As the mountains of data grow, so does the variety of strategies CIOs are marshalling to manage that information, and profit from it.
Cause and Effect
Two factors are propelling the interest in information governance. First, a raft of recent federal regulations has made it a top priority for companies to better account for how information is being handled within their organizations. Laws such the Health Insurance Portability and Accountability Act (HIPAA) and the Financial Services Modernization Act (also known as Gramm-Leach-Bliley) require strict privacy protocols for medical and consumer-banking records, while the Sarbanes-Oxley Act mandates an audit trail for critical accounting activities and requires procedures that limit the ability of employees to access and alter internal corporate files. Companies that have government contracts must meet numerous post-Sept. 11 security demands, ranging from keeping data from getting into the hands of potential terrorists, to providing the government with information about international communications, to reporting suspected illegal activities, such as money laundering. Meanwhile, businesses facing even minor litigation are frequently subpoenaed for information about obscure e-mail trails to satisfy discovery requirements. With all these directives involving their data systems, executives who fail to govern the information their companies maintain, or access, can no longer use ignorance as an excuse.
The second factor is more daunting because it involves much more than just learning to follow regulations. After three decades of aggressive computerization, companies are drowning in data; indeed, many companies have begun to conclude that they can no longer benefit sufficiently from the vast amount of information they maintain. According to research coauthored by economist Hal Varian, a professor at the University of California–Berkeley's Haas School of Business, people produced about five exabytes of new information in 2002, twice the amount created just two years earlier. (Five exabytes is roughly equivalent to the information that would be contained in half a million new libraries the size of the print collection at the Library of Congress.) About 92 percent of this new information is stored in magnetic media, primarily hard disks. E-mail contributes at least 500 times more data each year than the amount generated by new Web pages.
Information governance programs are an attempt to corral all of this information into a useable form, an ambition that so far has eluded most organizations. "The difficulty will be in managing this information effectively," says Varian. "This is no easy task. Our ability to store and communicate information has far outpaced our ability to search, retrieve and present it. Information management may turn out to be one of the major challenges of the new century."
The most visible effect of information governance can be seen in the attempts by companies to standardize policies relating to data throughout the entire organization. Typical are the recent initiatives at Radiate Group, a Chicago-based marketing subsidiary of the $10.5 billion advertising conglomerate Omnicom Group Inc. Like many ad agencies, Radiate is made up of nearly two dozen smaller firms, some of them tiny six-person outfits, others with hundreds of employees. Because Omnicom is a public company, it and its affiliates are subject to Sarbanes-Oxley regulations, which (among other things) require corporate chief executives and CFOs to attest that they have ironclad systems in place to protect the accuracy and integrity of financial data.
To comply with these rules, John Luoma, Radiate's CIO, implemented a set of universal data controls defined by Omnicom, both automated and manual, that can be applied to all of the individual computer networks and other information repositories at each of the company's firms, no matter what their size. This was intended to replace the ad hoc data procedures that had been cobbled together by Radiate's subsidiaries, many of which were of little use if a suspected financial fraud prompted an investigation.
Luoma applied a data-management template defining the roles that IT, finance, human resources and supervisory executives must play in order for the organization to vouch for the accuracy of information and for the safeguards that protect it. Radiate's firms were directed to fill in the names of people who would be responsible for each of these tasks. Luoma could then do spot checks to see if these guidelines were actually being followed. "I flew down to one agency that had attested it was keeping up to date on antivirus protection," says Luoma. "And I asked for the screen print from five workstations showing what version of Symantec software was being used, as the policy calls for. They said they hadn't taken the screen prints, but they knew they were compliant. That's not good enough. In this environment, we have to prove we are compliant, not just believe we are."
Since that meeting, much has improved at Radiate, Luoma says, particularly in taking the information rule book seriously, and in storing data in more uniform ways so that specific pieces of information can be easily retrieved. All of this is making Luoma sleep easier. "I am more of a data compliance officer than a technologist," Luoma says. "There's a real comfort that we've had better information governance rules forced on us by Sarbanes-Oxley. Before that, there was nothing on the IT side that required any level of care with sensitive and material information. It was a free-for-all."
Similar wide-ranging measures involving data security and privacy are being implemented at many companies. Sunrise Medical Inc., a Carlsbad, Calif.-based firm that makes and sells a variety of home healthcare products such as wheelchairs and portable respiratory devices, has tightened the screws since HIPAA privacy regulations regarding patient medical records took effect in 2003. Although Sunrise doesn't sell directly to consumers, dealers do occasionally place orders containing patient names. Sunrise also manufactures a sleep therapy device that monitors sleep apnea. Data from these machines is transmitted to Sunrise's computer networks and is also available electronically to doctors.
Because of HIPAA rules, Sunrise has created a separate set of policies for these patient-related records. For starters, Sunrise is storing this information in isolated computers that have no connection with the outside world. In order to obtain information from these secure files, a handwritten request must be approved by a Sunrise supervisor, who has himself signed a document indicating that he knows the information is sensitive and that it is illegal to disseminate without patient permission and a legitimate purpose. In addition, data in these computers is encrypted when electronically transmitted. To make sure the system is working, Sunrise conducts regular security audits in which a third-party firm tries to hack patient data. "All data that falls under this governance policy, we treat differently from the rest of our data," says John Kirkpatrick, vice president of global business systems at Sunrise. "As recently as five years ago, or even less, we would not have taken these kinds of precautions. Now, it is a forefront issue for us."
- Get a Grip
- Cause and Effect
- The Technology Solution
- Life on the Edge