you to separate the vendor from the
solution, the action of the recommendation versus the recommendation. No
matter what the recommendation for managing your content, the goal should
be to separate the solution from the vendor and ensure the vendor you
select can work agnostically across repositories.

5. If my organization deploys a content governance solution, the usability
and productivity of users will be impacted

Introducing content governance means monitoring all activities around your
content and making the best decision on how to protect it. Solutions
designed with IT in mind often ignore usability for non-IT employees. If it
takes a knowledge worker more time to look for content on a repository or
to even access it there will be dissatisfaction and business productivity
loss – users will be driven towards so-called ‘shadow IT’.

The key to avoiding this is to select a vendor that has collaboration
expertise and understands content workflow – how information moves
throughout the enterprise. The goal should be to control the content not
the apps or the users.

At its core a content governance solution allows businesses to understand
more about their data, create and enforce policies to govern it and use
this information for business insight and decision-making. The goal is to
be open, collaborative and supportive of multiple repositories while still
supporting contractual and regulatory requirements. To be more productive,
users will select their preferred apps regardless of attempts by IT to
control them. Instead IT should focus on the content and how it is being
accessed by these users (not the apps).

The Win-Win: users can interact across repositories in an agnostic way and
IT can sleep at night.