The Content Governance Mindset for IT Leaders

We’ve all been subjected to quaint media features that try to make business leaders seem like a joyful walk on the beach. They usually have a title like, “A Day in the Life of the CIO”, and they are laden with tropes that try to make the person relatable (“…and at 9:34 am, I finally get around to drinking that latte I got at Starbucks on the way into work!”), but truly the whole thing is just an annoying ploy to make you feel inadequate. Who really gets up to ride their Peloton at 5:30 am, reads the Wall Street Journal AND The Economist over turmeric and kale smoothie by 7:00 am, solves a major fire drill that could possibly shut the company down by 1:14 pm, and is home to coach their kids’ soccer team by 5:30 pm?

The reality is that you - like many of us - undoubtedly have a dedicated team who is continuously paving the way to make your days operate smoothly. But no matter how organized you are or how good your team is, your day can become a montage of nightmares before your car even hits the parking lot if your company data is compromised. For IT managers who are responsible for data governance, there are days when unforeseen issues spiral out of control while you scramble to apply fixes, isolate a threat, and prepare to remediate. That’s to say nothing of the communication and damage control you’ll need to implement as well.

When the day goes sideways, the repercussions are far beyond just getting home late for dinner. A data breach or a successful ransomware attack puts the entire company in jeopardy; as word trickles out, customers panic, the press has a field day, and nothing you do to fix it seems like enough. No one wants that.

Achieving that perfect day where everyone is happy, your children are perfect, and no one is trying to steal your data may be an impossible goal (even though I’m sure your children are perfect). But when it comes to security and governance, the most we can do is prepare and anticipate. The key is to anticipate the right potential scenarios and to deploy the right tools to give you advantages over threats.  Applying these policies and controls will be important aspects of your preparation and mitigation strategy:

‍Know thy data: Your IT environment is undoubtedly complex. Even for growing, young companies, data is scattered among cloud workloads and multiple applications that operate in a variety of different ways. Some have dependencies on integrations and data that is connected through APIs and other means, while others function in a distributed, but independent fashion. Your cloud will have different accounts, maybe different cloud providers, even. User groups will be set up based upon geographic location or based on your org chart. And then there’s the added complication of all of these things changing, all the time.

The key is to have continuous insight into your data through automation. AI-enabled visibility gives you a way to baseline normal behavior so you are able to identify abnormal behavior before it becomes a major problem. If a priority one issue arises in a content repository you have no awareness of, you won’t be able to frame any sort of incident response.

‍Apply configurations and settings that are specific to your data needs: Cloud services and most business applications come with default settings for accounts and users — Microsoft SharePoint provides this as a convenience. But neither Microsoft nor any other vendor truly knows your unique needs and specifications. Some of these needs will be based on internal requirements, while others are dictated by compliance frameworks that are unique to your industry. As a result, vendor-provided settings can be inadequate to meet your governance needs. A preferred way to operate is by applying account-based, team-based, or even company-wide standards through a single content services solution. In this way, you are able to apply baselines for acceptable behavior for your critical content and the users who work with it.

‍Have an incident response plan: A sure-fire way to avoid a bad day is to always have an incident response plan in place, where all processes, participants, and outcomes are defined. It begins with near real-time and always-on assessment of the governance state of your critical data. That gives you visibility so you can be alerted immediately to issues. If a piece of content has been accessed by an unknown user, or a document does not adhere to a certain compliance specification, you’ll know about it immediately and can deploy an incident response plan to swiftly solve the issue.

‍Make data governance a priority: The idea of manually maintaining a compliant state for your IT environment, and being able to keep detailed reports of it over time is untenable. Beyond just the sheer amount of work it would take to constantly spot-check all applications and data repositories, there’s also the opportunity cost that pulls your team off of valuable projects. Instead, use your team’s time more effectively by automating compliance for things like GDPR, CCPA, HIPAA, PCI, and others. This will avoid a massive backlog of work that comes from doing period audits and will alert you to data governance vulnerabilities as they happen.

For IT managers who prefer to start and end their days without fire drills, here are some resources that will help you create, implement, and manage an effective security and compliance strategy for your cloud:

• Create a smart approach to content governance: content governance is not just a series of checklists. It requires an approach to the way that technology is deployed and used, and a framework for acceptable behaviors. In order to develop your own approach, there are a lot of factors to consider, including data minimization, data archiving, user roles, and a host of others. This guide, Smart Content Governance: Unleash the Power of the Modern, Cloud-based Office, provides a survey of the different considerations you should bring to defining your governance strategy.
• Prevent ransomware: Ransomware is always a potential issue, and it’s something that every organization should be prepared to detect and thwart. Think about these prescriptive measures as you define the rules for your approach to governance; this guide, The Fundamental Steps Every IT Admin Must Take to Prevent Ransomware, provides specific details that can guide your work.
• Avoid content sprawl: Content sprawl is the invisible killer, so to speak. It is an organic outgrowth of your IT evolution, but that growth can lead to greater exposure of your content to threats. It’s an especially common issue for organizations that use multiple tools from a single vendor, all of which allow for the easy creation and sharing of content — in this case, think of Microsoft and all the tools that may make your team’s life more efficient, but also leads to more potential for harm to your data. The blog, The Problem of Content Sprawl gives an overview of the issue, and How Data Governance Reduces SharePoint Content Sprawl offers specifics about the prevalence of sprawl within Microsoft environments.

By developing a content governance plan, and by adopting rigorous best practices and creating the right mindset, you can help your organization avoid falling victim to lapses of oversight and control.

‍Photo by Matthew Henry on Unsplash