How to Create a Digital Workplace Governance Program

In a recent discussion with a client concerning a digital workplace initiative, they related that some of the data they were migrating to SharePoint Online hadn’t been edited since the early 1990s. I wrote this off as a fluke until another client recounted the same story just a few weeks later.

No one who collaborated on those files still worked at these companies, so how would the current leadership know if the information was important? An easy answer has always been to keep all the data, because storage is cheap—but that just defers the problem and contributes to continued data sprawl.

What to Delete and What to Retain

So, the next best solution is to delete the data that’s no longer needed. But knowing what should be deleted and what should be retained is a huge challenge.

Addressing this challenge often falls to IT and InfoSec. They face questions like:

  • What’s the oldest file that our organization is storing on a server?
  • Has the file been migrated to SharePoint or SharePoint Online?
  • Do we still need that file?
  • Is it OK to finally delete the file?
  • Who in the business is responsible for this content?
  • Is anybody accessing this information?
  • Is this information regulated in any way?

Imagine attempting to find these answers, and then to make the right decisions about data—now, multiply that by tens of thousands of files. This is a nearly impossible task, and yet IT and InfoSec often shoulder the responsibility of building one-size-fits-all information governance policies for their organizations.

However, these questions should not be ignored and cannot be accurately answered with one-size-fits-all policies.

So far, the picture is bleak. IT and security stakeholders understand that information governance, including life cycle management and records management, is a key step for both mitigating risk and improving end-user experiences; people shouldn’t have to sort through decades of context and content when searching for information. But deciding what to retain is overwhelming because of the sheer amount of data involved. So how do we proceed?

Well, for your oldest files, there are several great information governance solutions on the market with clever analytics, flexible policies and powerful automation. These solutions are great at cleaning up big problems quickly, but what if there were a solution that simply prevented the problem from happening in the first place?

The best way to address the source of the problem is to democratize life cycle management. Move the life cycle management decisions closer to the business and away from InfoSec and IT. Empower business users and business leaders—the people that are closest to the content and collaboration and have life cycle management training, tools and support—and engage them often. The end goal is that any of the remaining files has a clear history of accountability as far as who retained that content and, more importantly, the business rationale explaining why it was retained.

Three Ways to Democratize Life Cycle Management

1. Govern Digital Workplace Creation

Modern collaboration platforms like Microsoft Teams or Slack have democratized the creation of workspaces; they are designed so that any user in your organization can create as many digital workplaces as they need, as often as they need them. Gone are the days of IT-managed file servers and file shares.

This presents a challenge because the more workspaces that exist, the more rapidly content sprawls and the more life cycle management decisions need to be made. To address these challenges, CISOs must create policies that restrict who can create workspaces and establish standardized approval processes. It’s especially important to capture and retain several pieces of metadata in the process, such as:

  • What the digital workplace is going to be used for (project code, corporate initiative, product ID, etc.)
  • For how long should the content and conversations be retained from the date of creation (Six months? Six years?) Allow the business to choose from a limited number of options established.
  • Which person is accountable for managing the content in the workspace and making life cycle management decisions for that workspace? Who is the primary owner? (Often, it is the person creating/requesting the workspace, but not always. Track this separately from the workspace membership and ownership.)

2. Require Periodic Review and Attestation of the Digital Workplace

Maybe a digital workplace was created for a long-term project planned to last two years or more, but your collaboration analytics platform has uncovered that the workspace hasn’t been heavily used for six months. For example: If you retained metadata for the primary owner, you can reach out to that person directly and have them decide if the digital workplace needs another owner or should be archived, deleted or maintained. The power of tracking a single accountable person lies in knowing who to contact, even if they no longer own the workspace or participate in the team. If they’ve left the company, their prior manager can be identified to answer any questions about the workspace. Larger organizations and small but highly collaborative organizations can benefit from investing in automation to monitor usage and communicate with workspace owners at scale.

3. Simplify Records Retention

Most organizations treat collaboration digital workplaces as “transitory collaboration” solutions and have a more formal repository for important records. However, if the effort required to shift content into a records storage location is too taxing or confusing, end users won’t comply, leading to either data loss or data sprawl. To help prevent this, CISOs should provide periodic reminders about records retention expectations and invest in training and business automation, where necessary, to improve and streamline the end-user experience.

The primary goal of collaboration governance is to strike a balance between streamlining end-user experiences, thus earning end-user trust and participation, and mitigating business risk. Make life cycle management easy for your business users. Target workspaces instead of specific files for your governance policies where possible, and empower business users and leaders to make the decisions within the parameters established by IT and InfoSec. With these processes in place, future IT leaders won’t have to make uninformed decisions about what to do with the files that are being created today.

As we move ever further into the era of the digital workplace, it’s the modern CISO’s responsibility to abandon legacy collaboration governance ideas and embrace the democratization of collaboration.

Brandon Long

Brandon Long is a collaboration security and governance solution architect with Unify Square.
