Episode 8

The intersection of information governance and cybersecurity with Andrew Ysasi

Andrew Ysasi is thoroughly immersed in information governance. As well as his day job as Vital Records Control's VP of advocacy, he is also a volunteer for ARMA, a teacher at San Jose State University, and a blogger at IG Guru. And he's loving every minute of it. He discusses the opportunities for information governance experts to partner with security teams to improve organizations’ security and lower risk.  

They also discuss:

  • How records and information managers can help cybersecurity professionals to overcome threats.  
  • Practical ways records and information managers can improve security.  
  • The importance of opening a dialog between information governance professionals and cybersecurity teams to ensure all data is captured and protected.  
  • What organizations should be doing right now to prepare for AI.  

Resources

🎧 FILED S02E4 Companies must focus on reducing risk, not just improving compliance | Dr Miles Ashcroft, RecordPoint

📨 FILED Newsletter The data privacy regulation floodgates have opened. Time to catch up.

Transcript

Anthony Woodward  

Welcome to FILED, a monthly conversation with those at the convergence of data privacy, data security, data regulation, records, and governance. I'm Anthony Woodward, CEO of RecordPoint. And with me today is my co-host Kris Brown, RecordPoint's VP of product management. How are you, Kris?  

Kris Brown  

Hey Anthony, how are you?

Anthony Woodward  

Yeah, good, good. I'm up on the northern New South Wales. So, my apology if there's some cows moving in the background or some other strange noises. It's I'm out sitting on a farm today, which is a little different. I wanted to introduce today's guest, Andrew, Andrew Ysasi. Do you want to say hi, Andrew?

Andrew Ysasi  

Hi everyone. Glad to be here. Thanks for having me.  

Anthony Woodward  

And Andrew, it'd be great to get a little bit of your background. You're quite a different guest, I think, in terms of some of the things you've done than we've had on FILED in the past. So, I’m super excited to have this conversation.  

Andrew Ysasi  

Sure. Well, again, glad to be here.

Andrew Ysasi  

I'm an IT person who converted into IG. I made that transition about halfway through my career to this point, in the late 2000s. Since then, I've been a volunteer here in the States at ARMA, and currently the chairperson for the Institute of Certified Records Managers. I'm not sure if you're familiar with the ICRM.

Andrew Ysasi  

I've been volunteering with them for 10 years. And a company that I worked for was a local records company that was acquired by a company called Vital Records Control. And I do advocacy for them, their VP of advocacy, and my job is to mentor, educate, volunteer, and occasionally lobby on behalf of VRC to the industry as a whole and to stakeholders.

Andrew Ysasi  

So that's a lot of fun. And I run a blog called IG Guru and I teach at San Jose State. So, I'm pretty entrenched in the records information management and IG space, especially here in the States. And I love every minute of it. If you can't tell.  

Anthony Woodward  

Look sadly Kris and I probably live in the, in a similar realm.

Anthony Woodward  

So, it's fine. Oh, sadly it's a bit harsh. Well, I was going to say, it's great to find some kindred spirits really thinking about these topics. So, look, thanks again for making some time and we really appreciate getting your perspective on what's going on. I know you've been working a whole bunch around the new ISO standard and doing a, you know, even doing some speaking and some presenting around it.

Anthony Woodward  

Do you want to give us a little bit of background on ISO 24143, if I've gotten it correct?  

Andrew Ysasi  

Yeah, you do. And thanks for asking about that. For quite some time, the industry relied on the ISO 15489, which was recently updated in 2016. Say recently, then, goodness, it's going to be 10 years in a few years here.

Andrew Ysasi  

But that was our standard that we operated on records information management. And we watched some of the other standards closely, you know, the 27000 series for security and privacy as those evolved. But we always relied on 15489 as really kind of our industry standard. And I was watching very closely the progress on the iso.org website to see when and how the new standard for information governance, the inaugural standard for information governance, you know, would be rolled out. What would be in it? And May of last year, it was released, and it was really an abridged version of what we're going to be seeing down the road.

Andrew Ysasi  

But it's been consistent with some of the information governance frameworks conversations, at least from a strategic standpoint, that we've seen from associations around the globe on how to tackle information management at a strategic level, but also incorporating all the important functions of an organization, specifically, with this conversation that's germane, cyber security. And hopefully, from what I hear, inside sources say that the full standard will be available in 2027. So, we have some time to adapt and to start to raise awareness about the standard, but it is coming. It's real. It's not a buzzword anymore. This is something that we can kind of put our stake in the ground and say, this is a super discipline we can look forward to hopefully helping us with these cyber security and information governance challenges and opportunities now and in the future.  

Kris Brown  

So, Andrew, let's dive into that a little bit further, right? So, we like to talk about the intersections of these two things. So, information governance and that cyber security information security element, and even looking through the standard itself, you know, it sort of has all of the standard topics, your data management, you know, your regulatory compliance, your digital preservation, but as you work your way through the topics, it starts to get into open data and blockchain and quality management.

Kris Brown  

And yeah, obviously with an eye to 2027, I think you just said we want to make sure that we're all still ready there. How do you see that intersection playing out with professionals? So, the listeners of the podcast, for example, you know, what are the things they should be looking out for? And I'll obviously press, and I'll probably keep pressing as you, as you're talking, press on, you know, what's the advice? So how do you see that intersection playing out?  

Andrew Ysasi  

Sure. I think that right now organizations we know are struggling with cyber security challenges. That industry has matured very quickly because of, you could say, the baptism by fire, just the amount of attacks. The threats that are out there are very real, and cyber security groups have a significant amount of resources available to them to protect organizations, but they are in many ways outmatched by not only bad actors, but nation states.

Andrew Ysasi  

It's a very difficult game to keep up with. Unlike cyber security, the RIM group side of things, we've been very mature for quite some time. The concept of data creation, how the data information flows from organization, how long to retain it is something that we who all grew up in this space are familiar with.

Andrew Ysasi  

So, I think there's opportunities for both of us to, with information governance being the catalyst to be able to help each other and say, look, you're under assault over on the cyber side. We over here in the records side can help you. And vice versa. And I think the information governance standard alone is a great segue into that conversation if there hasn't been a way to find that opportunity to talk about it up until now.

Kris Brown  

And so how do you think those information governance experts, the RIM teams, how can they practically impact cyber security from your position?  

Andrew Ysasi  

There's a number of different ways, but I kind of start, you know, at the academic side of looking at the principles of records information management. You know, what do we own?

Andrew Ysasi  

There's a lot of overlap when you look at IG and you start to peel through and look at, you know, if you have a Venn diagram of who's responsible for what, you know, that might have to be defined by an organization because there could be four or five groups part of the IG ecosystem that would claim responsibility or portion responsibility.

Andrew Ysasi  

But the two areas that typically live within records information management as far as ownership goes is retention and disposition. And if we can have a conversation with cybersecurity around that, specific to not only the information that cybersecurity is protecting, but also maybe the records that they're producing, that, I think, gives us the opportunity as RIM professionals to at least help with reducing the potential landscape that could be at risk by applying retention and also disposing of information securely, whether it's redundant, outdated, trivial, we've heard the term ROT, or if it's genuine records that come up for destruction. If we can be a part of that and operationalize that, if we haven't already, I think that's really the first step. So, at that point, we are a partner in that discussion, instead of just a, well, call the records people and have them bring in some shred bins and shred all the stuff and have them leave again, if that makes sense.  

Anthony Woodward  

One of the problems we observe a lot of though in that conversation is people still think of the IG professionals as dealing with documents and dealing with shredded paper but dealing with electronic documents and not all data.

Anthony Woodward  

So, I'm interested in your thoughts around how do we expand that with cyber, so they understand that if you are in effect lowering the attack surface by having the redundant, obsolete and trivial data, including both structured and unstructured data removed from the systems via a set of processes, how do we go about telling them that?

Anthony Woodward  

Because I think there's a lot of pigeonholing of people where they think this is about Word documents, Excel documents, printed documents and not structured data. Or see even semi structured data.  

Andrew Ysasi  

Sure. No, that's a great point. And that is unfortunate that that's out there. And I will, I will say, cybersecurity folks are very, very smart.

Andrew Ysasi  

Very intelligent. And when I taught technology, most of the individuals who went into cybersecurity had to know many disciplines within IT. It wasn't just something that they could study cyber, they had to understand programming and networking and understanding the operating systems and the different flavors that are out there.

Andrew Ysasi  

They had to have a broad knowledge of technology as a whole. So, by the time they become a cyber security expert or an analyst, they've been there and done that. Fortunately for them, the folks on the RIM side are also smart and they're just smart in a different way and have different experiences. And I think when we can come together and explain our backgrounds a little bit and how we can help each other and why our professions exist in the first place, that can help hopefully break down some of those misconceptions that are there.

Andrew Ysasi  

And I think I know most of the cybersecurity people I know are very data driven. So, if you were to show publications about managing 2000s.

Andrew Ysasi  

Into semi structured, you mentioned semi structured repositories and showing what we are doing to build knowledge on managing information within like a Microsoft SharePoint, Office 365, Teams, Oracle, SAP, how we're managing records in those environments, and even in the cloud, that hopefully will build that or validate our experience that, look, we understand paper records coming off of copiers and shredding them, but we can also apply those same principles and concepts to structured data, as well as semi structured data and really all information, whether it's within our quote unquote network perimeter or relying on a third party to manage it for us.

Kris Brown  

And I think that's an interesting comparison, right? Like, the paradigm for the cyber teams has moved on, like, you know, that that perimeter element is sort of where they, if I take the same approach of, you know, what cyber probably thinks records team does is just say, we bring the shredding bins to the room and away we go.

Kris Brown  

I'm sure that there are plenty of IG professionals who are like, oh, well, the cyber team puts the wall up and protects us from inside the wall. But the pandemic has moved all that outside the wall, we're all SaaS, we're connected everywhere, we're working from many, many more locations. So, their role has genuinely changed in this, there's an acceptance certainly from the IG community that our role has changed too, but I guess my question here is, how do you see, and is there a weakness, if you will, where cyber does genuinely look at, and I think you even mentioned it a moment ago in your answer to Anthony's question, but they look at all the data, you know, whereas records professionals potentially aren't looking at all of the data today.

Kris Brown  

Like I'm looking at the standard that's, it doesn't use the word all a lot, but it just sort of talks to the totality of the information that, you know, helps the business do its job. Do you think that there's still a gap there in terms of the IG professionals going, well, you know, what, what is all?

Andrew Ysasi  

Oh, absolutely. There's a gap and I'm glad you brought that up because I think strategically where is going to make a difference is it's going to bring the records folks to the table and get a view into what they may not have seen before because cyber they have the burden of protecting all information.

Andrew Ysasi  

However, there could be very strict policies about what information is being created, when and where, because of the threats that are out there. And by the time they may put their controls and their patches and whatever they have in place to protect that repository, that information, then records might be aware of it, or maybe come across it during an audit of some sort.

Andrew Ysasi  

So, what records may think they know, cybersecurity probably has a better understanding of the entire ecosystem. So, by having that connection early, you can then have hopefully a conversation about retention of information, disposition for information, hopefully set up in advance and be proactive with those discussions.

Andrew Ysasi  

And even with IG, and I know we're not talking about information privacy. If you bring those privacy folks into the conversation, you might be able to anonymize data, especially if there's PII involved, instead of having to prescribe something after the fact. So, there's a lot of benefits to having IG, at least strategically, and as it flows down operationally. Having us break down those barriers now is helpful. And I think it's important to note, too, that the amount of information for cybersecurity and how to learn is very plentiful. A lot of it's free resources. There's, you know, the MITRE ATT&CK Framework. There's the Cybersecurity Framework here in the States, NIST 2.0, where I think it would behoove IG and RIM professionals to square up their knowledge in what cybersecurity folks are looking at to either simulate attacks or to prevent attacks from happening, and find opportunities where records may be created within those functions.

Andrew Ysasi  

And then you become that copilot in a way as it relates to protecting the organization moving forward versus trying to always wait for being, to be invited at the table. And that's all pre IG stuff. If IG is not there, hopefully already at the table anyway. But prior to that, you know, there's some things that you can do and not have to wait for a formal program to be set up.

Anthony Woodward  

Yeah, one of the things that is sort of implied in the new ISO standard, and I think, you know, we saw hints at it even in 16175 as a standard previously, was data loss prevention. So not just the processes that wrap around disposal and retention and classifying, but how do we actually start to integrate into that DLP sets of processes and being able to protect IP?

Anthony Woodward  

Have you seen any good examples of that occurring out there? And do you have any playbooks around IP protection?  

Andrew Ysasi  

Yeah, that's a great, great point. So, with the data loss prevention, I think the one area to look at is where I kind of go back to my IT days, and I apologize in advance to your audiences. Sometimes I digress into personal experience. But when I was a system administrator rolling out Microsoft products, you know, that would be hundreds of thousands of policies you could set within the software. And if you didn't have that identified in advance, sometimes you'd say, well, that looks good. That looks good. You as the IT administrator or system are making those decisions for the organization that the organization either doesn't want to be bothered about or has no idea there are out there. And so having the understanding that these switches or options are available out of the box for products like Microsoft and others, that could allow the IG team to create maybe guidelines. You know, step by step may be difficult because of just the enormity of the policies that you can choose from within the software products, but at least giving you guidelines. So, these teams or these subcommittees can then create these policies and these repositories that are being created or have been created and can be applied and pushed down.

Andrew Ysasi  

That can be very helpful with mitigating data loss. There could be new features that come out that you can apply after the fact. And then of course, there's the training aspect I think is incredibly important as well. I know many of you probably have gone through mandatory training, but any, my recommendation organizations that I talked to is that you can have training that's tied to the specific applications that the employees are working on.

Andrew Ysasi  

That's going to resonate a whole lot better than kind of conceptual issues or concerns, and not saying that that's bad, but if you really want to make a dent with the data loss prevention, you almost have to say this is the wrong way to send an email in a safe environment or in a sandbox of some sort. By simply adding an information with that could have personally identifiable information in it, or a wrong email or untrusted email, you can show how data loss prevention can automatically protect those things. And if you don't have data loss prevention in place, how the software capabilities don't protect from those types of threats, because I don't want to stun you, but humans, we make mistakes, right?

Andrew Ysasi  

So, we have to protect ourselves from ourselves at times. Yeah, no, absolutely.  

Kris Brown  

The standard itself sort of talks a little bit about AI, but given that it was published in 2022, and 2023 is the world of large language models and ChatGPT, I'd be interested in your thoughts about what needs to happen between now and say 2027 in that space.

Kris Brown  

And obviously I'm asking you to pull out your magic wand there, Andrew, and what's the future look like? And I'm not sure any of us were ready for that future yet, but talk to us a little about what the standard calls out now for those on the, again, the listeners who aren't particularly au fait with the new standard. Like, talk a little bit about your understanding of what's there and then where does it need to go?  

Andrew Ysasi  

For sure and I'm going to kick that question right back to you folks because I'm curious to get your take on this as well. AI and blockchain technology, or you know, what could say emerging technology? At least those are the two technologies that at this point in time are considered emerging tech are referenced in the standard, but very, very little information is mentioned.

Andrew Ysasi  

So, I think what organizations personally need to do right now is at least put the responsibility of AI somewhere within the organization, whether it's through technology, legal, somewhere. If you have an information governance committee, you know, have a subcommittee, you know, with AI, because AI is being used in your organization, probably whether you like it or not, whether employees have their own ChatGPT accounts, whether they're using tools to fix how they write or to write information for them, they may be using AI to help do presentations or training.

Andrew Ysasi  

So there needs to be some overall governance to give employees in the organization some guidance, because there are some real, not only security, but IP, confidentiality, potentially privacy concerns with using some of these tools where we feel comfortable using them to make our job easier, but they can be presenting a lot of risks that we either have to deal with immediately, or we're going to find out down the road, we missed the boat.

Andrew Ysasi  

So, I think just starting with putting a person or committee in charge of AI is important. And I'm going to turn that right back to you guys. What do you guys think about AI right now and how it integrates with IG and where we should be and what we should do today?  

Kris Brown  

Yeah, look, certainly as the product VP here at RecordPoint, we're pretty proud of the fact that what we're trying to do is bring that help to the information governance group through using AI to help classify.

Kris Brown  

So, our product, for example, will allow you to build models on your data. It doesn't leave the system. It's your data and therefore they're your models, but helping you to understand and build for scale. So, it ties back to that message I said before about "all". Selectively managing some of the information in the business does not a good information governance plan make.

Kris Brown  

But being able to do that for everything, the volume of data just is ever increasing. The investment in IG staff is not, and so we need to be clever about the tools that we use. So, I think there's lots of good use cases, and I think the statement you made around having a good understanding of what it is and what it means is important.

Kris Brown  

More recently, we've done a webinar around ChatGPT and its applicability into this space. And obviously there are the privacy and other concerns that are related to that. But again, allowing public models to help determine the type of information you have or where the risk may lie. Again, at scale, but these machines are able to do this 24/7, all day long.

Kris Brown  

It's repeatable. It's consistent. These things are predictable, if you will, and therefore I'm trying to get to a place of “explainable” where you're able to understand what has happened and why it's happened. And so that you're able to prove that wonderful word of the information management space, which is provenance, right?

Kris Brown  

Understand the provenance of what really happened, because that ultimately is what needs to happen there. We're not going to be able to go to a court of law and go, well, it's not really my fault, sir. The AI did it, you know, that was the decision made by them. We need to train it. We need to take responsibility and therefore we need to be able to see what it's doing, explain what it's doing and be able to prove that.

Kris Brown  

If you now move to the generative AI component. I think this is incredibly important about what we do with that data. I think generative AI can help cyber security understand what could happen next. I think generative AI can help an organization from an IG perspective say, this is the policies you should be making based on the data that we're seeing.

Kris Brown  

I think there's, there's lots of really cool use cases that are in this space. So, I'm very pro. I think we've only just scratched the surface and, you know, but I think the advice that you've given is solid, right? Like organizations should understand what they're doing today, what the challenges are. I think that's starting to become more and more well known.

Kris Brown  

I'm not pro, let's slow it down and, and do those. Don't, don't get me wrong. I probably see the good in a lot of people and maybe I'm a little bit innocent in that way, but there are concerns.  

Andrew Ysasi  

Yeah, no, you bring up great points. I think one of the other challenges within the cyber security space is retention of just people and organizations right now.

Andrew Ysasi  

Big tech, you know, unfortunately, they're going through some pretty heavy layoffs. And I think one of the things that we're quietly going to see is, you mentioned with the generative AI with large language models. If there's a private repository that AI is going to be maintaining, especially on the cyber security side with how the organization responded to threats in the past, who responded and what was done, what were the outcomes that can be incredibly valuable down the road to people who show up and have to get in.

Andrew Ysasi  

They can simply just type in questions or maybe have questions automatically fed to them from AI to get them up to speed very quickly. Whereas before you had to rely on tribal knowledge or technical documentation or something else. So, I think there's a lot of great benefit to that from the cyber side.

Andrew Ysasi  

And I think on the RIM side, holy cow, we were worried about people and systems generating data. We saw from the kilobytes and the, all the way up to the brontobytes. And now you've got AI systems generating information that to me screams opportunity for RIM folk when it comes to, as you mentioned, provenance and retention and disposition of information.

Andrew Ysasi  

And maybe it's as easy as asking the system to say, hey, purge all information that was created by this AI, we'll say creature, you know, around this subject and then give me a detailed report that will be defensible, you know, if challenged, and then bam, it just shows up. Now, it's pie in the sky stuff. But because we're scratching the surface right now, by the time 2027 comes around, I don't know if that could be even advanced upon. AI is moving very, very quickly.

Andrew Ysasi  

It's almost quicker than what I've seen some of these other technologies move and being in the space since the mid-nineties. So, I wouldn't be surprised if there's other technology that comes off of AI. You know, as we saw kind of with the cryptocurrency space where it was Bitcoin, and then there's just proliferation of all this technology and DeFi economies.

Andrew Ysasi  

Now I can see reacting that way. And if not even faster, and of course, organizations and the law governments are going to be behind. Academia is going to be behind. When it comes to research and putting legislation there. So that to me screams opportunity for RIM and opportunity. And also, we need to get our act together from an IG standpoint to get ahead of all of this.

Anthony Woodward  

Yeah, I find it really interesting as I've observed this, like AI is not new. These are concepts from the 1950s and the 1960s that are now just being put into place. Which is really a very strong juxtaposition to blockchain, which you brought up, right? Because blockchain is a series of very new concepts around how you manage data.

Anthony Woodward  

And to be frank, if you were to ask my personal opinion, this is not a RecordPoint opinion, this is an Anthony opinion, I'm not sure that blockchain is going to see its life out. I think it will be replaced by other things. And I say that because I think there are some really interesting concepts in blockchain, but as a technology and as a technologist, even myself, I'm kind of cold on blockchain.

Anthony Woodward  

I've never been cold on AI. I think AI was always going to go through a march, and it's sort of going through these waves of just getting better and better and better. And if you said to me, hey, in fact, we do this in our own business. So, at RecordPoint, you know, where do you want to invest? Is it blockchain or AI?

Anthony Woodward  

And certainly, we actually had those debates. Probably seven or eight years ago, and we very strongly went down the AI route through those choices. And so far, it looks justified. And the reason I say that, right, is blockchain really requires a central, although the whole idea is to decentralize, you've actually got to have a centralized metaphor that everyone's going to buy into.

Anthony Woodward  

And I think all of these people here in the room, I know, certainly Kris, but I think you as well, Andrew, I'm sure I saw your name five years ago, six years ago, we were still talking about things like CMMI and integration between systems and how were we going to get data out of, you know, this sort of TRIM system to OpenText to whatever.

Anthony Woodward  

And we're only doing it on the basis of documents even. Right? So, this notion of, we're all just going to jump to, it'll all be in a blockchain, it'll be in the cloud and you're not going to manage it anymore. And it's a wonderful, it's a big step. That's out there somewhere. What's not out there? As I said, I think those concepts will come to fruition eventually, but is it in the form of blockchain?

Anthony Woodward  

Probably debatable. On the AI side, though, it's already here. It's been here for a while, and it's just getting better. And I think that's really the conversation I like to start with people, because there's a lot of people who are surprised that it just arrived and it's like, you're right. It is sort of surprising in that it's become a very useful tool very quickly, but in reality, as a piece of academic research, it is a piece of something that's been integrated into technology for a while.

Anthony Woodward  

It's actually been sitting in the background. You know, GPT is nothing more than a really large Monte Carlo simulation, right? Now it's really large, but it's all it really is. Yeah. I think the generative AI stuff that's, that's really kind of captured the attention and had more of the wow factor than, than anything else.

Andrew Ysasi  

You know, the large language models, those are, you know, those are cool, those are fun, but you guys remember the stories about when Microsoft turned on their Twitter bot or they had Cortana, there was some sort of version or product they came out with, I want to say it was even pre-COVID, and it became temperamental, foul mouthed, and just bad, right?

Andrew Ysasi  

I mean, it was, so I think people got a snapshot of, you know, if you don't have some sort of, as you mentioned, program governance or idea around this, at least with the AI side, you're going to potentially run into some problems. Some trouble, but I do think, and I think with the ISO talking about blockchain, I think it's relevant.

Andrew Ysasi  

And I agree with you that it's not going to be as relevant as what I, I think that's going to be more on our face from an opportunity and a challenge, but I think blockchain certainly when it comes to digital preservation, there may be blockchains that are decentralized storage nodes that are out there.

Andrew Ysasi  

Maybe some information is out. We have to manage now, and we have to contain or understand what's there. But I think on a broader scale, I kind of talking outside of cyber and IG. I think blockchain, I would love to see blockchain technology, ledger technology fix our monetary systems that we've grown accustomed to.

Andrew Ysasi  

But I think that's an entirely different conversation, probably over cigars and whiskey on a different type of format.  

Anthony Woodward  

We can start another new podcast if you like.  

Kris Brown  

Blockchain, I mean, cigars, cigars and whiskey. I mean, yeah.  

Andrew Ysasi  

And then start talking about the Bitcoin standard and the challenge with fiat currency and go.

Kris Brown  

So, Andrew, some of the things I'd really be interested in and probably more to, again, pick out experience. Like, can you give us a, what's your highlight or what's a really great customer story, or a really great working relationship story that you've had that ties this, you know, here's what it should look like?

Kris Brown  

We don't need names, obviously, but just more of the, can you give me a story of where IG and maybe cyber or IG and someone doing something really, really positive in a space ties back to, to, you know, these, these concepts and the, you know, the, the direction that we want to go?

Andrew Ysasi  

100%. So, one story that I can tell you is that there's an organization that had really challenging audit results that were going to put their operation at pretty big risk, not only internally, but from external factors.

Andrew Ysasi  

So, I can't get into specifics here, but I think the audience will be able to follow that. Yeah. The outcome resulted in senior leadership saying we need to do something clearly, you know, this is going to impact how we do things. And when the RIM team and the IT team came together, it was the RIM group that were having conversations about.

Andrew Ysasi  

Basic records and information management, tell us what you know about what's being created. Tell us where information is flowing through the organization. And how do you understand retention disposition? And what came out of that was IT being very open about here is the system that we use to manage all of the known IT assets.

Andrew Ysasi  

Here are the reports we get from accounting to show what we are spending our money on and where our budget's going to as it pertains to anything technology, and what that ended up doing was it certainly expanded the ecosystem of knowledge of what the data map could look like from the RIM side. But it also let IT be aware that you've got a partner and a resource over here that can help you get into some of these areas that maybe were unseen before or not visible to the RIM folks, where they can then apply retention disposition. And the result of that was a very pleased regulatory body when it came to a post-audit report that frankly was scathing. And I don't want to say that RIM saved the day or IT saved the day, but because they worked together, in some ways had accidental IG involved. That was significant because not only did it fix the audit issue, but it also moving forward said we need to work together. So to me, that's probably the best example I can give to your audience today of what I've seen, where the convergence of IT and RIM coming together with, with IG in mind has benefited the organization.  

Anthony Woodward  

If you think about the standards in cyber security, though, so if we go from the other side and we think about the 2700s and the NIST frameworks that you talked about earlier, and we talk about the cyber needs, I wouldn't mind.

Anthony Woodward  

Also in this question, unpack it a little bit. We talked a lot about cyber as a concept. If you wouldn't mind kind of defining cyber from your perspective, then talk about what are the problems today and tomorrow that are going to be the most urgent that we in the IG community should be thinking about beyond those elements we've talked about.

Anthony Woodward  

So, there's a little bit more color to that that we can share. Sure.  

Andrew Ysasi  

So, and I'm looking over here. I'm just going to go back to the MITRE ATT&CK matrix. And you mentioned that cybersecurity NIST, and there's obviously the COVID framework. I think holistically, we in RIM have to understand that cyber has a lot of frameworks and governance out there to help them with their challenges, but they have limitations with resources, and they have limitations with budget, just like we do.

Andrew Ysasi  

So, I think that an understanding of what the challenges are today operationally that the organization has, I think that's something we need to be aware of because there's book challenges, right? You know, look at these frameworks and you can see on paper what you need to do, but that doesn't necessarily apply to what the organization has.

Andrew Ysasi  

So, I think there needs to be an approach of what do we do today to help today? And then moving forward, where are our gaps against this specific framework that we want to pick? Or maybe a framework that the organization is using, and if there's a retention disposition element there, highlight that from the RIM side.

Andrew Ysasi  

And I think also from the cyber side, continuing to train up, I'm going to go off on a side here that some RIM folks that I've talked to get frustrated reporting to legal because sometimes they feel a little out of the action. They feel a little away from the technology, maybe more reactive, and they want to be more on the ground floor.

Andrew Ysasi  

And I think this is an opportunity to spread your span of influence over on the cyber side, but really understanding where some gaps could be and helping them fill in, whether it's in a quasi-analyst type of role or working side by side on some of these projects or operational functions of cyber security.

Anthony Woodward  

Absolutely. And it's a great answer, I think, for everyone to think about. Look, I mean, I suppose just in wrapping up, Andrew, do you have any blogs you follow, any places that we can, A, find you, and B, that you think we should be spending more time at, or podcasts that you'd like to follow?  

Andrew Ysasi  

Well, IG Guru is one that was the old records information management listserv that's evolved into a WordPress site that I encourage everyone to go to.

Andrew Ysasi  

The information that Peter curlers publishes from the news, the information that your sponsors and the community put out, I think is, is helpful to try to keep up with all IG trends. I personally, on the cyber side, you know, I look at Hacker News. I look at slashdot.org. When it comes to tech news, I also like to read what the New York Times and what Bloomberg are saying about technology.

Andrew Ysasi  

Typically, these bigger markets are going to know things obviously more than quicker than what the folks in Michigan here that will come to me. So, I'd like to see what's going on there. I also attend cyber security conferences and talk to folks and find out what challenges they're having it. And I'll be honest.

Andrew Ysasi  

Sometimes I don't even understand what they're talking about because they use so many acronyms and I think I'm the acronym guy and initialism guy. I should know. And then I have to write down and take notes and go back. So, I think that the knowing that the connections that need to be made with the HR folks, the finance folks, some of the folks that aren't mentioned, we need to reach out to them too, and network with those folks, because I think there's some subgroups within IG that.

Andrew Ysasi  

If we don't help each other, we're going to have to rely on some future idea or AI is going to tell us what to do. And at some point, humans need to be involved, right? We need to be in charge still. We can't, we can't rely on Skynet. We already know how that ends. So yeah, I would definitely keep up with that human connection.

Anthony Woodward  

Not great. No, it's a great piece of advice, I think, for everybody. Thank you very much again for your time. This has been an amazing conversation. As you say, we're definitely going to need to find a spot in the world and many hours of conversation with a good, good whiskey and, and I don't smoke cigars, but it's certainly a good whiskey.

Anthony Woodward  

From there, I want to thank the listeners. This has been FILED. I'm Anthony Woodward.  

Kris Brown  

And I'm Kris Brown. And we'll see you next time on FILED.
