Simplify for Success - Conversation with Howard Loos
Howard Loos, the Chief Information Privacy Officer and Director of Information Management at Brigham Young University were on Simplify for Success, a podcast series presented by Meru Data and hosted by Priya Keshav to discuss IG programs.
Howard discussed how he enables technologies like Data Maps to simplify processes. He emphasized how Data Maps help the privacy world in identifying the data category and its location while also saving them time and effort and reducing the overall risk.
Listen to it here:
*Views and opinions expressed by guests do not necessarily reflect the view of Meru Data.*
Transcript:
Priya Keshav
Hello everyone, welcome to our podcast around simplifying for success. Simplification requires discipline and clarity of thought. This is not often easy in today's rapid paced work environment. We've invited a few colleagues in data and information governance space to share their strategies and approaches for simplification. Today we will be talking to Howard Loos.
Howard has more than 25 years of experience in data privacy and records and information management. During most of these years, Howard worked as a consultant, working in financial, manufacturing, oil and gas and technology industries, as well as in education and federal government.
His specialties include reducing an organization's information related risk, program development, organizational governance, requirements gathering and mentor selection. Howard attended the University of North Dakota where he received his bachelor's degree, majored in both Business Administration and Records and Information Management. He later received an MBA from the same University. Howard currently works at Brigham Young University as a Chief Information Privacy Officer and Director of Information Management. Hi Howard, welcome to the show.
Howard Loos
Thank you.
Priya Keshav
You've had many years of experience in developing and implementing enterprise-wide IG programs, and now you're putting together a privacy program for your company. How do you build a business case? Any tips that you can share?
Howard Loos
You always have to get some senior level support for any of these programs, either privacy or you know, records management or IG. They're not projects that have a fairly rapid ending. They are ongoing programs, and if you don't have senior level support to fund it and to help remove obstacles and to help enable you to succeed, and to have you placed properly in the organization.
It's an uphill battle. It's kind of like pushing a wolf up the hill. And I've seen in the records management space. 20 years ago, we always used to say it's so hard to get any traction with senior level management. But now most senior level management is aware of IG and of the policy.
Priya Keshav
Now how do you balance, you just mentioned that these are multiyear programs, right? so there's no way to kind of take it as a project finish and be done with it. You know we live in a world where we only do things that you know produce immediate results. So how do you balance setting expectations that these programs are likely to take many, many years, but also provide you know immediate results for the senior management.
Howard Loos
What's worked for me is to develop a road map of; this is what the program's going to look like. And for me, what I found was it normally takes about three years to get it up and running in a large organization. But then after you get the main pieces running, there's other things you need to do to maintain the program and to get adoption throughout the organization.
Organizations are like large ships and. And anyone in the governance role is like a really small letter that's trying to move the ship a little here and a little there. I found you know during this process you want to identify some quick wins that you can look at so.
What I did was I met with, this is before COVID, so you could actually meet with people. But I talked with the 20 key stakeholders and tried to find out what's keeping them up at night, what? What kind of risk do they have? And then as I developed my program plan, in a very high level, you could you look at it on one slide because there was no detail under that.
But you know, in the next like five years out, in the first few years we're going to do this, and then I would enter within that, some key wins that the stakeholders truly want to see and if you can get those done. Uhm, people seeing ongoing progress. I'd like to at least get one good thing done every year that I could report to you that made a difference to the organization in either reducing costs or and or reducing risks.
Priya Keshav
So, you talked a little bit about putting it all into one slide and kind of tying this to the theme of our podcast, which is simplifying for success.
Essentially, there are two ways to simplify breaking down the parts to reduce the complexity or identifying a new and innovative way to do the same task. Would you choose one over the other? Or do you even think of these as choices versus you know one follows the other? What are your thoughts on that?
Howard Loos
Yeah, that's a good thing to think about here. I know that, if it's too complicated, it's too hard to understand, and then it's too hard to make decisions about. And not only that, but it's also too hard to actually follow and do.
I always have a saying that you have to make things simple or even brain dead simple to get it to work. The big picture, I like to boil it down to very high-level concepts. 1 slide. And then I like to break up; OK, what am I going to do this year? I like to make it 1 slide. And then in the details, I deal with them myself. And I try to break them apart as simple as I can.
I know some tasks that you're trying to do complicated, and I've heard the term, you know trying to boil the ocean. So, what I have seen work successfully is take a couple of the highest risk items and work on them first, and that often opens the doors for the next items.
When you try to take the whole thing. And present the whole thing together as a problem and present the solution for the whole thing. It's really, I mean large organizations have complex problems and I found it's easier just to find the highest risk area. Well, two and work on them first, knowing that it's part of the whole puzzle. I hope that helps answer the question.
Priya Keshav
So, you kind of believe in reducing the complexity by breaking down the parts, looking at the parts that can be easily fixed, or the ones that are most risky and tackling them first with kind of a prioritized agenda where you sort of keep added till you get through the entire workload
Howard Loos
Yes, I've also heard it said, Eating an elephant, one bite at a time.
Priya Keshav
Makes sense.
Howard Loos
You know the whole thing is there, you know.
Priya Keshav
No, yeah, I agree. I think boiling in the ocean is a very common term that people sort of always attribute to governance or information governance for that matter, privacy also. The program when it needs to be introduced the right way is so large that it can be quite difficult for somebody to sort of absorb that.
But sometimes breaking down the parts can take you so far, and then you kind of reach a dead end because you can only optimize so much. Sometimes it requires a new way of doing things. But an organization probably needs some time to absorb and get culturally accustomed to the idea of innovation before they're willing to benefit or take that leap.
Howard Loos
Yeah, you should never go into a project trying to do things the same way. You should always look for innovation in each piece that you're doing. I would never work on just one piece without knowing what the whole picture, at a high level, is supposed to look like so that any progress I make is addressing the major risk or that it’s aligning with the mission and goals of the organization.
I would never just do one step on its own. And you know, sometimes when we implement technologies, it enables us to change the way we do things.
Priya Keshav
So, can you share some examples of how you have simplified in the past?
Howard Loos
Uhm, I'll give you a privacy method and then a records management method. Since I work directly in those two areas. In the privacy area. I started going around doing assessments with every organization. In the privacy world there's a term that IG has often heard, it's called creating a data map. And in the privacy world, they specifically state what they're looking for. They want to be able to know where the personal information is within the organization.
So, I went around to 10 of the highest risk areas. And, you know, identified the kinds of personal information that was being processed, where it was being stored, where it was being shared. Who had access to it? And in some cases, I even went down or drilled down to the very data element level, but most of the time it was, you know, what category of personal information was in.
And also, because we deal with, you know, data from residents who live in the EU, is any of this data coming from the EU? So, if you think about it, collecting it all on a word doc, it's fine to collect it, but it doesn't put it in a usable form. I would estimate there's about 300 assessments that eventually have to be done. And how on Earth am I going to be able to track who is using certain types of personal information? Unless it's in a system that can help me.
So, in this case we had to acquire a system that could actually support tying all these pieces of information we were collecting together in a usable way. So, for example, I could look up a department and say, oh they're collecting this kind of information in these systems. I could then pick one of those systems and see which departments across campus are using that system that are using that same information. And kind of like a matrix, I can pretty much slice and dice it the way I want so I can find what I'm looking for. Without enabling technology, I would have to manually sit there and hunt through it.
Records management approach. Uh, this goes way basic, but we run our own record centre and initially everything was done manually and if someone wanted to check out a box or put a box in. It was a Manual process where you created the form. And the paperwork took longer than doing the delivery. So, we automated that process through enabling technologies to be able to very quickly and efficiently Fulfill requests and that's the paper world.
In the electronic world. We have a process where the information to be managed and put under retention and other more governance criteria is being stored. And that’s where they’re working with the data in the documents already. Again, it took technology. I call it enabling technologies to be able to simplify the processes.
What I have found is when you go into an organization, and you start working with the actual people who are doing the work If governance equals doing more work. They will be resistive, not that they don't want to help out, but usually they don't have enough time. So, if you can do something. Maybe some of it's in the background? But if you can show them how this new model can actually save them time and effort and reduce the risk of the organization. It’s a win
Priya Keshav
Great examples there. You mentioned technology in the first case, but what role does technology play in building out these programs and how have you leveraged technology to solve some of the IG or privacy problems? You've sort of answered this question, but if you have additional thoughts around how technology helps.
Howard Loos
Sure, I was just in a meeting the other day, where I talked about this concept. And that is that, you know, the question was raised; Is technology going to solve this problem? And some people said yes, and some people said maybe, and I said, you know, and this is something that you and I both understand that it takes people, process, technology and controls to actually address problems to mitigate this.
When I think of the people side, I think of the governance, the organizational governance elements that are needed in place. Now, do you have executive support? Do you have the right committees in place to help you? And do you have the people out in the field that can actually help with the work? whatever it's needed.
Some of this is all automation, some is not, so some problems can be solved just with technology but building a program is not technology. Technology is just an enabling component ff the program. I think of it as 80% of the work is done through the people in the process part. And then the last step is getting the technology in place to assist with that. And then you follow up with the controls to audit and make sure that what needs to be done is actually getting done.
Priya Keshav
Yes, I totally agree with you. So, as you sort of put this people process and technology together and implement the right type of controls. What are some of the biggest challenges that you face and how do you overcome some of these challenges?
Howard Loos
Well, that again goes to the eating an elephant. One bite at a time. You are going to have pockets of resistance. And I have always encountered, first of all, if you have senior level support. The next thing you really need to do is get a policy approved because you can point to a good policy. And that can help motivate people to say, oh yeah, I need to be doing this.
If there's pockets of resistance. I've always moved to the areas that need this and will benefit from it. And they become the quick wins. And over time, the resistors will buy into it because at some point they're going to be the ones being left behind if they don't get on the bandwagon. So, I've never been stopped by resistive pocket side.
And when I say that I don't mean any disrespect. I again I don’t see people saying no, I won’t do this, it’s just that they don’t have time and they’re either burnt out with their work or they just don’t know how it’s going to help them.
So somehow, it's funny, but some people you just say OK, they're retiring in five years, we'll circle back with them. And sometimes that's the only thing you can do. It's kind of funny. But yeah, senior leadership approach. For me, what's worked is getting good policy, good support from a committee that represents the various areas of the organization that can help guide me.
And then just going to work and finding the areas that really need this. It's hard for someone to want to do governance, if they don't think it's important. You got to find the people in the organization that need it. And we'll address the risks that they're concerned about first. I take the 80-20 rule, 20% of the departments represent 80% of the risk, so why not start with about 20%?
Priya Keshav
That makes absolute sense, and you know, with any program that's kind of true, right? You're going to always have resistance in a larger organization, you're going to have people with different viewpoints. Those things make absolute sense. Any other closing thoughts?
Howard Loos
Now when we started the 80-20 rule, we identified that 20% of the highest risk, we found a change out there in the departments. So, we worked with the committee and with the senior leadership and we all came to an agreement about who should be our priority targets. Not that we wouldn't, you know, skip the rest. But you know who should we prioritize?
And then when we went to these departments, we told them that they were identified as a priority department. And that we should, you know, I don't want to say give them special treatment. But in a way. It was in everyone's best interest if we addressed the risks in these areas first. They actually opened up and became more helpful. We saw the changes.
It's like the half Hawthorne effect that I studied in college where they put brighter lights in in an area and they found that the work productivity went higher. And they thought it was because the lights were brighter, but they found that productivity increased because the people felt that management cared about them, so they were willing to work harder.
And so, I've seen that help, oh, we're a priority department, you guys recognize us. You know anything to do with the carrot over the stick helps.
Priya Keshav
Great thoughts, thank you for taking the time, Harvard.
Howard Loos
You're welcome.
