August 30, 2021

Last Updated on January 15, 2024

Driven by the rising tide of privacy legislation, information governance is shifting from a powerful differentiator to a business-critical, must-have operational function. It’s only a matter of time before every organization that handles sensitive data will need information governance… but how far off is that time?

To share thought leadership and a forward-looking view on information governance, we invited David Gould, Chief Customer Officer at EncompaaS, to join a recent episode of The Virtual CISO Podcast. Hosting the episode is John Verry, Pivot Point Security CISO and Managing Partner.

John notes that many of the conversations he has with clients about information governance feel “educational.” He asks: “How far out is it before information governance is not something that’s on the horizon, but something that’s sitting right in front of us, that’s active for all of us?”

Better technology is emerging
As David notes, improving technology to help scale and support information governance activities will be a big influencer: “I think up until now, one of the limiting factors was that the solutions that were being deployed to buttress or support, or be the foundation for information governance programs, were actually quite limited. They were limited in terms of the sheer scope of what they could analyze. They were limited in the kinds of analysis that you can do on it. And I think a lot of the things that are being done at top-level DHS kinds of accounts, the NSA, CIA, a lot of the technology that’s being deployed in very secretive fashion is starting to be commercialized now.”

It’s all about analytics
“That technology is all about analytics,” continues David. “How do you analyze content? How do you put context around it? Does it belong with this part of content, or does it belong with another part of content? And now I think we’re just starting to see the benefits of these new technologies being applied to information governance applications. And yeah, I think there is a lot of education that still needs to go on, but I think the underlying assumption that people have is that they understand they have a problem, they just don’t understand the scope or the complexity of how to solve it.”

Automation is the key
“I think the consulting piece of it is out there; it’s really the automation piece,” asserts David. “Is it good enough for me to hire a high-powered consulting firm, spend a quarter to a half a million dollars or more, to get the binder on what my policies ought to be? In the old days, that was good enough. You would go into a regulator’s office of a large bank, and [ask], ‘How well are you managing your security?’ And they’d turn around and point to their bookshelf and say, ‘Look at all my binders on this.’

“The problem is, is how do you take what’s in that binder and actually automate it and then actually put it into a process that doesn’t impede an organization’s ability to do business, but does it in the background—but it has to get done? The volume of content is so high and it is so complex, you cannot outsource this.

“For example, I worked with a bank once and they tested us. They say, ‘We want to look at your automation tool, but we also have a team in India who are specialists in this.’ They gave us a 10,000-page document to analyze with machine learning. And they sent that same document to their folks in India. They looked at speed of response, accuracy of response, and value created out of that. And hands down, the automation piece won,” reports David.

The legislative driver
Of course, even if better technology is available and the ROI potential looks good, companies might not commit to a complex initiative if there’s no serious pressure to do so. With information governance, that pressure is privacy compliance.

“I think things like GDPR, like CCPA, like the new Virginia Act, are going to result in organizations getting really smart, doing the implication analysis of what those laws really mean,” David relates.

The bottom line
Technology and consulting are of little value if you don’t know what your goal should be.

David spells out what every organization should be trying to achieve with information governance: “The broader issue is how do you keep this information alive to only its purpose and then destroy it when you need to?

“These privacy laws have different sorts of requirements around that, depending on the jurisdiction, but they all involve one essential component, and that is, you’re really not allowed to keep information that’s no longer attached to an active business process, unless it has to be kept by retention law.

“So that is a very, very complex concept and it is very hard to be able to go through a piece of information and say, okay, this information has retention on it, or it may have legal hold on it, but it’s not being attached to an active business process. Do I keep it, or don’t I keep it?” David explains.

If you’re seeing the writing on the wall for information governance and want a quick and complete briefing, check out this podcast episode with David Gould.

To hear this episode all the way through, subscribe to The Virtual CISO Podcast on Apple Podcasts, Spotify, or our website.

Successful vCISO = All Security Roles Filled

This document outlines the 3 critical roles and responsibilities of a Virtual Chief Information Security Officer: Architect, Builder, and Operator.
Download the free inforgaphic now!