Governance jitters increase

By Paul Furber, ITWeb contributor
Johannesburg, 10 Oct 2011

Can an auditor walk into your organisation tomorrow and leave impressed with the state of your storage, data governance and compliance to current South African law? If circumstances require you to comply with international standards as well, would you pass those tests too?

If you can confidently say yes, then would you still be happy if the auditor was accompanied by an expert enterprise storage consultant, someone with the knowledge to see through any technical fudging? What if some government representatives with wide knowledge of the Consumer and Protection of Personal Information Acts were right behind them? Would they also agree with the checkboxes so confidently ticked?

There's a growing realisation among South African companies that these are real questions that need real answers soon, both because of business imperatives and looming legislation. Brian Balfe, solutions specialist at Dell SA, says he's seen this realisation become more common.

"There's a far deeper view of the fact that companies need to be doing something now than when we discussed this three years ago," he says. "Then we were asking: compliance with what? Everyone now knows that there is new legislation in place.

“One of the myths is that governance and compliance is an IT function. It certainly can be implemented by IT but it can't be driven by IT. It needs to be owned by a CFO, a COO or a CEO. We're pushing an open door now and customers are looking at the relevance of information governance to their businesses. You can't solve it with technology: it's a business process decision. And I think we're a lot closer to the European market than we were three years ago."

Emson Moyo, CTO of Gijima, says proper governance comes from the right corporate governance and the right architecture. "Feeding into that is IT governance. As you go down the stack, you get into information governance and data governance. On the infrastructure side, you need to start with the right business architecture and then your enterprise architecture. Only then will you start getting clarity. But if you don't have those two in place first, you can talk governance and tick the boxes but your infrastructure won't be aligned."

Bennie Kotze, manager of enterprise content management consulting for NokusaEI, agrees SA is further down the line when it comes to realising that something must be done.

"But I deal with the more unstructured stuff: documents, scans and images, and there, unfortunately, South African companies aren't nearly ready.

“It boils down to managing information as a resource but we pay lip service to that. We need to treat it exactly the same way as we treat money and plant and people. We need management practices and technology practices that support businesses rather than own them, and most importantly, information behaviours and values: how we train people to treat information properly.

“Ownership is an issue. I don't think executives understand the importance of data, whether structured or unstructured. And they don't realise that some stuff they mismanage is really important. Contacts, for example, in most organisations are a mess."

Who owns what?

The question of ownership and ultimate responsibility is a thorny one. For Mike Rees, business development manager at Commvault, data is the responsibility of the IT department.

"But information is the business' challenge," he says. "Even if you have all the tools in place and you tick all the boxes, it doesn't matter if you don't ask the question: why are we making a copy of our information? If you answer that question, then the business can at least decide to do it in the most efficient way.

“The problem is that a lot of organisations do it in a piecemeal approach, which is insanity. But there's so much insanity that it's become the norm. Staff complements and budgets aren't growing at the same rate as data, so all of this has to be done more efficiently."

Fred Mitchell, Symantec division manager at Drive Control Corporation, says there are practical ways to push responsibility to those that need to be in charge.

"Data should belong firstly to the organisation, but it should also belong to the division that's using it. IT has a responsibility for backing things up, but it should be a divisional manager's responsibility to ensure backups have happened should things go wrong. Otherwise the day comes when everyone wants it and it's too late."

Gijima's Moyo says IT managers need to speak more business language.

"I think this is where we become misaligned to the rest of the organisation. We need to show business value. It's a no-brainer that data is an asset and has a value, but can we put a value on it?

“If you're going to need investment in the integrity of it, then what does that mean? When you start showing them that the cost of failure is high, for instance, if a system fails and the client slaps us with a penalty, then it's easy to make the case for spending R2 million to avoid R10 million worth of penalties."

Penalties from clients are one thing. Penalties from the authorities are another. According to Mike Bergen, MD of MigrationWare, unlike most developed countries, SA doesn't have laws in place that bring bite to the argument.

"We have a Protection of Personal Information bill coming - it's still not here but legislation has been in place in Europe for 15 years now. That Act will have real teeth. It will hold directors personally responsible if there are any breaches, it's going to impose hefty fines for data loss and that will focus businesses a lot more on the issues.

“I'll give you an example. There's one instance I know of, of a South African company losing about 40 000 customer records. That company is a subsidiary of a European company that was fined 2.2 million pounds for that breach - in Europe, not here."

Getting a handle on the problem

How should organisations approach the dreaded audits? Dell's Balfe wants to see more transparency on both sides.

"What I would like to see happen as an IT professional is for everyone to be involved in discussion nine months before an audit happens, where it's made clear what the interpretation of best practice is. So then rather than treating it as the cops coming in to do a raid, we understand what they're searching for.

“If I was sitting on the auditing side, I'd be less interested in the gibberish and the detail and more interested if there was a clear strategy about the different types of data, the legal obligations and the good governance rules about how the business is run for competitive advantage. In short: is there a plan and how is it implemented?"

Product proliferation hasn't helped towards this goal, notes Commvault's Rees.

"Vendors and salespeople go around and sell products they say will make a customer compliant. But a single product cannot make an organisation compliant. The organisations have to make themselves compliant and may use a product or two - or three or four - and they need to do it wisely and intelligently to get away from the insanity that we have now."

More transparency makes more business sense too, notes NokusaEI's Kotze.

"If you look at service delivery for the public sector, say for example, the Department of Housing, if the data and the documents are available through a portal and what's been going on there is transparent, then service delivery will improve. We're not talking about data or information technology, we're talking about building better houses. It's the good old business case: why are we doing something? It has fallen into disuse.

“You need to assign ownership to benefits. It's not a question of selling an all-singing, all-dancing system but to be able to track things over time. In some cases in the mining industry, you need to be able to keep records for 80 years after the life of a mine. That's a terribly long time to be thinking about data retention, and yet it must be done."

Sometimes, management may decide that not protecting information is an acceptable risk. MigrationWare's Bergen says he knows of at least one incident where an IT department identified a problem with the way personal information was being handled, but was advised by its internal auditors and legal people not to worry about it.

"They would take the risk, and when the law came into effect, they would take action. So this is a South African organisation prepared to take that level of risk of losing data and reputation. The problem with that is, guys like you and me have our data in there and they are taking risks with our information as well."

Dell's Balfe says this is a manifestation of the stick approach to compliance.

"The stick approach works to a point until you get a large company that sits there and says, based on the facts in front of us, we're making a call not to do anything. That immediately absolves IT from responsibility, which is good in one sense, but were the facts presented in a suitable light? Did they actually have the facts to be able to make that call?

“I say to my customers: don't use the stick. Rather stick to what's good for your business instead of worrying about legislation that doesn't exist yet. Investing in something that protects against data loss may seem like household insurance if you haven't actually lost anything, but if it improves data access, then you've improved your business. People are getting tired of being told what to do. What they will thank you for is good advice on how to improve your business."

Another problem is lack of automation. Commvault's Rees says he's come across a 'crazy' example of automation done wrong.

"I've seen an IT guy in charge of backups have to enter data into a spreadsheet to record the fact that backups were taking place. That's a waste of a highly intelligent person's time but the organisation's attitude was that it was being compliant. Rather use something that can produce automatic reports."

That should be balanced with human observation, says Accenture's senior manager of security and risk, Herbert Kunzmann.

"Automation is a good thing and it's very necessary, but you can never completely escape the need for a human eye. For example, if you have an automated system and you don't check it daily or weekly, you might find in six months' time that it stopped working six months ago. At that point, you might wish you had someone entering it manually into Excel.

“There is a valid fear of making your own job redundant but you need to take a step back and realise where you need a human eye on and human control of processes. It's a balance."
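Rees's point (replace the manually maintained spreadsheet with an automatically produced report) and Kunzmann's caveat (an automated system nobody checks can stop working unnoticed) can be combined in one small control. The script below is an added example and is not code from the article or from any of the vendors quoted in it; the log format, the job names and the thresholds are all constructed assumptions. It parses backup job records, produces a per-job report an auditor could read (last successful run, failure count, whether the job is stale against a retention window), and separately flags when the reporting feed itself has gone quiet, which is the "stopped working six months ago" failure mode.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from any real backup product). Assumed format per line:
# "<ISO-8601 timestamp> <job name> <SUCCESS|FAILED>". The malformed last line is deliberate.
SAMPLE_LOG = """\
2011-10-01T02:00:00 finance-db SUCCESS
2011-10-02T02:30:00 hr-files SUCCESS
2011-10-03T02:00:00 finance-db FAILED
2011-10-04T02:30:00 hr-files FAILED
2011-10-05T02:00:00 finance-db SUCCESS
2011-10-05T02:30:00 hr-files FAILED
2011-10-06T02:00:00 finance-db SUCCESS
2011-10-07T02:00:00 finance-db SUCCESS
garbage line
"""

# Jobs that policy says must exist. Listing them here (rather than deriving them from the
# log) is what lets the report notice a job that never wrote a single record.
EXPECTED_JOBS = ("finance-db", "hr-files", "mail-archive")


def parse_log(text):
    """Parse log text into (timestamp, job, status) tuples, skipping malformed lines."""
    runs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("SUCCESS", "FAILED"):
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        runs.append((ts, parts[1], parts[2]))
    return runs


def backup_report(runs, expected_jobs, now, max_age=timedelta(days=2),
                  monitor_max_age=timedelta(days=1)):
    """Summarise runs per expected job and check that the feed itself is still alive.

    A job is stale if it has no success within max_age of `now` (or never succeeded).
    The monitor is stale if the newest record of any kind is older than monitor_max_age:
    that is the signal that automation has silently stopped and a human must look.
    """
    last_success = {}
    failures = {}
    newest = None
    for ts, job, status in runs:
        newest = ts if newest is None or ts > newest else newest
        if status == "SUCCESS":
            if job not in last_success or ts > last_success[job]:
                last_success[job] = ts
        else:
            failures[job] = failures.get(job, 0) + 1

    jobs = {}
    for job in expected_jobs:
        last = last_success.get(job)
        stale = last is None or now - last > max_age
        jobs[job] = {"last_success": last, "failures": failures.get(job, 0), "stale": stale}

    monitor_stale = newest is None or now - newest > monitor_max_age
    return {"jobs": jobs, "newest_entry": newest, "monitor_stale": monitor_stale}


def render_report(report):
    """Turn the report dict into plain text lines suitable for filing as audit evidence."""
    lines = []
    for job, info in report["jobs"].items():
        last = info["last_success"].isoformat() if info["last_success"] else "never"
        state = "STALE" if info["stale"] else "ok"
        lines.append(f"{job}: last success {last}; failures {info['failures']}; {state}")
    newest = report["newest_entry"].isoformat() if report["newest_entry"] else "none"
    feed = "FEED STALE - check the automation" if report["monitor_stale"] else "feed ok"
    lines.append(f"newest record {newest}; {feed}")
    return lines


def example_report(now_iso="2011-10-07T08:00:00"):
    """Run the report over the constructed sample at a chosen (constructed) point in time."""
    return backup_report(parse_log(SAMPLE_LOG), EXPECTED_JOBS, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # Same sample viewed the morning after the last run, then two months later with no new records.
    for when in ("2011-10-07T08:00:00", "2011-12-07T08:00:00"):
        print(f"--- report as of {when} ---")
        print("\n".join(render_report(example_report(when))))
```

Run as of 7 October the report shows finance-db healthy, hr-files stale with two recorded failures, and mail-archive stale because it never reported at all; run as of 7 December over the same unchanged log, the per-job lines look identical but the final line flips to "FEED STALE", which is the check that replaces the daily glance Kunzmann describes. The thresholds should come from the organisation's retention policy rather than being hard-coded as they are here.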