SkyTerra Podcast Episode 5: What to Consider in Governance, Risk and Compliance


[00:00:00] Ross Jordan: Welcome to the SkyTerra podcast, where we are empowering your business to do more. I’m your host, Ross Jordan. Every other week, we’ll explore the world of technology, what has changed, how it might impact your business and why it matters to you. We will bring you interviews with business and industry leaders and discuss how technological advances impact your business and our lives.

[00:00:22] Whether you’re a tech enthusiast, a professional in the field or just curious about the future, this podcast is for you. So grab your headphones and join us on this exciting journey into the world of technology. Let’s get started.

Good afternoon. Thank you, Daren and Denise for joining us today on the SkyTerra podcast. Today, we’re going to be talking about data governance and compliance and the impact that it has on organizations. So thank you both for your time today. Welcome. 

Denise England: Sure.

Daren Rathbone: Hey, you’re welcome. Glad to be here. 

Ross Jordan: Excellent. Well, let’s get started. So Daren, we’re going to start with you. So explain to me what data governance is from an IT standpoint. 

Daren Rathbone: Well, data governance is a broad label because there are so many areas that you could focus on, especially in the Microsoft Purview space: areas such as classifying your data by leveraging sensitivity labels or applying actionable policies to keep sensitive data within the organization.

There’s implementing some sort of data lifecycle to your environment, maybe to clean out old, outdated data, or maybe you’ve got some compliance requirements where you need to get rid of data that’s older than seven years, for example, also, discovery. I think a lot of customers we work with don’t really focus on the discovery much when they come to us, but it is a sort of a silo of Purview in the data governance space. You know, your legal team has the ability to create searchable cases and dealing with legal issues, so to speak, you can get in trouble if you don’t have the data to present. So that’s just another area that I feel falls under data governance. 

Ross Jordan: It’s one of the things most companies don’t think about. If you’re not supposed to have it more than five years, and you do, that means just as much risk as not having it when you needed to have it, right? 

Daren Rathbone: Yeah, and the last sort of piece that I’ll just kind of touch on here is, you’ve got your data governance from a technical standpoint. But it’s also educating your users, because the change can be drastic to them and getting them to adapt and adopt the changes will also help the implementation of your data governance. It’s critical if you can’t get them on board. 

Ross Jordan: What do they call that? Where you do IT on the side. Come on, Dan has a word for it, I always use it. But you’re working around the policies because it’s more convenient.  

Denise England: Circumventing policy. 

Daren Rathbone: So a lot of user education there. 

Ross Jordan: Yeah, yeah, making them comfortable with it. So, Denise, you’ve had a lot of experience in dealing with organizations taking this on and adopting governance policies and compliancy policies. So, why is data governance important to an organization? 

Denise England: It’s important whether people want it to be or not. I think there’s a couple of things that come to my mind when I think about why it’s important.

One is that increasingly data and, you know, what we’re talking about is electronic information. The more we use our tools, our technology tools, the more data we have. And so because the amount of data we are producing and consuming is growing as organizations so much it becomes an integral part of what we do on a daily basis and an important part of who we are as organizations and how we succeed.

So if you are not governing your data, if you’re not proactively thinking about how you’re protecting your data, how you’re managing your data, how you’re cleansing your data, how you’re ensuring that it’s accurate or up to date, you will lose the ability to operate effectively in your organization. Because we have so much data year after year, it becomes essential to have a data governance program to feel like you’ve got a handle on your data. 

The second part that came to my mind that I wanted to mention is even if you decide as an organization you don’t care about any of that, regulators are knocking on our doors saying you have to care about it because in particular, individuals are concerned about their own data and so regulators are coming in helping individuals to have control over rights around their data and protect their own individual data. 

So to the extent that you have employees and you have their data or you have customers and you have their data, you potentially have regulatory requirements that you have to meet as an organization to ensure that that data is handled with care and meets regulatory obligations. 

So that’s why data governance is important to organizations, both from a cost perspective or a value add perspective, and in order to meet regulatory requirements, legal requirements and have a good organizational reputation. You want to have positive reputation, be thought of as someone that individuals trust their data with and trust are right. And you want to be an organization that people want to work with. 

Ross Jordan: Absolutely. Well, and there’s no shortage of regulations out there. We’re finding new ways to regulate new stuff. So every time you turn around, there’s new and more exciting ways to be regulated. But when you’ve worked with organizations and they’re designing their policies and procedures towards governance and compliance, what are some of the action items that organizations should consider to decrease the impact to their internal customers, their own team?

Denise England: A couple of things that come to my mind are to cast a wide net of information when seeking input about how you do your jobs or perform your obligations day to day, how you interact with your data. One of the things that I recommend is that, for the leaders who are implementing or, kind of going down the path of taking on data governance, policies or practices, take the time to talk to a lot of people at your organization about how do you interact with your data? What are our procedures? What do we need to make sure we don’t break when we make changes to our procedures or who does what around here? 

So when you’re thinking about data governance and how new policies or practices are going to impact the organization’s day to day, you want to make sure that you have an understanding of how people are actually interacting with your data on a regular basis so that you don’t disrupt their efficiency and their productivity. You don’t disrupt it too much. You’re going to disrupt it. You’re going to ruffle feathers. You’re going to get people saying that they’re uncomfortable and they want to leave things the way they are. There has to be a balance of making good data governance decisions to protect your data, handle your data appropriately and ensuring that you are taking into account productivity and efficiency.

Ross Jordan: Absolutely. 

Denise England: And then on the flip side of that, or after the fact, is training. So it’s almost two sides of the same coin, before you implement and make a decision about what you’re going to implement in terms of data governance, solutions, practices, changes, that first thing is to get a lot of information from end users.

The second thing is to educate end users and make sure that what you are putting into place is well-understood and that you give them not just the “here’s what you have to do differently,” but the “here’s why are we doing this.” Just give them the why, give them some appreciation for how these changes to their daily routine are having a positive impact to your organization. 

Ross Jordan: I think those are great examples. You both have mentioned training and the disruptiveness that something like this can create. I think it’s important and we’re going to talk about that some more later. But I’ve been a part of two organizations that have deployed governance policies or internal governance policies. One of them just did it and didn’t do any kind of internal training and it incapacitated the organization. I’m not joking. We couldn’t get access to files. We couldn’t do our jobs. 

The challenge was somebody had to go back and undo all those things or undo to a point where then everybody got access to it. It ended up being something where they finally said, forget it. We’re just not even going to do it. 

Conversely, you guys here at SkyTerra have done the same thing as well, but it was done differently. It was done with intention and done with purpose so that we could secure our data the way we needed to.

But one more thing was done. And Daren, I’m going to ask you about this: The thing that you guys did was that you incorporated our opinions in the construction of how we manage the policies. But you guys also took the next step forward, which was to generate ways to work through the challenges that we were certainly going to see. 

Today was a great example, right? I had a document I received from the outside. I needed support from another member of the organization. I just forwarded it over. Well, our governance policy doesn’t allow us to do that. So I had to find a way to do it, and you guys created a process that enabled us that when we had a challenge with the policy, we could work through it.

So, Daren, switching over to you now, I mean, when you’re setting this kind of stuff up, how do you create policies and procedures internally that keep an organization from face planting? 

Daren Rathbone: Yeah, it deals with working with your user base, like we did here. If you just go and implement it and leave your users in the dark it’s going to be a failed implementation and then the organization as a whole is going to decide, well, we’re not going to waste our money and effort on this, because it failed. Those eyes at the top level management may not have seen that it was a poorly implemented plan and just saw that it didn’t work. So we’re not going to go there. 

In reality, if you plan and design, and get user feedback on how they’re dealing and working with the data. And having maybe lunch and learns… I think that was a big help, too. Where we could be questioned directly and answer them right away.  

Ross Jordan: Policies were in place, 

Daren Rathbone: Yeah. 

Denise England: Or even afterward. An important part of a broad program like data governance is you’re prepared to adjust and learn and have future versions, if you will, that “don’t expect that we’re going to get it perfect the first time.” Once you are able to get your end users trying to work day to day under the new regime, so to speak, you get feedback about what isn’t working or what is insurmountable and why it’s insurmountable and you then learn different ways that you can accomplish your goals. 

So I think that one of the things I’ve learned along the way is remembering what your end goals are in data governance, and understanding we have this policy in place in order to achieve X, or we have this control in place because we’re trying to protect XYZ, and when you get feedback about how that control is impacting a user’s day-to-day work, you can say, “Okay, are there other ways that we can control what’s being shared or how it’s being shared or change the scope that will still achieve our end goal in a less intrusive way or account for this particular unique business need?”

Ross Jordan: Now, I think this is an important point, too. I mean, you said begin with the end in mind, but, but constantly go back to it. There’s a purpose. You need to do this. There’s a cause that’s making you want to do it. It’s time. It’s money. It’s an evolution of the organization. It’s really a maturing of the organization.

Candidly, when you guys have built, not only our policies, but the policies for our clients and customers, when you look in retrospect at those, because I wish I could say it’s perfect every time, it’s not, right? Some of them – it’s not our fault – but it just doesn’t go right every single time from beginning to end. There are always challenges. 

You guys created a way for us to give you feedback. And I remember thinking to myself when you did this, it was like, “Hey, we’re going to do a policy. That’s step one. Step two is we’re going to slowly implement this, right? And then we’re going to narrow it down as you guys move forward.” Or as we got more familiar with it, you were just teaching us how to do it better. I think it was perceived as kind of tightening the noose, right? Nobody wanted to change, but we needed to, right? It’s better that we did, but, but when you’re doing this with other clients, if you wouldn’t mind, kind of provide some feedback. I mean you’ve seen this work really well. Describe to me, in your own opinions, what’s different about what is a successful deployment and the challenged deployments. What makes those two things happen? 

Denise England: One of the things that I’ve seen as successful recently is doing a proof of concept and having the organization start small like we did here at SkyTerra. So we work closely with our clients. As a partnership, it’s not just a project where we set something up and let you go and you never hear from us again. But that with one of our clients in particular, we’ve been in the middle of a proof of concept that does tackle a small scope of data and area of the organization to go through that feedback process together and hear what uniquely in their organization their challenges are and what their end users are struggling with and learn from that in order to apply an improved version to the next phase that would be a bigger scope, so it would take on additional data, additional individuals, but that feedback loop is something that we get to stay a part of. It’s not just something that we provide technology for and close the project and let the client go on their way without any support. 

Ross Jordan: So it’s not set it and forget it, really? 

Daren Rathbone: Yeah, it’s a living, growing thing. Absolutely. And just to add to that, I think it’s finding those early adopters that can be your voice of reason to the general population of the users.

They’re acceptable to change, acceptable to being the guinea pig, you know, what we refer to to test out your policies and your theories and really see that they’re working or not. And if things are working in a positive way, they can help spread the word, get everybody on board.

Ross Jordan: It’s not as bad as everybody thinks, right? 

Denise England: You need your vocal champions. Definitely. Absolutely. And then, Daren, I don’t know if you have an example of some kind of trends of why things end up working less well that you want to share. But I could. 

Ross Jordan: Are there things that you need to do that have long-term implications in the organization that you should plan for right up front when you’re thinking about data organization? You begin with the end in mind, you’re right, but I mean are there things that you need to do very early on that are going to help a company be more successful with their deployment than they would be if you didn’t do them? You can call them best practices or maybe just the “oh crapskis” right? What, what do you not want to do? 

[00:18:35] Daren Rathbone: I think some of that might be getting their data organized. We are working with a client that leverages SharePoint heavily. I think not all of the access controls are set up to the best that they should be, and focus on getting it set up with permissions that are on a need-to-know basis. That way, let’s say a user gets compromised and if their permissions on sensitive data is set up in a manner such that it’s not just wide open, but configured so that they only have access to what they need to know, it decreases the amount of expansion that that person that’s trying to get your data can get to. So that’s kind of one thing that comes to mind. I don’t know if you have…

Denise England: I guess I would also just add a lot of testing beforehand. One of the big facets of data governance, regardless of what part of data governance you’re talking about, is it’s kind of a prerequisite of knowing your data. So there’s this big kind of chant in the data governance community of know your data. A lot of organizations who come to us just don’t even know where their data lives, how big is it, how sensitive is it, what do I care about, what don’t I care about… 

It can become really overwhelming to organizations to try to even figure out where to start or to just feel like they’re supposed to protect all of their data all at once or govern all of their data all at once. So I think one of the keys to success is being okay with a small success and thinking about what you actually are concerned about protecting or concerned about governing and saying “let’s start small” so that you can actually implement a solution and you’re not stuck in paralysis of how huge this undertaking is.

Ross Jordan: That’s a good point. Paralysis by analysis is absolutely a real factor. 

Daren Rathbone: Those small wins aren’t anything to just ignore, right? 

Ross Jordan: That’s a good point, and I think it also harkens to what you’ve said to clients in the past, Denise and Daren, feel free to step in on this as well, but it’s almost like the Louvre, right? You start with the Mona Lisa, you start with your most critical data, the most important data, the crown jewels, if you will, and you work out from there, right? Make sure that that first piece is most secure. 

How do you help an organization define what are their crown jewels? Customer lists, customer data, IP? I mean, there’s all this stuff. What should they consider that little win that protects the most sensitive data? How do they define what that is? 

Denise England: I would start by saying most clients come to us for a reason, right? None of our clients are knocking on our door because they are just like, “Hey, I keep hearing about data governance.” Most of the time, they’ve been told they need to worry about something, or they’ve experienced an inciting event that has caused them to say, “I’m concerned about my intellectual property,” or “I’m concerned about my employees’ personal data that has to do with their salaries” or “I’m concerned about something I was told I need to be concerned about.” 

Often, I think that the individuals at organizations who we’re talking to forget that; what it was that caused them to start thinking about data governance in the first place. And they just have to be reminded of what started this conversation. What was the inciting event or the piece of data that you came across that caused you to feel like, maybe we should be talking to someone about data governance improvements? That’s where I would encourage organizations to start. 

Ross Jordan: Okay. That’s great insight. So, Daren, we’ve got a governance and compliance framework that they’re definitively having to move towards, there’s a target. Let’s say we’re not one of those organizations, right? Say I’m just Joe Schmoe out here doing a job. I don’t have any kind of ISO compliance, SMA, FedRAMP, you know, CMMC, I don’t have that that I have to work toward. Why is this important to me anyways? Why do I care? 

Daren Rathbone: I mean, the data is your intellectual property. It’s what’s keeping your business going, right? So if you don’t protect it, you’re not going to be employed tomorrow, potentially, right? If it’s all stolen. Good point. 

Ross Jordan: Well, I just was curious. Outside of a compliance requirement, why would I want to go through it? Why do I want to go through this hassle? I think it’s a question we get in business development. Yes, it’s really easy when there’s a target, but it seems like governance, compliance and management of your data doesn’t seem to be important to clients unless there is that regulatory requirement for some reason.

What I was hoping to be able to identify is, let’s say I’m a restaurant. All I am is a Mexican restaurant in the middle of Loveland, Colorado. Why do I care about my customers’ data? Why do I care about credit card information? Why do I care about who they see or what’s on my cameras or anything like that? I think the challenges that customers face are that they don’t have to do it, so they may not want to, but they really should. They really, really should. 

Denise England: Can I just offer up there? You know, the evolution and enhancements in the AI space are putting data governance at the top of organizations’ minds more. I think what we’re hearing from potential clients recently is data governance becomes a topic as a result of interest in benefiting from an AI tool, some kind of machine learning tool or enhanced searching tool because it’s “garbage in garbage out.” If you’ve got good information that these tools are leveraging, then you’re going to get good results and vice versa.

Daren Rathbone: Yeah, right. Going on that mention of data lifecycle management. If you are leveraging AI, like Copilot, and somebody is going to search for a list of the most frequently drunk bottles of wines or something, and your list of those top wines isn’t updated, Copilot’s going to find the old data, and it’s just not going to be pertinent or relevant anymore. 

Denise England: Yeah, you’re a restaurant that has information about how many cases of that bottle of wine you’ve ordered over the last year, and if that information is missing an invoice or is outdated for some reason, the ability to find the accurate information is lacking. So data governance can help with that.

Ross Jordan: We’re going to come back to that, the AI piece, I think that’s important to touch on, but I’m going to give you guys some time back. Thank you so much. I really appreciate you guys, and we’ll see you later. 

Denise England: Thanks guys. Have a good one.

Ross Jordan: Thank you for your time today. We appreciate you listening to the SkyTerra Technologies podcast. For further information, you can find us on LinkedIn or at www.skyterratech.com. Have a great day.
