Episode 6: What to Consider in Data Governance: Compliance and Risk, Part 2

SkyTerra's Inception podcast 6

Ross Jordan: Welcome to the SkyTerra podcast, where we are empowering your business to do more. I’m your host, Ross Jordan. Every other week, we’ll explore the world of technology, what has changed, how it might impact your business and why it matters to you. We will bring you interviews with business and industry leaders and discuss how technological advances impact your business and our lives.

Whether you’re a tech enthusiast, a professional in the field or just curious about the future, this podcast is for you. So grab your headphones and join us on this exciting journey into the world of technology. Let’s get started.

We’re going to come back to the AI piece. I think that’s important to touch on. But even using the example of the Mexican restaurant, again, one of the challenges you have is like recipes, right? Recipes are your IP. It’s what differentiates your food from another fast food restaurant or not. And a lot of times in the restaurant industry, you’ll have turnover, right?

You’ll have cooks or chefs or waiters or waitresses, management that come in and learn everything that makes you unique. And then they can take that to the next organization. So managing the data within the organization, regardless of compliancy requirements or not, it’s kind of interesting.

So Denise England brought up a good point. We’re plugging Copilot here a little bit. We have done a lot with Copilot in the last 12 months. It’s come a long way. The tool’s been evolving, which can sometimes be its own challenge, right? But somebody is looking at artificial intelligence or they’re looking at Copilot or any of the other large language models as integrating into that, what do they need to do with their data? How do they need to start? 

Denise England: I’m going to come at this from a business perspective. There’s two different angles. I feel like I say that a lot. There’s always two things that pop in my mind when you ask me a question, Ross. But I’m going to keep going with that theme.

The first thing that I think about in implementing AI and thinking about data governance is that there are concerns around whether people have access to something they should not have access to. So today, if you are not using an AI tool like Microsoft’s Copilot, as an individual, I might go searching for information that is sensitive in nature, it’s confidential and I shouldn’t know how much my colleague Daren Rathbone makes and maybe my SkyTerra data governance team hasn’t done a very good job of making sure that I don’t have access to that data.

I could spin my wheels for a while and I can’t find it because I’m just individually looking through resources that I have. As soon as you have access to an AI tool like Copilot, your ability to unearth confidential information exponentially speeds up. And so if I accidentally have access to something I shouldn’t have access to, like Daren’s salary, Copilot can help me find that information in a matter of minutes as opposed to hours. So people start worrying. Leaders in an organization start worrying about the fact that it’s been not a big deal to protect their data up until they want to implement something like Copilot and then people can access something they didn’t realize they had access to a lot faster.

Ross Jordan: That’s a good point. 

Denise England: And then the other thing that Daren alluded to is that need to delete old data, delete outdated data, remove data that’s no longer relevant so that it doesn’t show up in a twinning like Copilot or other kind of AI tools. 

Ross Jordan: Could you maybe expand on that a little bit there? 

Daren Rathbone: Yeah, it’s as I think Denise said before, garbage in, garbage out. So if you’re giving Copilot this set of data, and it’s years outdated, then that person that’s trying to leverage Copilot for whatever their business need is, is not going to have accurate data. And it’s going to be false, and they’re going to look bad in the light of whomever they’re presenting this data to.

Ross Jordan: So that’s a good point. It’s very important. A good example from my own experience would be recently, I had a client address a project that I had absolutely no cognitive knowledge of. I hadn’t even heard the terms before. Customer wanted to know had we done it before? And how many times had we done it?

I was able to use Copilot. It pulled up documents that were all sales related, right? That showed me not only had we done it, who we had done it with, who the engineers on the project had been, and that I could, using Copilot, speak to it at least. Yeah. It looks like we’ve done it three or four times, been doing this since 2017 from the looks of it.

And then I took that information back and provided it to senior leadership and said, “Hey, I have another one of these projects.” And it was fascinating that I heard from them, “Oh yeah, but we didn’t do that successfully. And here’s why, and here’s what the cost was.” Now, that was a series of data that I didn’t have access to. That was financial records, that was project information. Those were things that were not available to me. So I didn’t have the whole picture. But our data governance kept me from seeing what I shouldn’t and didn’t need to have access to. 

So when you set up data governance policies and you apply a tool like Copilot on top of it, the criticality of that is that if you’ve not got the right settings for the right classifications of individuals, like what Denise said, I would have access to all kinds of things.

So how does an organization do that? How do they make those decisions? Because it seems like it’s not a single decision, but it’s not thousands of decisions, but there’s a working process that you go through to help identify everything from folder permissions and restrictions. 

And I feel like I’m just rattling on here, but how do you guys do that? How do you guys define that? 

Daren Rathbone: Yeah. Starting small again, as we’ve mentioned before, one of the hardest parts or things an organization takes on is taking that written policy and trying to transform it into a data governance policy. We’re not always working with that person that is in that compliance officer seat, and we might be dealing with somebody from the IT team, and they’re trying to relay what they think they want to implement for data governance, but it’s not really fitting into the business requirements from the actual business people.

I think that’s why Denise is here, too. She’s able to get the right information out of these people and the business side and translate it into what we need to implement for policies that will work for their business. Not slow it down. 

Ross Jordan: So is it safe to say we basically just tune it in a little bit? We start with broad decisions on policies or who has access or whatever, and then we just tweak it down and tweak it down and it can’t be perfect the first time, right? This doesn’t come out of the box, it’s like, we’re done.

Daren Rathbone: No, and it won’t be. So the beauty of it being in the Microsoft space is you can set up policies in a simulation mode. So for example, you can set up an auto-labeling policy to detect sensitive data. Maybe just focus on one SharePoint site or a couple of SharePoint sites.

And it can go and look for information such as Social Security numbers, and if it finds a match, this simulation mode of the policy will then report out all the documents that it found a match for that then allows the business to review the results, determine if it’s actually accurate or not, or if you need to maybe tweak the confidence level. 

That sensitivity to just essentially hone in on the accuracy. You don’t want to go and label a document that has a phone number in it as sensitive when it’s actually supposed to be, you know, looking for Social Security numbers or something. And it’s somewhat customizable, right? It is. Yeah. And it’s that iterative process. 

You set it up in simulation mode. You can look at the results and then you can enforce or turn that policy on. And expand the target scope as you see it working and improving, you can then add more sites to it and just kind of build out that auto-labeling of your documents across the organization.  

Denise England: Through a lot of conversations with representatives at our customers, we can understand what their appetite is for restricting people from seeing things. And so we can say things like, okay, your controls should be focused on providing warnings and education and putting a tag on something, labeling a document to say, “This is confidential,” and that signals to users that it should be treated in a particular way without then controlling whether or not it can be accessed or what can be done with it.

So it can be a spectrum of restriction. So you can go anywhere from informative – we’ve got these labels to signal to our users this is sensitive information. You’ve read our policies and you know how you should treat this document because it is sensitive information – all the way to no one but the CEO is even allowed to open this document because it is sensitive information.

So you can have that ability to kind of toggle how conservative and how controlling you are about what people are allowed to access and what people are allowed to do with their sensitive data. 

Ross Jordan: Yeah. So that brings up a good point. So we’ve talked a lot about managing the data at rest, if you will. It’s a document that’s been created, it’s sitting here, this is the location, here’s the path to it.

That’s a document, right? We can control who has access to that document. But you guys have also set up policies that enable us to manage the flow of data as it comes through. So whether I create a Word document, no matter how I start it, you guys have a label for it, right? It’s, it’s confidential external or something like that, right? That means it can’t go externally. I have to go in and actually modify that if I’m going to make that a marketing piece. 

Describe the difference to you when you’re looking at data, as data sitting at rest or data in motion. How do you build that for a customer? Because it almost seemed like two things, right? Here it is sitting here, but here I’ve got a flow of information coming into and out of the organization. What are the decisions the customer has to make to make that work successfully? 

Daren Rathbone: It’s defining their levels of sensitivity on the data and sensitivity level can and cannot be shared externally. So, you know, here at SkyTerra, we have, let’s say, for example, a document labeled highly confidential, that’s not allowed outside the organization period. So, you can’t email it. You can’t share it and that’s it, but there are additional controls to implement so that if it does get outside the organization, nobody can read it. I’m referring to encrypting those really sensitive documents so that it’s the most restrictive down to one or two persons, maybe, that have access to read it.

Denise England: I was just thinking about that difference between data at rest and data in transit. And thinking about an organization’s risk appetite. And so when you’re thinking about that data traveling, how much is an organization willing to take on a risk that information is going to get into the hands of someone they didn’t intend to be able to see that information. It’s not only how confidential is this data, but also how much risk am I willing to take as an organization that this data gets into the hands of someone that was not the intended audience.

Ross Jordan: That’s a great example. I think, too, in the business development side, we identify it as a risk appetite, right? You have complete lockdown security at this site, and you have complete convenience and no security at this site. Somewhere along here is where your decisions have to be made in order to define your risk appetite.

We have to lock it down. There’s no way we can have it be exposed. Therefore, we’re going to do everything that we can. If you want to make it even more fun as you can add security. Can add convenience. Well, now let’s throw in the third point of the triangle cost. How much do you want to spend to do it?

The cost factor is very low to be convenient, but the risk is much higher. Or, you go to the other side of the spectrum and the cost is very expensive to do it, but you diminish the risk of having something exposed. So it’s very much, at least on the business development side, it’s a conversation: “Where do you guys want to land on this? What’s more important? You want to make it easy or you want to make it secure? Tell me where you want to go.” That risk appetite’s a big point. 

Denise England: That gets into the economics of it as well, right, of the risk reward or the cost benefit analysis, I should say. What is the benefit of going through this implementation versus how much it’s going to cost either in actual dollars or in time. 

Ross Jordan: Soft cost.

Denise England: Something that occurred to me was just, as you were talking about those different factors, is assessing that data that is going to be the most beneficial to secure, right? And so when you’re talking about that cost analysis, that risk assessment, that brings us back to why it’s valuable to start with something you know is highly confidential or is going to be most beneficial for you to protect, and instead of trying to boil the ocean, as they say, and that’s why implement strategies on all of your data, starting with something that is going to be valuable to put the effort on and really focusing in on a, a small win as we’re talking about earlier.

Ross Jordan: Are there topics that you guys want to cover? Is there anything you think we should address? 

Denise England: I guess we’ve hit on it a little bit, but I think about the need to start small and be okay with things not being perfect. So going into an endeavor like this, being able to say, it is going to be iterative and it’s not something that you can just flip a switch and then never think about again.

That’s both frightening and also relieving. It’s frightening because it has to become ingrained in your organization and it’s never going to go away, but it’s relieving if you can say, you know what, let’s start somewhere. It doesn’t have to be great, but it’s going to help us to make incremental progress and then build off of it.

Ross Jordan: No, that’s a good point, too. 

Daren Rathbone: It is important that we do that. And that they refer to it as the data governance journey. 

Ross Jordan: That’s a great point. And I always say you eat an elephant one bite at a time, right? Yes. 

Daren Rathbone: We get to know our customers really closely on some of these implementations because it’s not just a cut and dry, you know, Google migration, where we’re taking data from A to B and educating the users and then we’re done. This is a long, long project journey. And the more we work on it, the more we understand how the business is working and can make the tweaks and the edits, to just improve on the implementation. 

Ross Jordan: Well, it’s not a cookie cutter, right? This isn’t what we did for the last group we’re going to do for you. It can’t be. It’s got to be very specific to them. And I think that that anxiety of once you start this, is there an end? No, there’s really not. It’s kind of like your health, right? It’s something you have to work on all the time. You can’t just let it go. 

Denise England: And that’s okay. Right. It’s okay that there is no end date. It’s that you want to just say, am I making progress from one point in time to the next? What are my milestones? How can I confirm that something is better today than it was two weeks ago? And that doesn’t mean that it’s perfect, but that you’re improving. Your data is more secure or better quality today than it was last month and what can we do next month to build off of that.

Ross Jordan: And sleep better knowing that you’ve started the path. You’re on the journey. It’s going to improve. It’s going to get better from here. Everything’s going to be okay. No, I think that’s a great point, too, because so many people just see this as a massive challenge. Although it can be, it’s not as daunting as it looks from the first step, right?

I love the way you put that. And I’ve heard that before. It’s a journey, and a journey of a thousand miles begins with the first step. Well, I want to make sure that you guys know that I cannot thank you enough for your time. I appreciate the insight. I appreciate the commentary, the conversation.

I also appreciate that you guys are in this day in and day out and it’s challenging and it’s difficult, and I haven’t even scratched the surface of what it takes to do it. So all recording aside, thank you guys for doing this every day. A lot of people out here sleep better because of what you do. And that’s a true statement.

Daren Rathbone: Thank you. 

Ross Jordan: I will leave it to you guys. If you feel there’s something we missed, should address. 

Denise England: I think like the biggest thing we’re hearing, honestly, it’s you have to have people who are ready, just an investment in data, like it doesn’t have to be done overnight. It doesn’t have to be that you take on this mammoth, but that you’re going to be doing this for a while and it’s okay. It’s okay. 

Ross Jordan: I think the way you described it, too, as there’s a target, let’s just get there, but we’re not going to get there the first time. But I use value a lot of times when you can kind of see that’s going to cost an arm and a leg.

And it’s like, “What’d you drive to the office today? You know? What’d you drive? What’d you drive today? Benz, Volvo, you know, what, what’d you drive?” And they’ll describe a lot of times lately, it’s like a pickup. It’s like, “Oh, pavement princess. Nice.” But the point I make with that is, “why didn’t you do it in a 72 Super Beetle? It’s the same thing. It gets you where you need to go. Why did you pick the BMW? Why did you pick the Dodge Ram?” And you can listen to them. It’s almost like, “Well, geez, it’s because it’s bigger. It’s more secure. If I was in an accident, I’m more protected.”

I said, “So those are the things that are valuable to you. I just need to find that same answer in your data. Where’s that data at? What’s that? What’s important to you over there?” 

Denise England: That’s a really good point. 

Ross Jordan: And if it’s important to you enough to drive to work, it should be important enough for you to keep your job or your employees’ jobs. So values are a big part of what we have to discuss. It doesn’t mean it wins every time. I think it relates to them. 

Thank you so much. I really appreciate you guys. Thank you. 

Denise England: I always like when people are interested. 

Ross Jordan: It’s fun stuff. It’s good stuff. I appreciate you guys. I really do. I was not joking when I said thank you for doing what you do. Yeah. It means a lot. 

Denise England: Thanks. Absolutely. 

Ross Jordan: All right guys. All right. We’ll see you later. 

Denise England: Thanks guys. Have a good one. 

Ross Jordan: Thank you for your time today. We appreciate you listening to the SkyTerra Technologies podcast. For further information, you can find us on LinkedIn or at www.skyterrateech.com. Have a great day.


SkyTerra Technologies

The SkyTerra team has experience providing enterprise-level IT solutions to Fortune 500 companies including cyber security, cloud services, IT infrastructure, compliance and more.