On this episode, we sit down with Amy Worley, Managing Director at Berkeley Research Group. Amy advises clients of the global consulting and research firm on developing, tracking, and reporting on meaningful KPIs. Moreover, Amy assists in monitoring the effectiveness of a data protection program and information governance framework in clients' systems.
Building an Information Governance Framework
with Privacy at the Forefront
The Rules of Data Privacy
"If the business doesn't understand the value to them, then you won't get the buy-in. Asking people to take additional steps for compliance and risk purposes adds to their workload."
Architecting a large-scale data protection program is a complex undertaking. Amy recalls the intricate process from her previous company: "What we did was we started with identifying the geographic areas where we thought the risk was highest. And we then built out a very, very detailed project management plan based on the risks of the company," Amy explained. "And we got the compliance committee to sign off that they agreed with our risk assessment, and we went very methodically step by step, putting the program in place based on the risk of the business."
However, getting businesses 100% on-board can be tricky, especially if they don’t quite understand data privacy rules. "If the business doesn't understand the value to them, then you won't get the buy-in," Amy says. "Asking people to take additional steps for compliance and risk purposes adds to their workload."
"Departments are traditionally siloed. But you can't have privacy without security."
Just recently, Amy started working with a global pharmaceutical company. She applied a more proactive approach with understanding their security status. "We talked to them about what they think privacy looks like, and also what their experience is in terms of data breaches, whether personally or professionally. We asked for IT to provide us one of their security team members to be a part of the program build out," Amy explained. "And if we recommend that they need IT, or security support, that person is in the room and can be a part of the development. Departments are traditionally siloed. But you can't have privacy without security."
The Importance of an Information Governance Framework
With the global pandemic shifting work environments, Amy talks about business continuity challenges and how an information governance framework is more important than ever.
"Businesses can be more agile than they thought they could."
For the most part, she has had her fair share of clients initially afraid to implement new systems without solid data privacy rules. However, "businesses can be more agile than they thought they could," said Amy. "Necessity is the mother of invention, creating forcing mechanisms." She believes more people will be willing to embrace these new technologies. "I think we are going to see a lot more investment in communications, video conferencing, and messaging apps."
Monitoring KPIs in an Information Governance Framework
In the podcast, Amy shares how her company gamifies the monitoring of KPIs in their information governance framework. "For a data privacy program, we look at how many reports of suspected data breaches you're getting," she says. "For risk assessments, we ask: How many are you getting per quarter? How long is it taking you to get them through?"
Berkeley Research Group also tracks training as a KPI, but not in the traditional way. "We track it in terms of engagement," Amy explains. "So when we send out one of these 90-second videos, [we look at] how many people watched it all the way through. Then we'll have a little survey question at the end." Meanwhile, with privacy, they track data subjects or consumer requests. "How many people are reaching out to the privacy office with questions? How many data deletion requests? That kind of stuff," she says.
"We say: 'Here's what you were paying at a store, right? And here's what you would have paid if a lawyer had to review it.' And that gets executives to pay attention, because that's dollars."
Lastly, they look at the total data that the client is storing, then perform data disposition exercises to get them to start getting rid of low-value data. "We'll gamify deletion gigs, then take that to finance, put the hard numbers on it." This effectively shows their clients their storage and avoidance costs. "'So here's what you were paying at a store, right? And here's what you would have paid if a lawyer had to review it.' And that gets executives to pay attention, because that's dollars."
Data Privacy Program
In terms of data privacy, Amy also weighed in on the dilemmas of the virtual school environment, post-COVID. "I have actually talked to some schools and suggested that they do some monitoring and start looking at those messages. Look for the bullying, the inappropriate conduct," she says. "Also, on the contracting side, make sure that it's really clear who's responsible for what on these technologies."
"You'll have some families with kids who have had computers for a long time, and they know how to deal with it and act appropriately. But that is not always the case."
This echoes our own discoveries around high-risk messages in virtual school environments. The messages particularly involved cyber bullying, inappropriate conduct, and drug use. "Kids, especially in the early and middle grades have such different technology values. You'll have some families with kids who have had computers for a long time, and they know how to deal with it and act appropriately. But is not always the case," says Amy.
"You just have to monitor the right way."
Amy believes that most school districts have done the best they can to provide a virtual learning environment for children in these times. However, she also believes that improvements could be made in terms of monitoring such systems. "I have had some inquiries about the rules around monitoring. You just have to monitor the right way. And I think it will be very interesting to watch how that evolves."
You can listen to the podcast episode here, and it is also available on Stitcher, Apple, and Spotify. The Zero Hour Podcast is the intersection of information security and business innovation. Learn from industry experts in cybersecurity, marketing, and business management. We talk about the challenges and opportunities that come with new technology. Join the conversation now!