A CISO’s Guide to Overcoming Governance Silos

In today’s workplace, silos are (in a very real sense) the enemy. Why? Because they directly undermine business outcomes.
Consider, for example, “Conway’s Law,” the principle articulated by computer science pioneer Melvin Conway that system architectures mirror the communication structures of their builders. In “How Do Committees Invent?”, he put it this way: “Organizations which design systems… produce designs which are copies of the communication structures of these organizations.” In practice, this means that disjointed, inefficient communication between teams leads to those teams producing disjointed, inefficient output. This is true whether you’re designing software, selling consumer goods, or providing critical legal services.
Knowing this, many recent technology shifts have specifically targeted finding and removing silos. And just like any area of technology, information governance is prone to becoming siloed. While tech silos create data sprawl, governance silos create accountability vacuums, policy breakdowns, and security concerns. Overcoming governance silos not only ensures that your organization stays compliant with regulatory and contractual requirements, it also helps support broader outcomes. Fixing them requires looking at a complex set of factors, including some that are easily overlooked. We asked Future in Tech’s Chief Information Security Officer, Ed Moyle, to give a security perspective and provide organizations with a starting point for breaking down governance silos.
Where and How Governance Silos Occur
Blind Belief in Functionality
It’s a common problem: set it and forget it. But good governance requires more than a blind belief that your policy is functioning as it should in practice. Just getting a policy into practice is one of the first places governance breaks down. Policies often unintentionally remain theoretical or rely on manual enforcement, meaning they never take the first step towards consistency: operationalizing. Operationalizing your governance turns it into repeatable, enforceable workflows.
The next place governance breaks down is the step from execution to oversight. Organizations create a policy and make an implementation plan, but fail to build in follow up. No one is assigned to regularly audit that controls are in place, that metrics are being tracked, or that the intended outcomes (e.g., risk reduction, business agility, regulatory compliance) are being achieved.
This is especially true of tools, which can become like “plumbing”: operating invisibly and without oversight until something catastrophic happens. Organizations that took the initiative to automate some or all of their governance processes then assume that things are working as they should, with no one checking unless things break (at which point the damage has been done). In extreme cases, APIs have been broken for months with no one noticing. Newer software like FiT’s is much quicker at catching and fixing broken integrations, but it shouldn’t be a replacement for appropriate oversight.
Overconfidence in Controls
Organizations often overestimate the strength of the controls they put in place. This pops up in three key areas.
- Access control issues arise when not enough attention is paid to who can see what. Some organizations struggle with overly broad permissions, such as allowing an entire department access to records or information where user-level containment would be more appropriate. For others, there are no record- or object-level restrictions at all, either because they were never implemented or because the overarching governance tool doesn’t support them. Likewise, access “sprawl” is common: users are provisioned with access that doesn’t go away even when they change roles or the access is no longer appropriate.
- Data protection failures happen when policies lack granularity - or lack follow through on granular protections. Common weak areas include encryption that doesn’t enforce user-level business rules, missing or failing data segmentation controls (such as mixing records within a database), failure to classify data consistently and accurately, and lack of adherence to retention rules (for example not adhering to data decommissioning schedules).
- Monitoring deficiencies occur from a failure to assign an overseer role. These can include a failure to monitor and record access at all, or only partial monitoring that misses information, such as recording an audit entry but not the specific user responsible for the event. Many organizations also falsely assume data loss prevention (DLP) tools will prevent access control misalignment. And finally, there’s the risk of “deadhead” monitoring, when audits and log events aren’t reviewed, maintained, or understood, so the activity is performed to no real effect.
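As an added example (not code from the article or from FiT’s product), the following Python script runs the two monitoring checks described above over a constructed audit log: it flags entries that record an action but not the actor or the object it touched, and it flags log sources whose last human review is older than a chosen window, which is the “deadhead” monitoring case. The audit entries, the review register, the field names (ts/actor/action/object) and the 14-day window are all assumptions made for the example.

```python
"""Audit-log completeness and review-staleness checks.

Added example, not the article's or any product's own code. The audit entries,
the review register, the field names (ts/actor/action/object) and the 14-day
review window are all constructed assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed audit log (newline-delimited JSON). Entry 1 records a delete with
# no actor; entry 2 records an export with an empty target object.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-05-01T09:12:00Z", "actor": "jdoe", "action": "read", "object": "matter/1042"}
{"ts": "2024-05-01T09:15:00Z", "action": "delete", "object": "matter/1042"}
{"ts": "2024-05-02T11:40:00Z", "actor": "asmith", "action": "export", "object": ""}
{"ts": "2024-05-03T08:00:00Z", "actor": "svc-dms", "action": "retention_purge", "object": "matter/0988"}
"""

# Fields every entry must carry to be attributable: when, who, did what, to what.
REQUIRED_FIELDS = ("ts", "actor", "action", "object")

# Constructed review register: when a person last reviewed each log source.
SAMPLE_REVIEW_REGISTER = {
    "dms-audit": "2024-03-01T00:00:00Z",        # reviewed more than two months ago
    "fileshare-audit": "2024-05-03T00:00:00Z",  # reviewed recently
}


def parse_iso(ts):
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware datetime."""
    if isinstance(ts, datetime):
        return ts
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_audit_log(text):
    """Parse NDJSON audit lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_incomplete_entries(entries):
    """Return (line_index, missing_fields) for entries that cannot be attributed.

    A field counts as missing when absent, None or an empty string."""
    findings = []
    for i, entry in enumerate(entries):
        missing = [f for f in REQUIRED_FIELDS if not entry.get(f)]
        if missing:
            findings.append((i, missing))
    return findings


def stale_reviews(register, now, max_age_days=14):
    """Return log sources whose last review is older than max_age_days."""
    cutoff = parse_iso(now) - timedelta(days=max_age_days)
    return sorted(src for src, ts in register.items() if parse_iso(ts) < cutoff)


def run_checks(log_text=SAMPLE_AUDIT_LOG, register=SAMPLE_REVIEW_REGISTER, now=None):
    """Run both checks and return a summary suitable for a periodic report."""
    now = now or datetime.now(timezone.utc)
    entries = parse_audit_log(log_text)
    return {
        "entries": len(entries),
        "incomplete": find_incomplete_entries(entries),
        "stale_sources": stale_reviews(register, now),
    }


if __name__ == "__main__":
    # Fixed "now" so the constructed data gives a stable result.
    print(run_checks(now="2024-05-10T00:00:00Z"))
```

The two findings this produces (an unattributed delete and a source nobody has reviewed in weeks) are exactly the conditions a quarterly control review should surface; in practice the register would be fed by whatever ticketing or sign-off record the review process already uses.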
Organizational or Process Breakdowns
In addition to tools and policies, there is always the risk from the “human element.” Ownership gaps - a lack of clarity around who owns a given set of records or data - mean no clear accountability, which in turn leads to "orphaned" data that slips through the cracks. These ownership gaps frequently arise from silos within an organization. When information governance decisions and processes require coordination between several teams that rarely otherwise interact, communication and collaboration breakdowns occur, leading the retention policy itself to break down.
How to Fix Governance Silos
Good retention policies are complex and granular, anticipating the silos that are bound to occur. But if your governance structure hasn’t yet accounted for those silos, here’s where to start.
Start with an Inventory
Sometimes called an audit or process audit, a systematic examination of data and how it's used lets you see where everything is - and it’s often not where you think. Organizations, especially law firms, tend to believe that everything lives in the DMS, when in fact copies or originals exist in several other places (e.g., network shares, data sharing platforms, physical folders, etc.). These spaces are often not governed, meaning staff forget they’re there when it comes time to close the matter. Before you can even think about managing tech and governance silos, you have to know where everything truly is.
Understand Your Preferred Outcome
This might seem straightforward, but organizations often forget to ask themselves what they want to have happen. What are the key drivers (across potentially multiple stakeholders) for the governance program in the first place? If the goal is not well-defined, the policy can’t be either – meaning actual objectives never get met. Make sure you’ve decided on, communicated, and operationalized what you want to have happen to every document and data type you produce or receive in your organization. Ensure all stakeholders are represented in these discussions to make sure that what you put in place meets everyone’s needs.
Define Your Edge Cases
Once you’ve decided on your preferred outcome most of the time, you can move on to your “edge cases”. In what scenarios do you not delete or store according to your retention schedule? What needs to happen instead? Who’s in charge of making sure that does happen? FiT’s Information Governance platform can help you operationalize these situations, as well as the typical scenarios, eliminating errors from manual processes.
It’s important to keep in mind that different areas of the business can have different priorities and interests. Therefore, as you evaluate preferred outcomes and edge cases, establish mechanisms to collect and incorporate stakeholder feedback and factor this input into your automation efforts. Moyle put it this way, “Governance should be a guardrail, not a roadblock. Processes that don’t understand how the business actually works just guarantee they’ll be bypassed downstream. First work with stakeholders to gain consensus on the reality of what they need and their goals. Only then can you define enforcement policies that work for everyone and don’t interfere with the day to day.”
Build in Technical Enforcement
Part of operationalizing your compliance policy is building in the right controls and then validating that they’re working. Consider the following areas for regular checks:
- Access authorization: ensuring the right personnel have access to the right information. You can automate this process and receive a report of findings, or perform manual testing at agreed upon intervals.
- User permissions: confirm that permissions are accurate for each user and in line with defined expectations.
- Application controls: utilize red teaming or other hands-on testing, such as penetration testing, to validate access controls inside of an application. This is particularly critical if your organization uses applications developed in-house.
- Environmental controls: build in periodic required validation activities. Consider combining validation with ongoing "hygiene" activities you are required to conduct anyway, for example, BIA, internal scanning, internal pen testing, etc. Leverage the results to evaluate the effectiveness of your data protection, access/authorization/authentication, and segmentation controls.
To optimize your processes here, consider what information and data you can track and manage to help move you closer toward a “virtuous cycle” of ongoing improvement. For example, define and track metrics that pertain to information governance and adjust or fine tune your processes according to the impacts they make. These include - but certainly aren’t limited to - access request volume, time to deprovision, policy exception rates, and legal hold frequency. Evaluate for anomalies and address failures or unexpected results as they arise.
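As an added example (not the article’s or FiT’s own code), the following Python script automates the access authorization and user permission checks listed above and computes three of the metrics just named (access request volume, time to deprovision and policy exception rate) from a constructed user inventory. The role baseline, the user records, the access-request log and the review date are all assumptions made for the example; a real run would read the same shapes from an identity provider export.

```python
"""Automated access review and governance metrics over a constructed inventory.

Added example, not the article's or FiT's own code. The role baseline, the
user records, the access-request log and the "today" date are constructed.
"""
from datetime import date

# Constructed baseline: the permissions each role is expected to hold.
ROLE_BASELINE = {
    "associate": {"dms:read", "dms:write"},
    "paralegal": {"dms:read"},
    "finance": {"billing:read", "billing:write"},
}

# Constructed user inventory, as it might be exported from an identity system.
# jdoe moved from associate to paralegal but kept dms:write (sprawl); bjones
# has a stray dms:read on a finance role; clee left and is still provisioned.
USERS = [
    {"user": "jdoe", "role": "paralegal", "permissions": {"dms:read", "dms:write"},
     "left": None, "deprovisioned": None},
    {"user": "asmith", "role": "associate", "permissions": {"dms:read", "dms:write"},
     "left": None, "deprovisioned": None},
    {"user": "bjones", "role": "finance", "permissions": {"billing:read", "billing:write", "dms:read"},
     "left": "2024-04-01", "deprovisioned": "2024-04-15"},
    {"user": "clee", "role": "paralegal", "permissions": {"dms:read"},
     "left": "2024-04-20", "deprovisioned": None},
]

# Constructed access-request log; "exception" marks grants made outside policy.
ACCESS_REQUESTS = [
    {"id": 1, "user": "jdoe", "permission": "dms:write", "exception": False},
    {"id": 2, "user": "bjones", "permission": "dms:read", "exception": True},
    {"id": 3, "user": "asmith", "permission": "dms:read", "exception": False},
    {"id": 4, "user": "clee", "permission": "dms:read", "exception": False},
]


def find_sprawl(users, baseline):
    """Map each user to the permissions that exceed their current role's baseline.

    A role absent from the baseline has an empty baseline, so every permission
    held under it is reported rather than silently accepted."""
    sprawl = {}
    for u in users:
        extra = u["permissions"] - baseline.get(u["role"], set())
        if extra:
            sprawl[u["user"]] = extra
    return sprawl


def deprovision_lag(users, today):
    """For each leaver, return (days from leaving to deprovisioning, still_open).

    Leavers who are still provisioned count up to today and are flagged open."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    lag = {}
    for u in users:
        if not u["left"]:
            continue
        left = date.fromisoformat(u["left"])
        end = date.fromisoformat(u["deprovisioned"]) if u["deprovisioned"] else today
        lag[u["user"]] = ((end - left).days, u["deprovisioned"] is None)
    return lag


def exception_rate(requests):
    """Fraction of access requests granted as policy exceptions (0.0 when empty)."""
    if not requests:
        return 0.0
    return sum(1 for r in requests if r["exception"]) / len(requests)


def access_review(users=USERS, baseline=ROLE_BASELINE,
                  requests=ACCESS_REQUESTS, today="2024-05-10"):
    """Combine the checks into one report: findings to act on plus metrics to trend."""
    lag = deprovision_lag(users, today)
    closed = [days for days, open_ in lag.values() if not open_]
    return {
        "sprawl": find_sprawl(users, baseline),
        "open_leavers": sorted(u for u, (_, open_) in lag.items() if open_),
        "avg_days_to_deprovision": sum(closed) / len(closed) if closed else 0.0,
        "access_request_volume": len(requests),
        "exception_rate": exception_rate(requests),
    }


if __name__ == "__main__":
    for key, value in access_review().items():
        print(f"{key}: {value}")
```

Run at an agreed interval, the "sprawl" and "open_leavers" entries are the findings someone must own and close, while the three metrics are what you track over time to see whether process changes are actually moving them.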
Establish Joint Ownership and Communication Paths
While these recommendations are written from a security officer’s perspective, information governance affects too many departments to be the sole responsibility of tech or security. Breaking down silos means involving enough of the right stakeholders. Identify those players who can champion your information governance efforts, and establish owners inside all business areas whose work is accountable to your governance standards. The right people and the right tech together are your best bet at preventing governance silos and the adherence failures that naturally arise from them.
Much of the work of breaking down governance silos occurs at a process and policy level, and decisions will be unique to each organization. What remains the same is the benefit of the right information governance software. Highly configurable software that can audit where your data is living, operationalize what you want to have happen, and alert you when edge cases pop up will break down much of your siloed governance issues. If your current software isn’t living up to your needs, FiT can help. Schedule a demo with our team to see how our information governance software can solve your governance silo challenges.