Establishing Efficient Data Governance Processes to Add Business Value

These days, organizations are awash with more data than ever before. The challenges this presents are compounded by evolving regulatory changes such as the General Data Protection Regulation (GDPR), which has necessitated significant changes when it comes to the storage and handling of EU citizens’ data.

Today’s CIOs face a common challenge to establish an information governance program that will enable the organization to embrace the data-driven era, while maintaining IT security and ensuring compliance during its implementation.

The success of an information governance program requires collaboration from the entire C-Suite, with CIOs, CISOs, chief data officers (CDO), and chief compliance officers taking a strategic role. If organizations assign this task to the CDO only, it may not lead to the desired effect, as they often lack the necessary authority and resources.

In fact, Gartner predicted that 90% of enterprises will have hired a CDO by 2019 to unlock the value of their information assets, but just half will be considered a success in this regard.

What makes a value-driven information governance program?
The concept of information governance emerged from compliance, where the former concerns data protection and retention according to specific standards. However, as volumes of data increase in the data-driven era, information governance has evolved to include the management of other types of data, including non-sensitive.

A recent report by The Compliance, Governance and Oversight Counsel found that 60% of corporate data has no “business, legal or regulatory value.” If an organization is flooded with information, it complicates the protection of sensitive data, boosts storage costs, and hinders an employee’s ability to locate necessary information among thousands of files. A holistic information governance program tackles all these issues and provides businesses with analytical insights and value.

Visibility into enterprise content is a fundamental aspect of value-driven information governance. It includes the ability to discover various types of data, classify it effectively and precisely, as well as to define ROT files across critical data sources. This empowers IT teams to clean up unnecessary data, to enhance records management, and to improve search capability. Such an approach can be applied to critical business areas, and metrics can be set based on their performance measures.

For example, analysts from Osterman Research suggest storage costs, user productivity, and costs of eDiscovery process as metrics, calculating that effective information governance can save an organization of 2,500 employees $52.8 million in a 5-year period. 

Tips for implementing effective information governance
The implementation of a proper information governance program can present a headache for CIOs and CISOs, as it changes the ways in which organizations handle their data. Here are a few best practice tips for success: 

Establish metrics
To establish actionable metrics as well as to set timely goals, it is important to calculate costs thoroughly. To evaluate storage costs, businesses should include costs of terabytes used, the cost of labor required to manage systems, as well as the cost of space to house them.

They should consider the average size of emails, number of employees, file systems, the total number of SharePoint Installations and so on, and then multiply all parameters by the annual growth rate. With this information at hand, organizations will be able to evaluate cost savings from the information governance program before and after implementation.

Deploy the right technologies
It is essential to deploy a combination of technologies that enable an organization to understand various types of data as well as to maintain security controls over it throughout its lifecycle. The former starts with automated data classification that covers the broadest variety of organizations’ information assets.

It is important that businesses consider if their technology can accurately identify sensitive data as well as complex data such as proprietary PDF files, for instance, and, identify duplicate or irrelevant content enterprise-wide. They must also ensure it can integrate with security solutions such as data loss prevention tools or auditing technologies as well as with the required data sources. 

Implement a defensible deletion program
Defensible deletion reduces risk by eliminating information in-line with an organization’s legal obligations and company guidelines. It also ensures the deletion of unnecessary information. While many organizations conduct annual audits of their records in-line with compliance standards, this type of activity should be conducted more regularly, and cover both sensitive and non-sensitive data.

The approach I have described considers information governance as a vital step towards increasing an organization’s overall data maturity. In the data-driven era, an effective strategy for data governance will help IT and security teams to articulate the value of such a program to the C-Suite, and ensure that value is derived from enterprise data without compromising on security or compliance.

What’s Hot on Infosecurity Magazine?