Episode 6 - What to Consider in Governance, Risk, & Compliance, Part 2
[00:00:00] Ross Jordan: Welcome to the SkyTerra podcast, where we are empowering your business to do more. I'm your host, Ross Jordan. Every other week, we'll explore the world of technology, what has changed, how it might impact your business and why it matters to you. We will bring you interviews with business and industry leaders and discuss how technological advances impact your business and our lives.
[00:00:22] Whether you're a tech enthusiast, a professional in the field, or just curious about the future, this podcast is for you. So grab your headphones and join us on this exciting journey into the world of technology. Let's get started.
[00:00:41] We're going to come back to the AI piece. I think that's important to touch on. But even using the example of the Mexican restaurant, again, one of the challenges you have is like recipes, right? Recipes are your IP. It's what differentiates your food from another right. Fast food restaurant or not. And a lot of times in the restaurant industry, you'll have, you know, turnover, right?
[00:00:58] You'll have cooks or chefs or waiters or waitresses, whatever management, even that, that come in. Learn everything that makes you unique. And then they can take that to the next organization. So managing the data within the organization, regardless of compliancy requirements or not, it's kind of interesting.
[00:01:13] So she brought up a good point. We're plugging Copilot here a little bit, we have done a lot with Copilot in the last 12 months. It's come a long way. The tool's been evolving, which can sometimes be in its own challenge. Right. But somebody is looking at artificial intelligence or they're looking at Copilot or any of the other large language models.
[00:01:32] As integrating into that, what do they need to do with their data? How do they need to start?
[00:01:36] Denise England: I'm going to come at this from a business perspective. There's two different angles. I feel like I say that a lot. There's always two things that pop in my mind, um, when you ask me a question, Ross. But, um, I'm going to, I'm going to keep going with that theme.
[00:01:51] The first thing that I think about in implementing AI and thinking about data governance is that there are concerns around whether people have access to something they should not have access to. So today, if you are not using an AI tool like Microsoft's Copilot, as an individual, I might go searching for information that is sensitive in nature, it's confidential and I shouldn't know how much my colleague Daren Rathbone makes and maybe my SkyTerra data governance team hasn't done a very good job of making sure that I don't have access to that data.
[00:02:39] And I could spin my wheels for a while and I can't find it because I'm just individually looking through resources that I have. As soon as you have access to an AI tool like Copilot, your ability to unearth confidential information exponentially speeds up. And so if I accidentally have access to something I shouldn't have access to, like Daren's salary,
[00:03:08] Copilot can help me find that information in a matter of minutes as opposed to hours. So people start worrying, you know, leaders in an organization start worrying about the fact that it's been not a big deal to protect their data up until they want to implement something like Copilot and then people can access something they didn't realize they had access to a lot faster.
[00:03:32] Ross Jordan: That's a good point.
[00:03:33] Denise England: And then the other thing that Daren alluded to is that. needs to delete old data, delete outdated data, remove data that's no longer relevant so that it doesn't show up in a twinning like Copilot or other kind of AI tools.
[00:03:51] Ross Jordan: Could you maybe expand on that a little bit there?
[00:03:54] Daren Rathbone: Yeah, it's as I think Denise said before, garbage in, garbage out.
[00:03:58] So if you're giving Copilot this set of data, and it's years outdated, then that person that's trying to leverage Copilot for whatever their business need is, not going to have accurate. And it's going to be false, you know, and they're going to look bad in the light of whomever they're presenting this data to.
[00:04:20] Ross Jordan: So that's a good point. It's very important, you know, a good example from, from my own experience would be recently I had a client address a project that I had absolutely no cognitive knowledge of. I hadn't even heard the terms before. Customer wanted to know, had we done it before? And how many times had we done it?
[00:04:38] And I was able to use Copilot. And it pulled up documents that were all sales related, right? That showed me not only had we done it, who we had done it with, who the engineers on the project had been, and that I could, using Copilot, speak to it at least. Yeah. It looks like we've done it three or four times, you know, been doing this since 2017 from the looks of it.
[00:04:59] And then I took that information back and then provided it to senior leadership and said, Hey, I have another one of these projects. And it was fascinating that I heard from them. Oh yeah, but we didn't do that successfully. And here's why, and here's what the cost was. Now, that was a series of data that I didn't have access to.
[00:05:16] That was financial records, that was project information, that was things, those were things, I should say, that were not available to me. So I didn't have the whole picture. But our data governance kept me from seeing what I shouldn't and didn't need to have access to. So when you set up data governance policies and you apply a tool like Copilot on top of it, the criticality of that is that if you've not got the right settings for the right classifications of individuals, like what Denise said, I would have access to all kinds of things.
[00:05:49] So how does an organization. How do they do that? How do they make those decisions? Cause it seems like it's not a single decision, but it's not thousands of decisions, but there's a working process that you go through to help identify everything from folder permissions and restrictions. And I feel like I'm just rattling on here, but how do you guys do that?
[00:06:07] How do you guys define that?
[00:06:09] Daren Rathbone: Yeah. Starting small again, as we've mentioned before, um, you I think one of the, one of the hardest parts or things an organization takes on is taking that written policy and trying to transform it into a data governance policy. We're not always working with that person that is in that compliance officer seat, and we might be dealing with somebody from the IT team, and they're trying to relay what they think they want to implement for data governance, but it's not really fitting into the business requirements from the actual business people.
[00:06:47] I think that's why Denise is here too. She's able to get the right information out of these people and the business side and translate it into what we need to implement for policies that will work for their business. Not slow it down.
[00:07:05] Ross Jordan: So is it safe to say we basically just tune it in a little bit? We start with broad, we start with broad decisions on policies or who has access or whatever, and then we just tweak it down and tweak it down and it can't be perfect the first time, right? This doesn't come out of the box, it's like, we're done.
[00:07:20] Daren Rathbone: No, and it won't be. So the beauty of it being in the Microsoft space is you can set up policies in a simulation mode. So you, for example, you can set up an auto labeling policy to detect sensitive data. Maybe just focus on one SharePoint site or a couple of SharePoint sites.
[00:07:42] And it can go and look for information such as social security numbers, and if it finds a match, this simulation mode of the policy will then report out all the documents that it found a match for that then allows the business to review the results, determine if it's actually accurate or not, or if you need to maybe tweak the confidence level, that sensitivity to just essentially hone in on the accuracy.
[00:08:17] You don't want to go and label, you know, a document that has a phone number in it as sensitive when it's actually supposed to be, you know, it's looking for social security numbers or something. And it's somewhat customizable, right? It is. Yeah. And it's that iterative process. You set it up, simulation mode.
[00:08:35] You can look at the results and then you can enforce or turn that policy on and expand the target scope, you know, as you see it working and improving, you can then add more sites to it and just kind of build out that auto labeling of your documents across the organization. Okay.
[00:08:56] Denise England: Through a lot of conversations with representatives at our customers.
[00:09:02] We can understand what their appetite is for restricting people from seeing things. And so we can say things like, okay, your controls should be focused on providing warnings and education and putting a tag on something, labeling a document to say, this is confidential, and that signals to users that it should be treated in a particular way without then controlling whether or not it can be accessed or what can be done with it.
[00:09:42] And so it can be a spectrum of restriction. And so you can go anywhere from informative. We've got these labels to signal to our users, this is sensitive information. You've read our policies and you know how you should treat this document because it is sensitive information. All the way to no one but the CEO is even allowed to open this document because it is sensitive information.
[00:10:13] And so you can have that ability to kind of toggle how conservative and how controlling you are about what people are allowed to access and what people are allowed to do with their sensitive data.
[00:10:32] Ross Jordan: Yeah. So that brings up a good point. So we've talked a lot about managing the data at rest. If you will, right, it's a document that's been created, it's sitting here, this is the location, here's the path to it.
[00:10:44] That's a document, right? We can control who has access to that document. But you guys have also set up policies that enable us to manage the flow of data as it comes through. So whether I create a Word document, no matter how I start it, you guys have a label for it, right? It's, it's confidential external or something like that, right?
[00:11:03] That means it can't go externally. I have to go in and actually modify that if I'm going to make that a marketing piece. Describe the difference to you when you're looking at data, as data sitting at rest or data in motion. How do you, how do you build that for a customer? How do you, because it almost seemed like two things, right?
[00:11:21] Here it is sitting here, but here I've got a flow of information coming into and out of the organization. What are the decisions the customer has to make to make that work successfully?
[00:11:30] Daren Rathbone: It's defining their, I guess, levels of sensitivity on the data and sensitivity level can and cannot be shared externally.
[00:11:41] Right. So, you know, here at SkyTerra, we have, let's say, for example, a document labeled highly confidential, that's not allowed outside the organization period. Mm hmm. So, you can't email it. You can't share it and that's it, but there are additional controls to implement so that if it does get outside the organization, nobody can read it and that's, I'm referring to, uh, encrypting those really sensitive documents so that it's the most restrictive down to one or two persons, maybe that has access to read it.
[00:12:14] That's cool. Denise, anything to add to that?
[00:12:17] Denise England: I was just thinking about that difference between data at rest and data in transit. And thinking about an organization's risk appetite. And so when you're thinking about that data traveling, how much is an organization willing to take on a risk that
[00:12:44] information is going to get into the hands of someone they didn't intend to be able to see that information. It's not only how confidential is this data, but also how much risk am I willing to take as an organization that this data gets into the hands of someone that was not the intended audience.
[00:13:09] Ross Jordan: That's a great example. I think, too, in the business development side, we identify it as a risk appetite, right? You have complete lockdown security at this site, and you have complete convenience and no security at this site. Somewhere along here is where your decisions have to be made in order to define your risk appetite.
[00:13:31] We have to lock it down. There's no way we can have it be exposed. Therefore, we're going to do everything that we can. I also, if you want to make it even more fun as you can add, you can add security. Can add convenience. Well, now let's throw in the third point of the triangle cost. How much do you want to spend to do it?
[00:13:48] Right? The cost factor is very low to be convenient, but the risk is much higher. Or, you go to the other side of the spectrum and the cost is very expensive to do it, but you diminish the risk of having something exposed. So it's very much, at least on the business development side, it's a conversation, where do you guys want to land on this?
[00:14:05] What's more important? You want to make it easy or you want to make it secure? Tell me where you want to go. That risk appetite's a big point.
[00:14:11] Denise England: That gets into the economics of it as well, right, of the risk reward or the, the cost benefit analysis, I should say. Sure.
[00:14:19] Ross Jordan: Sure.
[00:14:19] Denise England: What is the benefit of going through this implementation versus how much it's going to cost either in actual dollars or in time.
[00:14:32] Ross Jordan: Soft cost.
[00:14:33] Denise England: And I think something that occurred to me was just, as you were talking about those different factors is assessing that data that is going to be the most beneficial to secure, right? And so, when you're talking about that cost analysis, that risk assessment, that brings us back to why it's valuable to start with something you know is highly confidential or is going to be most beneficial for you to protect, and instead of trying to boil the ocean, as they say, and that's why implement strategies on all of your data, starting with something that, you know, is going to be valuable to put the effort on and really focusing in on a, a small win as we're talking about earlier.
[00:15:29] Ross Jordan: Very words. Are there topics that you guys want to cover, or maybe we have an address that you want us to. I mean, seriously, is there anything you think we should address?
[00:15:39] Denise England: I guess we've hit on it a little bit, but I think about the need to start small and be okay with things not being perfect. So going into an endeavor like this, being able to say, it is going to be iterative and it's not something that you can just flip a switch and then never think about again.
[00:16:04] And that's both frightening and also relieving, because it's frightening because it has to become ingrained in your organization and it's never going to go away, but it's relieving if you can say, you know what, let's start somewhere. It doesn't have to be great, but it's going to help us to make incremental progress and then build off of it.
[00:16:30] Ross Jordan: No, that's a good point too.
[00:16:32] Daren Rathbone: It is important that we do that. And as they refer to it as the data governance journey.
[00:16:37] Ross Jordan: That's a great point. And I always say you eat an elephant one bite at a time, right? Yes.
[00:16:45] Daren Rathbone: We get to know our customers really closely on some of these implementations because they, it's not just a cut and dry, you know, Google migration where we're taking data from A to B and educating the users and then we're done.
[00:17:01] This is a long, long project journey. And the more we work on it, the more we understand how the business is working and can make the tweaks and the edits to just improve on the implementation.
[00:17:16] Ross Jordan: Well, it's not a cookie cutter, right? This isn't what we did for the last group. We're going to do for you. It can't be.
[00:17:22] It's got to be very specific to them. And I think that that anxiety of once you start this, is there an end? No, I, there's really not. It's kind of like your health, right? It's something you have to work on all the time. You can't just let it go.
[00:17:33] Denise England: And that's okay. Right. It's okay that there is no end date.
[00:17:38] It's that you want to just say, am I making progress from one point in time to the next? What are my milestones? How can I confirm that something is better today than it was two weeks ago? And that doesn't mean that it's perfect, but that you're improving your, you know, your data is more secure and/or better quality today than it was last month and what can we do next month to build off of that.
[00:18:15] Ross Jordan: And sleep better knowing that you're, you've started the path, you're on the journey. It's going to improve. It's going to get better from here. Everything's going to be okay. No, I think that's a great point too, because so many people just see this as a massive, a monstrative type challenge. Although it can be, it's not as daunting as it looks from the first step, right?
[00:18:36] It's, I love the way you put that. And I've heard that before. It's a journey. It's a journey and a journey of a thousand miles begins with the first step. Well, I want to make sure that you guys know that I cannot think, you know, for your time. I appreciate the insight. I appreciate the commentary, the conversation.
[00:18:52] I also appreciate that. You guys are in this day in and day out and it's challenging and it's difficult and I haven't even scratched the surface of what it takes to do it. So all recording aside, thank you guys for doing this every day. A lot of people out here sleep better because you do. And that's a, that's a true statement.
[00:19:08] Daren Rathbone: Thank you.
[00:19:09] Ross Jordan: I will leave it to you guys. If you feel there's something we missed, should address.
[00:19:12] Denise England: I think like the biggest thing we're hearing, honestly, it's, you have to have people who are ready, just an investment in data, like it doesn't have to be done overnight. It doesn't have to be that you take on this mammoth, but that it's, you're going to be doing this for a while.
[00:19:30] Yeah. And it's okay. It's okay. Yeah.
[00:19:34] Ross Jordan: I think the way you described it too, you guys described it as there's got, there's a target, let's just get there, but we're not going to get there the first time. But I use value a lot of times in definitional people, when you can kind of see what's like, well, that's going to cost an arm and a leg.
[00:19:48] And it's like, what'd you drive to the office today? You know? What'd you drive? Whoa. What do you mean? What'd you drive? What'd you drive today? Benz, Volvo, you know, what, what'd you drive? And they'll describe a lot of times lately, it's like pickup, it's like, Oh, pavement princess. Nice. But the, um, the, the point I make with that is.
[00:20:05] It's like, why didn't you do it in a 72 Super Beetle? It's the same thing. It gets you where you need to go. You just, why did you pick the BMW? Why did you pick the Dodge Ram? Why did you, why? And you can listen to them. It's almost like, well, geez, well, it's because it's bigger. It's more secure. If I was in an accident, I, I'm more protected.
[00:20:23] I said, so those are the things that are valuable to you. I just need to find that same answer in your data. Where's that data at? What's that? What's important to you over there?
[00:20:31] Denise England: That's a really good point.
[00:20:33] Ross Jordan: And if it's important to you enough to drive to work, it should be important enough for you to keep your job or your employees jobs.
[00:20:39] And so values are a big part of what we have to discuss. It doesn't mean it wins every time. I think it relates to them. Thank you so much. I really appreciate you guys. Yeah. Thank you.
[00:20:49] Denise England: I always like when people are interested.
[00:20:51] Ross Jordan: It's fun stuff. It's good stuff. I appreciate you guys. I really do. I was not joking when I said thank you for doing what you do.
[00:20:56] Yeah. It means a lot.
[00:20:57] Denise England: Thanks. Absolutely.
[00:20:59] Ross Jordan: All right guys. All right. We'll see you later.
[00:21:00] Denise England: Thanks guys. Have a good one.
[00:21:02] Ross Jordan: Bye. Bye.
[00:21:03] Denise England: Bye.
[00:21:04] Ross Jordan: Thank you for your time today. We appreciate you listening to the SkyTerra Technologies podcast. For further information, you can find us on LinkedIn
[email protected]. Have a great day.