Episode 5

March 04, 2025

00:27:00

Episode 5 - What to Consider in Governance, Risk, & Compliance

Hosted by

Dan Bergeron
SkyTerra Podcast

Show Notes

Join Ross as he talks with guests Daren Rathbone and Denise England to discuss what you and your organization might need to consider when it comes to Governance, Risk, & Compliance. 


Episode Transcript

[00:00:00] Ross Jordan: Welcome to the SkyTerra podcast, where we are empowering your business to do more. I'm your host, Ross Jordan. Every other week, we'll explore the world of technology, what has changed, how it might impact your business and why it matters to you. We will bring you interviews with business and industry leaders and discuss how technological advances impact your business and our lives. [00:00:22] Whether you're a tech enthusiast, a professional in the field, or just curious about the future, this podcast is for you. So grab your headphones and join us on this exciting journey into the world of technology. Let's get started. [00:00:41] Good afternoon. Thank you, Daren and Denise, for joining us today on the SkyTerra podcast. Today, we're going to be talking about data governance and compliance and the impact that it has to organizations. So thank you both for your time today. Hey, welcome.

[00:00:55] Denise England: Sure.

[00:00:55] Daren Rathbone: Hey, you're welcome. Glad to be here.

[00:00:56] Ross Jordan: Excellent. Well, let's get started. So Daren, we're going to start with you. So explain to me what data governance is from an IT standpoint.

[00:01:04] Daren Rathbone: Well, data governance is a broad label because there are so many areas that you could focus on, especially in the Microsoft Purview space, areas such as classifying your data by leveraging sensitivity labels or applying actionable policies to keep sensitive data within the organization. [00:01:27] There's implementing some sort of data lifecycle to your environment, maybe to clean out old, outdated data, or maybe you've got some compliance requirements where you need to get rid of data that's older than seven years, for example. Also, eDiscovery. [00:01:49] I think a lot of customers we work with don't really focus on the discovery much when they come to us, but it is a sort of a silo of Purview in the data governance space. You know, your legal team has the ability to create searchable cases and dealing with legal issues, I guess, so to speak, and you can get in trouble if you don't have the data to present. [00:02:14] So that's, I think, just another area that I feel falls under data governance.

[00:02:19] Ross Jordan: It's one of the things most companies don't think about. If you're not supposed to have it more than five years, and you do, that means just as much risk as not having it when you needed to have it, right?

[00:02:29] Daren Rathbone: Yeah, and, you know, I think another, the last sort of piece that I'll just kind of touch on here is, you've got your data governance from a, you know, a technical standpoint. [00:02:43] But it's also your users, you know, educating your users, because the change can be drastic to them, and getting them to adapt and adopt the changes will also help the implementation of your data governance. It's critical, you know, if you can't get them on board, it,

[00:03:04] Ross Jordan: What do they call that? The where you check IT, where you, ah, you do IT on the side. Come on, Dan has a word for it, I always use it. But you're working around the policies because it's more convenient. Yeah.

[00:03:15] Denise England: Circumventing policy.

[00:03:15] Daren Rathbone: So a lot of user education there.

[00:03:18] Ross Jordan: Yeah, yeah, making them comfortable with it. [00:03:21] So, Denise, you've had a lot of experience in dealing with organizations taking this on and adopting governance policies and compliancy policies. So, I mean, why is data governance important to an organization?

[00:03:37] Denise England: Sure. It's important whether people want it to be or not. I think there's a couple of things that come to my mind when I think about why it's important. [00:03:48] One is that increasingly data and, you know, what we're talking about is electronic information. The more we use our tools, our technology tools, the more data we have. And so because the amount of data we are producing and consuming is growing as organizations so much, it becomes an integral part of what we do on a daily basis and important part of who we are as organizations and how we succeed. [00:04:22] So if you are not governing your data, if you're not proactively thinking about how you're protecting your data, how you're managing your data, how you're cleansing your data, how you're ensuring that it's accurate or up to date, you will lose the ability to operate effectively in your organization. [00:04:45] I think increasingly because we have so much data year after year, it becomes essential to have a data governance program to feel like you've got a handle on your data. And then the second part that came to my mind that I wanted to mention is even if you decide as an organization, you don't care about any of that, regulators are knocking on our doors saying you have to care about it because in particular, individuals are concerned about their own data and so regulators are coming in helping individuals to have control [00:05:20] rights around their data and protect their own individual data. So to the extent that you have employees and you have their data or you have customers and you have their data, you potentially have regulatory requirements that you have to meet as an organization to ensure that that data is handled with care. [00:05:40] Absolutely. And meet regulatory obligations.
So that's why data governance is important to organizations, both from a cost perspective or a value add perspective and from a, you have to, in order to meet regulatory requirements, legal requirements, and have good organizational reputation. You want to have positive reputation, be thought of as someone that individuals trust their data with and trust are right. And like people, you want to be an organization that people want to work with.

[00:06:18] Ross Jordan: Absolutely. Well, and there's no shortage of regulations out there.

[00:06:21] Denise England: Yeah.

[00:06:22] Ross Jordan: We're, we're finding new ways to regulate new stuff. So every time you turn around, there's new and more exciting ways to be regulated. But when you've worked with organizations and they're designing their policies and procedures towards governance and compliance, what are some of the action items that organizations should consider to decrease the impact to their internal customers, their own team?

[00:06:46] Denise England: Yeah. So a couple of things that come to my mind are to cast a wide net of information when seeking input about how you do your jobs or perform your obligations day to day, how you interact with your data. One of the things that I recommend is that the leaders who are implementing or kind of going down the path of taking on data governance policies or practices [00:07:23] take the time to talk to a lot of people at your organization about how do you interact with your data? What are our procedures? What do we need to make sure we don't break when we make changes to our procedures or who does what around here? So when you're thinking about data governance and how new policies or practices are going to impact the organization's day to day, you want to make sure that you have an understanding of how people are actually interacting with your data on a regular basis so that you don't disrupt their efficiency and their productivity.

[00:08:13] Ross Jordan: Absolutely.

[00:08:13] Denise England: You don't disrupt it too much. You're going to disrupt it. You're going to ruffle feathers. You're going to get people saying that they're uncomfortable and they want to leave things the way they are. There has to be a balance of making good data governance decisions to protect your data, handle your data appropriately and ensuring that you are taking into account productivity and efficiency.

[00:08:42] Ross Jordan: Absolutely.

[00:08:43] Denise England: And then on the kind of flip side of that, or the after the fact, is training. So it's almost two sides of the same coin. Before you implement and make a decision about what you're going to implement in terms of data governance solutions, practices, changes, that first thing is to get a lot of information from end users. [00:09:08] The second thing is to educate end users and make sure that what you are putting into place is well understood and that you give them not just the, here's what you have to do differently, but the, why are we doing this? Just give them the why, give them some appreciation for how these changes to their daily routine are [00:09:35] having a positive impact to your organization.

[00:09:38] Ross Jordan: No, I think those are great examples. You both have mentioned training and the disruptiveness that something like this can create. And I think it's important. And we're going to talk about that some more later. But I've been a part of two organizations that have deployed governance policies or internal governance policies. [00:09:57] And one of them just did it and didn't do any kind of internal training and it cavitated the organization. I'm not joking. We couldn't get access to files. We couldn't do our jobs. And it wasn't about the, the challenge was to me, somebody had to go back and undo all those things or undo to a point where then everybody got access to it.
[00:10:16] It ended up being something they finally said, forget it. We're just not even going to do it. Conversely, you guys here at SkyTerra have done the same thing as well. But it was done differently. It was done with intention, and it wasn't done with, it was done with purpose so that we could secure our data the way we needed to. [00:10:33] But one more thing was done. And Daren, I'm gonna ask you about this. But the thing that you guys did was that you incorporated our opinions in the construction of how we manage the policies. But you guys also took the next step forward, which was to generate ways to work through the challenges that we were certainly going to see, and I today was a great example, right? [00:10:56] I had a document I received from the outside. I needed support from another member of the organization. I just forwarded it over. Well, our governance policy doesn't allow us to do that. So I had to find a way to do it, and you guys created a process that enabled us that when we had a challenge with the policy, we could work through it, right? [00:11:15] So, Daren, switching over to you now, I mean, when you're setting this kind of stuff up, how do you create policies and procedures internally that keep an organization from face planting?

[00:11:30] Daren Rathbone: Yeah, I mean, it deals with working with your user base, like we did here. If you just go and implement it and leave your users in the dark, [00:11:40] it's going to be a failed implementation and then the organization as a whole is going to decide, well, we're not going to waste our money and effort on this, because it failed. Those eyes at the top level management may not have seen that it was a poorly implemented plan and just saw that it didn't work. [00:12:00] So we're not going to go there. When in reality, if you plan and design, and like we did, get user feedback on how they're dealing and working with the data.
And having maybe the lunch and learns, I think that was a big help too. Where, you know, we could be questioned directly and answer them right away. You know.

[00:12:27] Ross Jordan: Policies were in place,

[00:12:27] Daren Rathbone: Yeah.

[00:12:28] Denise England: Or even afterward. An important part of a broad program like data governance is you're prepared to adjust and learn and have future versions, if you will, that, don't expect that we're going to get it perfect the first time, and once you are able to get your end users trying to work day to day under the new regime, so to speak, you get feedback about what it [00:12:59] isn't working or what is insurmountable and why it's insurmountable and you then learn different ways that you can accomplish your goals. So I think that one of the things I've learned along the way is remembering what your end goals are in data governance, and understanding we have this policy in place in order to achieve X, or we have this control in place because we're trying to protect XYZ, and when you get feedback about how that control is impacting a user's day to day work, you can say, okay, are there other ways that we can control what's being shared or how it's being shared or change the scope that will still achieve our end goal in a less intrusive way or account for this particular unique business need?

[00:14:01] Ross Jordan: Now, I think this is an important point too. I mean, you said begin with the end in mind, but, but constantly go back to it. There's a purpose. You need to do this. There's a cause that's making you want to do it. It's time. It's money. It's, it's an evolution of the organization. It's, it's really a maturing of the organization. [00:14:19] Candidly, when you guys have built not only our policies, but the policies for our clients and customers, I mean, when you look in retrospect as those, because I wish I could say it's perfect every time. It's not, right?
Some of them, some of the times it's not our fault, but it just doesn't go right every single time from beginning to end. [00:14:43] There's always challenges. You guys, with us, created a way for us to give you feedback. And I remember thinking to myself when you did this originals like, Hey, we're going to do a policy. That's step one. Step two is we're going to slowly implement this, right? And then we're going to narrow it down as you guys move forward, right? [00:15:05] Or as we got more familiar with it, you were just teaching us how to do it better. I think, I think it was perceived as kind of tightening the noose, right? It's like what, nobody wanted to change, but we needed to, right? It's, it's better that we did, but, but when you're doing this with other clients, both of you, if you wouldn't mind, kind of provide some feedback. [00:15:25] I mean, you've seen this work really well. Describe to me, in your own opinions, what's different about what is a successful deployment and the challenged deployments. What makes those two things happen?

[00:15:37] Denise England: Yeah, I guess one of the things that I've seen as successful recently is doing a proof of concept and having the organization start small like we did here at SkyTerra. [00:15:53] So we work closely with our clients. As a partnership, it's not just a project where we set something up and let you go and you never hear from us again.
But that with one of our clients in particular, we've been in the middle of a proof of concept that does tackle a small scope of data and area of the organization [00:16:23] to go through that feedback process together and hear what uniquely in their organization their challenges are and what their end users are struggling with and learn from that in order to apply an improved version to the next phase that would be a bigger scope, so it would take on additional data, additional individuals, but that feedback loop is something that we get to stay a part of, and it's not just something that we provide technology for [00:17:04] and close the project and let the client go on their way without any support.

[00:17:11] Ross Jordan: So it's not set it and forget it, really?

[00:17:13] Denise England: What do you mean?

[00:17:14] Daren Rathbone: No. Yeah, it's a living, growing thing. Absolutely. And just to add to that, I think it's, it's finding those early adopters that can be your voice of reason to the general population of the users. [00:17:29] You know, they're acceptable to change, acceptable to being the guinea pig use, you know, that we refer to, to test out your policies and your theories and really see that they're working or not. And, you know, if things are working in a positive way, they can help spread the word, you know, get everybody on board.

[00:17:51] Ross Jordan: It's not as bad as everybody thinks, right?

[00:17:53] Denise England: You need your vocal champions. Definitely. Absolutely. And then, Daren, I don't know if you have an example of some kind of trends of why things end up working less well that you want to share. But I could

[00:18:09] Ross Jordan: Are there things that you need to do that have long term implications in the organization that you should plan for right up front when you're thinking about data organization, right?
You begin with the end in mind, you're right. But I mean, are there things that you need to do very early on that are going to help a company be more successful with their deployment [00:18:25] than they would be if you didn't do them? You can call them best practices or maybe just the old crap skis, right? What, what do you not want to do?

[00:18:35] Daren Rathbone: I think some of that might be, getting there if they can get their data organized, we are working with a client that leverages SharePoint heavily. [00:18:50] I think not all of the access controls are set up to the best that they should be, and focus on getting it set up with permissions that are in a need-to-know basis. That way, you know, user, let's say a user gets compromised, you know, and if their permissions on sensitive data is set up in a manner such that it's not just wide open, but configured so that they only have access to what they need to know, [00:19:21] it decreases the amount of expansion that maybe that person that's trying to get your data can get to. So that's kind of one thing that comes to mind. I don't know if you have.

[00:19:33] Denise England: I guess I would also just add a lot of testing beforehand. One of the big facets of data governance, regardless of what part of data governance you're talking about, is it's kind of a prerequisite of knowing your data. [00:19:50] So there's this big kind of chant in the data governance community of know your data. And a lot of organizations who come to us just don't even know where their data lives, how big is it, how sensitive is it, what do I care about, what don't I care about. And so it can become really overwhelming to organizations to try to [00:20:17] even figure out where to start or to just feel like they're supposed to protect all of their data all at once or govern all of their data all at once, and so I think one of the keys to success is being okay with a small success and thinking about what you actually are concerned about protecting or concerned about governing and saying let's start small so that you can actually implement a solution and you're not stuck in paralysis of how huge this undertaking is.

[00:21:00] Ross Jordan: That's a good point. Paralysis by analysis is absolutely a real factor.

[00:21:05] Daren Rathbone: Those small wins aren't anything to just ignore, right?

[00:21:08] Ross Jordan: Well, that's a good point, and I think it also harkens to what you've said to clients in the past, Denise and Daren, feel free to step in on this as well, but it's almost like the Louvre, right? [00:21:17] You start with the Mona Lisa, you start with your most critical data, the most important data, the crown jewels, if you will, and you work out from there, right? Make sure that that first piece is most secure. How do you help an organization define what is their crown jewels, right? Customer lists, customer data, IP, I mean, there's all this stuff. I mean, what should they consider that little win that protects the most sensitive data? How do they define what that is?

[00:21:45] Denise England: Sure. I would start by saying most clients come to us for a reason, right? None of our clients are knocking on our door because they are just like, Hey, I keep hearing about data governance. [00:21:58] Most of the time they've been told they need to worry about something, or they've experienced an inciting event that has caused them to say, I'm concerned about my intellectual property, or I'm concerned about my employees' personal data that has to do with their salaries or I'm concerned about something [00:22:26] I was told I need to be concerned about.
Often, I think that the individuals at organizations who we're talking to forget that, what it was that caused them to start thinking about data governance in the first place. And they just have to be reminded of, well, what started this conversation? What was the inciting event or the piece of data that you came across that caused you to feel like, maybe we should be talking to someone about data governance improvements. [00:22:58] That's where I would encourage organizations to start.

[00:23:02] Ross Jordan: Okay. That's great insight. That's great insight. So, you know, Daren, let's, we've got a governance and compliance framework that they're definitively having to move towards, there's a target. Let's say we're not one of those organizations, right? [00:23:19] I'm just Joe Schmo out here doing a job. I don't have any kind of ISO compliance, SMA, FedRAMP, you know, CMMC, I don't have that, that I have to work towards, right? Why is this important to me anyways? Why do I care?

[00:23:33] Daren Rathbone: I mean, the data is your intellectual property. It's what's keeping your business going, right? [00:23:38] And so if you don't protect it, you're not going to be employed tomorrow, potentially, right? If it's all stolen. Good point.

[00:23:44] Ross Jordan: Well, I just was curious if there's, you know, outside of a compliance requirement, if there was a, if there was, you know, why would I want to go through it? [00:23:52] Why do I want to go through this hassle? I think it's a question we get in business development. Yes, it's really easy when there's a target, but it seems like governance, compliance and management of your data doesn't seem to be important to clients unless there is that regulatory requirement for some reason. [00:24:08] And what I was hoping to be able to identify is, is if I'm a restaurant, right? All I am is a restaurant. I'm a Mexican restaurant in the middle of Loveland, Colorado. Why do I care about my customers' data?
Why do I care about credit card information? Why do I care about who they see or what's on my cameras or anything like that? [00:24:26] And I think the challenges that customers face are that they don't have to do it, so they may not want to, but they really should. They really, really should.

[00:24:35] Denise England: Can I just offer up there? Please do. You know, the evolution and enhancements in the AI space are putting data governance in the top of organizations' minds more. [00:24:49] I think what we're hearing from potential clients recently is data governance becomes a topic as a result of interest in benefiting from an AI tool, some kind of machine learning tool or enhanced searching tool, because it's garbage in, garbage out. If you've got good information that these tools are leveraging, then you're going to get good results, and vice versa.

[00:25:28] Daren Rathbone: Yeah, right. Going on that mention of data lifecycle management, if you are leveraging AI, like Copilot, and somebody is going to search for a list of the most frequently drank bottles of wines or something, and, you know, your, your list of those top [00:25:51] top wine isn't updated, you know, Copilot's gonna find the old data, and it's just not gonna be pertinent or relevant anymore, so to speak.

[00:26:01] Denise England: Yeah, you're a restaurant that has information about how many cases of that bottle of wine you've ordered over the last year, and if that information is missing an invoice or is outdated for some reason, the ability to find the accurate information is lacking, and so data governance can help with that.

[00:26:28] Ross Jordan: We're going to come back to that, the AI piece, I think that's important to touch on, but I'm going to give you guys some time back. Thank you so much. I really appreciate you guys and we'll see you later.

[00:26:37] Denise England: Thanks guys. Have a good one.

[00:26:42] Ross Jordan: Thank you for your time today.
We appreciate you listening to the SkyTerra Technologies podcast. For further information, you can find us on LinkedIn or at www.skyterratech.com. Have a great day.
