I am an independent consultant who specializes in the Security & Compliance features of Microsoft 365. Most of my customers are seeking guidance and expertise from me on how they can gain compliance using the Information Governance and Information Protection controls available to them. Although each customer is at a different stage of their journey and has unique requirements, there are repeatable conversations I have with most. The topics of conversation center around the common challenges, misconceptions, and (sometimes) hard truths based on my observations with customers on their compliance journey.
For organizations, the struggle is real.
Before diving into the plethora of Microsoft 365 Protection and Governance technical controls available to a customer (and there are a lot of them), I find it helpful to take a step back and soften the ground by having a frank conversation around some challenges that may arise throughout the course of their compliance journey. Usually customers appreciate this approach because it helps them realize early on the scope and breadth of the Compliance initiative they’ve embarked on. This is helpful for conveying to the Executive team why gaining Compliance will likely take longer, cost more, and have a bigger organizational impact than they had originally planned on.
The bright side is it will be worth it in the end.
I call this my “Elephant in the room” talk. I say this because although most people have a sense of these things, these topics often aren’t directly addressed prior to the Compliance project starting, and because of this, many organizations stumble right out of the starting blocks. If they’re acknowledged too late in the process, it can be difficult to proactively and effectively manage them by the Compliance team. My advice is to have this talk, get in front of these things, and tackle them head on. You won’t regret it.
Note: I’ve come up with 7 Facts. I call these Facts because I’ve seen them enough times with customers of mine that they warrant the label. Your mileage may vary. 😊
Fact 1: Most end-users don’t care about compliance
End-users DO care about the business value the content is providing. Unless you’re a Records Manager or on a team directly related to Compliance (Legal, Risk, Audit, etc.), compliance and handling controls are typically not top-of-mind when users are working with content.
What can help? There are 2 key components to getting in front of this and ensuring success. The first is automating compliance as much as possible – there are many automation features purpose-built to help with this issue both on the information protection and the information governance fronts such as auto-apply capabilities, auto-labeling, trainable classifiers, and SharePoint Syntex. The second is having a well-established end-user training and adoption program in your organization for “Staying Compliant”. This is a by-product of a strong governance program for your Compliance project and could include things like establishing a common vocabulary, defining the handling controls for content in your organization, and providing specific examples of records and sensitive data. Make it real for them.
Fact 2: A perfection-based approach will paralyze progress
A quote from a favorite workout instructor of mine suits Compliance perfectly…
“Progress. Not Perfection.”
This, by far, is the biggest impediment I see in organizations on their compliance journey. Paralyzed by decisions, compromises, and choices to be made, and fearful they won’t make the right (or “perfect”) one, organizations often respond by delaying and not making any decision at all.
What can help? If you can, taking a risk-based rather than a perfection-based approach is a good alternative and a good first step. (This is an approach I’ve had numerous conversations about with a retention colleague of mine, Andrew Jolly.)
Decide what needs to be retained/protected based on highest risk and protect those things. Apply blanket controls to cover everything else, even as a temporary measure. Yes, you won’t have perfection day one, but at least you’ve moved the needle in the right direction. This is the basis behind the Crawl-Walk-Run strategy, one I highly endorse. Take incremental, small steps over time to improve your organization’s Compliance posture. Make a mistake? Re-assess, re-adjust, move on.
Fact 3: It’s easier to never delete anything
That is, until you get burned! ☹ At the start of their compliance journey, most organizations I consult with don’t delete anything in an automated manner. I’ve seen first-hand what happens when organizations “over-retain”.
At best? It makes things harder to find, and it’s difficult to know where the official version of a document (the “truth”) is. Many organizations live this reality every day, and it is often the underlying reason why people “hate” SharePoint.
At worst? An organization is faced with considerable fines and expense for non-compliance due to over-retaining. For example, consider the personal data you may be storing across your tenant and your obligation under a GDPR Data Subject Request to provide the “right to erasure”. You must be able to erase these records in a reasonable timeframe (currently 1 month) – the steps you take to do this will be monumentally harder if you aren’t deleting anything and you don’t have some automated tools in place to assist.
Storage has become relatively cheap these days so fear of running out of space due to over-retaining is no longer a reason to delete anything. There needs to be a compelling reason to delete content as soon as you should, and compliance is that very reason.
Be careful… don’t be tempted to take the easy path and retain everything forever. This approach could, and likely will, burn you eventually on the compliance front.
What can help? Define a retention schedule and an information governance plan. This includes a clear definition of your organization’s business records and the retention requirements and controls around each. Decide what truly needs to be kept forever, what has different retention/deletion requirements, and what’s considered transitory or a convenience copy. Over time, plan and implement retention/deletion controls to satisfy these requirements across your tenant workloads. The Crawl-Walk-Run strategy is a well-balanced approach to implementing retention focusing on the high-value content first.
It’s also important to ensure end-users understand the “why” behind retaining and deleting content. An informed end-user is an ally in your organization on the compliance journey.
Fact 4: Compliance isn’t going away and in fact it’s getting more complicated
It’s time to lean in. The number of rules and regulations an organization must adhere to today coupled with the number of applications, the number and types of devices in use, the identities at play, and the ever-increasing cyber-security threats make today’s Modern Workplace a complicated place to apply Security & Compliance controls to… I get it. This challenge isn’t going to change any time soon and in fact I think our environments will get even more complex and Security & Compliance teams will be challenged even more to help organizations stay compliant.
What can help? There are many Microsoft 365 features to help. This is by no means an exhaustive list, but it hits on the main ones within the Information Protection and Governance space:
- Leverage MIP automation controls at scale to apply protection and retention. This includes auto-apply, Artificial Intelligence and Machine Learning capabilities such as Trainable Classifiers and SharePoint Syntex to set a Sensitivity label and Retention label
- Leverage a CASB tool (like Microsoft Cloud App Security) to gain insights into the applications your users are using and what they’re doing with the content so you can apply the appropriate controls to mitigate risk
- Leverage Conditional Access to control what can be done based on device, user location, and content location
- Leverage Data Loss Prevention to prevent your organization’s sensitive data from getting into the wrong hands
Fact 5: Compliance isn’t cheap
This may be true, but neither is non-compliance. I receive hundreds of questions each year about licensing Compliance features with the underlying focus on cost, and yet rarely do conversations center around the cost of non-compliance. It’s not a zero-sum game.
Non-compliance costs can come in many forms:
- First example: any organization that’s been fined with a GDPR penalty knows first-hand the hefty price tag non-compliance comes with
- Second example: accidentally sharing sensitive information to the wrong party can cause an organization embarrassment, loss of trust, loss of reputation, and ultimately loss of business which can be an expensive, often unrecoverable mistake
- Third example: Over-retaining content can cause what I call “back-end” confusion. Users storing duplicate copies of documents because they can’t trust anyone else’s version, spending too much time finding content, messy search results. At scale, this translates into significant amounts of time wasted across an organization’s human resources on things not providing business-value to the organization. This is an expensive problem.
Fact 6: Compliance is complicated
Don’t underestimate how complicated it can be. Looking for a quick fix? Hoping to wrap this Compliance project up quickly and move onto other things you want the business to focus on?
This is a marathon, not a sprint.
It takes a significant amount of time, thoughtful planning, training, end-user adoption, and organizational change management to execute your organization’s Compliance strategy. This is yet another reason why Crawl-Walk-Run is a pragmatic and proven approach and one I’ve witnessed success with.
Fact 7: Compliance will have an end-user impact
Get ready for it. Although you should certainly strive to have minimal impact on end-users’ productivity and collaboration experiences in your organization, the reality is they will notice and likely be impacted.
What can help? The antidote is two-fold… technology and people.
- On the technology side, there are several tools to help gain insight on what users are doing to possibly “work around” the rules you have in place (examples: Microsoft Cloud App Security, Data Classifications, Label Activity Explorer, DLP Overrides). Use these tools to help you understand what users are doing, and how you can help them do it in a safe, secure, and compliant manner. You can also use these tools to adjust your configuration as required
- On the people side, adoption is key. Use education, good Organizational Change Management practices, patience, and understanding. Have a well-established Compliance Governance team in your organization and business process Data Stewards* embedded across your teams to help manage Compliance at scale.
*Although everyone across an organization should receive Compliance training, business process Data Stewards have a special role on their own teams to help reinforce the need for good data stewardship practices for a team’s business processes at the local level (although not required, very helpful).
It’s not only about technology – behind the content are people just trying to get their job done. We need to be good technology partners with business users to realize true Compliance success.
I hope you found my 7 “Facts” interesting and can possibly relate to a couple of them in your own organization. Use these to start your own conversation with your Compliance team and look to gain alignment on how to move forward together.
Thanks for reading.
You are absolutely spot on with this, as usual.
Thanks Todd! 🙏😊
Brilliant stuff, thanks for sharing
Thanks for the feedback Craig! 🙏😊
Great set of facts! Well put together article Joanne, so many ideas for conversations on all these aspects.
Thanks Andrew! Hope you don’t mind the shout-out I gave you! 🙏😊
Many thanks, and looking forward to further discussions on the topic of risk based records management.