No company wants to get dragged into a lengthy e-discovery process or be penalized for avoiding government compliance...
regulations. That's why information technology governance, which focuses on the performance and risk management of information technology systems, is so important.
And it's not just the CIO's responsibility; storage managers must also develop and execute on a good information technology governance program, and educate users as well. Todd Erickson, news and feature writer at SearchStorage.com, recently interviewed Barclay Blair, director and practice lead at Phoenix-based Forensics Consulting Solutions' Information Governance Division. Blair explains the role of storage managers in building and caring for compliance systems; what tools they can use for data archiving, data retention, data classification and e-discovery; why they should look into creating an enterprise map of information; and how they can ensure their organization's readiness in case of litigation.
You can read the transcript below or listen to the interview as an MP3.
SearchStorage.com: Let's talk about how storage managers should be involved in an organization's information governance program. Why does the storage manager play a critical role in developing IT governance policies?
Blair: The short answer to that question is that they're the only ones that understand the technology and the architecture. So their role is critical because they have to educate the lawyers and business owners on what's possible or practical in the storage environment when it comes to crafting policy.
SearchStorage.com: What tools will storage managers need to successfully implement and run a company-wide information governance program?
Blair: When I hear the word "tools," I actually think there are two categories of things that we need to think about. Certainly, there's the obvious: the software and the hardware. And then there's the other tools, like the policies, and the implementations and enforcement of those policies.
On the software and hardware side, there's some pretty obvious tools that come into the mix today in a contemporary institution when it comes to information governance.
Certainly, systems that help us separate out archiving functions and backup/business continuity functions are essential. There's an absolute plague in corporate America that has been caused by inappropriate use of backup systems for the archiving of data. The backup system is the worst of all possible worlds when it comes to litigation. So tools that help us clearly delineate between "we're keeping this stuff because it's a business record and we just want to move it off of our expensive systems, so let's archive it," and systems that are designed to keep all information in the event of some kind of disaster. So that's No. 1.
No. 2 on the software and hardware side is that we need systems to help us automate the retention of data. There are a lot of smart tools out there that can help us automatically classify information and take the burden off of the employee when it comes to saying, "Hey, this thing's valuable; we have a statutory requirement or a business requirement to keep it, so let's put it here. This stuff has no value; let's get rid of it."
The third area on the software and hardware side is tools that can help us get at the information in a precise and efficient way when we need to, and often the most dramatic need for that is in the context of a litigation audit or investigation. So in the world of e-discovery, that ability to pinpoint the information that we need, to find it and to suck it out of those systems, and manage it and produce it in an efficient way is essential.
On the other side of the tools house -- on the policies and procedures side -- I think that a really valuable concept is the concept of systems of record, and defining systems of record. We define our systems of record -- i.e. the systems where we are going to manage the stuff that we keep long-term -- and then we invest in the right amount of governance for those systems, and we don't expect the same level of governance on systems that were just used for transitory information or temporary information. So defining what systems are the official systems, and then defining the level of governance we're going to put around them, helps create a realistic plan for taking control of information governance.
SearchStorage.com: What can storage managers do to determine an organization's readiness for a government investigation or litigation?
Blair: Well, one of the things that I like to say to my clients, and maybe they don't like to hear, is that if you stand back and look at this problem from a high level, I actually believe that the title CIO -- chief information officer-- is a lie. I simply don't believe it's true in most institutions. And what I mean by that is that most CIOs view his/her responsibility as limited to keeping the lights on, keeping the systems running.
You know, there's the old saying in the technology world: "Garbage in, garbage out." And the view of the technologist, the storage manager, the CIO is that we can't be held responsible for the stuff that the business owners do and the systems that we manage. And that may be true. Certainly that's the way most IT departments are structured.
But the problem with that is, OK, if it's not the guy or the gal with "chief information officer" in the title, then who is it at that executive roundtable who owns this responsibility? And I posit that at most institutions, it's nobody. So, therefore, it falls through the cracks.
So what's the storage manager to do? I think that they have to help their institutions answer that question.
One of the ways to help get to that question and answer that question is this concept of mapping of sources -- creating an enterprise map of what information the enterprise has, where it is, what it is and how to get to it.
It can be a gargantuan task, but I think it's cut down to size by first focusing on systems and repositories that are litigation-likely; in other words, those systems that are likely to contain information of interest in a typical lawsuit or investigation that the company faces. And those systems are obvious: the e-mail system and all of its attendant backup systems, as well as anywhere else unstructured content resides.
So I think putting together a source-mapping exercise will help to illustrate the gap that exists at every company between the IT understanding of information and the business understanding. And unless that gap is bridged, we're going to fail again and again when it comes to [information governance], whether just for day-to-day business purposes or for these extreme events we face in e-discovery.