Simplify for Success - Conversation with Ilona Koti
As a former foreign diplomat with 25+ years in information governance (IG), Ilona Koti has extensive experience in privacy, cybersecurity and GRC assurance.
She discussed the importance of retention and its lack of implementation at several organizations. She explained how DataMaps create a hub and provide the opportunity to monitor the data from the ground up and down to the document type level.
*Views and opinions expressed by guests do not necessarily reflect the view of Meru Data.*
Hello everyone, welcome to our podcast around simplifying for success. Simplification requires discipline and clarity of thought. This is not often easy in today's rapid-paced work environment. We have invited a few colleagues in the data and information governance space to share their strategies and approaches for simplification.
Today, we will be talking with Ilona Koti. Ilona is a former foreign diplomat with 25-plus years in information governance and extensive experience in privacy, cybersecurity, and GRC assurance. She specializes in content management system implementations, digital transformation initiatives for remote work, strategic information program development and auditing. She also provides advisory services to global clients in IT, biotech, oil and gas, energy, manufacturing, the public sector and world governments.
Ilona has an MLS and an MSIM from Syracuse University. She holds the Certified Records Manager, Project Management Professional and Certified Information Privacy Manager designations and is completing doctoral studies in cybersecurity. Additionally, Ilona is a teaching fellow at the University of Dundee in Scotland and a fellow of the Institute of Information Management in Africa, and is a past President of ARMA International. As a keynote speaker, board director, teaching fellow and published writer, Ilona is a recognized leader in the information profession.
Hi Ilona, welcome to the show.
Thanks so much, Priya.
So you work at the intersection of privacy, security and IG.
As you work with clients, what role does cross-collaboration play?
Absolutely, and thank you for recognizing the overlap that, you know, a lot of information professionals have nowadays between these various sectors and at the same time the clients will also have various roles. But, for me, it's sometimes like it’s what hat am I going to put on today? Am I almost advising you in some legal capacity, even though I'm not an attorney or am I giving privacy insights? Am I doing records management, security, various types of audits, overviews as well, but for the clients too.
I think in some cases, depending on the size, they don't have the budgets to really hire an official privacy officer that might be internal or the Security Council, and sometimes there will also be multiple roles in that capacity as well. But without everyone collaborating, I think that you've found as well that the synergy isn't there and that could cause potential, like, duplicate projects occurring at an organization or, you know, just hidden things happening that would be a lot more beneficial for organizations if it was collaborative. I mean, have you found that as well?
Yeah, I absolutely agree. So, I've worked with companies where you have a huge security and privacy team and maybe a fairly significant information governance team as well. So even if you take those companies, cross-collaboration is important because otherwise, you end up with duplicative efforts or projects that are at crossroads with each other. And if you take much more midsize or smaller companies, then people have to wear multiple different hats and that becomes a different type of challenge because now, with pretty much each and every issue that we're talking about, whether it's privacy or security, there's so much complexity in it, and so being able to be an expert in each of those areas and provide the level of expertise that is required of you from the organization and stuff.
So, I agree that whether it's the same person or a different person or the same team or they're all reporting to the same structure, there needs to be synergy because they're all closely related, and one feeds the other, one supports the other, and there's no way you can have an effective program if there is no cross-functional collaboration.
So, talking a little bit more about collaboration though, what helps cross-collaboration? Do you find there are challenges and do you have any ideas and how to overcome challenges or anything that you've seen that particularly works well within organizations as you work with them?
Sure, so this is where I always say that IG, IA...it's really, you know, as much psychology as it is technology and then your methodology and approaching it because there are a lot of ways and, you know, we go in there and we think we have a plan. But a lot of it is very holistic and it's change management focused. And a lot of these initiatives are having the staff believe in the executive leadership as much as it is in the quality of technology. Because if you have a leader that goes up there and like, hey guys, we're going to do this, here's our mission, here's what we're trying to achieve. I know this is going to be a little bit of extra work for you, but here's why we have to do this, and here's why we have to be good data stewards and protect not only our data but that of our customers as well.
And then if they offer training in addition to that, I think you can really get some traction because a lot of my dissertation work is on that as well, you know, privacy and the perception from software developers. And long story short, summarizing four years of research is that no one really trained the software engineers on privacy. So, they don't know what to do, and they do the best that they can in building a product. But this, as you mentioned, right? It's that synergy and that collaboration that should occur. I mean something even as simple as checklists or automation of those checklists in the SDLC might make it a little bit better and easier and top of mind. So, it's really trying to find that right level of balance to try to promote the adoption of good governance practices for data within organizations.
No, you bring up a very good point, right? I think I was mentioning this yesterday at a conference, and when you're trying to reach out, whether it's software engineers or your business users, at the end of the day, what we typically end up doing is having these meetings where you have an hour-long presentation and you start communicating, but at the end of an hour-long presentation, maybe after a busy day where I've just gone from one meeting to the other, I probably remember one thing. That's it, right?
So, you mentioned checklists and you mentioned good practices and things that you can, sort of, mention to them on a more regular basis than through meetings. And if you can do that effectively across business users, across software developers, especially in a larger organization, you're talking about hundreds, if not thousands of people, but it can go a long way in first understanding, right?
So part of it is if I understand and then I'm more likely to cooperate and then of course, then I need the tools. But the first part is me fully understanding what is required of me and why, and that is not that easy. We talk about training, but good training is, while it's very easy, but it's also very tough to implement and I think if we can do a good job at using technology to leverage that and bring things to the developers, the business users, I think governance and cross-functional collaboration will improve.
For sure, so with that. If you have a good project manager, a lot of it is basic project management skills and just being organized and taking good notes within meetings. So, if you have action items, a lot of times, people let those action items drop off, they don't follow up on and then they don't, you know, really execute and then you need to actually take that forward, implement that. This is where your communication plan will help you have the mission statement and then have a very controlled process throughout all of this.
But one of the things too that I have always said is that for information governance, it's really interesting when you bring that into play because we've struggled with that as an industry to implement. And after again, years of research as well, I find that it's because the decision rights, they're not completely in place for information professionals, so while you can implement, you can't really hold people accountable for that.
So, there's been no authority that has been given to records managers, even, you know, privacy officers in some cases, to hold people accountable and call them to task for things that there have been, you know, in oversight, and certainly if senior management is not actively involved. How is this really going to take hold within an organization to become an effective process that is almost second nature and top of mind for every staff member when they process information in an organization?
So, you brought up a good point, decision rights and the other part of it is assurance, which is also kind of necessary to hold people accountable.
So, you talk a lot about assurance and why it's critical. So, how do you implement assurance and incorporate that into your privacy or information governance programs?
Absolutely. So yes, I have been spending a lot of time in lectures these days, either sharing some of the findings from my research here because, having been a past ARMA president as well, I have found that even though information governance was a great idea, it was something that was needed many years ago, because this information was exploding, but there was something when that happened and Gartner had said, OK, it's a specification of decision rights and that it should be segregated from ITG, which is IT governance. But there are a lot of other factors and components that played into that. And even for one, as I had mentioned already, are the decision rights, and if you go and think about the Leland Roth Management Consultants there who came up with the ability to implement those decision rights, they're just not there within organizations.
And in some cases too, it's not just that. Even if a records manager had the authority to, typically the personalities of some records managers haven't been what has been needed to really enforce things, you know, they're normally very nice people. They're somewhat introverted, and so how do you take that now and approach and confront some of your coworkers and say you're not doing what you're supposed to be doing, and this is where governance needs to turn into assurance, right? Because with governance, think of a politician, they're out there, they make a lot of promises before they get into office, but once you're in office, right there is reality and what happens, but at the same point in time you can, you know, get sidetracked, and if there's no one there to hold you accountable, how do you really ensure that it's done? And this is where assurance and, in my opinion, it's through the use of technology and audit trails, you can really start guaranteeing that things are in place.
So if you take a lot of these processes, if you automate those processes and then you have your reports and your audit trails that are standard, it's a lot easier to show senior management from a very neutral perspective who has and hasn't done things. Especially, on the control documents or the types of information right, PII, SI, PCI, those things that, you know, contain truly sensitive and confidential information. That is one way on how you would really drive home information assurance and take what was governance but yet have it be more effective and have the metrics in place to show what has or has not been complied with.
So, you talked about leveraging technology to make assurance happen or make governance more effective. How have you leveraged technology to solve problems? Can you share some examples of how you've simplified to succeed?
Sure, and just because you know sometimes it's simple, still doesn't mean that it doesn't take time to do. I started many years ago evaluating content management systems, ECM, and EDMS, so it was a lot of times in the beginning it was hey, do we need these best of breed systems, we need this, but if you're a smaller organization, it's not that you don't want to do governance. It's a lot of times that you can't afford to do it because you have very limited budgets and not everyone has hundreds of thousands if not millions of dollars to implement these systems, so I've really, you know, taken a very customized approach in seeing what is realistic for various clients, even the small to mid-tier ones and it's just sometimes taking what's there, but a lot of times it's just the process and doing a process restructuring and training and applying it to what some of those technologies are there.
So, in some cases now I will look at some of these vendors and they may not have all the bells and whistles, but as I say, sometimes the Kia will still get you there, right? Not everyone needs the Porsche, but that's where we've done that. But at the same time, you know implementing workflows, applying metadata appropriately in conjunction with that taxonomy file structure to do reporting and then definitely like seeing, you know, what other little pieces of technology might be available in addition to, you know, these huge ERPs and other ones. And you have this great data map that you utilize too in some cases the data map is a huge piece that is missing, you know, from various clients because I don't think that you can do privacy or security well unless you know what you have, where that information is located and who has access to it to start with.
So, I mean, how did you come up with your technology that you started for tracking data, you know, Data Maps?
So, for me, it was the same thing. I think I spent many years consulting and I felt that, as a consultant, you had the best of intentions, you set up a program, you would leave with spreadsheets, and then at some point you find that this spreadsheet doesn't sustain very well, and one of the things that sort of happens with governance is you have, you know, you have consultants there. They are experts, they're brought in for certain pieces of information, and so you have assessments and sometimes organizations go from assessment to assessment to assessment, or maybe phase one of a project to again the phase one of a project to phase one of a project.
So, I felt that there was a need to turn the table and look at it from how do you sustain this? You know, having something fundamentally sustainable within the organization where it might not be a, you know, a cold data map on day one, but something that you can kind of grow, build and sustain over many years and it gets rich. And of course, it's being used by, I truly believe in the fact that governance is only possible when you can crowdsource, as in you get your stewards to be part of it. So, where you would be able to get the entire organization to contribute and use, then it becomes this tool that obviously the data map is just one piece of the puzzle.
But it can be the foundational element of a governance program, so that's at least our story in terms of where we are and why we thought that data map would kind of help with information governance.
That's great, and I totally agree with you, right? Because so many times it's been skipped over and you know, we've been given like these beautiful elaborate systems. But it always comes back to it too and even doing a retention schedule. It's amazing when we go to clients and they're like, well, we don't know what systems we have or here's your retention schedule now apply it and then it's like, oh right cause no one actually thought that they had to implement the schedule and, it's so frightening to me sometimes because there's a lot of organizations that are out there that I know haven’t turned the switch on retention or don't regularly do retention or have even turned it on in some cases on some of the systems that have it built-in because they haven't understood how to apply the rules to the systems.
So, I think that, you know, with the data map being that hub, there is a lot of opportunity to monitor it. Like you said, it's from the ground up and you know, especially, think of when you do a PIA the privacy impact assessment for the organization, you do have to do that inventory type of approach to really understand, you know what's there at least you know at the record series level, if not down to the document type level depending on what you've identified, has PII or SII in it.
You brought up a really, really, really good point, so I know PIAs that, you know, obviously, it has to be at a process, you start with kind of doing an assessment of a process and then you have a records retention schedule and many times you walk into organizations and they don't match like, you know, or you go to a security assessment and it's a completely three different pieces of the puzzle and there is no way to fit them together at all because they are in three different languages even though they're all English. So, I agree with you and the same with the records retention schedule, so nobody has. We've always, as an industry, talked about here is a retention schedule and these are the rules and the regulations governing it. But in order to actually push the button to where you can actually delete it, you have to be able to take that and say, OK, so this might be the rules, but this is what I have.
Otherwise, it's a piece of document. And it's actually a very nice, you know, an important piece of document, but how do you actually go from there to identifying and actually deleting, so there's no way to implement it? And when you start putting the data map together with their records retention schedule, that's when you realize how much of the information is missing and what the gaps are. And I feel that we're evolving, we're learning and we're probably at an inflection point where maybe if we had the same kind of podcast six years from now, we'll be talking about, oh, that's normal, so.
Right, and that's where I think, you know, the benefit is, right, especially with the executive team basically educating it, because I don't think that they even realize, you know, the magnitude of data that's involved, and then it's not just the record, and this goes back to the ITG thing and separating records and IG from ITG and why? I don't think that should happen anymore because it's not just the record, it's about the supplemental information surrounding the records such as the metadata, the associated links without the backup copies, and if you're in computer forensics, you're going to find this. If it wasn't, you know, appropriately purged and then destroyed according to your DoD 5220.22-M standard.
So, there's a lot of things that just factor into it, but I find that the IT departments, and many do a great job in protecting their data universe. But that universe doesn't need to be that large if they purge their documents in, you know, the normal course of business in conjunction with their retention schedule. And if they took that data map and linked the retention schedule, the security and the privacy pieces to that one based document through a unique code, and then you started applying it, because everyone's like, oh, here's, you know, the retention schedule. But I'm like, yeah, it's like a treasure map now. You still have to go out and find the treasure; it's not just a magical one solution.
No, I agree, and the other part, even the concept of what is a record and what is not a record? What is a duplicate? I think there needs to be an evolution, like you talked about backup copies. Yes, it's a duplicate. You may have staged copies, we may have, like, there are a lot of asynchronous activities that are happening, which means the data is probably staged for a certain period of time before, to make sure that you're able to roll back if something happens, right? So today IT kind of knows about it, but it's very well-known during design and then as you sort of go through implementation and maintenance, it's slowly forgotten and stashed away.
And then there's pieces of information that are connected so our records retention schedule works really, really well from a document type perspective, but when you take the entire universe and look at the 600 or 700 systems and all the information that was created and is being created, how do you translate some of that and look at what is a duplicate and, you know, our own understanding of what is a duplicate? It doesn't mean every duplicate is something that is purgeable in a one year or using the other category.
So how do you sort of define some of these things a little bit better and maybe it is, you know, you have a schedule that matches the legal requirements and then you have an implementation plan that kind of adds more nuances to it. But either way, there's a lot of details that we need to sort of work out as we look at cross-functional collaboration.
For sure, it is a multi-year process, especially the larger of an organization that you are and the more staff that you have and data that you process. So there are various types of phases that occur, you know, what I would say for one is you have to start with the inventory and that data map to at least get it down and then you need to prioritize what data is in place. So, you go through, you identify again PII, SII, anything that may contain something sensitive or important to the organization you might take on like a longer-term system with some of the low hanging fruit of like a quick win. So, you chunk that away, and I think that's the first approach to it is making it manageable so that you can execute it because, I think, too often organizations try to take on far too much at once. People get overwhelmed, people leave, and then, you know, you're back to where you started. I've seen so many organizations like rehash the plans or have things that they should have implemented years ago from older assessments, but they never got to because it became overwhelming. So, that is what I would say too. But again, you know, my initial dissertation topic was on visual classification and going text agnostic and relying on vectors to find the data. Because then you're, at least, speaking the same language as a computer versus relying like on text software.
So, I think that AI is also like another good approach in doing these types of data analytics, because when you're looking at, you know, some of these hash marks here to see, is it a truly unique department, you know, that software can do well, but I know that the industry as a whole went to like a big bucket classification capacity because it was still manual and fair enough, right? You can't do millions of records, you know, all on your own. But I think that as, you know, AI comes into place, and you look at some of this vector classification. If you do go down to the document level and rely on forms, it's like giving a computer a set of eyes so that the computer can go through and process and classify and appropriately place those documents where they should be, no matter, you know, where they are as long as they have, you know an appropriate tag to it. And, uh, retention period. I think you know that's a step forward. I think we're still many years away from having something that's seamless without having to do a lot of training. But I think, you know, we're definitely headed in the right direction, and then it obviously comes down to the budget per organization. Not everyone is going to be able to do something like this right away from an AI capacity. So how do you do that using a reasonably affordable software and a manual type of interface. I mean, what are your thoughts on, you know, like auto-classification and the data and even the risks around that?
I believe that and again I come back to like if you do not take the effort to at least organize at a certain level, right? Yeah, it is a great idea and I think AI will get cheaper so and more affordable and there are probably ways to kind of leverage the technology most companies have to make that happen too, so I do not believe that AI is, you know, unreasonable or difficult or very cost-prohibitive. And I agree with you that as AI evolves, you can get to a document level, and you should be able to kind of be more granular and be able to manage, and that's the only way we are going to be able to solve this problem. But I also think that if you think that AI will solve the problem and just believe that it's AI that is going to get us there, I don't think that's going to be the case because that's where you get into most of us would like to press the easy button and not do any hard work and say OK, I will purchase the software and I'll throw data at it, right? But you need to have a structure, a way to define a lot of basic things in place like a data map, that kind of starts with a little bit of that structure and then after that with that structure, if you leverage AI now, you're giving it a little more depth as opposed to, just expecting AI to be able to figure everything out. Because I feel like it's the same as you know what I would kind of say search, so if you take Amazon and you know there's a lot of structure that is being fed, there is an industry of or an army of people that are sort of looking at how products get ranked, how search is bringing up products and whether the ranking is accurate. They are looking at descriptions and whether the descriptions are proper enough so there's a lot of metadata and curation that happens.
So, without that in a corporate setting, you don't really have metadata and curation because where we generate data for our work, we don't actually curate. That's not a responsibility that we've all taken up as business users, right? So that part of it if it happens naturally, at that point, it will become normal for AI to be able to kind of effectively classify data, but if that curation doesn't happen and that's where you need to have a program and it's not expensive, it's being organized like you said, so being organized to set up that and you can go a long way with just that. And then after that, you know, when the budget is appropriate or when the timing is nice. If you can implement AI, you would see a lot more benefits.
For sure, and this is where, you know, like the continuum model takes place is technically, when you create records you should have thought of the life cycle before that data is even created, and again it's a vicious cycle of training the users and the developers when they build this tool so that they understand retention needs to take place here, permissions, certain types of use, redaction, you name it, right? Whatever comes up. But like with AI, it's almost like the RV on autopilot. They think if they buy that RV that the autopilot is going to work. It's like, no, you still have to be driving the vehicle and you can't leave it unattended, but it will certainly help you along the way. And one of my old business partners, we used to say there's nothing artificial about AI at this point in time. There's still a lot of manual intervention and training; it can take in some cases at least six months for some of the very sophisticated systems to even train them to have an appropriate rating and classification. So, there's still someone behind the wheel really monitoring where this is going to go, but you're right, it's just a matter of time before it does become more affordable. But until that point you can't just sit there and wait and say, oh, wait for AI to get cheaper, or oh, I'll just rely on, you know, the system out of the box.
Because then again, the data inaccuracies start to happen, and that's where I think, you know, a lot of organizations will either get overwhelmed or misclassify data, and you still have to at least put it into a very high-level category, I think, much as a lot of the frameworks, if you look at like NIST and COBIT, that first stage is still identification, and that is again something that I think is very frequently skipped over or, you know, it's just either left there, someone didn't have the time, or they didn't think it was as important. And that's how we come up with these piles and piles of information that are unstructured and just sit there and people don't really know what to do with it because they haven't been trained on it or have, you know, the technology or the time to even get to it.
So, what do you think are some of the biggest challenges and how do we overcome these challenges?
So, I think as unfortunate as COVID was, I think, you know, COVID really propelled people to work remotely and to collaborate, so I think that there is more collaboration than there has ever been because it was forced on all of us. So, well, that was and still is, I think, a challenge; I think it's been accelerated a bit, but I think in a lot of cases, you know, change management is a huge component of it because you have people like, hey, I need to change the way I'm working or there's a process or I'm required to do a lot more work, and then, of course, even the little voice goes in like, well, what's in it for me? Because how many people actually do things that they're not required to do, right? Or checking the box unless it's really necessary, so in some cases, I think if you tie in good data governance to your staff performance plans and make it a part of everyone's annual review process, there is one way that you can really encourage that type of collaboration and care and protection of data, and if they didn't do it before, it might be the little push that they needed to be better about it. So that is one case.
And then I think, it's having senior management understand the importance of it because, as I mentioned, that these systems are expensive, it's not just something that you can typically write a check for or put on a P card, unless you buy like a rogue, you know, online edition of something that wasn't put on a data map or tracked, but besides that, I think that, you know, time and thought does have to go into it. And if the executive team isn't, you know, really informed of what the importance and the benefits of having good governance practice is then, I think they could be missing out on that because information is truly a strategic vital asset, and you can have all the technology that you need. But how are you going to maintain that competitive edge based on potentially data analytics, speed to market, a variety of other things that you could use your information for?
So that is, I think, that's the flip side of things is to have that in addition to just having data compliance, lowered litigation, I know, different parts of the world that where you can't have these ridiculously expensive lawsuits like you do here. They're still about quality and business process improvement, so I think same message spun, you know, 612 different ways, sometimes on having those good governance practices and not just letting old knobs delete data pile up that can cause, you know, various types of risks and errors and legal and compliance issues. So, I think if you can get the people aspect on board of that, you know the equilibrium axis of the people process and technology component. But that's just it. But in addition to using, you know, a reasonable technology that can help you that is going to be the consultant's answer there is it will depend on your organization and what you're trying to achieve.
So, I think we're, you know, we're getting better at it every day, but it will, much as with anything, take time and require a well thought out plan.
How do you use metrics in your program and how has it helped inform the program executives?
That's really a great question, thank you. So, with this in metrics, one of the things that again, when you spend this much time in doctoral research, you get pretty good at doing surveys and data analysis. And, you know, I was never really a math person until recently, when I was like, oh, this is really fantastic, and it just really got me into doing a lot of the surveys. And I was on the original, like, ARMA metrics task force, where we created these, like, beautiful 115 questions, and here we are 10 years later going, wow, nobody really wants to answer, you know, 115 questions over 4 hours.
So, I started doing my own version of this and creating this survey that is still based on that, and it maps back to a lot of the questions, but I've customized these questions, and I work with clients in these design sessions to create these. But I've created these surveys to show where the skews are rather than just say that they, you know, map to the principles, like you have a 2 in compliance. Like, here's your skew. Here's what your survey audience has said, here's potential points for improvement. But when you have those metrics, what people have to realize too is that in some cases, when you do surveys, it's the perception of someone, so you can do a survey like that to capture what the perception is and then take that with a grain of salt, obviously. But sometimes you ask those questions, even if you know that something isn't implemented, just to showcase to senior management, like, hey, you know, we thought we were doing a good job, but we really scored it too. Or in some case, oh, we aren't doing this, but the organization thinks that we are doing it. So, we think that analytics and doing those types of, you know, survey-based ones are really important.
Other than that, I think, you know, if you can do dashboards as well within the organization. Some of, you know, the various information systems and tools will give you some pretty good dashboards to do. You can also try to pull certain reports or have reports customized for you. Hopefully, you've created the metadata to really use that and make your lives easier, if possible, because I do think that reporting is very important based on the metadata behind that. But again, it's that assurance component of it: when you automate it as much as you can, and now you have real-time reports that you can utilize yourself and present to, you know, executive management, I think you're going to have better results. But as an industry, in general, and when you look at these scholarly articles, we haven't really had a lot of it, because a lot of the metrics that we do rely on, and the data volumes, will come from bigger vendors. And again, being both a practitioner and academic here, you try to avoid that bias. Like I said, you know, you can pull what's there, you can try to work with partners. You can do your own analytics, be consistent, try to capture what you can. Some of it is obviously just totaling things, but don't be afraid to go out there and do a survey and get the pulse to gather those metrics and then present it to senior management in something that they can understand. I think a lot of times, too, we think that executives will know things, and they may not. So, you know, you have to define things like metadata and what information governance is, because they don't really quite know it from a perspective as we do.
So, I think that we are really at that stage where we do have to present viable metrics to senior management to get that buy-in, because the seat at the table, in my opinion, hasn't really happened yet, right? Security professionals are getting there, privacy professionals are out there. But the people managing the data directly, I don't think, have gotten that type of recognition as needed just yet, and there's a variety of reasons that, you know, I always go into in my presentations. But I think that capturing whatever data you can, as long as it's reasonable, right? Unless there's a good business reason for it to do, it will really help make your business case on what it is that you're trying to achieve.
Well, some great thoughts. Thank you for your time. It was fun to talk to you.
For sure. Thank you so much and thank you for having a great product that's based on a simple concept like a data map but is really integral to having a really good information program within an organization.