is not for the faint of heart, according to Bruce Phillips. Phillips is Vice President, Information Security Manager at Fidelity National Financial, a provider of title insurance, specialty insurance and claims management services. Phillips said Fidelity National started the process of creating a data map, or a consolidated system that tracks the contents of multiple databases, over two years ago. He quickly found the it to be a huge behemoth of a project.
After a year on their own, Phillips and Fidelity National changed course and invested in a data mapping product from Exterro Inc. Still, even with a product to align the process, and plenty of assistance from staff, Phillips said the data mapping process is arduous and requires commitment of both time and resources. But the end benefit is that the company now has a much firmer grasp of their systems and can quickly respond to data requests.
Here, Phillips details the data mapping project at Fidelity National and gives advice to other organizations considering such a project.
CSO: What prompted Fidelity National Financial to start this data mapping process?Bruce Phillips: One of the challenges businesses have, particularly today, is mergers and acquisitions. It results in a lot of changes in business structure. And keeping track of what systems you have, who are the key players within those systems, becomes an increasing challenge. Whether it is for business continuity, litigation support, legal hold or information security and DLP [data loss prevention], it becomes just a nightmare. What we have found is creating a data map, however you go about doing it, gives you that bit of knowledge that helps you stay on top of an ever-changing landscape. So you were hoping data mapping would address several issues for you?
Absolutely. Data mapping is a hard thing to accomplish. It's expensive to do; especially if you don't get it right the first time. Once you create it, it's a living and breathing thing. You have to keep it up and maintain it. You must have a commitment to add resources and staff and time to just manage the data map itself, no matter what you are doing it for.
If you do a data map to map everything for just legal or regulatory or IT or just BCO that is a hard sell because it is expensive. If you don't have multiple constituents, don't try it. That's my advice to anyone. Unless you have a lot of uses for it, it's just too hard to do.
Tell me a little bit about the process.
We started out about two years ago. In our initial attempt, we decided to do it on our own. That just didn't work; it's way too complex of a problem. Unless you are in the business of building applications, and we are not, it's too complex. About a year and half later, after the process was begun, I took over and it was readily apparent we needed a tool to do this. We started the process with Exterro about nine months ago—the process of transferring the data that we did have. Initially it was just a legal hold product. But we saw the capability in the product to do the data map site that we wanted to do.
What was the data landscape in the organization like before the data mapping project began?paper-based systems that by regulation we have to maintain. There was no place to go; if you wanted to find something or answer certain questions you had to make five or six phone calls and hopefully everyone was in the office and not on vacation. If they were out, you had to wait for them to get back to you.
The company that had gone through an acquisition and we had production systems all over the place. Some of them we knew about, some of them we didn't. Some were just known by tribal knowledge. There was no single place from a corporate level where we could go and say these are the IT resources, and in some cases non-IT resource, because we have a lot of
There started to be a convergence from several different areas. From regulatory and legal aspects, the federal rules and civil procedures put more onus on quickly responding to discovery requests. From an IT standpoint we had so many resources scattered all over that we began to examine if there were opportunities to consolidate some systems, to bring some together, and to sunset some others. From the business-continuity side of it, we wondered: Where are systems we need to worry about? And figuring out what we need to augment to ensure that the business keeps going. This all sort of came to a nexus about two and half years ago.
There is so much we don't know in an organization that is rapidly changing—almost monthly. So that really was the driving factor. How do we understand what the organization looks like? And then other things came to the forefront too; DLP started coming to forefront, for instance. How do we know what data we have and how to protect it? The challenge was: How do you address this? We had legal, IT, and BCO all asking similar questions. It was a good point to start a data mapping process.
What was the first step?
The initial thought was: Let's go and build something ourselves. We sent an army of consultants out to interview the business units all over the U.S. That took almost a year. The challenge with that is when you collect that snapshot, within a month it's outdated. Sometimes it's not, but often it is. If you are going to start a data map project that is really not the way you want to do it. We managed to salvage a lot of that data and then went back and set up the process with the Exterro tool and then said to people: 'Please go in and verify this information. Update anything that is out of date.'
Depending on how you start, at best it will take at least a year to get started. And then understand it changes rapidly; a data map lives and breathes as your company lives and breathe. Any change you make needs to be reflected in that.
What does the data map look like now? How is it part of the everyday work life of employees?
To get it into everyday work life—that is one of the big challenges when you take on a data map project. We now have a web-based system where you can find out where your systems are and then go in and update them. It's getting people to understand that as you add a new application, or a new critical system, or a new storage location, that all needs to be updated.
One of the biggest challenges was getting our corporate structure modeled into the data map product so we knew who was reporting to whom. And then to identify the custodians and their managers. Then tying that in HR so that as people move from one part of the organization to another, it would trigger an event that would go back and say: 'This person has left; who has taken over this role with regard to this non-custodial data source?' Because often it is a file server, something a lot of people use, not just a single person. Or if a business unit goes away or we consolidate two offices into one we've automated that process so that as structure changes, it sends out notification that says: 'Hey, you need to update the data map.'
We have also tied it into our legal hold process so that if we have a demand letter or subpoena concerning a specific business unit or geographic location, the legal team can go into the legal-hold side of it. And as they scope that, all of those non-custodial data sources show up as part of that hold and the stewards for those systems are notified that this is now part of this hold. You need to update it and ensure all contact and data information is up to date. Also it will notify everyone who is identified within our corporate structure as a business owner and say: 'It's time to update your data map.'
How do you measure success? Have you had to put it to the test in some way?
It's being put to the test all the time; mostly from the legal side. We are continually getting requests from which we have to identify data. The challenge then becomes: How DO you measure success? Frankly, we've done some benchmark testing and said: 'Let's go ask this question of those who have domain knowledge and let's go ask the question of the system and then compare those results.' That was right when we started to get into adoption. It turned out once we got it into the system, the system was actually doing a better job of identifying the material we needed to find.
What advice would you give to organizations considering data mapping?
The first thing is don't do it for one purpose only. It's really about identifying the multiple constituents and part of it is a sales job, frankly. It's not a cheap thing to do and it's not an easy thing to do. It's not something you can start bottom up. It needs to start with senior management and come down. You need to be able to ID the benefit the constituents are going to get out of it.
The hardest sell is IT because, as in most companies, it's electronic data. So who is going to be the hardest hit in maintaining and upgrading the data map? It's going to be IT. You have to find the benefit for IT so they see what they can get out of it.