In the first part of our 4 blog series, I shared Michael Osterman's view, industry analyst and president of Osterman Research, on what the coming months have in store for enterprises in tightly regulated and litigation-vulnerable sectors.
This second article gives you further excerpts from our interview, looking at post-pandemic shifts in information governance strategy.
Achmad Chadran: I want to talk a little bit about these key stakeholders. Would you mind sharing some of your insights and observations of people who typically own the information governance solutions, and where they sit in their organizations?
Michael Osterman: Information governance can be spearheaded by any of a number of different groups. If you're in a very heavily regulated organization – like a financial services company, a broker-dealer – typically, that's with a compliance department. It's a very formalized organization that has to do supervisory functions on the data from their broker-dealers, and so forth. So that tends to be headed up by a compliance officer with the compliance department. In some organizations, it's going to be the inside legal counsel; they're going to be the spearhead for this, because they understand the requirements to retain data, and so forth. In some businesses, it might be a Line of Business manager who might be somebody who needs to retain data for long periods of time. So he or she will head up the whole information governance effort. And we anticipate that organizations are going to be a lot more focused on information governance in the future.
Chadran: It'll be interesting to see if the silos start to break down. For now, as companies pivot from office-based workforce models to work-from-home models, the risk landscape has completely transformed, and I wanted to get your perspectives on this.
Osterman: The COVID-19 pandemic and the lockdowns imposed some drastic changes and required organizations not only to pivot but to pivot in a very short period of time. Some of these lockdowns were handed down with just 24 or 36 hours notice, and organizations had to go from an in-office environment to an at-home environment, with no planning at all, with virtually no lead time.
What we found is that it has had an impact on organizations’ ability to maintain their compliance and to block security threats and so forth. We found that before the crisis – and we did a survey in early April of 2020, to really understand what was going on with organizations’ response – 64% of organizations said that they were doing an excellent job at maintaining compliance. And you know that's not great. I mean, that's fewer than two-thirds of organizations that felt they were doing an excellent job. But that dropped to 56% during the pandemic.
And again, we surveyed organizations about three to four weeks into the pandemic. Similarly, 56% said that they were doing an excellent job at blocking security threats before the crisis, and it was only 49% during the pandemic. So we saw a fairly significant drop-off in the context of compliance and security and archiving and so forth, in terms of what organizations were doing.
Again, this is not a criticism of these organizations, because they were thrust into this with virtually no lead time. And this caught all of us by surprise.
Chadran: Right, your research definitely shows a distinct wakeup-call kind of moment. And it's amazing – the timing of your research – that you were able to pick up on this shift.
Read also "Compliance in the Remote Workforce Era", outlining how enterprises with work-from-home models, protect, secure, and analyze their data.
Osterman: What we also found is that, as I mentioned earlier, not all organizations archive today, and not all were archiving before, the pandemic, but what we found is that the pandemic and the lockdowns really did have a significant impact on how organizations were archiving their data. Shortly into the arc of the pandemic in early April of last year, only 59% of organizations were archiving all of their data as they were before, 31%, were archiving some of their data, and 10% were weren't archiving any data at all. And again, if organizations were not set up for at home work by their employees, in many cases, they just couldn't archive employees who were using their home computers, their own laptops, their own networks.
In many cases they were using a variety of new tools. We saw Zoom, for example, explode…Microsoft Teams, and so forth. Organizations really weren't set up for this at-home environment, and there was no way they could archive their data. That's going to come back to bite a lot of organizations. Over the next few years, as lawsuits roll around, as regulatory requirements come up. There's a lot of data that was generated for business purposes, that simply wasn't archived, it might still be there on a home computer or on a laptop on a mobile device, but it's not in an archive right now. And that's potentially going to come back to harm companies when they go look for this information and they can't produce it. Yeah, that raises a lot of scarier scenarios.
Chadran: One of the points you make here is that there are organizations that had once archived and then stopped? Did your research find reasons for organizations halting or curtailing archiving?
Osterman: We didn't explore that a lot. I suspect that most organizations had reduced their level of archiving because they didn't have the tools in place to do so. If they have, for example, an on-premises archiving solution – and a lot of organizations still do – it really wasn't set up to archive content from employees’ home computers, if they weren't backhauling traffic through the corporate network. And a lot were just doing work locally. So there was no touch point or interface between the home network and the corporate one.
Chadran: Here's a follow up question: with workers doing their thing remotely, have you seen a spike in the challenges that managers face in providing effective oversight?
Osterman: Oh, absolutely correct. Especially when employees in the sudden work-at-home environment are starting to use a variety of new tools – they were using Zoom, as I mentioned before – I mean, we saw use go from, like 10 million to 200 million users almost overnight. And a lot of the communications was sharing files back and forth, which is very easy to do in Zoom. And that completely bypasses whatever archiving system was in place before, because most organizations aren't set up to capture that content, even if they’re using Microsoft Teams.
Today, most organizations aren't archiving that content. There's a push to do that but they weren't, certainly, early on in the pandemic. And then there were just a whole variety of other communication tools. It's not only that decision makers and companies were scrambling to get things going; it was the employees themselves. They wanted to remain productive and duplicate this in-office experience, and so they used a variety of tools. And we've all heard about shadow IT? Well, during the pandemic, it was shadow IT on steroids, because there were a lot more tools used, and so a lot more stuff that was bypassing any sort of corporate governance.
Chadran: Shameless plug here: Micro Focus offers some very elegant ways to capture collaboration and social media content, including attachments, including metadata. And it's a lot harder when it's not protocol-defined like email is. It's kind of a wild west. Some of these platforms are on-prem, most run in the cloud. Some vendors do publish APIs to help with content capture, but many don't; it's not a priority for them, I get that. But it can also expose some serious vulnerabilities for companies, especially those in highly regulated sectors.
Click here for a free download of the Osterman Research white paper, "Archiving as a Key Element of Good Information Governance".
More details about the full range of IM&G products can be found here.
We’d love to hear your thoughts on this blog. Comment below.