Do not miss new blog posts! Subscribe to new posts, news, and updates.

  • Brian Tuemmler

Get Compliance Horses Back in the Barn

I am consistently running into a concerning schizophrenia in the way corporations manage their information. On the one hand, there are responsible corporate compliance professionals developing records and security frameworks to granularly understand and protect information in, for example, M365. On the other hand, there are responsive customer-focused IT professionals providing the latest (yet un-governed) collaboration and communication tools in, for example, M365. In the third hand, there are busy business professionals who put content where they always have, in large un-governed landfill shared drives, very much NOT in M365.


Way too often, these three groups can’t even see each other. That is the definition of a lack of information governance. They also have some fairly reasonable excuses for not seeing each other.


If you are the compliance professional, you have ways and methods to control and guide the governance of data, but you have to start at the beginning to get it right. Going back through the shared drive landfill or past collections of ungoverned Office content is daunting.


If you are the IT professional, you have a viral solution that costs little to implement and everyone considers it to be a safe decision. Since you are not the one facing the compliance risks, it makes sense to implement first and let the compliance people come in afterwards - if ever - to fix it.


If you are the business professional and the governed collaborative technology is not mapped to your business processes, you will skip using the system all together.


In other words, everyone’s horses have already left the stable. Upwards of 80% of your corporate information is unstructured content, a little under half is already in the cloud and only around 10% is actually in a compliant and governed environment. Indeed, we are talking about millions of horses out of the corral.


You do not have to just live with your past. We see a number of clients working on three fronts to try to solve this dilemma.

  1. Close the gate on point forward content. Don’t let M365 get implemented without a strategy to ensure that governance is included. Tie your M365 implementation to an organizational strategy, that will address the business goals and risks of the organization. This helps ensure that there is executive and strategic support for the decisions you make. That, in turn helps build support for the justification of expenditures and prioritization of activities. It also helps to support key business processes so that the business imperatives are not left out. If new sites and new teams are deployed with governance, you stop any new horses from escaping.

  2. Add governance to the content that is already captured but not corralled. Legacy content management systems, including on premise SharePoint, can retroactively be brought into compliance and often contain a lot of the necessary classifications and process design to save loads of work. Bringing them into compliance requires step number 1 above, along with some automatic conversion/migration. Don’t just assume that this information is a lost cause. If you are under the impression that governance and compliance cannot be done in SharePoint (an understandable position based on precedent), Microsoft is going through some monumental changes in M365. Particularly, for me, autoclassification is a lifesaver. As I mentioned, you already have about 10-15% of your unstructured content in a content repository environment of some sort. If your organization has recently purchased and started rolling out E3 licenses, you may have purchased a barn without a door. Retrofitting to make sure you have the latest governance capabilities and licenses is a smart way to go, and it is not too late. It is also not very expensive compared to the alternatives.

  3. Get a handle on ungoverned shared drive content. Thus far, you have rounded up only 10% of the horses out there. To get to the remaining 90%, an index, analysis and transformation of shared drives is easier than you think. If you don’t do this step, you are still 90% out of compliance with any and all of your unstructured content. eTrash removal is a part of this, but by no means the most important part. Lift-and-shift migration is also an option but leaves behind so much value. An index and analysis of your unstructured and ungoverned shared drive content can tell you lots of useful information as well:

  • Where to go to find information (research, decisions, agreements, and conclusions) you have created over the past 30 years.

  • What risk do you face against GDPR, CCPA, retention, legal or business activities

  • How effective and accurate will your M365 classifications be before you spend the time migrating it. I would argue (and have argued) that you should do this before you try to leverage autoclassification and AI in the cloud.

  • What content can and should you migrate or leave behind - or dispose before you migrate

These three steps should be done together to take advantage of all the synergies. It is the same information value regardless of the system. A partial answer give you only partial value. I am happy to talk about his if you want to reach out to brian.t@infotechtion.com


0 views

© Infotechtion