The Emergence of the CIGO (Chief IG Officer)

1 The Emergence of the CIGO (Chief IG Officer)
ACC/IG Committee Quick Hits
July 21, 2016
Jason R. Baron, Esq.
Information Governance and eDiscovery Group
Drinker Biddle & Reath LLP
Washington, D.C.
Jason R. Baron 2016

2 The Challenge

3 Living in an exponential world

4 Acceleration

5 Greater Complexity in an IT and soon IoT world

7 DON'T WE ALREADY HAVE THIS COVERED?
The limitations of the CIO role
- Custodian of all technology
- Information-focused leader
- Need for someone to fill in the gaps

9 IG FACETS TRANSLATE INTO IG DUTIES AND RESPONSIBILITIES
Non-Exhaustive List of Examples:
- Information asset management
- Coordination with Information Security staff
- Data and records policies up to date
- Oversight of data remediation
- E-discovery readiness
- Privacy policies up to date, including with respect to global interests (e.g., EU privacy shield)
- Risk Management
- Role in procurement of new IT systems
- Analytics and monetization of data
- Training of employees

10 WHY DO WE NEED A CIGO?
- To provide information leadership (nobody owns the information function)
- To coordinate information related functions (removing silos)
- To balance and prioritize risk and value (tailored approach)

13 In the "SUITE SPOT": DOES THE CIGO NEED TO HAVE A C-SUITE POSITION?

14 TO WHOM DOES A CIGO REPORT?
- CEO
- CIO
- CFO
- Legal
There is no correct answer: it depends on organizational culture and practice

16 A DAY IN THE LIFE OF A CIGO: Nascent maturity
Depends on the maturity level of the organization
In Level 1:
- CIGO identifies missing or underdeveloped key facets of IG
- Begins building alliances and working relationships between facets
- Reviews existing policies and recommends revisions
- Assesses current IT infrastructure and determines needs of the organization
- Develops employee education programs based on existing policies and procedures
- Develops a risk framework and strategies for dealing with known risks
- Drafts quick wins and concrete projects to advance IG goals
- Outlines an IG Council or suitable framework for escalation of data-related issues
Source: FROM IGI CIGO TASK FORCE REPORT (2015)

17 A DAY IN THE LIFE OF A CIGO: Intermediate Maturity
In Level 2:
- CIGO continues to shore up existing facets and assumes leadership role for IG facets
- Leverages existing alliances to have IG issues considered at start of projects
- Expands and updates existing policies across all practices
- Identifies/implements technological solutions to facilitate consistent application of IG policies
- Expands employee education programs and audits compliance
- Grows organization's incident response readiness, including to regular or anticipated events (e-discovery, investigations, employee departures, etc.)
- Formulates concrete projects to advance IG goals
- Uses IG Council for escalation of data-related issues
SOURCE: FROM IGI CIGO TASK FORCE REPORT (2015)

18 A DAY IN THE LIFE OF A CIGO: Advanced Maturity
In Level 3:
- CIGO in leadership role ensuring that major facets of IG have resources to maintain and improve functions
- Responsible for coordinating and integrating all information-related activities, alliances and working relationships between facets
- Leads the organization's formal IG governing body that meets regularly to proactively coordinate IG functions
- Streamlines technology processes, enhances compliance, and extracts business value from information
- Conducts regular formal auditing of all policies and procedures
SOURCE: FROM IGI CIGO TASK FORCE REPORT (2015)

22 IG CORE TEAM
- Senior level sponsorship from CEO or C-suite
- CIGO (C-suite or direct report to C-suite)
- CIGO staff
- IG Council (CIGO chair, with peers)
- Subject matter experts across disciplines

23 IG COUNCIL
Escalation process
- Issues Identified
- IG Core Team Functions as Gatekeeper
- IG Council Review & Decision
- Ad Hoc Team Tasked With Concrete Project
- Progress reports to CIGO & IG Council
- Socialize Decision & Follow-up
Ad Hoc Teams Flexible

24 The Path Ahead

25 How Do We Overcome IG Resistance?

27 How do we persuade?

28 Is it time for IG Moneyball?

31 MORE REAL LIFE CONCRETE IG PROJECTS WITH CIGOs LEADING THE WAY:
CIGOs involved in
- Migration to Office 365: Legacy Issues
- Crafting messaging policies that make sense to users
- Harmonizing existing retention policies into a global records schedule
- Issuing global privacy program guidance
- Training employees to recognize cyberrisks, including responding to phishing
- Putting into place new data classification taxonomies
- SharePoint data remediation

32 Is it time to push IG at the Board level?

33 IG questions for the Board to ask for a report from the CIGO on:
- Why is our organization keeping a vast amount of information in the first place?
- What defensible deletion policies make sense to implement?
- Are there regulatory requirements for retaining data, and if not, do existing retention policies continue to make sense?

34 More IG questions for the Board to ask:
- Are there ways to segregate high value data from the morass of ephemeral data, so as to make reasonable categorical decisions on what to retain and what to dispose of?
- Has our organization considered acquiring state-of-the-art analytics tools to facilitate searches for ESI in response to lawsuits and investigations?

35 Still more IG questions for the Board to ask:
- How is our organization using cloud storage and what protocols are in place to ensure continued access to data under all circumstances?
- What policies are in place over ESI not in direct control of the IT staff, including BYOD and shadow IT policies?

37 Culture Change is Possible

38 Leadership
Leaders -- especially those that are change agents -- can only succeed when they have a reservoir of goodwill that allows them to convince followers that their fates are correlated.
--Warren Bennis ( ) ("dean of leadership gurus")

39 Jason R. Baron
Drinker Biddle & Reath
1500 K Street NW
Washington DC
(202)
jason.baron@dbr.com