What Do Experts Really Think About Compliance Implementations in Organizations?

RecordPoint recently hosted a panel of nine Microsoft MVPs and experts to discuss how organizations view and implement compliance.

The conversation was inspired by independent research that was recently released in partnership with CollabTalk and the BYU School of Business. If you are interested in reading the research whitepaper, it is available for download.

The panel discussion is enlightening because it covers specific stories and examples from organizations to complement the statistics from the research. For example, one MVP talks about how one company has developed a chargeback model for compliance that drove adoption and covered the implementation costs.

The discussion is below as a video and a written transcript. Please add your questions in the comments!

Transcript

Erica Toelle: Hey everyone, welcome to today's Expert Webinar. Today we are going to have a panel discussion of Microsoft experts about some recent research that we released on organizational compliance and security practices.
I am your host today, Erica Toelle, and in just a second, we will introduce our panelists. Also, you can download the white paper at the link below, and that link will be available on the other slides as well.
This webinar is part of our monthly Expert Webinar series here at RecordPoint. So, this series is designed to highlight real-life case studies and examples of records management, governance, and lifecycle management in organizations.
So, today is kind of a meta day in that we are discussing some scenarios across many organizations we have uncovered through this research. Here is some background about the study.
This study is independent research that we did in partnership with CollabTalk founder Christian Buckley as well as with students at BYU Marriott School of Business. The students are the ones that designed and executed this study, following research best practices. Moreover, then Microsoft, Spanning and RecordPoint, as well as a couple of other companies, were the sponsors of the study.

Microsoft MVP Panelist Introductions

Erica Toelle: So, let us go ahead and introduce the panelists. If we could go in order of the slide to make it easy. So first, hi I am Erica Toelle, the Product Evangelist at RecordPoint and a Microsoft MVP. I will be the moderator today.
Anthony Woodward: Yes. Hi everybody. I work right closely with Erica. I am the CTO here at RecordPoint, and we will be contributing our thoughts today.
Antonio Maio: Hi there. My name's Antonio Maio. I am an Associate Director and a Senior Enterprise Architect with Protiviti.
Brian Culver: Hi, this is Brian Culver. I am an architect at Expert Point Solutions and a Microsoft MCM.
Christian Buckley: I am Christian Buckley. I am the founder and CEO of CollabTalk. We are an independent research and technical marketing services company. I am also a Microsoft MVP and Regional Director.
Liam Cleary: I am Liam Cleary, founder and owner of SharePlicity and a Microsoft MVP.
Eric Overfield: And here, Eric Overfield, president and co-founder of PixelMill as well as a Microsoft MVP and a Regional Director.
Joel Oleson: I am Joel Oleson. I am an Architect and founder of Joel 365. I am an MVP and Regional Director as well. Great to be here.
Richard Harbridge: Awesome. Hey, I am Richard Harbridge, I am the Chief Technology Officer for a company called 2toLead. So, I work with customers on strategy around these things that we are talking about today.
Erica Toelle: Attendees - please ask your questions in the GoToWebinar questions area. I will be moderating those questions, and we will jump in to get them answered.
Christian, since you were the instigator of this project, would you mind telling us a bit about the method?

The Research Methodology

Christian Buckley: Sure! I have done several projects in partnership with the Marriott School at Brigham Young University, which is the business graduate school.
The method that we follow is always the same. There's primary and secondary research.
The secondary research is when we go and look at other sources, other studies, and added data that is out there. Some of it is publicly available, some of it is through a paid source, such as Gartner, or other platforms and programs.
There are hundreds of databases that we have access to through the university’s research services.
The primary research is surveys, interviews, and panel discussions that create original and raw data that we also folded into the analysis.
Another piece of primary research is the community aspect. I think this is an important distinction, especially when we are talking about research done within the Microsoft ecosystem.
Because we have such an active community, especially around SharePoint and the broader Office 365 ecosystem, we have such a vast technology evangelist ecosystem, such as the MVP program, Regional Directors, vendors, and partners that are within that system.
Moreover, so, we get their perspective and layer that onto the customer primary research and all the secondary research.
Then the next step is the actual analysis and the review, and the recommendations that come out of that study. Also, we provide that as the final research report to the sponsors of the program.

Demographics of Survey Responses

Erica Toelle: Great! Thank you so much. I think before we jump into the responses to the questions, it is essential to understand who responded to the survey. So overall, there were 195 responses.
Christian Buckley: The 195 were complete responses, to clarify. There are actually at least that many, if not more, partial responses, which we remove as part of the cleanup. That is a crucial point to make about how we compiled the data.
Erica Toelle: Excellent. Thank you for that. So, here are some stats about organization size:
• Most of the responses at 23% were from organizations with fewer than 50 people;
• Followed by 1000 to 3000 people in an organization at 22%;
• More than 10,000 at 14%;
• And then 15-250 at 13% and on down.
So, we do have a variety of organization sizes, small and large.
Then if we look at who responded to the survey by industry, it was interesting that a lot of the responses were:
• From public sector or government organizations at 22%.
This perspective is essential when you are talking about compliance and security, especially in the compliance area, they often have stringent regulations with which they need to comply.
• Then after that, we have technology at 18%;
• Resource industries such as oil, gas, mining, utilities, at 5%;
• Education at about 5%;
• Finance at 5%;
• Services rounded to 5%, et cetera.
This result is exciting because we do have a lot of highly regulated and public sector organizations that responded to the survey.
When we look at the roles of the respondents,
• Most of them at 18.5% were compliance officers;
• Followed by consultants, directors, senior managers, and senior leadership executives at about 9% each.
• Also, then, of course, other typical roles such as IT manager, information worker, et cetera, after that.
So, also the right cross-section of roles. So, this shows that the right people responded to the survey. So, it was not just developers that did not know much about compliance and security. It is the people who run those programs that responded to the survey, which is excellent.
Christian Buckley: Moreover, that is another thing that the team tried to go in and screen those out as part of that method because the quality of the data dramatically improves when you have the right people responding to the survey.

Technology Environments of Survey Respondents

Erica Toelle: Yes, excellent job with that. Then we will go to our first question here.
It is also essential to understand when we are talking about compliance and security, what environments we are working with, and what people are thinking about when they are responding to the questions.
• Most of the respondents are running in a hybrid environment with a combination of Office 365 and on premises at 64%.
• Interestingly, other public cloud solutions such as Box and Dropbox and G Suite came in next at 47%;
• Followed by Dynamics online and Salesforce at 42% each.
• Then down from there, other cloud solutions such as Rackspace 36%;
• Legacy ECM platforms at 32%;
• Office 365 only at 22%, et cetera.
This point is where I would like to ask the first question of the panel.
Does anything surprise you about the responses for the environments in this survey?
Anthony Woodward: We talked a lot, Erica; I think here at RecordPoint we were quite surprised. I mean the hybrid number we saw is certainly something we had seen out in the market place, and that was standard.
However, we were surprised that the next result was cloud solutions such as Dropbox and G Suite. We had expected that that was going to be something more like on-premises solutions or even the legacy content management.
So, it was interesting to see that that collaboration mode for organizations has changed. Moreover, even as we drilled into the data a little bit, also about things like Slack in there was an interesting data point around how people are starting to use some of these tools that fit around that.
So, from our perspective that we are shocked by that data point.

How Are Cloud Services Used by Organizations?

Christian Buckley: One thing I would like to say. So, while we do not have the logical pivot on that data point would be, I wonder how much they use these services? What is the depth of that data point?
I may use the full Office 365 suite and yet I have a paid version of Dropbox because for specific partners, for example, the design companies that I work with because that is how they work.
So, it is mostly just a folder that I drop things into or pull things out of when I am working with those partners versus all the other productivity collaboration that I try to do within the organization with my clients. I do not know if any of the other panelists have an opinion on that, whether the depth of usage is there.
Joel Oleson: I would add on, I have asked this question a lot in a lot of the webinars that I have done. I think it has a lot to do with how you ask the question.
Meaning, if you supply a lot of different options and people can check multiple boxes, I have seen hybrid go as low as 10 or 20%, where typically, there is both Office 365 and SharePoint, and people can choose what they have.
If you were to say configured as a hybrid environment, I think that number goes way lower than saying, I also have this, and I have that. So, I put this as that has the big bucket of these organizations have both, and their environments are not fully migrated. That is kind of how I am interpreting the data a little bit, and I am extrapolating based on my experience.
Richard Harbridge: I think it is essential to understand that there is a variety of environments, right? We do not see Microsoft centricity here. We do not see cloud centricity. We are seeing that you need to have solutions and approaches that are going to work holistically.
Also, that is still a need today. Unless you are a small, 50-person company that has been cloud only, it is unlikely that you do not have some legacy or on-prem scenarios that you must protect.
Everyone has these sanctioned or unsanctioned file-sharing services and other things policed in their organization. So, I do not think this surprised me, but it was more useful in context with the rest of the data to see how people were addressing this problem or not addressing it as we saw in some of the other results.

What Workloads Do Organizations Use?

Erica Toelle: That is a perfect segue into our next question, which is:
In the Microsoft world, what workloads do organizations use? Do you have any thoughts here?
Liam Cleary: I thought Exchange would be higher than SharePoint.
Christian Buckley: Big time.
Richard Harbridge: It could be biased towards who has answered as well. Because if we think about compliance, compliance is for many organizations, from an IT perspective, they look at compliance for Exchange as kind of you configure the policies, and you are done.
Whereas I think as you get more into files and content, it becomes more strategically important. So, I think that is also why you see OneDrive. You see Microsoft Teams, places where there are files way up there compared to areas where traditionally there are not as many shared files.
Anthony Woodward: It is possible that there is some confusion due to Microsoft branding.
Executives see Outlook as a primary tool, but it was not in one of the options to select. So, Exchange to them was not an obvious choice. Indeed, as we drilled into that, it was one of the results we saw. So, SharePoint may become clear as a result.
Eric Overfield: Along the compliance side, when I see something like Office 365 Groups that low, I think if you are using Teams, you are using Groups. If you are using SharePoint, you are using Groups.
So, I think that is a little concerning, and that gave me more context as to the rest of the questions of what people do and do not know. The fact that Forms is low told me a lot too.
Christian Buckley: That is a good point, Eric. However, I think it is intentional that we asked the question the way we did because there may be a gap in understanding of underlying technology.
However, I think that it was a miss not having Exchange and Outlook called out even more. It would be interesting to have Exchange and Outlook listed and see the difference.
Eric Overfield: Yes, great question.

Power BI Usage in Organizations

Joel Oleson: That Power BI is high on the list surprises me. Meaning, this says a lot about the organizations that responded. If those who did reply to this have a lot more structured data, they focus more on analytics and reporting, because I would expect Power BI to be lower than Power Apps, as an example.
Christian Buckley: Yes, for these users, I am not surprised that it is that high.
Richard Harbridge: However, I think if you are an organization that rolls out Power BI, then it is high in your priority because data is incredibly essential to have compliant, especially with GDPR.
Also, there are places where we must be more in-depth in our inspection and the protection of our data. So, for privacy reasons and otherwise. Honestly, it feels about right because if I think of just like the other studies, we have done around Power BI as a rollout across organizations, it is about a 60% number.
So, this is not that far off how many organizations are even using Power BI today. Where it is a prominent thing with which to concern yourself. However, if you do, it is going to be on that list at the top.
Anthony Woodward: I was going to say that I see a ton of Power BI and we do not have this on the list but a ton of reporting services as well.
Christian Buckley: Sure.

Who Owns the Security and Compliance Program in Your Organization?

Erica Toelle: All right. So, with that, let us go ahead and move on to our compliance questions, moving away a little bit from specific technology and into more business requirements. The first question is:
Who owns your security and compliance program?
From the responses, it looks like the majority is:
• The IT department organizing the program
• Followed by a C level executive
• Then no clear ownership of the program.
• Moreover, then finally, representatives from multiple departments.
Before we jump into the panel, I am going to launch our first audience poll. The audience, I would like to know who owns your security and compliance program. You can go ahead and answer that now.
Also, then at the same time, Richard, I think you had a remarkable story about this.

A Premium Model of Security and Compliance Funding

Richard Harbridge: Yes. I think ownership is a challenging thing. Who owns the budget? Who owns the cost is where we struggle. Not necessarily with who is going to make every decision.
Also, one of the more exciting scenarios I have started to see in the industry is that many people look at security and compliance as insurance. So, I do not care about security and compliance until there is an issue and then it becomes top of mind.
One organization we were working with took this to heart, and they were smart. They created this program where they did chargebacks to different business groups and departments, so it was structured in the business. Moreover, so, what they did is they said you are going to have a premium and you are going to pay a premium for security and compliance.
They combined it into a subset of premiums, and you pay more of your premium if you do not do certain things. So, if you use a lot of unsanctioned file sharing tools within your department or your business unit, then you are going to pay a higher premium for security and compliance.
If as an example, if you don’t train your staff, if you don't do security training and other stuff, and it's not a large percentage of people, et Cetera, who've been kind of up to date on training on that, then again, you're going to pay a higher premium.
Also, it was smart because it encouraged positive change in the organization for those business units that were aware and cared about it. Moreover, for other business units, they did not care about it, but they still paid more, which allowed the organization to fund a lot of these very underfunded compliance and security initiatives.
Also, that helped to take the burden off IT and spread this awareness and a commitment across the business. So, the premium model was good because they have so many ways; they can take that moving forward.
They can make cost adjustments and other things based on how the organization is using different technologies or the way that they may be not following the security posture the organization would like them to. So, it was a smart way of really taking that further.
So sometimes the problem is not who owns it, it is how do you approach it within the organization that is just as relevant.

Compliance Programs are Gaining Visibility in the C-Suite

Erica Toelle: Hey Antonio, I know you do a lot with working to build out compliance programs, do you have any thoughts about this?
Antonio Maio: To the point around organizations treating security compliance like insurance. I think we used to see that in the past, but we see less and less of that because we see security and compliance come up as severe topics at the board level and the C level.
Moreover, you now have the question here, who owns your security and compliance program? It depends a little bit on what you mean by ownership. If ownership is responsibility and consequences if there is a breach, we have seen that move up to the CSO level, the CIO level, and it has become a standard topic at the board level.
So, it has organization-wide consideration and impacts. IT tends to own it from the perspective of implementing it. Also, often they tend to be the first ones to see the issues, and they report that, and sometimes they will have a tough time talking to legal and executives and getting buy-in.
However, again, we see that change more as the responsibility of that moves up to the board level and the C suite. I do not know if the other panelists have any thoughts on that, but that's kind of what we see in terms of ownership.
So, we often see the issues around security and compliance come out as part of say, findings, or recommendations from a security audit or a security assessment. Those were happening more on an annual basis. So, we will give suggestions and do implementations for customers and help them with that. If a breach occurs, then suddenly, it becomes top of mind and the whole dynamic changes in that regard.

Compliance Programs Tied to Security

Brian Culver: Antonio, that is what I am seeing with many of my clients. They have had many concerns with other breaches happening, and it becomes an important initiative.
I have seen much compliance tied around best practices and security. There is a lot of penetration testing and much training. I have seen it across every single client I have, especially in the last six to eight months. You even hear stories where they have increased security around the elevators and checking badges and things.
One of the coolest things I have seen, especially at United Airlines, is that the C suite has made a point to visit all the different facilities. They are having direct training and meeting all the employees.
They even involve contractors, which I think makes much sense just because vendors and contractors are engaged in meaningful projects. You hear a lot of these breaches happening because of vendors. So, they are starting to include us in compliance activities as well.
Antonio Maio: It could be our weakest links, vendors, and contractors, depending on how large or small the organization is, how robust their security protocols are themselves.
Brian Culver: Yes, from my perspective, I find that fascinating. I think that awareness is excellent. Moreover, I remember seeing the security and compliance move up the agenda is essential.

Security and Compliance Teams are Growing

Brian Culver: Even at United four years ago, their security group was small. I think they are at about 120 people now. They have grown drastically, and they own this, they own the compliance side of it as well.
Richard Harbridge: Yeah, I think the investments increased everywhere in this space.
Christian Buckley: I was going to share that my last team when I worked with Microsoft, and this was a decade ago, but the organization that I was in was advertising operations. It was about an 1800-person organization, and the security team had two people for most of that time.
Also, the security team was buried; it was a subgroup within the support operations team. Like it was not a priority. Also, it was a priority! Looking at the data around the threats they were able to stop, what they were able to do and resolve - it was incredible.
Also, that team now has 40 or 50 employees and is significant. It has moved out of where it was in support over into another tier. It is looked at very differently. That evolution is like the change I have seen at other clients.
I think that data point is IT ownership. I think it used to be a majority, over 50% of the programs were owned by IT. That is still the largest group of ownership, but it is pretty spread out, which I think is excellent. We have seen that change. Unfortunately, the change happened because of much pain.

Joint Ownership of Security and Compliance by IT and Security

Joel Oleson: I have seen a massive change in the last few years too where security has blown up. However, often, it is security that owns it, but IT must enforce the policies. There is an increase of a partnership. Moreover, so when you say ownership, it is like it is a critical partnership between IT and security and often legal. It is a triune relationship.
Antonio Maio: Also, I would say that is a good thing, the separation there on the partnership because you typically want a separation of duties between who decides on what the policy is and who configures and enforces the policy. That is an excellent separation to have, but you are right, that needs to be a partnership between those groups.
Richard Harbridge: It is also affecting revenue now. You have customers who, like lines of business like sales, care about security because they need to know their positioning too. It must become more digital and digitalized, our technologies changing, our companies go from a building truck to building trucks system, right, et cetera. These things become even more at the forefront.
Anthony Woodward: I was going to say that it is often driven by audit too, that rolling and ownership are coming to the truck point, that certification for those things has changed drastically over the last few years. So then why that ownership has changed is because of that certification.

What Are The Biggest Compliance Challenges?

Erica Toelle: Liam and Anthony, I would love to hear from you on this one.
What are the biggest compliance challenges faced by respondents?
So, on the left, we have the four most significant responses.
• Number one, end users do not classify data correctly.
• Number two, they still have content in legacy ECM systems.
• Three, they have content spread across multiple workloads, which we saw earlier in that technology question.
• Next, citing the content life cycle as a challenge.
• Then I added the rest of them in the table there.
So, Liam, we have not heard much from you yet. What are your thoughts about this? Are these like the everyday challenges you see? Do you have any ideas about how to solve them?
Liam Cleary: Yes, the main one, end users do not classify data correctly. I mean, that is a common one we have seen for 20 years. That had not changed from the days when I worked in the DOD, and they forced all the users to fill in 20 mandatory fields of metadata and then they would select them and be first to value and save it.
Because that was the most comfortable choice, but it did not help anything. So, it is still an issue. It is that balance between we need end users to classify, we need them to label because we want to apply policies. However, you are expecting, I mean take the new people coming into the workforce now they honestly do not care about that.

Should End Users Have to Classify Metadata?

Erica Toelle: Should users be completing metadata? With AI, machine learning, and these modern technologies, do we need them to do that anymore?
Liam Cleary: Well, there is a balance because there must be some structured components that you would put in place to say, I create a piece of content, and this is what I know the material to be.
AI is excellent, but it is not entirely smart. I mean, come on, my iPhone still does not understand what I say to it half the time. Moreover, that is supposed to be smart.
Erica Toelle: Well, I think it is your accent.
Liam Cleary: Well, hey, we all have accents, mine is just as bad as all of yours.
Christian Buckley: So, the AI, it knows you well enough that it is like, I do not want to answer that.
Liam Cleary: Yes, it is just messing with my head. That is what it is, but yes. However, these are common; I mean, I am working with an organization now; they have these same issues. I mean everything on this list is everything about which they talked. I mean, everything.
Richard Harbridge: I think the problem with, like, let us talk about the 38% number. I think it is a misnomer because we talk about users classifying data, but they might not know they are organizing data.
So, I guess it is back to the strategy, the 27% there. If you have a policy where the location that end users put the data in classifies it for them and they never knew, then you have solved your problem. Moreover, so I think, sometimes we use legacy approaches where we could not automate some of those things in the past, and we assume that the user must do an action, but now we know we have better ways of doing it too.
So, I think, combined with legacy systems not supporting some of these models or approaches and then the fact that we have these more dynamic, as-you-work things that are naturally happening based on where you work, those things make a significant difference. So, I think it is an excellent point. Like end user classification, that tool of metadata is one, but too often we use that as a framing device, and then we lose people quickly because no one wants to do extra work.

Risks of End Users Classifying Data

Antonio Maio: To add to that, when you look at many large organizations, they have had data classification schemes for an exceptionally long time. What they have not had are natural mechanisms for end users to choose a classification and then not had the proper, let us say roll out programs and education to teach employees.
Here is why we classify stuff, here is why it is essential. Also, here is what the different classification levels mean, and scoping that down to something comfortable and digestible for people.
Because when you look across many organizations, most employees want to do the right thing. They are not trying to breach data intentionally, but they also want to get their job done and go home to their families, right?
So, if you can roll that out and educate people and reeducate people over and over, give them uncomplicated ways to select those classifications, that helps to increase the options they have.
Liam Cleary: However, it would help if you also remembered that one of the most significant issues, like I found working with, I will say, some agencies right now, and one of their most significant problems is, weirdly, they are obscenely obsessed with PII data, like more than you can imagine.
Yes, when you ask the question what they mean by PII data, half the time they have no idea. This problem is not IT; this is the end user. So, they think it is okay to paste this PDF that is not encrypted with a whole bunch of stuff about Christian in it that no one should know but Christian and send it to anybody, like they think that is okay.
Well, it is in an email; it is secure, like they had no concept. Moreover, so when we see a number that says end users do not classify, I mean it's correct because, one, they don't understand; that's the problem, and as more people move into the organization, especially like, I think of my daughter as an example, so she's 20.
When she comes in, I cannot imagine what she will be sharing because she does not care. I think it does not make a difference to them because everything should magically work.
Moreover, I think that is a problem that organizations that I spoke to, like this week, they are struggling with that. They have a young workforce coming in, and they are like, "Hey, just share this all over the place, and you guys fix it." Like how is that supposed to work?
Excellent planning and implementation and all kinds of stuff are all good and well, but you have, it goes back to what Antonio said, you still got to educate the end user to know that what they are doing is not right. Also, that is the fundamental flaw right now.

Metadata as it Relates to the Content Lifecycle

Anthony Woodward: I would say not just to know what they are doing, but it is when, so we did some internal work in this area, right? The lifecycle matters because people do not start by not adding metadata.
It is just that, I mean, they will do this. I have got a draft at CMI OneDrive, or I have got it locally. I am putting this PowerPoint presentation together at this point; I do not need metadata; it is my file.
Moreover, then at some point, it changes with the lifecycle step. The data we have seen here can be a little misleading because 38% can often represent information in those first phases.
The metadata that comes later, as you add it into the system or you place it in some context and even add some machine learning or AI to it, then changes the profile of that context depending on how modern your system is.
I think the question needs to be refined around when you think about metadata, or I guess if you were to rerun this survey and pushed hard for this thinking, when does your organization need it and in what context?

Security by Obscurity

Brian Culver: I came across an organization just yesterday whose implementation was more of a security by obscurity. So, for their medical record numbers, there was no standard.
So, they had this idea of: we want to hide the medical record number. We want to use a bunch of different varieties so that it is hard for people to find them. Well, the enforcement became impossible because you could not find what a medical record number was and then enforce the policies.
So now all data, it must be considered patient data because we cannot tell where we use the medical record number. So now what would have been less than 1% is now 100% of all data needs to be enforced, and you have got 100 terabytes of data that now must be highly regulated where it could just be, again 1% that has patient data in it.
Richard Harbridge: This situation is also a result of the organization not being as proactive here, because we know organizations are behind. Moreover, so because there is no proactiveness some end users who are trying to do the right thing might even try and do something else like password protect files, put them in different patterns, et cetera.
That creates the complications as mentioned. So, it is even more of a reason to prioritize some of these things. So, you are in the driving seat, and you can reduce some of those risks early on because it is prevalent for people to use the craziest methods to try and protect their data. That makes no sense.

Automate Data Capture as Much as Possible

Christian Buckley: It needs to be a combination, too, and you can have a perfectly outlined life cycle. You could have your metadata taxonomy outline, you could have all that set up for end users to go in and do that, but you also need to go in then and automate some of those things, so they don't have to think about it.
So, I would put this in the context of the user experience of the various roles in your organization that is handling this information.
Thinking about that end to end, what you need to have, and what is the best way to capture that as much as you can automate. Like the system knows that I am in marketing, that I have this function, I have labeled content as sensitive or whatever, and then it automatically does other classifications of things based on my profile.
It can look at my organization, the labels that I have applied to it that I do not have to go through this lengthy process, that form with 20 different options, which the people will fall like water running downhill. It will follow the path of least resistance. So, whatever is most straightforward is to upload that document and walk away. So thus, you want to automate as much as possible.

Do We Go Back to File Shares?

Liam Cleary: What I hear you saying Christian, is that we should go back to file shares, because that was much easier. Because that's precisely what file shares were. You just put it in a folder and the location where you want. Moreover, if it was private, you change the permission-
Richard Harbridge: I beg to differ.
Liam Cleary: -also, you just renamed it and said, "This is the private one, don't open it."
Richard Harbridge: It was not easier. You try to figure out where to put it in that hierarchy. You try and access it outside the security system. We think it was easier because that is what we are used to doing at that time.
Anthony Woodward: In some ways do not you think we, what I see with organizations, particularly with OneDrive, there is a little bit of a step back to that, right?
Liam Cleary: Yes, correct. That is what I am saying.
Anthony Woodward: OneDrive has my shared files that I then share out, and they know something we have been dealing with our customers on is trying to work out how do I even use the ML to promote it back to the corporate store, right.
There are some exciting scenarios there. However, yes, it is like a retrograde step, it is like a file that is sharing this personal to me, but it is in the cloud.
Antonio Maio: Yep.

Is Your Compliance Offering Sufficient?

Erica Toelle: We talk about this all day, but we have other questions we should discuss. So, the next one is,
Is your compliance offering enough? Moreover, I think it is interesting that:
• 25% say it is not enough or is not enough.
• Then another 30% do not know if it is adequate, and they do not know if it is or is not.
• Also, then there is about 35% that say, probably or yes.
So quickly, I am going to do another audience poll here. Do you think that your compliance offering is efficient? So, then our panel, what do you think about this?
Brian Culver: I am surprised at how people think it is.
Christian Buckley: Yes. 19% are confident. No one else is confident. I think even at the positive end of that those went down like yes, that for compliance and security person that is a no.
Joel Oleson: 30% is no too.
Eric Overfield: That is a yes.
Joel Oleson: I think many people; they do not know the controls, they do not know what can and cannot be done. I believe that is the challenge too.
Eric Overfield: They do not know what it means to be compliant.
Richard Harbridge: It also depends on how you look at this, right? So, let us be clear; some organizations are cloud-oriented and feel that they have the right offering. They have not implemented it correctly or that there is an ecosystem included in that offering, and thereby, they are solved.
So, I could see people confidently saying yes, but it means something different, which is not necessarily that their compliance offering is deployed and that they are ready.
It is more than they believe that they have the right investments. So, I would argue that many organizations believe that, and some of them are right, right. It is just a matter of execution.
However, agreed, like most of the people, I think as you learn more, you realize that you let no less, and that is the nature of the space.

Real-Life Examples of Compliance Offering Implementations

Liam Cleary: I am going to count on you on that one, Richard, because I have just worked with six specific clients that have all had breaches in Office 365 and just because they have Office 365, they think they have everything they ever need. Moreover, when you peel back the covers, and I know Antonio was with me on this one, that you peel back the covers, and they go, "Well, have you got AIP? Did you put in labels? Do you have IRM?"
Moreover, they are like, "Well, I've put all together; they're all in there." Also, when you go in there, not they are not. They have them, but I have never done it.
I mean it does, I mean nothing. I mean, I had one guy that said, "We had a breach." So, I said, "Did you have multifactor?" "Yes." "Now, is it on?" "No." Well, there is a problem.
Richard Harbridge: Like who owns it, who implements it? These are two different people sometimes. So, the owner says, "Oh, we have the offering." The implementer has not implemented it because they have no budget to achieve these things. Let us be fair.
Also, so I agree, but I think it is because of this dynamic. Also, so when you have them both together, in theory, it makes it better. However, it does not because again, the budget is limiting.
Liam Cleary: I will give you the real world for this, at a call the other day with a group in an organization called the DIS Group. Okay. They are the data and information security group.
So, then they have security, and they have IT. Thus, security told the IT group; they want to put these things in place. So, they wanted AIP. So, the IT group go ahead and make AIP. The security does not own it. IT just put it in.
Moreover, then they handed it to this group called DIS and DIS called me and go, "What's the AIP? We have no idea." So, you have got these three organizations that somebody said do this. They had to go at it because they have made a blog post and then they handed it off, and they rolled out the client into everybody and said, knock yourself out. Moreover, then no one knows what they are doing. So, all this content is being created.
They have AIP policies that no one knows what they do or anything. So, it is like this weird, and I think I see that more. I have been working with a bunch of enterprise clients, and they are the worst offenders. That is what it seems to be. They are like 27 departments. Nobody owns it. No one's going to pay for it. However, hey, it is all in.

What Do We Mean by Compliance?

Christian Buckley: We saw in the run-up, a notable example is with the GDPR, and the run-up to that last year, it is why I think Microsoft, there is a reason why, as the first answer at any FAQ was, Microsoft will be compliant by this date. Microsoft compliance does not equal your compliance just because you are using Office 365.
Antonio Maio: They were noticeably clear about that. For sure. Moreover, it depends on what you mean by compliance. Because when you consider what compliance means, in organizations that implies a comparison to a regulatory framework.
Whether it is PCI or NIST 800 or ISO 27001 or HIPAA or GDPR or the California Privacy Law comparison to some regulatory framework, that is what it typically means. Many organizations take it as we have these security policies that we have developed for organizations, and are we compliant with that? Also, that is still meaningful because many of that compliance, there's PCI does not talk about labeling anything.
It is more of a finding credit card numbers and DLP and those types of regulations. So, it depends a little on that. To Liam's point, I see the same thing where many organizations are struggling with the rollout of many of these features. The offering is there, the tools are there, in the Microsoft cloud, the tools are fantastic.
When you look at cloud app security and Microsoft information protection and DLP and the million other offerings that they have, rolling them out is a challenge. Sometimes it is budget, but I often see that sometimes it is also a technology issue that is preventing them from rolling out the solutions. You see organizations that are moving from on-prem to the cloud still, and they have, let us say an on-prem deployment of RMS.
Moreover, they have a whole bunch of content that they've encrypted in the past and the organizations must migrate their keys to the cloud so that they can still decrypt their old encrypted data and they want to move to this new solution, but there's some little thing blocking them.
So, it is a process. It is an evolution. Many organizations are just starting to understand what AIP is and what data classification is. So, they are in the middle of that process, a lot of them that I find. I think they will get there, but we are still in this transitioning to the cloud phase and moving to these cloud-based security solutions phase.

What are Some Compliance Framework Examples?

Eric Overfield: One of the common problems is those policies that sit around as regulatory frameworks that companies have are not easily transcribed into those technologies. So, companies are struggling with, I have this policy, but what does that mean?
Also, then how do I audit what that means and how do I verify that I am compliant with those things? That is a common thing that I think is underlining this study here but also that you see out in customer end.
Richard Harbridge: To give an example of where I see a change in this specific instance is that compliance score model that Microsoft now has with Office 365 or Microsoft 365. You can do the compliance score and you can kind of measure it.
It is just like how the security score made a significant difference from what I have seen with my customers. Where they are like, "Hey, wait a second." Because it does not say precisely how to solve it, but it says, look. Microsoft would recommend these actions or these things, which does make it more understandable to the IT group who is implementing a lot of these things.
Moreover, when you go and look it up, it is quite smart because everything orients around a process. You assign, is this compliant? This specific clause or set of requirements, is this compliant to a person who is supposed to confirm it?
Also, so going back to the earlier point, it is about most organizations might feel, and I believe most organizations do think that they have the technology, or they have the plan for the technology, at least in the offering. However, the miss is how to implement it, the process, those types of things.
Because let us be honest, most organizations do not have that talent internally either to be able to do those types of things. Moreover, it is almost impossible to have that talent, even in larger organizations for scale, right. To be able to do that across the organization. So, I think these are notable examples of why this ecosystem exists as well.

How Mergers Complicate Compliance Offerings

Brian Culver: Yes, sometimes it is a little different, but I think it is worth mentioning. I deal with a lot of oil and gas, and they are always acquiring each other. So, when you are integrating these systems, you find incompatibilities.
One good example, I think it was Wood Group bought Mustang Engineering. Mustang was way ahead of the game, and I say that from, I merged several other SharePoint farms, and they were way ahead of the game. Everything was immaculate. So, then I moved it into this filthy, messy environment where it was chaotic, they had 60 SharePoint developers, and it was the wild, wild west.
Also, it was heart-wrenching to see that because everything was pristine, and instead of taking the situation where you could look at the best of both worlds, it was just politics.
Moreover, politics crushed this scenario. The organization even let go a lot of these guys that did such an excellent job with governance and classifying things and putting all these systems in place. I just thought I would mention that because there are all these challenges coming in from various dimensions and the multiple aspects.

How Confident Are Respondents That They are Meeting Compliance Standards?

Erica Toelle: Since we have been talking about technology, I thought this slide was super exciting.
People are asked on a scale of one to seven, how confident they are that the services and solutions that they are using meet all organizational and industry compliance standards.
So currently Flow, and PowerApps are seen as the most compliant. What do you think of this?
Eric Overfield: Yes, when I compare this to some of the other earlier responses, it seems high that even though we are averaging, well, is this not a one to seven, right? So, we are averaging well over 50%.
I am surprised a lot of this is so highly ranked, but then again people talk about Flow or Skype for Business as more straightforward for them.
They have simple policies in place. I do not know, the numbers did not jibe with me, which also tells me I do not think people understand what they are doing.
Antonio Maio: I would agree on this one.
Eric Overfield: Yes, it is scary. That is what I am thinking.
Christian Buckley: That is normal.
Antonio Maio: Yes, people do not realize you can use Flow to send data to any endpoint on the Internet.
Christian Buckley: Yes.
Joel Oleson: It blows my mind.
Eric Overfield: However, you turn it on, so people think they are compliant, but they are not.

Is Microsoft Flow Compliant?

Liam Cleary: Let us talk about that compliance question though, like what does that mean?
When you talk about Microsoft compliance, what are you talking about with compliance?
Like, oh wow, I can make this super flow that sends me an email. We will be doing all right, but I can also make it do 50 million other things that you do not want to know you can make them Microsoft Flow do.
Richard Harbridge: Let us think about the usage of a tool with whether the application is compliant. Which is how we programmed it.
Liam Cleary: There is no way Flow meets every organization and industry compliance need. There is no way.
Brian Culver: The fact that it is turned on is a problem.
Liam Cleary: Yes. I was going to say, the fact that it is even listed there is a problem, there is nothing done here. Okay. Let us look through the list.
Christian Buckley: That is why it is like the administrative controls, it is like either turn it on, or you can turn it off there is nothing.
Liam Cleary: If the question was, is it switched on? Well, then it does not meet standards.
However, if it is off and then it would meet the organizational requirements because of course, you can because it is off.
Brian Culver: What percentage of customers have turned on the governance around Flow? Less than 1%, I would guess because you must pay extra for it.
Also, it is a brand-new plan, and nobody even knows that it exists. This usage points to a lack of education.
Richard Harbridge: I think it is perceived simplicity. I am surprised. Planner is also on the list because of that. However, like Flow, Skype for Business, PowerApps, Exchange. Many customers think, oh, that is like I am. Like they think of it as a narrow use case in a narrow scenario. Alternatively, they do not use it a lot. So, they assume, oh yes, that that is. Whereas the things that, where the content is found, you can see your ranking lower. The most curious thing I found in this by far was Planner being so low in the ranking.
Richard Harbridge: I was super curious about why organizations do that. However, that is just me because work management is not something; I typically see much compliance focus on, while we see it on content, things like that. So, I would be curious from an industry perspective on why an organization might be perceiving that as low.

How Familiar Are People with Office 365 Compliance Offerings?

Erica Toelle: Well, there is another graph that might bring to light a little bit of this, which is:
How familiar people are with compliance offerings in Office 365?
So, there are many technologies numbers here, but as an example,
• Classification labels. People said that they were either not familiar at all, familiar. That one is pretty spread out, so that is interesting.
• However, some of the other important ones, like data loss prevention, it looks like they are not as familiar with it or some of the other ones.
What do you think?
Liam Cleary: I am quite surprised that classification, labels and policies and retention policies and all that kind of stuff is familiar, I would not have expected that to be that high.
This opinion is based on the conversations that I have had with customers and clients. Like that is the problem, they do not understand that. So, the people that went in and said, "Oh, I'm very familiar with it."
Like, I'm not going to take it away from them, but still that's half the reason why I get a phone call, or Antonio goes in, Richard goes in, we were all into clients because they don't fundamentally understand labels, policies, categorization of content, retention, DLP.
DLP is a term that has been around for so long now that I am assuming that is where that would come from.
Antonio Maio: I thought it would be most familiar because DLP technology has been around for decades.
Liam Cleary: Yes, that is right. I mean, and of course, this stuff we have come from Exchange and all that. GDPR makes sense.

Is There a Positive Bias in the Answers?

Christian Buckley: What is interesting about this, I think that that helps is that I get the full report that people can go and download it and Erica will have a slide here at the end.
So, it was asking questions like this, and then the next thing is then to ask questions about your specifics in each of these areas. Moreover, what always happens is when you question that way, this is the people are, here is anecdotal, and this is my opinion based on the research projects that I have done, the studies that I have led.
Do people like to paint themselves in a better light with this kind of broad questions? Also, so then when you go, and you ask them more detailed questions about the specific tools and products, and then you start to uncover where the gaps are and the understanding of what those things are.
It is like we could go back to this question. It is like, would you like to refer, like answer again the same problem?
Liam Cleary: Yes.
Erica Toelle: Well, and this is almost asking the question in a bit unique way. It is not one to one, but I think it shows you the fact that the never is so high on people who use features.
Liam Cleary: Yes.
Christian Buckley: Yes.

The Administrative Process Behind Compliance

Richard Harbridge: Wow, this is scary. I think if you had labels in here, it would be exciting to see that result too.
The challenge I have with these types of things is, we think of the administrative process. So, like a disposition is an excellent example of it. Disposition is where there is a group of people that are named and manage the process. They can re-label things or dispose of it as is proper when the content hits a stage.
So, people go, oh, that has nothing to do with me. Moreover, yet, when the disposition process happens, there could be tie ins to a broader group of people. Think of like the labeling, schemes think of scenarios for added approvals and things like that.
So, I think part of it is also the toolset has been limiting. The number of licenses is so expensive, or they are restrictive. And one of the beautiful things, at least my opinion about the way that some of these things are being done in the cloud, is they are kind of designing them so that they can be more broadly applied to a more extensive collection of users without necessarily licensing every one of those users who are going to do that action.
So, if I have an E5, nothing is stopping me from going in and doing things. So, I think that that is a meaningful change. I am picking on Microsoft, but this is an industry thing that is happening where compliance and security are distributing in terms of its importance in organizations, and by proxy, it is becoming more of like included in our suites and adding our licensing.
So, I am a massive fan of that because I do not if you had said, "Is this going to change?" I would have said a couple of years ago, no. Now I feel like it is slowly going to change where increasingly, not end-user, but more leaders throughout the organization that is going to be taking part in these exercises.

How Can Organizations Audit Themselves?

Anthony Woodward: However, you do not think there is a counter pace happening with the cloud where the organizations feel outsourced oddly disposition to Microsoft. Because it has all these excellent features, and I can set that label in a timeline and now we do it.
Moreover, my auditor came and checked me and said it was done. So, we see this sort of odd thing that people almost, it is a little bit like the GDPR scenario, but there is not the same tooling to check on it. They are not able to kind of audit themselves on their processes to go, "Hey, we've got high-risk data, still in our I'm cloud solution, and we're not doing anything about that." So, there's kind of two sides to that, I think.
Liam Cleary: Yeah, I mean those are the audience in which they have been involved. I know Antonio has done some too where we go in, and it is quite scary when you peel back the layers in an organization and say, well, where do you store that? Do you have high-risk data? Like what do you mean by that?
Well, tell me what you think of high-risk data. It is not like, oh yes, we have got that all over the place. You are like, what? Wait for what? Okay, you need to shut down 365 right now, and we would like to take it all out because it is. It is this element like you said, it is my new word, lackadaisical way of looking after content.

The Dangers of Having a False Sense of Security

Liam Cleary: They are like throw it into 365 Microsoft looks after it, it is good to go. It is all secured; it is all encrypted. No one's going to hack it until someone steals the vendor credentials and then takes all your data, which is where I come in and have those conversations recently as well.
So, there is that. It is an indolent way of doing it because the tooling is getting easier. I go back to all those years ago, those who can go with me, who were developers when we used to use Visual Studio many, many years ago and you must code everything from scratch to make it do everything you want it to do. Now you open Visual Studio and press the button and say make me a website.
Moreover, it just goes, and it is done. Like that is the point. You have got to eat that commoditized, super easy wizard-driven, that means I have not got to think about what the impact of that doing is going to be. Because Microsoft tells me, if I click a button and do this, it is going to be good because that is what the documentation says. That is how I do it. Moreover, then I will realize when I have somebody come into audit that it is not enough. However, that goes to this question mentioning.
Antonio Maio: A concrete example I ran across from that, I was doing a security audit of an on-prem SharePoint environment in Florida, and this was for a hospital. So, we found a site and a few lists on the place where they stored tissue donations and patient information with all those tissue donations.
We found there was a couple of hundred people in the organization that had access to it. So that was an eyeopener for them that, they knew that personal medical information, personal health data was sensitive.
However, when you saw it all put together in this one convenient SharePoint list, with many people having access to it, it was a little bit of an eye-opener when you educate them on what can happen with that.
So, it is just one example of its part of this audit. I had never seen a SharePoint list used to store, donations, heart donations and lung donations, and so on. So, it was interesting to see their reaction and kind of remediation steps afterward.

When Should Organizations Use Third-Party Tools?

Richard Harbridge: I think that Microsoft compliance tools are not always enough. Does everyone agree they are not, and you need the third party?
I think everyone on this panel who are experts in this field would say you need a third party or a set of third-party tools to meet those needs.
Joel Oleson: I would also chime in and say people are not even using what is in the box.
Richard Harbridge: True.
Liam Cleary: I would give you the consultant answer; it depends.
Joel Oleson: It does.
Liam Cleary: Which is what it would be because like if you have X requirements, the out of the box will work perfectly fine for what you need. Moreover, if you would like, like if you have ten people or 50 people and you are not sharing stuff anywhere, and it is all controlled, then why not use the out of the box? Because the material is excellent.
I mean it chops, it encrypts and does all the things you need to and if you implement the Microsoft Stack in 365 correctly, correctly is the keyword that it works as defined out of the box. So as soon as you start to do other stuff, then yes, I agree that you want specific legal requirements, specific requirements for HIPAA or whatever else, then yes you need to move and have third-party components.
Richard Harbridge: I will get agreement across the panel on a different thing. Let me reframe, does everyone agree that third party or outside aid is necessary and that first party, in this case, Microsoft and its various, fast track style offerings are not enough to meet your needs to do this?
Liam Cleary: Well, that is a loaded question, but I would-
Richard Harbridge: I know, but does everyone agree?
Liam Cleary: Yes.
Christian Buckley: I am just going to add one other with a perspective there. The consultant/business analyst is that most organizations do not understand what their requirements are or what they should be and if you are not going to have the right requirements upfront, you are never going to meet those requirements that you do not know. Yes.
Joel Oleson: Moreover, it needs ability.

How To View Out of the Box Compliance Tools

Liam Cleary: Yes. Also, a cloud provider, let us be honest with the cloud provider like Microsoft or a vendor that provides that SaaS model for the story. It is not in their interest to consult with you on how that works. That is not their job.
Their job is, this is how we protect it. This solution is what we offer. You want to use it, knock yourself out. Here is the excellent documentation. I had this conversation the other day, Microsoft has excellent documentation on how to do something, so do this, do this, do this.
What they do not have is the scenario that matches what you are trying to do, and that is not what they are there for, they are there to give you excellent documentation but not how it suits you.
Joel Oleson: I think I had another notable example of showing, proving what you are talking about here is, imagine if you were to say, hey user, are you getting too much spam? The answer is yes.
Moreover, if you were, say, hey, CIO, CXOs, are you getting too many emails where you are getting phishing attacks and people trying to get your password? I think the answer would be obviously yes.
Do you like to reduce that number? Sure. Wouldn't that be great? Well, guess what, with the E3 or whatever they own, they could reduce that number.
Joel Oleson: So that is some give and take of how much are you willing to pay? Moreover, what if we could take you and or your colleagues and or this department, is there a way to protect this a lot better? Yes. Yes.
Also, it is a maturity thing. How can we get you from where you are at to where you would like to be? Is there a path and how much cost and how much risk and so on, there needs to be a conversation here because I think so many people do throw up their hands and say, I do not know how to get there? I am so confused. We know we are going to get hacked. We were watching the clock.
Liam Cleary: Yes, just waiting for that moment.
Joel Oleson: So, throwing money at the problem is not solving it. They need help for sure.

When to Get Outside Help on Implementing Compliance

Antonio Maio: I would say I agree with Liam's point about, Microsoft has excellent documentation on how to do something. They do not have nuts necessarily industry-specific documentation or scenarios correct documentation. I mean they have some, and they are working to increase that. However, that's where folks like us come in. Right?
Moreover, when you look at the tooling for security and compliance, they do have excellent tooling built into the cloud offering. However, depending on the scenario and the industry, that is where you might look at third-party solutions. Security and compliance is a vast, broad topic.
Moreover, there is a lot there that they do, but there are other industries specific against scenario specific circumstances where third parties help.
Christian Buckley: Also, there are three admin consoles that you need to work with within the product out of the box. So, having that ability, having that guidance, and having it done accurately for your requirements is critical.
Brian Culver: Only three. That is cool. I thought there were seven.
Christian Buckley: Well, I mean there is a lot of other admin consoles, but I am saying that primarily for security compliance.
Liam Cleary: So, they keep adding more.

Implementing Compliance is Complex

Richard Harbridge: We can talk about all the gaps. One, a quick comment that I have seen consistently is even in small businesses now I understand small companies must provide when working with partners because we know increased companies are working with B2B and more substantial relationship type modeling where there is more partner vendor, et cetera.
Moreover, the supply chain is getting more complicated. In all those scenarios, I see increasingly of an expectation that you affirm certain things. That you have these security things, you have these protections. So, what I have seen in the research we have started to do we have seen that increased customers are saying no, they have a false positive.
They have got everything, and someone takes the legal risk and says, I am the CEO. Moreover, yes, we do all these things because they read that SharePoint or Office 365 or whatever offers those things. Not because they are implemented but because they supply them.
A big key word here is the critical takeaway is default is not on in most cases for this stuff and is certainly not configured. When I say not third party or external because many customers, the idea of you trying to do it yourself means that you're probably going to make mistakes and certain things are not going to be on, and certain items are not going to be configured, or you may misunderstand it.
I think that is one of my favorite outcomes for the whole paper. You always have that sinking feeling that people are overconfident. We saw that in the data, and these are people who went to a compliance survey and filled like these are people that should be informed, and they are still over-reporting their confidence. So, I think that is a considerable risk in the marketplace right now.
Christian Buckley: One point is that there is the ability to be 100% compliant out of the box with Office 365, which is do not add any users to the system.
Liam Cleary: That goes for every platform ever.
Richard Harbridge: Please do not sign up for it. If there's content in there, but all the users have been removed. I am sorry Christian, there is still a risk, yes.
Christian Buckley: That is true. No content, no users. Check.

How to Download the Compliance Study

Erica Toelle: Well, this has been an excellent discussion. I appreciate your time. We could talk about this forever, but we are 10 minutes over, and I respect that there is a lot of precious hours on this call being used. So, thank you so much.
If you would like to download the full report, the link is at the bottom of the screen there. The URL to download the whitepaper is:
https://rcrdpt.news/ComplianceWhitepaper
You can see all this information and lots more in that Whitepaper. Thank you, everybody.
Christian Buckley: Well, thank you.
Joel Oleson: Thanks a lot.
Richard Harbridge: Thank you.
Eric Overfield: Bye, all.
Brian Culver: Thanks, Erica, and thanks for organizing this webinar. Appreciate it.
Anthony Woodward: Thanks, everybody.
Brian Culver: Thanks. Good. Bye.
Liam Cleary: Bye.